From 5f85878531a312ebcc6a55474fd4aa5e2a2e7e17 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Sat, 20 Jul 2024 21:56:25 +0100
Subject: [PATCH 01/14] Create DefaultTaintSanitizer
---
 .../code/java/dataflow/internal/TaintTrackingUtil.qll | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 4984b8b050fd..077c6e6d219e 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -155,12 +155,19 @@ private module Cached {
 any(AdditionalTaintStep a).step(src, sink) and model = "AdditionalTaintStep" } + /** + * A sanitizer in all global taint flow configurations but not in local taint. + */ + cached + abstract class DefaultTaintSanitizer extends DataFlow::Node { } + /** + * Holds if `node` should be a sanitizer in all global taint flow configurations + * but not in local taint. + */ + cached + predicate defaultTaintSanitizer(DataFlow::Node node) { + node instanceof DefaultTaintSanitizer or // Ignore paths through test code. node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or node.asExpr() instanceof ValidatedVariableAccess
From a4957272d3bffd15d0764340666d1c3b1346e144 Mon Sep 17 00:00:00 2001
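Review bot: `DefaultTaintSanitizer` is a global extension point — every node a subclass matches is removed from every global taint configuration in the Java library, so an imprecise subclass silently hides true positives in all queries, and the one-line QLDoc does not warn implementers of that. I would extend it to `/** A sanitizer in all global taint flow configurations but not in local taint. Subclasses must be precise: every node they match is a barrier in every taint configuration, so an over-approximation suppresses real findings in all queries. */`. The class is declared inside the private `Cached` module, so I assume it is re-exported from `TaintTracking` for library users (the following patch references `TaintTracking::DefaultTaintSanitizer`); if not, a public alias is needed. The hunk as rendered shows `+` markers on the existing `defaultTaintSanitizer` QLDoc and signature that the header's counts (12 → 19) say are context lines, so I am reading only the class, its QLDoc and the `node instanceof DefaultTaintSanitizer or` disjunct as new.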
From: Owen Mansel-Chan
Date: Fri, 16 Aug 2024 15:31:40 +0100
Subject: [PATCH 02/14] Add list of constants sanitizer for java.util.List
---
 .../dataflow/ListOfConstantsSanitizer.qll | 242 ++++++++++++++++++
 .../dataflow/internal/TaintTrackingUtil.qll | 1 +
 .../semmle/examples/AllowListSanitizer.java | 231 +++++++++++++++++
 .../semmle/examples/SqlConcatenated.expected | 21 ++
 .../semmle/examples/SqlTainted.expected | 49 ++++
 5 files changed, 544 insertions(+)
 create mode 100644 java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
 create mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java
diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
new file mode 100644
index 000000000000..60a23233ab0a
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
@@ -0,0 +1,242 @@
+/**
+ * Provides classes for identifying comparisons against a list of compile-time
+ * constants and considering them as taint-sanitizers.
+ */
+
+import java
+private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A comparison against a list of compile-time constants, sanitizing taint by
+ * restricting to a set of known values.
+ */
+class ListOfConstantsComparisonSanitizerGuard extends TaintTracking::DefaultTaintSanitizer {
+ ListOfConstantsComparisonSanitizerGuard() {
+ this = DataFlow::BarrierGuard::getABarrierNode()
+ }
+}
+
+private predicate listOfConstantsComparisonSanitizerGuard(Guard g, Expr e, boolean outcome) {
+ exists(ListOfConstantsComparison locc |
+ g = locc and
+ e = locc.getExpr() and
+ outcome = locc.getOutcome()
+ )
+}
+
+/** A comparison against a list of compile-time constants. */
+abstract class ListOfConstantsComparison extends Guard {
+ Expr e;
+ boolean outcome;
+
+ ListOfConstantsComparison() {
+ exists(this) and
+ outcome = [true, false]
+ }
+
+ /** Gets the expression that is compared to a list of constants. */
+ Expr getExpr() { result = e }
+
+ /** Gets the value of `this` when `e` is in the list of constants. */
+ boolean getOutcome() { result = outcome }
+}
+
+/**
+ * Holds if the method call `mc` has only compile-time constant arguments (and
+ * at least one argument). To account for varargs methods, we also include
+ * a single array argument which is initialized locally with at least one
+ * compile-time constant.
+ */
+predicate methodCallHasConstantArguments(MethodCall mc) {
+ // f("a", "b", "c")
+ forex(Expr e | e = mc.getAnArgument() |
+ not e.getType() instanceof Array and e.isCompileTimeConstant()
+ )
+ or
+ // String[] a = {"a", "b", "c"};
+ // f(a)
+ mc.getNumArgument() = 1 and
+ mc.getArgument(0).getType() instanceof Array and
+ exists(ArrayInit arr | DataFlow::localExprFlow(arr, mc.getArgument(0)) |
+ forex(Expr e | e = arr.getAnInit() | e.isCompileTimeConstant())
+ )
+}
+
+/** Classes for `java.util.List`. */
+module JavaUtilList {
+ private class JavaUtilListContainsCall extends MethodCall {
+ JavaUtilListContainsCall() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.hasName("contains") and
+ m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "List")
+ )
+ }
+ }
+
+ private class NonConstantElementAddition extends Expr {
+ NonConstantElementAddition() {
+ exists(Method m, RefType t, MethodCall mc |
+ this = mc.getQualifier() and
+ mc.getMethod() = m and
+ t = m.getDeclaringType().getSourceDeclaration().getASourceSupertype*()
+ |
+ t.hasQualifiedName("java.util", "List") and
+ m.getName() = ["add", "addFirst", "addLast"] and
+ not mc.getArgument(m.getNumberOfParameters() - 1).isCompileTimeConstant()
+ or
+ // If a whole collection is added then we don't try to track if it contains
+ // only compile-time constants, and conservatively assume that it does.
+ t.hasQualifiedName("java.util", ["Collection", "List"]) and m.getName() = "addAll"
+ )
+ }
+ }
+
+ private predicate javaUtilListOfConstantsLocalFlowTo(Expr e) {
+ exists(JavaUtilListOfConstants loc | DataFlow::localExprFlow(loc, e) |
+ loc.isImmutable()
+ or
+ not DataFlow::localExprFlow(any(NonConstantElementAddition ncea), e)
+ )
+ }
+
+ private predicate javaUtilListOfConstantsFlowsTo(Expr e) {
+ javaUtilListOfConstantsLocalFlowTo(e)
+ or
+ // Access a static final field to get an immutable list of constants.
+ exists(Field f |
+ f.isStatic() and
+ f.isFinal() and
+ forall(Expr v | v = f.getInitializer() or v = f.getAnAccess().(FieldWrite).getASource() |
+ v = any(JavaUtilListOfConstants loc | loc.isImmutable())
+ )
+ |
+ DataFlow::localExprFlow(f.getAnAccess(), e)
+ )
+ }
+
+ /**
+ * An invocation of `java.util.List.contains` where the qualifier contains only
+ * compile-time constants.
+ */
+ private class JavaUtilListOfConstantsContains extends ListOfConstantsComparison {
+ JavaUtilListOfConstantsContains() {
+ exists(JavaUtilListContainsCall mc |
+ this = mc and
+ e = mc.getArgument(0) and
+ outcome = true and
+ javaUtilListOfConstantsFlowsTo(mc.getQualifier())
+ )
+ }
+ }
+
+ /**
+ * An instance of `java.util.List` which contains only compile-time constants.
+ */
+ abstract class JavaUtilListOfConstants extends Call {
+ /** Holds if this list of constants is immutable. */
+ abstract predicate isImmutable();
+ }
+
+ /**
+ * A invocation of a constructor of a type that extends `java.util.List`
+ * which constructs an empty mutable list.
+ */
+ private class JavaUtilListOfConstantsEmptyConstructor extends ClassInstanceExpr,
+ JavaUtilListOfConstants
+ {
+ JavaUtilListOfConstantsEmptyConstructor() {
+ this.getConstructedType()
+ .getSourceDeclaration()
+ .getASourceSupertype*()
+ .hasQualifiedName("java.util", "List") and
+ exists(Constructor c | c = this.getConstructor() |
+ c.hasNoParameters()
+ or
+ c.getNumberOfParameters() = 1 and
+ c.getParameter(0).getType().(PrimitiveType).hasName("int")
+ )
+ }
+
+ override predicate isImmutable() { none() }
+ }
+
+ /**
+ * A invocation of a constructor of a type that extends `java.util.List`
+ * which constructs an empty mutable list.
+ */
+ private class JavaUtilListOfConstantsNonEmptyConstructor extends ClassInstanceExpr,
+ JavaUtilListOfConstants
+ {
+ JavaUtilListOfConstantsNonEmptyConstructor() {
+ this.getConstructedType()
+ .getSourceDeclaration()
+ .getASourceSupertype*()
+ .hasQualifiedName("java.util", "List") and
+ exists(Constructor c | c = this.getConstructor() |
+ c.getNumberOfParameters() = 1 and
+ c.getParameter(0)
+ .getType()
+ .(RefType)
+ .getASourceSupertype*()
+ .hasQualifiedName("java.util", "Collection")
+ ) and
+ javaUtilListOfConstantsFlowsTo(this.getArgument(0))
+ }
+
+ override predicate isImmutable() { none() }
+ }
+
+ /**
+ * A invocation of `java.util.Arrays.asList` which constructs a mutable list.
+ */
+ private class JavaUtilArraysAsList extends MethodCall, JavaUtilListOfConstants {
+ JavaUtilArraysAsList() {
+ exists(Method m | this.getMethod() = m |
+ m.hasName("asList") and
+ m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Arrays")
+ ) and
+ methodCallHasConstantArguments(this)
+ }
+
+ override predicate isImmutable() { none() }
+ }
+
+ /**
+ * An invocation of `java.util.List.of` which constructs an immutable list
+ * which contains only compile-time constants.
+ */
+ private class JavaUtilListOfConstantsCreatedWithListOf extends MethodCall, JavaUtilListOfConstants
+ {
+ JavaUtilListOfConstantsCreatedWithListOf() {
+ exists(Method m | this.getMethod() = m |
+ m.hasName("of") and
+ m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "List")
+ ) and
+ methodCallHasConstantArguments(this)
+ }
+
+ override predicate isImmutable() { any() }
+ }
+
+ /**
+ * An invocation of `java.util.Collections.unmodifiableList` which constructs an immutable list
+ * which contains only compile-time constants.
+ */
+ private class JavaUtilListOfConstantsCreatedWithCollectionsUnmodifiableList extends MethodCall,
+ JavaUtilListOfConstants
+ {
+ JavaUtilListOfConstantsCreatedWithCollectionsUnmodifiableList() {
+ exists(Method m |
+ m.hasName("unmodifiableList") and
+ m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Collections") and
+ this.getMethod() = m
+ |
+ javaUtilListOfConstantsFlowsTo(this.getArgument(0))
+ )
+ }
+
+ override predicate isImmutable() { any() }
+ }
+}
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 077c6e6d219e..00c316b184bd 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -7,6 +7,7 @@ private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.Validation
 private import semmle.code.java.Maps
 private import semmle.code.java.dataflow.internal.ContainerFlow
+private import semmle.code.java.dataflow.ListOfConstantsSanitizer
 private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.spring.SpringHttp
 private import semmle.code.java.frameworks.Networking
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java
new file mode 100644
index 000000000000..6e4a01a3b860
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java
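Review bot: `NonConstantElementAddition` treats only `add`/`addFirst`/`addLast`/`addAll` as making a list non-constant, so a mutable list whose element is replaced with `List.set(int, E)` before the check is still classified as a list of constants and its `contains` still acts as a sanitizer, which hides a real injection; since the element is the last parameter, the existing argument check covers it once the name list becomes `m.getName() = ["add", "addFirst", "addLast", "set"]`. Likewise `javaUtilListOfConstantsLocalFlowTo` only looks for local mutations, so a mutable list that escapes to another method or into a field before `contains` can be populated through an alias without being noticed; if that is deliberately out of scope, a comment on that predicate should say so. The comment `// only compile-time constants, and conservatively assume that it does.` says the opposite of what the code does (an `addAll` qualifier is counted as a non-constant addition), so it should end `and conservatively assume that it does not.`. The QLDoc of `JavaUtilListOfConstantsNonEmptyConstructor` is copied from the empty-constructor class and says "constructs an empty mutable list" although the class requires a `Collection` argument, and that QLDoc, the empty-constructor one and the `Arrays.asList` one all read "A invocation" rather than "An invocation". `JavaUtilListContainsCall` only matches `contains` whose declaring type is exactly `java.util.List`, unlike `NonConstantElementAddition` which walks `getASourceSupertype*()`, so a qualifier statically typed as `ArrayList` presumably never gets the sanitizer — conservative, but worth aligning or documenting.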
@@ -0,0 +1,231 @@ +// Test cases for CWE-089 (SQL injection and Java Persistence query injection) +// http://cwe.mitre.org/data/definitions/89.html +package test.cwe089.semmle.tests; + +import java.io.IOException; +import java.sql.Connection; +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; + +class AllowListSanitizer { + public static Connection connection; + public static final List goodAllowList1 = List.of("allowed1", "allowed2", "allowed3"); + public static final List goodAllowList2 = Collections.unmodifiableList(Arrays.asList("allowed1")); + public static final List goodAllowList3; + public static final List goodAllowList4; + public static final List badAllowList1 = List.of("allowed1", "allowed2", getNonConstantString()); + public static final List badAllowList2 = Collections.unmodifiableList(Arrays.asList("allowed1", getNonConstantString())); + public static final List badAllowList3; + public static final List badAllowList4; + public static final List badAllowList5; + public static List badAllowList6 = List.of("allowed1", "allowed2", "allowed3"); + public final List badAllowList7 = List.of("allowed1", "allowed2", "allowed3"); + + static { + goodAllowList3 = List.of("allowed1", "allowed2", "allowed3"); + goodAllowList4 = Collections.unmodifiableList(Arrays.asList("allowed1", "allowed2")); + badAllowList3 = List.of(getNonConstantString(), "allowed2", "allowed3"); + badAllowList4 = Collections.unmodifiableList(Arrays.asList("allowed1", getNonConstantString())); + badAllowList5 = new ArrayList(); + badAllowList5.add("allowed1"); + badAllowList5.add("allowed2"); + badAllowList5.add("allowed3"); + } + + public static String getNonConstantString() { + return String.valueOf(System.currentTimeMillis()); + } + + public static void main(String[] args) throws IOException, SQLException { + 
badAllowList6 = List.of("allowed1", getNonConstantString(), "allowed3"); + testStaticFields(args); + testLocal(args); + var x = new AllowListSanitizer(); + x.testNonStaticFields(args); + } + + private static void testStaticFields(String[] args) throws IOException, SQLException { + String tainted = args[1]; + // GOOD: an allowlist is used with constant strings + if(goodAllowList1.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // GOOD: an allowlist is used with constant strings + if(goodAllowList2.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // GOOD: an allowlist is used with constant strings + if(goodAllowList3.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // GOOD: an allowlist is used with constant strings + if(goodAllowList4.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowlist is used with constant strings + if(badAllowList1.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowlist is used with constant strings + if(badAllowList2.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowlist is used with 
constant strings + if(badAllowList3.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowlist is used with constant strings + if(badAllowList4.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowlist is used with constant strings + if(badAllowList5.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: the allowlist is in a non-final field + if(badAllowList6.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + + private void testNonStaticFields(String[] args) throws IOException, SQLException { + String tainted = args[0]; + // BAD: the allowlist is in a non-static field + if(badAllowList7.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + + private static void testLocal(String[] args) throws IOException, SQLException { + String tainted = args[1]; + // GOOD: an allowlist is used with constant strings + { + List allowlist = List.of("allowed1", "allowed2", "allowed3"); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + List 
allowlist = List.of("allowed1", "allowed2", args[2]); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowlist is used with constant strings + { + String[] allowedArray = {"allowed1", "allowed2", "allowed3"}; + List allowlist = List.of(allowedArray); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + String[] allowedArray = {"allowed1", "allowed2", args[2]}; + List allowlist = List.of(allowedArray); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowlist is used with constant strings + { + List allowlist = Collections.unmodifiableList(Arrays.asList("allowed1")); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + List allowlist = Collections.unmodifiableList(Arrays.asList("allowed1", "allowed2", args[2])); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowlist is used with constant strings + { + String[] allowedArray = {"allowed1", "allowed2", "allowed3"}; + List allowlist = 
Collections.unmodifiableList(Arrays.asList(allowedArray)); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + String[] allowedArray = {"allowed1", "allowed2", args[2]}; + List allowlist = Collections.unmodifiableList(Arrays.asList(allowedArray)); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowlist is used with constant string + { + List allowlist = new ArrayList(); + allowlist.add("allowed1"); + allowlist.add("allowed2"); + allowlist.add("allowed3"); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + List allowlist = new ArrayList(); + allowlist.add("allowed1"); + allowlist.add(getNonConstantString()); + allowlist.add("allowed3"); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + +} diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected index fc1d87f06b17..05bdd993a16d 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected 
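Review bot: The comments on the `badAllowList1` to `badAllowList5` checks in `testStaticFields` all read `// BAD: an allowlist is used with constant strings`, which is the GOOD case's text and does not say why each one is bad, so a reader cannot tell what the expected alert is testing. I would write `// BAD: one entry of the allowlist is not a compile-time constant` for `badAllowList1`–`badAllowList4` and `// BAD: the allowlist is mutable and populated in a static initializer` for `badAllowList5`, mirroring the wording already used for `badAllowList6` and `badAllowList7`. No case covers a mutable local list whose element is replaced after construction (for example via `allowlist.set(0, args[2])`) or one that is handed to another method before `contains`, so the sanitizer's behaviour on those patterns is untested; adding them as BAD cases would pin the intended behaviour. All lists here are declared with the raw `List` type, so every `contains` call resolves against `java.util.List`; a variant declared as `ArrayList<String>` would also be a useful addition.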
@@ -1,3 +1,24 @@ +| AllowListSanitizer.java:59:66:59:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:58:8:58:14 | tainted | this expression | +| AllowListSanitizer.java:65:66:65:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:64:8:64:14 | tainted | this expression | +| AllowListSanitizer.java:71:66:71:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:70:8:70:14 | tainted | this expression | +| AllowListSanitizer.java:77:66:77:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:76:8:76:14 | tainted | this expression | +| AllowListSanitizer.java:83:66:83:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:82:8:82:14 | tainted | this expression | +| AllowListSanitizer.java:89:66:89:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:88:8:88:14 | tainted | this expression | +| AllowListSanitizer.java:95:66:95:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:94:8:94:14 | tainted | this expression | +| AllowListSanitizer.java:101:66:101:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:100:8:100:14 | tainted | this expression | +| AllowListSanitizer.java:107:66:107:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:106:8:106:14 | tainted | this expression | +| AllowListSanitizer.java:113:66:113:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:112:8:112:14 | tainted | this expression | +| AllowListSanitizer.java:123:66:123:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizer.java:122:8:122:14 | tainted | this expression | +| AllowListSanitizer.java:135:67:135:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:134:9:134:15 | tainted | this expression | +| AllowListSanitizer.java:144:67:144:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:143:9:143:15 | tainted | this expression | +| AllowListSanitizer.java:154:67:154:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:153:9:153:15 | tainted | this expression | +| AllowListSanitizer.java:164:67:164:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:163:9:163:15 | tainted | this expression | +| AllowListSanitizer.java:173:67:173:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:172:9:172:15 | tainted | this expression | +| AllowListSanitizer.java:182:67:182:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:181:9:181:15 | tainted | this expression | +| AllowListSanitizer.java:192:67:192:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:191:9:191:15 | tainted | this expression | +| AllowListSanitizer.java:202:67:202:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:201:9:201:15 | tainted | this expression | +| AllowListSanitizer.java:214:67:214:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:213:9:213:15 | tainted | this expression | +| AllowListSanitizer.java:226:67:226:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:225:9:225:15 | tainted | this expression | | Test.java:36:47:36:52 | query1 | Query built by concatenation with $@, which may be untrusted. 
| Test.java:35:8:35:15 | category | this expression | | Test.java:42:57:42:62 | query2 | Query built by concatenation with $@, which may be untrusted. | Test.java:41:51:41:52 | id | this expression | | Test.java:50:62:50:67 | query3 | Query built by concatenation with $@, which may be untrusted. | Test.java:49:8:49:15 | category | this expression | diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected index decf551ab445..b5dbf4b2898e 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected 
@@ -1,4 +1,16 @@ #select +| AllowListSanitizer.java:83:66:83:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:83:66:83:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:89:66:89:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:89:66:89:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:95:66:95:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:95:66:95:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:101:66:101:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:101:66:101:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:107:66:107:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:107:66:107:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:113:66:113:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:113:66:113:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:123:66:123:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:123:66:123:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:144:67:144:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:144:67:144:71 | query | This query depends on a $@. 
| AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:164:67:164:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:164:67:164:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:182:67:182:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:182:67:182:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:202:67:202:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:202:67:202:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizer.java:226:67:226:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:226:67:226:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | 
@@ -10,6 +22,24 @@ | Test.java:209:47:209:68 | queryWithUserTableName | Test.java:227:26:227:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | | Test.java:221:81:221:111 | ... + ... | Test.java:227:26:227:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | edges +| AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:47:20:47:23 | args : String[] | provenance | | +| AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:48:13:48:16 | args : String[] | provenance | | +| AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:50:25:50:28 | args : String[] | provenance | | +| AllowListSanitizer.java:47:20:47:23 | args : String[] | AllowListSanitizer.java:53:39:53:51 | args : String[] | provenance | | +| AllowListSanitizer.java:48:13:48:16 | args : String[] | AllowListSanitizer.java:127:32:127:44 | args : String[] | provenance | | +| AllowListSanitizer.java:50:25:50:28 | args : String[] | AllowListSanitizer.java:117:35:117:47 | args : String[] | provenance | | +| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:83:66:83:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:89:66:89:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:95:66:95:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:101:66:101:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:107:66:107:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:53:39:53:51 | args : String[] | 
AllowListSanitizer.java:113:66:113:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:117:35:117:47 | args : String[] | AllowListSanitizer.java:123:66:123:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:144:67:144:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:164:67:164:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:182:67:182:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:202:67:202:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:226:67:226:71 | query | provenance | Sink:MaD:6 | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance | | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | provenance | | | Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) | provenance | Config | 
@@ -40,6 +70,25 @@ models
| 6 | Sink: java.sql; Statement; true; executeQuery; ; ; Argument[0]; sql-injection; manual |
| 7 | Sink: java.sql; Statement; true; executeUpdate; ; ; Argument[0]; sql-injection; manual |
nodes
+| AllowListSanitizer.java:45:26:45:38 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:47:20:47:23 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:48:13:48:16 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:50:25:50:28 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:53:39:53:51 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:83:66:83:70 | query | semmle.label | query |
+| AllowListSanitizer.java:89:66:89:70 | query | semmle.label | query |
+| AllowListSanitizer.java:95:66:95:70 | query | semmle.label | query |
+| AllowListSanitizer.java:101:66:101:70 | query | semmle.label | query |
+| AllowListSanitizer.java:107:66:107:70 | query | semmle.label | query |
+| AllowListSanitizer.java:113:66:113:70 | query | semmle.label | query |
+| AllowListSanitizer.java:117:35:117:47 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:123:66:123:70 | query | semmle.label | query |
+| AllowListSanitizer.java:127:32:127:44 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizer.java:144:67:144:71 | query | semmle.label | query |
+| AllowListSanitizer.java:164:67:164:71 | query | semmle.label | query |
+| AllowListSanitizer.java:182:67:182:71 | query | semmle.label | query |
+| AllowListSanitizer.java:202:67:202:71 | query | semmle.label | query |
+| AllowListSanitizer.java:226:67:226:71 | query | semmle.label | query |
| Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
| Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
| Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String |
From af741dc74b399d6a3f8eb1c4f296e98a2eea5b4b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 3 Oct 2024 15:44:38 +0100 Subject: [PATCH 03/14] Add tests for java.util.Set --- ...> AllowListSanitizerWithJavaUtilList.java} | 4 +- .../AllowListSanitizerWithJavaUtilSet.java | 232 ++++++++++++++++++ .../semmle/examples/SqlConcatenated.expected | 63 +++-- .../semmle/examples/SqlTainted.expected | 174 +++++++++---- 4 files changed, 401 insertions(+), 72 deletions(-) rename java/ql/test/query-tests/security/CWE-089/semmle/examples/{AllowListSanitizer.java => AllowListSanitizerWithJavaUtilList.java} (99%) create mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java similarity index 99% rename from java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java rename to java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java index 6e4a01a3b860..65bbd9e9fdd8 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizer.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java @@ -13,7 +13,7 @@ import java.util.Collections; import java.util.List; -class AllowListSanitizer { +class AllowListSanitizerWithJavaUtilList { public static Connection connection; public static final List goodAllowList1 = List.of("allowed1", "allowed2", "allowed3"); public static final List goodAllowList2 = Collections.unmodifiableList(Arrays.asList("allowed1")); 
@@ -46,7 +46,7 @@ public static void main(String[] args) throws IOException, SQLException { badAllowList6 = List.of("allowed1", getNonConstantString(), "allowed3"); testStaticFields(args); testLocal(args); - var x = new AllowListSanitizer(); + var x = new AllowListSanitizerWithJavaUtilList(); x.testNonStaticFields(args); } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java new file mode 100644 index 000000000000..2e4887320a1f --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java 
@@ -0,0 +1,232 @@ +// Test cases for CWE-089 (SQL injection and Java Persistence query injection) +// http://cwe.mitre.org/data/definitions/89.html +package test.cwe089.semmle.tests; + +import java.io.IOException; +import java.sql.Connection; +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; +import java.util.HashSet; +import java.util.List; +import java.util.Arrays; +import java.util.Collections; +import java.util.Set; + +class AllowListSanitizerWithJavaUtilSet { + public static Connection connection; + public static final Set goodAllowSet1 = Set.of("allowed1", "allowed2", "allowed3"); + public static final Set goodAllowSet2 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1","allowed2"))); + public static final Set goodAllowSet3; + public static final Set goodAllowSet4; + public static final Set badAllowSet1 = Set.of("allowed1", "allowed2", getNonConstantString()); + public static final Set badAllowSet2 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", getNonConstantString()))); + public static final Set badAllowSet3; + public static final Set badAllowSet4; + public static final Set badAllowSet5; + public static Set badAllowSet6 = Set.of("allowed1", "allowed2", "allowed3"); + public final Set badAllowSet7 = Set.of("allowed1", "allowed2", "allowed3"); + + static { + goodAllowSet3 = Set.of("allowed1", "allowed2", "allowed3"); + goodAllowSet4 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", "allowed2"))); + badAllowSet3 = Set.of(getNonConstantString(), "allowed2", "allowed3"); + badAllowSet4 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", getNonConstantString()))); + badAllowSet5 = new HashSet(); + badAllowSet5.add("allowed1"); + badAllowSet5.add("allowed2"); + badAllowSet5.add("allowed3"); + } + + public static String getNonConstantString() { + return String.valueOf(System.currentTimeMillis()); + } + + public static void 
main(String[] args) throws IOException, SQLException { + badAllowSet6 = Set.of("allowed1", getNonConstantString(), "allowed3"); + testStaticFields(args); + testLocal(args); + var x = new AllowListSanitizerWithJavaUtilSet(); + x.testNonStaticFields(args); + } + + private static void testStaticFields(String[] args) throws IOException, SQLException { + String tainted = args[1]; + // GOOD: an allowSet is used with constant strings + if(goodAllowSet1.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // GOOD: an allowSet is used with constant strings + if(goodAllowSet2.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // GOOD: an allowSet is used with constant strings + if(goodAllowSet3.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // GOOD: an allowSet is used with constant strings + if(goodAllowSet4.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowSet is used with constant strings + if(badAllowSet1.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowSet is used with constant strings + if(badAllowSet2.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = 
connection.createStatement().executeQuery(query); + } + // BAD: an allowSet is used with constant strings + if(badAllowSet3.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowSet is used with constant strings + if(badAllowSet4.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: an allowSet is used with constant strings + if(badAllowSet5.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + // BAD: the allowSet is in a non-final field + if(badAllowSet6.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + + private void testNonStaticFields(String[] args) throws IOException, SQLException { + String tainted = args[0]; + // BAD: the allowSet is in a non-static field + if(badAllowSet7.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + + private static void testLocal(String[] args) throws IOException, SQLException { + String tainted = args[1]; + // GOOD: an allowSet is used with constant strings + { + Set allowSet = Set.of("allowed1", "allowed2", "allowed3"); + if(allowSet.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowSet 
is used but one of the entries is not a compile-time constant + { + Set allowSet = Set.of("allowed1", "allowed2", args[2]); + if(allowSet.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowSet is used with constant strings + { + String[] allowedArray = {"allowed1", "allowed2", "allowed3"}; + Set allowSet = Set.of(allowedArray); + if(allowSet.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowSet is used but one of the entries is not a compile-time constant + { + String[] allowedArray = {"allowed1", "allowed2", args[2]}; + Set allowSet = Set.of(allowedArray); + if(allowSet.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowlist is used with constant strings + { + Set allowlist = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("allowed1"))); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + Set allowlist = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("allowed1", "allowed2", args[2]))); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowlist is used with constant strings + { + String[] 
allowedArray = {"allowed1", "allowed2", "allowed3"}; + Set allowlist = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(allowedArray))); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowlist is used but one of the entries is not a compile-time constant + { + String[] allowedArray = {"allowed1", "allowed2", args[2]}; + Set allowlist = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(allowedArray))); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // GOOD: an allowSet is used with constant string + { + Set allowSet = new HashSet(); + allowSet.add("allowed1"); + allowSet.add("allowed2"); + allowSet.add("allowed3"); + if(allowSet.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + // BAD: an allowSet is used but one of the entries is not a compile-time constant + { + Set allowSet = new HashSet(); + allowSet.add("allowed1"); + allowSet.add(getNonConstantString()); + allowSet.add("allowed3"); + if(allowSet.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + +} diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected index 05bdd993a16d..8005ae8b4951 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected 
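Review bot: The comments on the `badAllowSet1`–`badAllowSet5` cases in `testStaticFields` all read `// BAD: an allowSet is used with constant strings`, which is the GOOD-case wording and does not say why each case is expected to be flagged; they should name the reason, e.g. `// BAD: one of the entries is not a compile-time constant` for `badAllowSet1`–`badAllowSet4` and `// BAD: the allowSet field is a mutable HashSet that is never wrapped as unmodifiable` for `badAllowSet5` (presumably that is the distinguishing property, since the same `new HashSet()` plus `add` pattern is marked GOOD as a local in `testLocal`). The `.expected` files later in the patch are what actually pin the verdicts, so these comments are the only place a reader learns the intended sanitizer rule, and a mislabelled case makes a future regression hard to triage. Separately, the field declarations use raw `Set`/`HashSet` while the local cases use `new HashSet<>(...)`; if the raw types are deliberate (to exercise the sanitizer on unparameterized collections, as the sibling `AllowListSanitizerWithJavaUtilList` file also does), a one-line comment saying so would stop a later cleanup from silently changing what is tested. The unused imports `java.util.List`, `java.sql.PreparedStatement` and `java.sql.Statement` could also be dropped.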
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected 
@@ -1,24 +1,45 @@
-| AllowListSanitizer.java:59:66:59:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:58:8:58:14 | tainted | this expression |
-| AllowListSanitizer.java:65:66:65:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:64:8:64:14 | tainted | this expression |
-| AllowListSanitizer.java:71:66:71:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:70:8:70:14 | tainted | this expression |
-| AllowListSanitizer.java:77:66:77:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:76:8:76:14 | tainted | this expression |
-| AllowListSanitizer.java:83:66:83:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:82:8:82:14 | tainted | this expression |
-| AllowListSanitizer.java:89:66:89:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:88:8:88:14 | tainted | this expression |
-| AllowListSanitizer.java:95:66:95:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:94:8:94:14 | tainted | this expression |
-| AllowListSanitizer.java:101:66:101:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:100:8:100:14 | tainted | this expression |
-| AllowListSanitizer.java:107:66:107:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:106:8:106:14 | tainted | this expression |
-| AllowListSanitizer.java:113:66:113:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:112:8:112:14 | tainted | this expression |
-| AllowListSanitizer.java:123:66:123:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:122:8:122:14 | tainted | this expression |
-| AllowListSanitizer.java:135:67:135:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:134:9:134:15 | tainted | this expression |
-| AllowListSanitizer.java:144:67:144:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:143:9:143:15 | tainted | this expression |
-| AllowListSanitizer.java:154:67:154:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:153:9:153:15 | tainted | this expression |
-| AllowListSanitizer.java:164:67:164:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:163:9:163:15 | tainted | this expression |
-| AllowListSanitizer.java:173:67:173:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:172:9:172:15 | tainted | this expression |
-| AllowListSanitizer.java:182:67:182:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:181:9:181:15 | tainted | this expression |
-| AllowListSanitizer.java:192:67:192:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:191:9:191:15 | tainted | this expression |
-| AllowListSanitizer.java:202:67:202:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:201:9:201:15 | tainted | this expression |
-| AllowListSanitizer.java:214:67:214:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:213:9:213:15 | tainted | this expression |
-| AllowListSanitizer.java:226:67:226:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizer.java:225:9:225:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:59:66:59:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:58:8:58:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:65:66:65:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:64:8:64:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:71:66:71:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:70:8:70:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:77:66:77:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:76:8:76:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:82:8:82:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:88:8:88:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:94:8:94:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:100:8:100:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:106:8:106:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:112:8:112:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:122:8:122:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:135:67:135:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:134:9:134:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:143:9:143:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:154:67:154:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:153:9:153:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:163:9:163:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:173:67:173:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:172:9:172:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:181:9:181:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:192:67:192:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:191:9:191:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:201:9:201:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:214:67:214:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:213:9:213:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:225:9:225:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:59:8:59:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:65:8:65:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:71:8:71:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:77:8:77:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:83:8:83:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:89:8:89:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:95:8:95:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:101:8:101:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:107:8:107:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:113:8:113:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:123:8:123:14 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:135:9:135:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:144:9:144:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:154:9:154:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:164:9:164:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:173:9:173:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:182:9:182:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:192:9:192:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:202:9:202:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:214:9:214:15 | tainted | this expression |
+| AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:226:9:226:15 | tainted | this expression |
| Test.java:36:47:36:52 | query1 | Query built by concatenation with $@, which may be untrusted. | Test.java:35:8:35:15 | category | this expression |
| Test.java:42:57:42:62 | query2 | Query built by concatenation with $@, which may be untrusted. | Test.java:41:51:41:52 | id | this expression |
| Test.java:50:62:50:67 | query3 | Query built by concatenation with $@, which may be untrusted. | Test.java:49:8:49:15 | category | this expression |
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected index b5dbf4b2898e..9c828fbc38e7 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected 
@@ -1,16 +1,37 @@ #select -| AllowListSanitizer.java:83:66:83:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:83:66:83:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:89:66:89:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:89:66:89:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:95:66:95:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:95:66:95:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:101:66:101:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:101:66:101:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:107:66:107:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:107:66:107:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:113:66:113:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:113:66:113:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:123:66:123:70 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:123:66:123:70 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:144:67:144:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:144:67:144:71 | query | This query depends on a $@. 
| AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:164:67:164:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:164:67:164:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:182:67:182:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:182:67:182:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:202:67:202:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:202:67:202:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizer.java:226:67:226:71 | query | AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:226:67:226:71 | query | This query depends on a $@. | AllowListSanitizer.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | Mongo.java:17:45:17:67 | parse(...) 
| Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | 
@@ -22,24 +43,51 @@ | Test.java:209:47:209:68 | queryWithUserTableName | Test.java:227:26:227:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | | Test.java:221:81:221:111 | ... + ... | Test.java:227:26:227:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | edges -| AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:47:20:47:23 | args : String[] | provenance | | -| AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:48:13:48:16 | args : String[] | provenance | | -| AllowListSanitizer.java:45:26:45:38 | args : String[] | AllowListSanitizer.java:50:25:50:28 | args : String[] | provenance | | -| AllowListSanitizer.java:47:20:47:23 | args : String[] | AllowListSanitizer.java:53:39:53:51 | args : String[] | provenance | | -| AllowListSanitizer.java:48:13:48:16 | args : String[] | AllowListSanitizer.java:127:32:127:44 | args : String[] | provenance | | -| AllowListSanitizer.java:50:25:50:28 | args : String[] | AllowListSanitizer.java:117:35:117:47 | args : String[] | provenance | | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:83:66:83:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:89:66:89:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:95:66:95:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:101:66:101:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | AllowListSanitizer.java:107:66:107:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | 
AllowListSanitizer.java:113:66:113:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:117:35:117:47 | args : String[] | AllowListSanitizer.java:123:66:123:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:144:67:144:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:164:67:164:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:182:67:182:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:202:67:202:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizer.java:127:32:127:44 | args : String[] | AllowListSanitizer.java:226:67:226:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:47:20:47:23 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:48:13:48:16 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:50:25:50:28 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:47:20:47:23 | args : String[] | AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:48:13:48:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:50:25:50:28 | args : String[] | AllowListSanitizerWithJavaUtilList.java:117:35:117:47 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | 
provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:117:35:117:47 | args : String[] | AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | 
provenance | | +| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 
| args : String[] | AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | 
AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | provenance | Sink:MaD:6 | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance | | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | provenance | | | Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) | provenance | Config | 
@@ -70,25 +118,53 @@ models | 6 | Sink: java.sql; Statement; true; executeQuery; ; ; Argument[0]; sql-injection; manual | | 7 | Sink: java.sql; Statement; true; executeUpdate; ; ; Argument[0]; sql-injection; manual | nodes -| AllowListSanitizer.java:45:26:45:38 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:47:20:47:23 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:48:13:48:16 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:50:25:50:28 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:53:39:53:51 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:83:66:83:70 | query | semmle.label | query | -| AllowListSanitizer.java:89:66:89:70 | query | semmle.label | query | -| AllowListSanitizer.java:95:66:95:70 | query | semmle.label | query | -| AllowListSanitizer.java:101:66:101:70 | query | semmle.label | query | -| AllowListSanitizer.java:107:66:107:70 | query | semmle.label | query | -| AllowListSanitizer.java:113:66:113:70 | query | semmle.label | query | -| AllowListSanitizer.java:117:35:117:47 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:123:66:123:70 | query | semmle.label | query | -| AllowListSanitizer.java:127:32:127:44 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizer.java:144:67:144:71 | query | semmle.label | query | -| AllowListSanitizer.java:164:67:164:71 | query | semmle.label | query | -| AllowListSanitizer.java:182:67:182:71 | query | semmle.label | query | -| AllowListSanitizer.java:202:67:202:71 | query | semmle.label | query | -| AllowListSanitizer.java:226:67:226:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:47:20:47:23 | args : String[] | semmle.label | args : String[] | +| 
AllowListSanitizerWithJavaUtilList.java:48:13:48:16 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:50:25:50:28 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:117:35:117:47 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : 
String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | semmle.label | query | +| 
AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | semmle.label | query | | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] | | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) | | Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String | From bebf594283b3f6fec16c2a43a7be13e0386e4e7c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 3 Oct 2024 21:37:46 +0100 Subject: [PATCH 04/14] Add list of constants sanitizer for java.util.Set --- .../dataflow/ListOfConstantsSanitizer.qll | 134 ++++++++++++------ .../semmle/examples/SqlTainted.expected | 27 ---- 2 files changed, 91 insertions(+), 70 deletions(-) diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll index 60a23233ab0a..15eb1aa675f9 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll 
@@ -63,53 +63,82 @@ predicate methodCallHasConstantArguments(MethodCall mc) { ) } -/** Classes for `java.util.List`. */ -module JavaUtilList { - private class JavaUtilListContainsCall extends MethodCall { - JavaUtilListContainsCall() { +class CollectionClass extends string { + CollectionClass() { this = ["List", "Set"] } +} + +/** Classes for `java.util.List` and `java.util.Set`. */ +module Collection { + private class CollectionContainsCall extends MethodCall { + CollectionClass collectionClass; + + /** Gets whether the collection is a "List" or a "Set". */ + CollectionClass getCollectionClass() { result = collectionClass } + + CollectionContainsCall() { exists(Method m | this.getMethod() = m and m.hasName("contains") and - m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "List") + m.getDeclaringType() + .getSourceDeclaration() + .getASourceSupertype*() + .hasQualifiedName("java.util", collectionClass) ) } } private class NonConstantElementAddition extends Expr { + CollectionClass collectionClass; + + /** Gets whether the collection is a "List" or a "Set". */ + CollectionClass getCollectionClass() { result = collectionClass } + NonConstantElementAddition() { exists(Method m, RefType t, MethodCall mc | this = mc.getQualifier() and mc.getMethod() = m and t = m.getDeclaringType().getSourceDeclaration().getASourceSupertype*() | + collectionClass = "List" and t.hasQualifiedName("java.util", "List") and m.getName() = ["add", "addFirst", "addLast"] and not mc.getArgument(m.getNumberOfParameters() - 1).isCompileTimeConstant() or + collectionClass = "Set" and + t.hasQualifiedName("java.util", "Set") and + m.getName() = ["add"] and + not mc.getArgument(0).isCompileTimeConstant() + or // If a whole collection is added then we don't try to track if it contains // only compile-time constants, and conservatively assume that it does. 
- t.hasQualifiedName("java.util", ["Collection", "List"]) and m.getName() = "addAll" + t.hasQualifiedName("java.util", "Collection") and + m.getName() = "addAll" ) } } - private predicate javaUtilListOfConstantsLocalFlowTo(Expr e) { - exists(JavaUtilListOfConstants loc | DataFlow::localExprFlow(loc, e) | + private predicate collectionOfConstantsLocalFlowTo(CollectionClass collectionClass, Expr e) { + exists(CollectionOfConstants loc | + loc.getCollectionClass() = collectionClass and DataFlow::localExprFlow(loc, e) + | loc.isImmutable() or not DataFlow::localExprFlow(any(NonConstantElementAddition ncea), e) ) } - private predicate javaUtilListOfConstantsFlowsTo(Expr e) { - javaUtilListOfConstantsLocalFlowTo(e) + private predicate collectionOfConstantsFlowsTo(CollectionClass collectionClass, Expr e) { + collectionOfConstantsLocalFlowTo(collectionClass, e) or // Access a static final field to get an immutable list of constants. exists(Field f | f.isStatic() and f.isFinal() and forall(Expr v | v = f.getInitializer() or v = f.getAnAccess().(FieldWrite).getASource() | - v = any(JavaUtilListOfConstants loc | loc.isImmutable()) + v = + any(CollectionOfConstants loc | + loc.getCollectionClass() = collectionClass and loc.isImmutable() + ) ) | DataFlow::localExprFlow(f.getAnAccess(), e) @@ -120,13 +149,13 @@ module JavaUtilList { * An invocation of `java.util.List.contains` where the qualifier contains only * compile-time constants. */ - private class JavaUtilListOfConstantsContains extends ListOfConstantsComparison { - JavaUtilListOfConstantsContains() { - exists(JavaUtilListContainsCall mc | + private class CollectionOfConstantsContains extends ListOfConstantsComparison { + CollectionOfConstantsContains() { + exists(CollectionContainsCall mc | this = mc and e = mc.getArgument(0) and outcome = true and - javaUtilListOfConstantsFlowsTo(mc.getQualifier()) + collectionOfConstantsFlowsTo(mc.getCollectionClass(), mc.getQualifier()) ) } } 
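Review bot: The comment above the `addAll` disjunct of `NonConstantElementAddition` says the opposite of what the code does: `addAll` is classified as a non-constant element addition, i.e. the added collection is conservatively assumed to possibly hold non-constants (the right choice for a sanitizer), whereas the comment ends with "and conservatively assume that it does", which reads as assuming the collection does contain only compile-time constants. Suggest `// If a whole collection is added we do not try to track whether it holds only` / `// compile-time constants, and conservatively assume that it may not.` Unlike the `add` branches, that disjunct leaves `collectionClass` unconstrained, so it applies to both List and Set qualifiers; a short comment saying that this is deliberate would help the next reader. The enclosing `module Collection` continues beyond this hunk.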
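Review bot: The QLDoc on `CollectionOfConstantsContains` still reads "An invocation of java.util.List.contains" although the class now matches `Set.contains` as well through `CollectionContainsCall`; suggest "An invocation of java.util.List.contains or java.util.Set.contains where the qualifier contains only compile-time constants." The same List-only wording remains on the renamed classes in hunks `@@ -134,28 +163,37 @@` ("An instance of java.util.List", "empty mutable list"), `@@ -163,17 +201,17 @@` ("non-empty mutable list") and `@@ -207,12 +249,14 @@` ("An invocation of java.util.List.of ... immutable list"); "collection" or "list/set" would be accurate in each. Since these classes are the documented extension points of the sanitizer, stale docs here are likely to mislead anyone adding a third collection type.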
@@ -134,28 +163,37 @@ module JavaUtilList { /** * An instance of `java.util.List` which contains only compile-time constants. */ - abstract class JavaUtilListOfConstants extends Call { + abstract class CollectionOfConstants extends Call { + CollectionClass collectionClass; + + /** Gets whether the collection is a "List" or a "Set". */ + CollectionClass getCollectionClass() { result = collectionClass } + /** Holds if this list of constants is immutable. */ abstract predicate isImmutable(); } /** - * A invocation of a constructor of a type that extends `java.util.List` - * which constructs an empty mutable list. + * A invocation of a constructor of a type that extends `java.util.List` or + * `java.util.Set` which constructs an empty mutable list. */ - private class JavaUtilListOfConstantsEmptyConstructor extends ClassInstanceExpr, - JavaUtilListOfConstants + private class CollectionOfConstantsEmptyConstructor extends ClassInstanceExpr, + CollectionOfConstants { - JavaUtilListOfConstantsEmptyConstructor() { + CollectionOfConstantsEmptyConstructor() { this.getConstructedType() .getSourceDeclaration() .getASourceSupertype*() - .hasQualifiedName("java.util", "List") and + .hasQualifiedName("java.util", collectionClass) and exists(Constructor c | c = this.getConstructor() | c.hasNoParameters() or c.getNumberOfParameters() = 1 and c.getParameter(0).getType().(PrimitiveType).hasName("int") + or + c.getNumberOfParameters() = 2 and + c.getParameter(0).getType().(PrimitiveType).hasName("int") and + c.getParameter(0).getType().(PrimitiveType).hasName("float") ) } 
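Review bot: The new two-parameter branch of `CollectionOfConstantsEmptyConstructor` tests `c.getParameter(0)` twice, once for `int` and once for `float`, so it can never hold and constructors of the `(int initialCapacity, float loadFactor)` shape are never recognised as empty constructors; such sets are then not treated as collections of constants (a missed sanitizer, i.e. a false positive rather than a missed alert). The second check should read `c.getParameter(1).getType().(PrimitiveType).hasName("float")`. The updated QLDoc says the class "constructs an empty mutable list" although it now also covers `java.util.Set`; "empty mutable collection" would be accurate. The class body and its `isImmutable` override continue in the next hunk.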
@@ -163,17 +201,17 @@ module JavaUtilList { } /** - * A invocation of a constructor of a type that extends `java.util.List` - * which constructs an empty mutable list. + * A invocation of a constructor of a type that extends `java.util.List` or + * `java.util.Set` which constructs a non-empty mutable list. */ - private class JavaUtilListOfConstantsNonEmptyConstructor extends ClassInstanceExpr, - JavaUtilListOfConstants + private class CollectionOfConstantsNonEmptyConstructor extends ClassInstanceExpr, + CollectionOfConstants { - JavaUtilListOfConstantsNonEmptyConstructor() { + CollectionOfConstantsNonEmptyConstructor() { this.getConstructedType() .getSourceDeclaration() .getASourceSupertype*() - .hasQualifiedName("java.util", "List") and + .hasQualifiedName("java.util", collectionClass) and exists(Constructor c | c = this.getConstructor() | c.getNumberOfParameters() = 1 and c.getParameter(0) @@ -182,7 +220,7 @@ module JavaUtilList { .getASourceSupertype*() .hasQualifiedName("java.util", "Collection") ) and - javaUtilListOfConstantsFlowsTo(this.getArgument(0)) + collectionOfConstantsFlowsTo(_, this.getArgument(0)) } override predicate isImmutable() { none() } @@ -191,11 +229,15 @@ module JavaUtilList { /** * A invocation of `java.util.Arrays.asList` which constructs a mutable list. */ - private class JavaUtilArraysAsList extends MethodCall, JavaUtilListOfConstants { + private class JavaUtilArraysAsList extends MethodCall, CollectionOfConstants { JavaUtilArraysAsList() { + collectionClass = "List" and exists(Method m | this.getMethod() = m | m.hasName("asList") and - m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Arrays") + m.getDeclaringType() + .getSourceDeclaration() + .getASourceSupertype*() + .hasQualifiedName("java.util", "Arrays") ) and methodCallHasConstantArguments(this) } 
@@ -207,12 +249,14 @@ module JavaUtilList { * An invocation of `java.util.List.of` which constructs an immutable list * which contains only compile-time constants. */ - private class JavaUtilListOfConstantsCreatedWithListOf extends MethodCall, JavaUtilListOfConstants - { - JavaUtilListOfConstantsCreatedWithListOf() { + private class CollectionOfConstantsCreatedWithOf extends MethodCall, CollectionOfConstants { + CollectionOfConstantsCreatedWithOf() { exists(Method m | this.getMethod() = m | m.hasName("of") and - m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "List") + m.getDeclaringType() + .getSourceDeclaration() + .getASourceSupertype*() + .hasQualifiedName("java.util", collectionClass) ) and methodCallHasConstantArguments(this) } 
@@ -221,19 +265,23 @@ module JavaUtilList { } /** - * An invocation of `java.util.Collections.unmodifiableList` which constructs an immutable list - * which contains only compile-time constants. + * An invocation of `java.util.Collections.unmodifiableList` or + * `java.util.Collections.unmodifiableSet` which constructs an immutable + * list/set which contains only compile-time constants. */ - private class JavaUtilListOfConstantsCreatedWithCollectionsUnmodifiableList extends MethodCall, - JavaUtilListOfConstants + private class CollectionOfConstantsCreatedWithCollectionsUnmodifiableList extends MethodCall, + CollectionOfConstants { - JavaUtilListOfConstantsCreatedWithCollectionsUnmodifiableList() { + CollectionOfConstantsCreatedWithCollectionsUnmodifiableList() { exists(Method m | - m.hasName("unmodifiableList") and - m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "Collections") and + m.hasName("unmodifiable" + collectionClass) and + m.getDeclaringType() + .getSourceDeclaration() + .getASourceSupertype*() + .hasQualifiedName("java.util", "Collections") and this.getMethod() = m | - javaUtilListOfConstantsFlowsTo(this.getArgument(0)) + collectionOfConstantsFlowsTo(collectionClass, this.getArgument(0)) ) } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected index 9c828fbc38e7..be04e0ae5a93 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected 
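Review bot: `CollectionOfConstantsCreatedWithCollectionsUnmodifiableList` now matches `Collections.unmodifiableSet` as well, via `m.hasName("unmodifiable" + collectionClass)`, so the `List` suffix in the class name is misleading; `CollectionOfConstantsCreatedWithCollectionsUnmodifiable` would match the updated QLDoc. The class is private to the module, so the rename has no external effect. Its `isImmutable` override appears to lie outside the hunk.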
@@ -11,10 +11,6 @@ | AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | 
@@ -22,15 +18,10 @@ | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | 
@@ -67,10 +58,6 @@ edges | AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | provenance | Sink:MaD:6 | 
@@ -78,15 +65,10 @@ edges | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | provenance | Sink:MaD:6 | | 
AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | provenance | Sink:MaD:6 | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance | | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | provenance | | @@ -142,10 +124,6 @@ nodes | AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | semmle.label | query | 
@@ -155,15 +133,10 @@ nodes | AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | semmle.label | query | | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] | | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) | From cbab9a71062d0a7de3488005d8d82626cabb14c1 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 4 Oct 2024 15:43:47 +0100 Subject: [PATCH 05/14] Improve local flow logic --- .../dataflow/ListOfConstantsSanitizer.qll | 137 ++++++++--- .../AllowListSanitizerWithJavaUtilList.java | 54 +++++ .../AllowListSanitizerWithJavaUtilSet.java | 188 +++++++++------ .../semmle/examples/SqlConcatenated.expected | 92 ++++---- .../semmle/examples/SqlTainted.expected | 214 ++++++++++-------- 5 files changed, 448 insertions(+), 237 deletions(-) 
diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll index 15eb1aa675f9..c0778ce8c573 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll @@ -63,6 +63,7 @@ predicate methodCallHasConstantArguments(MethodCall mc) { ) } +/** The name of a class implementing `java.util.Collection`. */ class CollectionClass extends string { CollectionClass() { this = ["List", "Set"] } } 
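Review bot: The new QLDoc on `CollectionClass` says "The name of a class implementing java.util.Collection", but the two values it admits, `List` and `Set`, are the names of interfaces that extend `java.util.Collection`, not classes implementing it. Suggest `/** The simple name of a java.util collection interface ("List" or "Set") whose contents this library tracks. */`. Naming the accepted values in the doc also tells a reader where to extend when another collection type is added.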
@@ -87,64 +88,127 @@ module Collection { } } - private class NonConstantElementAddition extends Expr { + /** A call where a collection of constants of class `collectionClass` can be in */ + abstract class SafeCall extends Call { + int arg; CollectionClass collectionClass; + SafeCall() { + arg = -1 and exists(this.getQualifier()) + or + exists(this.getArgument(arg)) + } + /** Gets whether the collection is a "List" or a "Set". */ CollectionClass getCollectionClass() { result = collectionClass } - NonConstantElementAddition() { - exists(Method m, RefType t, MethodCall mc | - this = mc.getQualifier() and - mc.getMethod() = m and + /** Gets the argument index, or -1 for the qualifier. */ + int getArg() { result = arg } + } + + private class AddConstantElement extends SafeCall, MethodCall { + AddConstantElement() { + arg = -1 and + exists(Method m, RefType t | + this.getMethod() = m and t = m.getDeclaringType().getSourceDeclaration().getASourceSupertype*() | collectionClass = "List" and t.hasQualifiedName("java.util", "List") and m.getName() = ["add", "addFirst", "addLast"] and - not mc.getArgument(m.getNumberOfParameters() - 1).isCompileTimeConstant() + this.getArgument(m.getNumberOfParameters() - 1).isCompileTimeConstant() or collectionClass = "Set" and t.hasQualifiedName("java.util", "Set") and m.getName() = ["add"] and - not mc.getArgument(0).isCompileTimeConstant() - or - // If a whole collection is added then we don't try to track if it contains - // only compile-time constants, and conservatively assume that it does. 
- t.hasQualifiedName("java.util", "Collection") and - m.getName() = "addAll" + this.getArgument(0).isCompileTimeConstant() ) } } - private predicate collectionOfConstantsLocalFlowTo(CollectionClass collectionClass, Expr e) { - exists(CollectionOfConstants loc | - loc.getCollectionClass() = collectionClass and DataFlow::localExprFlow(loc, e) - | - loc.isImmutable() - or - not DataFlow::localExprFlow(any(NonConstantElementAddition ncea), e) - ) + private class UnmodifiableCollection extends SafeCall, MethodCall { + UnmodifiableCollection() { + arg = 0 and + exists(Method m | + this.getMethod() = m and + m.hasName("unmodifiable" + collectionClass) and + m.getDeclaringType() + .getSourceDeclaration() + .getASourceSupertype*() + .hasQualifiedName("java.util", "Collections") + ) + } + } + + // Expr foo(Expr q, string s) { + // q = any(CollectionContainsCall ccc).getQualifier() and + // result = getALocalExprFlowRoot(q) and + // ( + // if exists(Field f | DataFlow::localExprFlow(f.getAnAccess(), result)) + // then + // exists(Field f | DataFlow::localExprFlow(f.getAnAccess(), result) | + // f.isStatic() and + // f.isFinal() and + // s = "static final field" + // or + // not ( + // f.isStatic() and + // f.isFinal() + // ) and + // s = "field read" + // ) + // else + // if result = any(MethodCall mc) + // then s = "method call" + // else + // if result = any(ConstructorCall cc) + // then s = "constructor call" + // else + // if result = any(Call cc) + // then s = "other call" + // else s = "something else" + // ) + // } + Expr getALocalExprFlowRoot(Expr e) { + DataFlow::localExprFlow(result, e) and + not exists(Expr e2 | e2 != result | DataFlow::localExprFlow(e2, result)) } - private predicate collectionOfConstantsFlowsTo(CollectionClass collectionClass, Expr e) { - collectionOfConstantsLocalFlowTo(collectionClass, e) - or - // Access a static final field to get an immutable list of constants. 
- exists(Field f | - f.isStatic() and - f.isFinal() and - forall(Expr v | v = f.getInitializer() or v = f.getAnAccess().(FieldWrite).getASource() | - v = - any(CollectionOfConstants loc | - loc.getCollectionClass() = collectionClass and loc.isImmutable() - ) + private predicate noUnsafeCalls(Expr e) { + forall(MethodCall mc, int arg, Expr x | + DataFlow::localExprFlow(x, e) and + ( + arg = -1 and x = mc.getQualifier() + or + x = mc.getArgument(arg) ) | - DataFlow::localExprFlow(f.getAnAccess(), e) + x = e or arg = mc.(SafeCall).getArg() ) } + private predicate collectionOfConstantsFlowsTo(Expr e) { + forex(Expr r | r = getALocalExprFlowRoot(e) | + r instanceof CollectionOfConstants + or + // Access a static final field to get an immutable list of constants. + exists(Field f | r = f.getAnAccess() | + f.isStatic() and + f.isFinal() and + forall(Expr v | v = f.getInitializer() | + v = any(CollectionOfConstants loc | loc.isImmutable()) + ) and + forall(Expr fieldSource | fieldSource = f.getAnAccess().(FieldWrite).getASource() | + forall(Expr root | root = getALocalExprFlowRoot(fieldSource) | + root.(CollectionOfConstants).isImmutable() + ) and + noUnsafeCalls(fieldSource) + ) + ) + ) and + noUnsafeCalls(e) + } + /** * An invocation of `java.util.List.contains` where the qualifier contains only * compile-time constants. @@ -155,7 +219,7 @@ module Collection { this = mc and e = mc.getArgument(0) and outcome = true and - collectionOfConstantsFlowsTo(mc.getCollectionClass(), mc.getQualifier()) + collectionOfConstantsFlowsTo(mc.getQualifier()) ) } } @@ -220,7 +284,8 @@ module Collection { .getASourceSupertype*() .hasQualifiedName("java.util", "Collection") ) and - collectionOfConstantsFlowsTo(_, this.getArgument(0)) + // Any collection can be used in the non-empty constructor. + collectionOfConstantsFlowsTo(this.getArgument(0)) } override predicate isImmutable() { none() } 
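Review bot: The commented-out `Expr foo(Expr q, string s)` block above `getALocalExprFlowRoot` is debugging scaffolding and should be deleted rather than committed. `getALocalExprFlowRoot` is the only non-private member this hunk adds to `module Collection`; unless it is meant to be library API it should be `private Expr getALocalExprFlowRoot(Expr e)` with a QLDoc such as "Gets an expression with no local-flow predecessor from which e is reachable by local data flow." The QLDoc on `SafeCall` is an unfinished sentence; something like "A call in which a collection of constants may appear, as the qualifier (arg = -1) or as argument arg, without losing the guarantee that it holds only compile-time constants" states the contract. `noUnsafeCalls` only inspects `MethodCall` uses of the flowing value, so a collection that escapes another way (stored into a non-final field, captured by a lambda, returned) and is mutated elsewhere would, if I read the local-flow predicates correctly, still be accepted as a collection of constants; a comment recording this as an accepted soundness boundary, or a check that the value is not the source of a `FieldWrite`, would make the sanitizer's limits explicit. The enclosing `module Collection` continues outside the hunk.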
@@ -281,7 +346,7 @@ module Collection { .hasQualifiedName("java.util", "Collections") and this.getMethod() = m | - collectionOfConstantsFlowsTo(collectionClass, this.getArgument(0)) + collectionOfConstantsFlowsTo(this.getArgument(0)) ) } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java index 65bbd9e9fdd8..4f4c551dfd1a 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java @@ -11,7 +11,9 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; +import java.util.HashSet; import java.util.List; +import java.util.Set; class AllowListSanitizerWithJavaUtilList { public static Connection connection; @@ -48,6 +50,7 @@ public static void main(String[] args) throws IOException, SQLException { testLocal(args); var x = new AllowListSanitizerWithJavaUtilList(); x.testNonStaticFields(args); + testMultipleSources(args); } private static void testStaticFields(String[] args) throws IOException, SQLException { 
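Review bot: The added `import java.util.HashSet;` and `import java.util.Set;` in `AllowListSanitizerWithJavaUtilList.java` do not appear to be used: the only other additions to this file in the commit are the `testMultipleSources(args);` call and the `@@ -226,6 +229,57 @@` hunk, which use `List` and `ArrayList` only, and the file compiled without these imports before. If no use exists elsewhere, drop both lines so the List test file stays focused on `java.util.List`.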
@@ -226,6 +229,57 @@ private static void testLocal(String[] args) throws IOException, SQLException { ResultSet results = connection.createStatement().executeQuery(query); } } + // BAD: an allowlist is used but it may contain a non-compile-time constant element + { + List allowlist = new ArrayList(); + allowlist.add("allowed1"); + possiblyMutate(allowlist); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + + private static void testMultipleSources(String[] args) throws IOException, SQLException { + String tainted = args[1]; + boolean b = args[2] == "True"; + { + // BAD: an allowlist is used which might contain constant strings + List allowlist = new ArrayList(); + allowlist.add("allowed1"); + if (b) { + allowlist.add(getNonConstantString()); + } + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + { + // BAD: an allowlist is used which might contain constant strings + List allowlist = b ? goodAllowList1 : badAllowList1; + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + { + // BAD: an allowlist is used which might contain constant strings + List allowlist = b ? goodAllowList1 : List.of("allowed1", "allowed2", args[2]);; + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + + private static void possiblyMutate(List list) { + list.add(getNonConstantString()); } } 
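Review bot: The new cases cover mutation through `possiblyMutate` and branch-dependent sources, but none exercise the view semantics of `Collections.unmodifiableList`: the backing list can be mutated after wrapping and the wrapper's `contains` sees the new element, so a case like the one below belongs in `testLocal` next to the `possiblyMutate` case. Separately, the three comments `// BAD: an allowlist is used which might contain constant strings` say the opposite of what makes those cases bad — `// BAD: the allowlist might contain a non-constant string` — and `boolean b = args[2] == "True";` compares strings by reference (`"True".equals(args[2])` reads as intended and should not change the flow results), plus there is a stray `;;` after `List.of("allowed1", "allowed2", args[2])`. `testLocal` starts before this hunk.
```java
    // BAD: Collections.unmodifiableList returns a view; the backing list is mutated after wrapping
    {
      List backing = new ArrayList();
      backing.add("allowed1");
      List allowlist = Collections.unmodifiableList(backing);
      backing.add(getNonConstantString());
      if(allowlist.contains(tainted)){
        String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
            + tainted + "' ORDER BY PRICE";
        ResultSet results = connection.createStatement().executeQuery(query);
      }
    }
    // … unchanged: remaining testLocal cases, testMultipleSources, possiblyMutate …
```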
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java index 2e4887320a1f..9c252620c31a 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java 
@@ -16,27 +16,27 @@ class AllowListSanitizerWithJavaUtilSet { public static Connection connection; - public static final Set goodAllowSet1 = Set.of("allowed1", "allowed2", "allowed3"); - public static final Set goodAllowSet2 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1","allowed2"))); - public static final Set goodAllowSet3; - public static final Set goodAllowSet4; - public static final Set badAllowSet1 = Set.of("allowed1", "allowed2", getNonConstantString()); - public static final Set badAllowSet2 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", getNonConstantString()))); - public static final Set badAllowSet3; - public static final Set badAllowSet4; - public static final Set badAllowSet5; - public static Set badAllowSet6 = Set.of("allowed1", "allowed2", "allowed3"); - public final Set badAllowSet7 = Set.of("allowed1", "allowed2", "allowed3"); + public static final Set goodAllowList1 = Set.of("allowed1", "allowed2", "allowed3"); + public static final Set goodAllowList2 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1","allowed2"))); + public static final Set goodAllowList3; + public static final Set goodAllowList4; + public static final Set badAllowList1 = Set.of("allowed1", "allowed2", getNonConstantString()); + public static final Set badAllowList2 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", getNonConstantString()))); + public static final Set badAllowList3; + public static final Set badAllowList4; + public static final Set badAllowList5; + public static Set badAllowList6 = Set.of("allowed1", "allowed2", "allowed3"); + public final Set badAllowList7 = Set.of("allowed1", "allowed2", "allowed3"); static { - goodAllowSet3 = Set.of("allowed1", "allowed2", "allowed3"); - goodAllowSet4 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", "allowed2"))); - badAllowSet3 = Set.of(getNonConstantString(), "allowed2", "allowed3"); - badAllowSet4 = Collections.unmodifiableSet(new 
HashSet(Arrays.asList("allowed1", getNonConstantString()))); - badAllowSet5 = new HashSet(); - badAllowSet5.add("allowed1"); - badAllowSet5.add("allowed2"); - badAllowSet5.add("allowed3"); + goodAllowList3 = Set.of("allowed1", "allowed2", "allowed3"); + goodAllowList4 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", "allowed2"))); + badAllowList3 = Set.of(getNonConstantString(), "allowed2", "allowed3"); + badAllowList4 = Collections.unmodifiableSet(new HashSet(Arrays.asList("allowed1", getNonConstantString()))); + badAllowList5 = new HashSet(); + badAllowList5.add("allowed1"); + badAllowList5.add("allowed2"); + badAllowList5.add("allowed3"); } public static String getNonConstantString() { 
@@ -44,71 +44,72 @@ public static String getNonConstantString() { } public static void main(String[] args) throws IOException, SQLException { - badAllowSet6 = Set.of("allowed1", getNonConstantString(), "allowed3"); + badAllowList6 = Set.of("allowed1", getNonConstantString(), "allowed3"); testStaticFields(args); testLocal(args); var x = new AllowListSanitizerWithJavaUtilSet(); x.testNonStaticFields(args); + testMultipleSources(args); } private static void testStaticFields(String[] args) throws IOException, SQLException { String tainted = args[1]; - // GOOD: an allowSet is used with constant strings - if(goodAllowSet1.contains(tainted)){ + // GOOD: an allowlist is used with constant strings + if(goodAllowList1.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // GOOD: an allowSet is used with constant strings - if(goodAllowSet2.contains(tainted)){ + // GOOD: an allowlist is used with constant strings + if(goodAllowList2.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // GOOD: an allowSet is used with constant strings - if(goodAllowSet3.contains(tainted)){ + // GOOD: an allowlist is used with constant strings + if(goodAllowList3.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // GOOD: an allowSet is used with constant strings - if(goodAllowSet4.contains(tainted)){ + // GOOD: an allowlist is used with constant strings + if(goodAllowList4.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // 
BAD: an allowSet is used with constant strings - if(badAllowSet1.contains(tainted)){ + // BAD: an allowlist is used with constant strings + if(badAllowList1.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // BAD: an allowSet is used with constant strings - if(badAllowSet2.contains(tainted)){ + // BAD: an allowlist is used with constant strings + if(badAllowList2.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // BAD: an allowSet is used with constant strings - if(badAllowSet3.contains(tainted)){ + // BAD: an allowlist is used with constant strings + if(badAllowList3.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // BAD: an allowSet is used with constant strings - if(badAllowSet4.contains(tainted)){ + // BAD: an allowlist is used with constant strings + if(badAllowList4.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // BAD: an allowSet is used with constant strings - if(badAllowSet5.contains(tainted)){ + // BAD: an allowlist is used with constant strings + if(badAllowList5.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } - // BAD: the allowSet is in a non-final field - if(badAllowSet6.contains(tainted)){ + // BAD: the allowlist is in a non-final field + if(badAllowList6.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE 
ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); @@ -116,9 +117,9 @@ private static void testStaticFields(String[] args) throws IOException, SQLExcep } private void testNonStaticFields(String[] args) throws IOException, SQLException { - String tainted = args[0]; - // BAD: the allowSet is in a non-static field - if(badAllowSet7.contains(tainted)){ + String tainted = args[1]; + // BAD: the allowlist is in a non-static field + if(badAllowList7.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); 
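Review bot: The renamed comments on the `badAllowList1`–`badAllowList5` cases still read `// BAD: an allowlist is used with constant strings`, which is the description of the GOOD cases; since fields 1–4 are initialised with `getNonConstantString()` and field 5 is a `HashSet` filled by `add` in the static initializer, they should name the actual defect, e.g. `// BAD: the allowlist contains a non-constant string` for 1–4 and `// BAD: the field holds a mutable HashSet` for 5 (presumably flagged because a mutable collection in a static field can be modified elsewhere). Renaming `Set`-typed fields to `goodAllowList*`/`badAllowList*` in the Set test file also reads oddly; if the intent is to keep line numbers identical across the two test files, a one-line comment saying so would spare the next reader the guess. `testStaticFields` continues past the end of this hunk.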
@@ -126,40 +127,40 @@ private void testNonStaticFields(String[] args) throws IOException, SQLException } private static void testLocal(String[] args) throws IOException, SQLException { - String tainted = args[1]; - // GOOD: an allowSet is used with constant strings + String tainted = args[1]; + // GOOD: an allowlist is used with constant strings { - Set allowSet = Set.of("allowed1", "allowed2", "allowed3"); - if(allowSet.contains(tainted)){ + Set allowlist = Set.of("allowed1", "allowed2", "allowed3"); + if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } } - // BAD: an allowSet is used but one of the entries is not a compile-time constant + // BAD: an allowlist is used but one of the entries is not a compile-time constant { - Set allowSet = Set.of("allowed1", "allowed2", args[2]); - if(allowSet.contains(tainted)){ + Set allowlist = Set.of("allowed1", "allowed2", args[2]); + if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } } - // GOOD: an allowSet is used with constant strings + // GOOD: an allowlist is used with constant strings { String[] allowedArray = {"allowed1", "allowed2", "allowed3"}; - Set allowSet = Set.of(allowedArray); - if(allowSet.contains(tainted)){ + Set allowlist = Set.of(allowedArray); + if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } } - // BAD: an allowSet is used but one of the entries is not a compile-time constant + // BAD: an allowlist is used but one of the entries is not a compile-time constant { String[] allowedArray = {"allowed1", "allowed2", args[2]}; - Set allowSet = 
Set.of(allowedArray); - if(allowSet.contains(tainted)){ + Set allowlist = Set.of(allowedArray); + if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); 
@@ -203,30 +204,81 @@ private static void testLocal(String[] args) throws IOException, SQLException { ResultSet results = connection.createStatement().executeQuery(query); } } - // GOOD: an allowSet is used with constant string + // GOOD: an allowlist is used with constant string { - Set allowSet = new HashSet(); - allowSet.add("allowed1"); - allowSet.add("allowed2"); - allowSet.add("allowed3"); - if(allowSet.contains(tainted)){ + Set allowlist = new HashSet(); + allowlist.add("allowed1"); + allowlist.add("allowed2"); + allowlist.add("allowed3"); + if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } } - // BAD: an allowSet is used but one of the entries is not a compile-time constant + // BAD: an allowlist is used but one of the entries is not a compile-time constant { - Set allowSet = new HashSet(); - allowSet.add("allowed1"); - allowSet.add(getNonConstantString()); - allowSet.add("allowed3"); - if(allowSet.contains(tainted)){ + Set allowlist = new HashSet(); + allowlist.add("allowed1"); + allowlist.add(getNonConstantString()); + allowlist.add("allowed3"); + if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; ResultSet results = connection.createStatement().executeQuery(query); } } + // BAD: an allowlist is used but it may contain a non-compile-time constant element + { + Set allowlist = new HashSet(); + allowlist.add("allowed1"); + possiblyMutate(allowlist); + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + + private static void testMultipleSources(String[] args) throws IOException, SQLException { + String tainted = args[1]; + boolean b = args[2] == 
"True"; + { + // BAD: an allowlist is used which might contain constant strings + Set allowlist = new HashSet(); + allowlist.add("allowed1"); + if (b) { + allowlist.add(getNonConstantString()); + } + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + { + // BAD: an allowlist is used which might contain constant strings + Set allowlist = b ? goodAllowList1 : badAllowList1; + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + { + // BAD: an allowlist is used which might contain constant strings + Set allowlist = b ? goodAllowList1 : Set.of("allowed1", "allowed2", args[2]);; + if(allowlist.contains(tainted)){ + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + + private static void possiblyMutate(Set set) { + set.add(getNonConstantString()); } } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected index 8005ae8b4951..a05b4c985a6b 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected 
@@ -1,45 +1,53 @@ -| AllowListSanitizerWithJavaUtilList.java:59:66:59:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:58:8:58:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:65:66:65:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:64:8:64:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:71:66:71:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:70:8:70:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:77:66:77:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:76:8:76:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:82:8:82:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:88:8:88:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:94:8:94:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:100:8:100:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:106:8:106:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:112:8:112:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:122:8:122:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:135:67:135:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:134:9:134:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:143:9:143:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:154:67:154:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:153:9:153:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:163:9:163:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:173:67:173:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:172:9:172:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:181:9:181:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:192:67:192:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:191:9:191:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:201:9:201:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:214:67:214:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:213:9:213:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:225:9:225:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:60:66:60:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:59:8:59:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:66:66:66:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:65:8:65:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:72:66:72:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:71:8:71:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:78:66:78:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:77:8:77:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:83:8:83:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:89:8:89:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:95:8:95:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:101:8:101:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:107:8:107:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:113:8:113:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:123:8:123:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:136:67:136:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:135:9:135:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:144:9:144:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:155:67:155:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:154:9:154:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:164:9:164:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:174:67:174:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:173:9:173:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:182:9:182:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:193:67:193:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:192:9:192:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:202:9:202:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:215:67:215:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:214:9:214:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:226:9:226:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:62:66:62:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:61:8:61:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:68:66:68:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:67:8:67:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:74:66:74:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:73:8:73:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:80:66:80:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:79:8:79:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:85:8:85:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:91:8:91:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:97:8:97:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:103:8:103:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:109:8:109:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:115:8:115:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:125:8:125:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:138:67:138:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:137:9:137:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:146:9:146:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:157:67:157:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:156:9:156:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:166:9:166:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:176:67:176:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:175:9:175:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:184:9:184:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:195:67:195:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:194:9:194:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:204:9:204:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:217:67:217:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:216:9:216:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:228:9:228:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:239:9:239:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:257:9:257:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:266:9:266:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:275:9:275:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:61:66:61:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:60:8:60:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:67:66:67:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:66:8:66:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:73:66:73:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:72:8:72:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:79:66:79:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:78:8:78:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:84:8:84:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:90:8:90:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:96:8:96:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:102:8:102:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:108:8:108:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:114:8:114:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:124:8:124:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:137:67:137:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:136:9:136:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:145:9:145:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:156:67:156:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:155:9:155:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:165:9:165:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:175:67:175:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:174:9:174:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:183:9:183:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:194:67:194:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:193:9:193:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:203:9:203:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:216:67:216:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:215:9:215:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:227:9:227:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:238:9:238:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:256:9:256:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:265:9:265:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:274:9:274:15 | tainted | this expression | | Test.java:36:47:36:52 | query1 | Query built by concatenation with $@, which may be untrusted. | Test.java:35:8:35:15 | category | this expression | | Test.java:42:57:42:62 | query2 | Query built by concatenation with $@, which may be untrusted. | Test.java:41:51:41:52 | id | this expression | | Test.java:50:62:50:67 | query3 | Query built by concatenation with $@, which may be untrusted. | Test.java:49:8:49:15 | category | this expression | diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected index be04e0ae5a93..5a9321debe49 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected 
@@ -1,28 +1,36 @@ #select -| AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | 
@@ -34,42 +42,54 @@ | Test.java:209:47:209:68 | queryWithUserTableName | Test.java:227:26:227:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | | Test.java:221:81:221:111 | ... + ... | Test.java:227:26:227:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | edges -| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:47:20:47:23 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:48:13:48:16 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:50:25:50:28 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:47:20:47:23 | args : String[] | AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:48:13:48:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:50:25:50:28 | args : String[] | AllowListSanitizerWithJavaUtilList.java:117:35:117:47 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : 
String[] | AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:117:35:117:47 | args : String[] | AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:49:20:49:23 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:50:13:50:16 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:52:25:52:28 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | 
AllowListSanitizerWithJavaUtilList.java:53:23:53:26 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:49:20:49:23 | args : String[] | AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:50:13:50:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:52:25:52:28 | args : String[] | AllowListSanitizerWithJavaUtilList.java:120:35:120:47 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:53:23:53:26 | args : String[] | AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:120:35:120:47 | args : String[] | AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | 
AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | 
AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | 
AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:52:23:52:26 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:119:35:119:47 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:52:23:52:26 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | 
query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:119:35:119:47 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | provenance | Sink:MaD:6 | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance | | | Mongo.java:10:29:10:41 | args : String[] | 
Mongo.java:21:49:21:52 | json | provenance | | | Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) | provenance | Config | 
@@ -100,44 +120,56 @@ models | 6 | Sink: java.sql; Statement; true; executeQuery; ; ; Argument[0]; sql-injection; manual | | 7 | Sink: java.sql; Statement; true; executeUpdate; ; ; Argument[0]; sql-injection; manual | nodes -| AllowListSanitizerWithJavaUtilList.java:45:26:45:38 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:47:20:47:23 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:48:13:48:16 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:50:25:50:28 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:53:39:53:51 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:83:66:83:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:89:66:89:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:95:66:95:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:101:66:101:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:107:66:107:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:113:66:113:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:117:35:117:47 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:123:66:123:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:127:32:127:44 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:144:67:144:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:164:67:164:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:182:67:182:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:202:67:202:71 | query | semmle.label | query | -| 
AllowListSanitizerWithJavaUtilList.java:226:67:226:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:49:20:49:23 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:50:13:50:16 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:52:25:52:28 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:53:23:53:26 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:120:35:120:47 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | 
query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:54:39:54:51 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:84:66:84:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:90:66:90:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:96:66:96:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:102:66:102:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:108:66:108:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:114:66:114:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:118:35:118:47 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:124:66:124:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:128:32:128:44 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:145:67:145:71 | query | semmle.label | query | -| 
AllowListSanitizerWithJavaUtilSet.java:165:67:165:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:183:67:183:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:203:67:203:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:227:67:227:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:52:23:52:26 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:119:35:119:47 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args 
: String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | semmle.label | query | | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] | | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) | | Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String | From 8b0dafddadf9b7c719a92abd5ff2b27f237125a0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 23 Jul 2024 13:59:52 +0100 Subject: [PATCH 06/14] Add change note --- .../2024-10-03-list-of-constants-sanitizer.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 java/ql/lib/change-notes/2024-10-03-list-of-constants-sanitizer.md diff --git a/java/ql/lib/change-notes/2024-10-03-list-of-constants-sanitizer.md b/java/ql/lib/change-notes/2024-10-03-list-of-constants-sanitizer.md new file mode 100644 index 000000000000..91def3083027 --- /dev/null +++ b/java/ql/lib/change-notes/2024-10-03-list-of-constants-sanitizer.md 
@@ -0,0 +1,10 @@
+---
+category: minorAnalysis
+---
+* Calling `coll.contains(x)` is now a taint sanitizer (for any query) for the value `x`, where `coll` is a `java.util.List` or `java.util.Set` which was constructed in one of the below ways, which contains only constant elements, and which is either read from a final static field (in which case it must be immutable) or constructed locally.
+ * `java.util.List.of(...)`
+ * `java.util.Collections.unmodifiableList(java.util.Arrays.asList(...))`
+ * `java.util.Set.of(...)`
+ * `java.util.Collections.unmodifiableSet(new HashSet<>(java.util.Arrays.asList(list)))` where `list` is a list of constant elements
+ * `var coll = new T(); coll.add(...); ...` where `T` is a class that implements `java.util.List` or `java.util.Set`.
+ * `var coll = new T(coll2); coll.add(...); ...` where `T` is a class that implements `java.util.List` or `java.util.Set` and `coll2` is a list of constant elements.
From e410f022c24b5e8ed840bdaf6f0fe4ba3b6520bb Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 8 Oct 2024 14:18:42 +0100
Subject: [PATCH 07/14] Refactor
---
 .../dataflow/ListOfConstantsSanitizer.qll | 104 +++++++-----------
 1 file changed, 41 insertions(+), 63 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
index c0778ce8c573..8ee9b70f1cd2 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
@@ -88,7 +88,11 @@ module Collection {
 }
 }
- /** A call where a collection of constants of class `collectionClass` can be in */
+ /**
+ * A call with a collection of class `collectionClass` as argument `arg` (or
+ * as qualifier, if `arg` is -1) which will not add any new non-constant
+ * elements to it.
+ */
 abstract class SafeCall extends Call {
 int arg;
 CollectionClass collectionClass;
@@ -120,7 +124,7 @@ module Collection {
 or
 collectionClass = "Set" and
 t.hasQualifiedName("java.util", "Set") and
- m.getName() = ["add"] and
+ m.getName() = "add" and
 this.getArgument(0).isCompileTimeConstant()
 )
 }
@@ -140,40 +144,19 @@ module Collection {
 }
 }
- // Expr foo(Expr q, string s) {
- // q = any(CollectionContainsCall ccc).getQualifier() and
- // result = getALocalExprFlowRoot(q) and
- // (
- // if exists(Field f | DataFlow::localExprFlow(f.getAnAccess(), result))
- // then
- // exists(Field f | DataFlow::localExprFlow(f.getAnAccess(), result) |
- // f.isStatic() and
- // f.isFinal() and
- // s = "static final field"
- // or
- // not (
- // f.isStatic() and
- // f.isFinal()
- // ) and
- // s = "field read"
- // )
- // else
- // if result = any(MethodCall mc)
- // then s = "method call"
- // else
- // if result = any(ConstructorCall cc)
- // then s = "constructor call"
- // else
- // if result = any(Call cc)
- // then s = "other call"
- // else s = "something else"
- // )
- // }
- Expr getALocalExprFlowRoot(Expr e) {
+ /**
+ * Gets an `Expr` which locally flows to `e` and which nothing locally flows
+ * to.
+ */
+ private Expr getALocalExprFlowRoot(Expr e) {
 DataFlow::localExprFlow(result, e) and
 not exists(Expr e2 | e2 != result | DataFlow::localExprFlow(e2, result))
 }
+ /**
+ * Holds if `e` was not involved in any calls which might add non-constant
+ * elements.
+ */
 private predicate noUnsafeCalls(Expr e) {
 forall(MethodCall mc, int arg, Expr x |
 DataFlow::localExprFlow(x, e) and
@@ -187,7 +170,8 @@ module Collection {
 )
 }
- private predicate collectionOfConstantsFlowsTo(Expr e) {
+ /** Holds if `e` is a collection of constants. */
+ private predicate isCollectionOfConstants(Expr e) {
 forex(Expr r | r = getALocalExprFlowRoot(e) |
 r instanceof CollectionOfConstants
 or
@@ -195,12 +179,10 @@ module Collection {
 exists(Field f | r = f.getAnAccess() |
 f.isStatic() and
 f.isFinal() and
- forall(Expr v | v = f.getInitializer() |
- v = any(CollectionOfConstants loc | loc.isImmutable())
- ) and
+ forall(Expr v | v = f.getInitializer() | v instanceof ImmutableCollectionOfConstants) and
 forall(Expr fieldSource | fieldSource = f.getAnAccess().(FieldWrite).getASource() |
 forall(Expr root | root = getALocalExprFlowRoot(fieldSource) |
- root.(CollectionOfConstants).isImmutable()
+ root instanceof ImmutableCollectionOfConstants
 ) and
 noUnsafeCalls(fieldSource)
 )
@@ -210,8 +192,8 @@ module Collection {
 }
 /**
- * An invocation of `java.util.List.contains` where the qualifier contains only
- * compile-time constants.
+ * An invocation of `java.util.List.contains` or `java.util.Set.contains`
+ * where the qualifier contains only compile-time constants.
 */
 private class CollectionOfConstantsContains extends ListOfConstantsComparison {
 CollectionOfConstantsContains() {
@@ -219,27 +201,31 @@ module Collection {
 this = mc and
 e = mc.getArgument(0) and
 outcome = true and
- collectionOfConstantsFlowsTo(mc.getQualifier())
+ isCollectionOfConstants(mc.getQualifier())
 )
 }
 }
 /**
- * An instance of `java.util.List` which contains only compile-time constants.
+ * An instance of `java.util.List` or `java.util.Set` which contains only
+ * compile-time constants.
 */
 abstract class CollectionOfConstants extends Call {
 CollectionClass collectionClass;
 /** Gets whether the collection is a "List" or a "Set". */
 CollectionClass getCollectionClass() { result = collectionClass }
-
- /** Holds if this list of constants is immutable. */
- abstract predicate isImmutable();
 }
+ /**
+ * An immutable instance of `java.util.List` or `java.util.Set` which
+ * contains only compile-time constants.
+ */
+ abstract class ImmutableCollectionOfConstants extends CollectionOfConstants { }
 /**
 * A invocation of a constructor of a type that extends `java.util.List` or
- * `java.util.Set` which constructs an empty mutable list.
+ * `java.util.Set` which constructs an empty mutable list/set.
 */
 private class CollectionOfConstantsEmptyConstructor extends ClassInstanceExpr,
 CollectionOfConstants
@@ -260,13 +246,11 @@ module Collection {
 c.getParameter(0).getType().(PrimitiveType).hasName("float")
 )
 }
-
- override predicate isImmutable() { none() }
 }
 /**
 * A invocation of a constructor of a type that extends `java.util.List` or
- * `java.util.Set` which constructs a non-empty mutable list.
+ * `java.util.Set` which constructs a non-empty mutable list/set.
 */
 private class CollectionOfConstantsNonEmptyConstructor extends ClassInstanceExpr,
 CollectionOfConstants
@@ -284,11 +268,9 @@ module Collection {
 .getASourceSupertype*()
 .hasQualifiedName("java.util", "Collection")
 ) and
- // Any collection can be used in the non-empty constructor.
- collectionOfConstantsFlowsTo(this.getArgument(0))
+ // Note that any collection can be used in the non-empty constructor.
+ isCollectionOfConstants(this.getArgument(0))
 }
-
- override predicate isImmutable() { none() }
 }
 /**
@@ -306,15 +288,15 @@ module Collection {
 ) and
 methodCallHasConstantArguments(this)
 }
-
- override predicate isImmutable() { none() }
 }
 /**
- * An invocation of `java.util.List.of` which constructs an immutable list
- * which contains only compile-time constants.
+ * An invocation of `java.util.List.of` or `java.util.Set.of` which
+ * constructs an immutable list/set which contains only compile-time constants.
 */
- private class CollectionOfConstantsCreatedWithOf extends MethodCall, CollectionOfConstants {
+ private class CollectionOfConstantsCreatedWithOf extends MethodCall,
+ ImmutableCollectionOfConstants
+ {
 CollectionOfConstantsCreatedWithOf() {
 exists(Method m | this.getMethod() = m |
 m.hasName("of") and
@@ -325,8 +307,6 @@ module Collection {
 ) and
 methodCallHasConstantArguments(this)
 }
-
- override predicate isImmutable() { any() }
 }
 /**
@@ -335,7 +315,7 @@ module Collection {
 * list/set which contains only compile-time constants.
 */
 private class CollectionOfConstantsCreatedWithCollectionsUnmodifiableList extends MethodCall,
- CollectionOfConstants
+ ImmutableCollectionOfConstants
 {
 CollectionOfConstantsCreatedWithCollectionsUnmodifiableList() {
 exists(Method m |
@@ -346,10 +326,8 @@ module Collection {
 .hasQualifiedName("java.util", "Collections") and
 this.getMethod() = m
 |
- collectionOfConstantsFlowsTo(this.getArgument(0))
+ isCollectionOfConstants(this.getArgument(0))
 )
 }
-
- override predicate isImmutable() { any() }
 }
 }
From 1f1a58c8db642bcc449083676aaea22c27e0ef3f Mon Sep 17 00:00:00 2001
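Review bot: In the `static final` field branch both `forall`s are vacuously true when `f` has no `getInitializer()` and no `FieldWrite` in the database, which I would expect for a `static final` collection declared in a library whose source is not extracted; a read of such a field would then satisfy `isCollectionOfConstants`, and `contains` on it would sanitize taint although nothing is known about its contents or mutability. The lines visible here only require `f.isStatic() and f.isFinal()`, so unless a restriction to source fields exists outside this hunk, require evidence of how the field is initialised, e.g. `(exists(f.getInitializer()) or exists(f.getAnAccess().(FieldWrite))) and` placed before the two `forall`s. The enclosing predicate `isCollectionOfConstants` starts in the previous hunk and its closing lines are outside this one.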
From: Owen Mansel-Chan Date: Tue, 8 Oct 2024 17:05:57 +0100 Subject: [PATCH 08/14] Specify type parameter in test --- .../semmle/examples/AllowListSanitizerWithJavaUtilList.java | 2 +- .../semmle/examples/AllowListSanitizerWithJavaUtilSet.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java index 4f4c551dfd1a..bffc8c9c22dc 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java @@ -278,7 +278,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx } } - private static void possiblyMutate(List list) { + private static void possiblyMutate(List list) { list.add(getNonConstantString()); } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java index 9c252620c31a..157e8909f9a4 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java @@ -277,7 +277,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx } } - private static void possiblyMutate(Set set) { + private static void possiblyMutate(Set set) { set.add(getNonConstantString()); } From 5848af2379e77f7da5c3c91429c8b900bc92c39a Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan
Date: Tue, 8 Oct 2024 17:54:50 +0100
Subject: [PATCH 09/14] Accept consistency check result
---
 .../semmle/examples/CONSISTENCY/typeParametersInScope.expected | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/CONSISTENCY/typeParametersInScope.expected
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/CONSISTENCY/typeParametersInScope.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/CONSISTENCY/typeParametersInScope.expected
new file mode 100644
index 000000000000..1f8028eff60e
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/CONSISTENCY/typeParametersInScope.expected
@@ -0,0 +1 @@
+| Type AllowListSanitizerWithJavaUtilSet uses out-of-scope type variable E. Note the Java extractor is known to sometimes do this; the Kotlin extractor should not. |
From 63b122dfec83bd7fd01518503a43d8334fcb100e Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 11 Oct 2024 19:41:40 +0100
Subject: [PATCH 10/14] Refactor for fear of bad optimization
---
 .../lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
index 8ee9b70f1cd2..bb8470b467c0 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
@@ -160,13 +160,14 @@ module Collection {
 private predicate noUnsafeCalls(Expr e) {
 forall(MethodCall mc, int arg, Expr x |
 DataFlow::localExprFlow(x, e) and
+ x != e and
 (
 arg = -1 and
 x = mc.getQualifier()
 or
 x = mc.getArgument(arg)
 )
 |
- x = e or arg = mc.(SafeCall).getArg()
+ arg = mc.(SafeCall).getArg()
 )
 }
From 50d97ff72fbfafc3a7aa09efcc80df18a5074f69 Mon Sep 17 00:00:00 2001
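Review bot: The new `x != e and` in the `forall` range keeps the exemption the old `x = e or` body had, so a call that takes `e` itself as qualifier or argument is never checked against `SafeCall`, and nothing in the code says why that is sound; the commit title gives an optimisation worry as the motive for the move, which is exactly the reasoning that belongs next to the line. The doc comment on `noUnsafeCalls`, just above this hunk, also reads as if every call `e` flows into is examined, so it understates the exemption. I would put the intent above `x != e and`, e.g. `// A call taking e itself as qualifier/argument is not a mutation of e; only other expressions flowing into e are checked` if that is the reason, and mention the evaluation-order concern from the commit message alongside it.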
From: Owen Mansel-Chan Date: Fri, 11 Oct 2024 23:12:44 +0100 Subject: [PATCH 11/14] Add (failing) test for lambda --- .../AllowListSanitizerWithJavaUtilList.java | 27 +- .../AllowListSanitizerWithJavaUtilSet.java | 27 +- .../semmle/examples/SqlConcatenated.expected | 102 +++---- .../semmle/examples/SqlTainted.expected | 260 +++++++++--------- 4 files changed, 230 insertions(+), 186 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java index bffc8c9c22dc..f8f24ab54616 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java @@ -14,6 +14,7 @@ import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.function.Consumer; class AllowListSanitizerWithJavaUtilList { public static Connection connection; @@ -51,6 +52,7 @@ public static void main(String[] args) throws IOException, SQLException { var x = new AllowListSanitizerWithJavaUtilList(); x.testNonStaticFields(args); testMultipleSources(args); + testEscape(args); } private static void testStaticFields(String[] args) throws IOException, SQLException { @@ -229,11 +231,11 @@ private static void testLocal(String[] args) throws IOException, SQLException { ResultSet results = connection.createStatement().executeQuery(query); } } - // BAD: an allowlist is used but it may contain a non-compile-time constant element + // BAD: an allowlist is used but it contains a non-compile-time constant element { List allowlist = new ArrayList(); allowlist.add("allowed1"); - possiblyMutate(allowlist); + addNonConstantStringDirectly(allowlist); if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; 
@@ -278,8 +280,27 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx } } - private static void possiblyMutate(List list) { + private static void testEscape(String[] args) throws IOException, SQLException { + String tainted = args[1]; + boolean b = args[2] == "True"; + { + // BAD: an allowlist is used which contains constant strings + List allowlist = new ArrayList(); + addNonConstantStringViaLambda(e -> allowlist.add(e)); + if(allowlist.contains(tainted)){ // missing result + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + + private static void addNonConstantStringDirectly(List list) { list.add(getNonConstantString()); } + private static void addNonConstantStringViaLambda(Consumer adder) { + adder.accept(getNonConstantString()); + } + } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java index 157e8909f9a4..bb94b57ef512 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java @@ -13,6 +13,7 @@ import java.util.Arrays; import java.util.Collections; import java.util.Set; +import java.util.function.Consumer; class AllowListSanitizerWithJavaUtilSet { public static Connection connection; @@ -50,6 +51,7 @@ public static void main(String[] args) throws IOException, SQLException { var x = new AllowListSanitizerWithJavaUtilSet(); x.testNonStaticFields(args); testMultipleSources(args); + testEscape(args); } private static void testStaticFields(String[] args) throws IOException, SQLException { 
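Review bot: In `testEscape`, `boolean b = args[2] == "True";` is never read, and comparing a `String` with `==` would be flagged in any other review; unless it is kept to mirror `testMultipleSources`, drop the line. The `// BAD:` comment says the allowlist "contains constant strings", which describes the GOOD case, whereas the point of this test is that `addNonConstantStringViaLambda` adds a non-constant element through the lambda, so `// BAD: a non-constant element is added to the allowlist through a lambda` states what the `// missing result` marker is waiting for. The same two points apply to the `testEscape` hunk in AllowListSanitizerWithJavaUtilSet.java in this commit.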
@@ -228,11 +230,11 @@ private static void testLocal(String[] args) throws IOException, SQLException { ResultSet results = connection.createStatement().executeQuery(query); } } - // BAD: an allowlist is used but it may contain a non-compile-time constant element + // BAD: an allowlist is used but it contains a non-compile-time constant element { Set allowlist = new HashSet(); allowlist.add("allowed1"); - possiblyMutate(allowlist); + addNonConstantStringDirectly(allowlist); if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; @@ -277,8 +279,27 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx } } - private static void possiblyMutate(Set set) { + private static void testEscape(String[] args) throws IOException, SQLException { + String tainted = args[1]; + boolean b = args[2] == "True"; + { + // BAD: an allowlist is used which contains constant strings + Set allowlist = new HashSet(); + addNonConstantStringViaLambda(e -> allowlist.add(e)); + if(allowlist.contains(tainted)){ // missing result + String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + + tainted + "' ORDER BY PRICE"; + ResultSet results = connection.createStatement().executeQuery(query); + } + } + } + + private static void addNonConstantStringDirectly(Set set) { set.add(getNonConstantString()); } + private static void addNonConstantStringViaLambda(Consumer adder) { + adder.accept(getNonConstantString()); + } + } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected index a05b4c985a6b..1e560f03c3b9 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected 
@@ -1,53 +1,55 @@ -| AllowListSanitizerWithJavaUtilList.java:62:66:62:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:61:8:61:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:68:66:68:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:67:8:67:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:74:66:74:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:73:8:73:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:80:66:80:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:79:8:79:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:85:8:85:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:91:8:91:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:97:8:97:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:103:8:103:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:109:8:109:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:115:8:115:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:125:8:125:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:138:67:138:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:137:9:137:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:146:9:146:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:157:67:157:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:156:9:156:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:166:9:166:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:176:67:176:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:175:9:175:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:184:9:184:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:195:67:195:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:194:9:194:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:204:9:204:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:217:67:217:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:216:9:216:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:228:9:228:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:239:9:239:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:257:9:257:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:266:9:266:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:275:9:275:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:61:66:61:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:60:8:60:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:67:66:67:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:66:8:66:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:73:66:73:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:72:8:72:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:79:66:79:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:78:8:78:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:84:8:84:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:90:8:90:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:96:8:96:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:102:8:102:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:108:8:108:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:114:8:114:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:124:8:124:14 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:137:67:137:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:136:9:136:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:145:9:145:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:156:67:156:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:155:9:155:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:165:9:165:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:175:67:175:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:174:9:174:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:183:9:183:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:194:67:194:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:193:9:193:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:203:9:203:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:216:67:216:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:215:9:215:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:227:9:227:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:238:9:238:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:256:9:256:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:265:9:265:15 | tainted | this expression | -| AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:274:9:274:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:64:66:64:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:63:8:63:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:70:66:70:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:69:8:69:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:76:66:76:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:75:8:75:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:82:66:82:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:81:8:81:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:87:8:87:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:93:8:93:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:99:8:99:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:105:8:105:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:112:66:112:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:111:8:111:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:117:8:117:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:128:66:128:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:127:8:127:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:140:67:140:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:139:9:139:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:148:9:148:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:159:67:159:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:158:9:158:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:168:9:168:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:178:67:178:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:177:9:177:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:186:9:186:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:197:67:197:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:196:9:196:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:206:9:206:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:219:67:219:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:218:9:218:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:230:9:230:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilList.java:241:9:241:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:259:9:259:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:268:9:268:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:277:9:277:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilList.java:292:9:292:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:63:66:63:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:62:8:62:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:69:66:69:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:68:8:68:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:75:66:75:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:74:8:74:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:81:66:81:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:80:8:80:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:86:8:86:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:92:8:92:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:98:8:98:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:104:8:104:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:111:66:111:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:110:8:110:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:116:8:116:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:127:66:127:70 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:126:8:126:14 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:139:67:139:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:138:9:138:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:147:9:147:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:158:67:158:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:157:9:157:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:167:9:167:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:177:67:177:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:176:9:176:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:185:9:185:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:196:67:196:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:195:9:195:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:205:9:205:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:218:67:218:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:217:9:217:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:229:9:229:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:240:9:240:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | Query built by concatenation with $@, which may be untrusted. 
| AllowListSanitizerWithJavaUtilSet.java:258:9:258:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:267:9:267:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:276:9:276:15 | tainted | this expression | +| AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | Query built by concatenation with $@, which may be untrusted. | AllowListSanitizerWithJavaUtilSet.java:291:9:291:15 | tainted | this expression | | Test.java:36:47:36:52 | query1 | Query built by concatenation with $@, which may be untrusted. | Test.java:35:8:35:15 | category | this expression | | Test.java:42:57:42:62 | query2 | Query built by concatenation with $@, which may be untrusted. | Test.java:41:51:41:52 | id | this expression | | Test.java:50:62:50:67 | query3 | Query built by concatenation with $@, which may be untrusted. | Test.java:49:8:49:15 | category | this expression | diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected index 5a9321debe49..1849f9f3ef39 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected 
@@ -1,36 +1,36 @@ #select -| AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | -| AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:112:66:112:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:112:66:112:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:128:66:128:70 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:128:66:128:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:111:66:111:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:111:66:111:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:127:66:127:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:127:66:127:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | 
@@ -42,54 +42,54 @@ | Test.java:209:47:209:68 | queryWithUserTableName | Test.java:227:26:227:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | | Test.java:221:81:221:111 | ... + ... | Test.java:227:26:227:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | edges -| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:49:20:49:23 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:50:13:50:16 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:52:25:52:28 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:53:23:53:26 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:49:20:49:23 | args : String[] | AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:50:13:50:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:52:25:52:28 | args : String[] | AllowListSanitizerWithJavaUtilList.java:120:35:120:47 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:53:23:53:26 | args : String[] | AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : 
String[] | AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:120:35:120:47 | args : String[] | AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : 
String[] | AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:52:23:52:26 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:119:35:119:47 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:52:23:52:26 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | provenance | | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | 
AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:119:35:119:47 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | 
AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | provenance | Sink:MaD:6 | -| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:50:20:50:23 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:53:25:53:28 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:50:20:50:23 | args : String[] | AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:53:25:53:28 | args : String[] | AllowListSanitizerWithJavaUtilList.java:122:35:122:47 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | 
AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:112:66:112:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:122:35:122:47 | args : String[] | AllowListSanitizerWithJavaUtilList.java:128:66:128:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | 
AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:52:25:52:28 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:52:25:52:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:121:35:121:47 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | 
query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:111:66:111:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:121:35:121:47 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:127:66:127:70 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | provenance | 
Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | provenance | Sink:MaD:6 | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance | | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | provenance | | | Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) | provenance | Config | 
@@ -120,56 +120,56 @@ models | 6 | Sink: java.sql; Statement; true; executeQuery; ; ; Argument[0]; sql-injection; manual | | 7 | Sink: java.sql; Statement; true; executeUpdate; ; ; Argument[0]; sql-injection; manual | nodes -| AllowListSanitizerWithJavaUtilList.java:47:26:47:38 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:49:20:49:23 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:50:13:50:16 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:52:25:52:28 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:53:23:53:26 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:56:39:56:51 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:86:66:86:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:92:66:92:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:98:66:98:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:104:66:104:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:110:66:110:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:116:66:116:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:120:35:120:47 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:126:66:126:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:130:32:130:44 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:147:67:147:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:167:67:167:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:185:67:185:71 | query | semmle.label | query | -| 
AllowListSanitizerWithJavaUtilList.java:205:67:205:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:229:67:229:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:240:67:240:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:245:42:245:54 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilList.java:258:67:258:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:267:67:267:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilList.java:276:67:276:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:46:26:46:38 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:48:20:48:23 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:49:13:49:16 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:51:25:51:28 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:52:23:52:26 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:55:39:55:51 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:85:66:85:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:91:66:91:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:97:66:97:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:103:66:103:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:109:66:109:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:115:66:115:70 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:119:35:119:47 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:125:66:125:70 | query | 
semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:129:32:129:44 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:146:67:146:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:166:67:166:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:184:67:184:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:204:67:204:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:228:67:228:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:239:67:239:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:244:42:244:54 | args : String[] | semmle.label | args : String[] | -| AllowListSanitizerWithJavaUtilSet.java:257:67:257:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:266:67:266:71 | query | semmle.label | query | -| AllowListSanitizerWithJavaUtilSet.java:275:67:275:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:50:20:50:23 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:53:25:53:28 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | semmle.label | query | +| 
AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:112:66:112:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:122:35:122:47 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:128:66:128:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:52:25:52:28 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | 
semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:111:66:111:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:121:35:121:47 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:127:66:127:70 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | semmle.label | query | | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] | | Mongo.java:17:45:17:67 | 
parse(...) | semmle.label | parse(...) |
 | Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String |

From f37077d68412efe78c1161aa8db52c5924cbe87d Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 15 Oct 2024 10:51:59 +0100
Subject: [PATCH 12/14] Fix list of constants sanitizer for captured variables

If a mutable allowlist flows to a captured variable in a lambda, we can't be sure that it won't have a non-constant element added, so we exclude it as a list of constants sanitizer.
---
 .../dataflow/ListOfConstantsSanitizer.qll | 31 ++++++++++++-------
 .../semmle/examples/SqlTainted.expected | 14 +++++++++
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
index bb8470b467c0..1a838e9c8e99 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
@@ -6,6 +6,7 @@
 import java
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.TaintTracking
+private import internal.DataFlowPrivate
 
 /**
  * A comparison against a list of compile-time constants, sanitizing taint by
@@ -174,19 +175,25 @@ module Collection {
   /** Holds if `e` is a collection of constants. */
   private predicate isCollectionOfConstants(Expr e) {
     forex(Expr r | r = getALocalExprFlowRoot(e) |
-      r instanceof CollectionOfConstants
-      or
-      // Access a static final field to get an immutable list of constants.
-      exists(Field f | r = f.getAnAccess() |
-        f.isStatic() and
-        f.isFinal() and
-        forall(Expr v | v = f.getInitializer() | v instanceof ImmutableCollectionOfConstants) and
-        forall(Expr fieldSource | fieldSource = f.getAnAccess().(FieldWrite).getASource() |
-          forall(Expr root | root = getALocalExprFlowRoot(fieldSource) |
-            root instanceof ImmutableCollectionOfConstants
-          ) and
-          noUnsafeCalls(fieldSource)
+      (
+        r instanceof CollectionOfConstants
+        or
+        // Access a static final field to get an immutable list of constants.
+        exists(Field f | r = f.getAnAccess() |
+          f.isStatic() and
+          f.isFinal() and
+          forall(Expr v | v = f.getInitializer() | v instanceof ImmutableCollectionOfConstants) and
+          forall(Expr fieldSource | fieldSource = f.getAnAccess().(FieldWrite).getASource() |
+            forall(Expr root | root = getALocalExprFlowRoot(fieldSource) |
+              root instanceof ImmutableCollectionOfConstants
+            ) and
+            noUnsafeCalls(fieldSource)
+          )
         )
+      ) and
+      (
+        r instanceof ImmutableCollectionOfConstants
+        or
+        not DataFlow::localExprFlow(r, any(CapturedVariable cv).(LocalScopeVariable).getAnAccess())
       )
     ) and
     noUnsafeCalls(e)
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
index 1849f9f3ef39..a8f97ac203ad 100644
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
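Review bot: The new exclusion `not DataFlow::localExprFlow(r, any(CapturedVariable cv).(LocalScopeVariable).getAnAccess())` carries no comment, so the reason a captured collection is distrusted lives only in the commit message and is invisible to the next reader of `isCollectionOfConstants`. Suggest a line above the second parenthesised group such as `// A mutable collection captured by a lambda may later have a non-constant element added, so only an ImmutableCollectionOfConstants is trusted once it reaches a captured variable.` Only local expression flow from `r` to a captured-variable access is considered here; whether a mutable collection that escapes by another route (for instance as a call argument) is rejected depends on `noUnsafeCalls`, whose definition is not in this hunk, so that is worth confirming. The predicate's closing brace is outside the hunk.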
@@ -15,6 +15,7 @@ | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | This query depends on a $@. 
| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | 
@@ -31,6 +32,7 @@ | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | +| AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value | | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value | | Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value | 
@@ -46,10 +48,12 @@ edges | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:53:25:53:28 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | AllowListSanitizerWithJavaUtilList.java:55:14:55:17 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:50:20:50:23 | args : String[] | AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:53:25:53:28 | args : String[] | AllowListSanitizerWithJavaUtilList.java:122:35:122:47 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilList.java:55:14:55:17 | args : String[] | AllowListSanitizerWithJavaUtilList.java:283:33:283:45 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | provenance | Sink:MaD:6 | 
@@ -66,14 +70,17 @@ edges | AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilList.java:283:33:283:45 | args : String[] | AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:52:25:52:28 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:54:14:54:17 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:52:25:52:28 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:121:35:121:47 | args : String[] | provenance | | | 
AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | provenance | | +| AllowListSanitizerWithJavaUtilSet.java:54:14:54:17 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | provenance | | | AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | provenance | Sink:MaD:6 | @@ -90,6 +97,7 @@ edges | AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | provenance | Sink:MaD:6 | | AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | provenance | Sink:MaD:6 | +| AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | provenance | Sink:MaD:6 | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance | | | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | provenance | | | Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) | provenance | Config | 
@@ -125,6 +133,7 @@ nodes | AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilList.java:53:25:53:28 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:55:14:55:17 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | semmle.label | query | 
@@ -145,11 +154,14 @@ nodes | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | semmle.label | query | +| AllowListSanitizerWithJavaUtilList.java:283:33:283:45 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:52:25:52:28 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | semmle.label | args : String[] | +| AllowListSanitizerWithJavaUtilSet.java:54:14:54:17 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | semmle.label | args : String[] | | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | semmle.label | query | | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | semmle.label | query | 
@@ -170,6 +182,8 @@ nodes
 | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | semmle.label | query |
 | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | semmle.label | query |
 | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | semmle.label | query |
+| AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | semmle.label | args : String[] |
+| AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | semmle.label | query |
 | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
 | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
 | Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String |

From 6e084d4a939a2fd8d2ecfbf76e1618df9a9bad24 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 15 Oct 2024 12:01:45 +0100
Subject: [PATCH 13/14] Add (failing) tests for `toUpperCase` and `toLowerCase`

---
 .../examples/AllowListSanitizerWithJavaUtilList.java | 8 ++++----
 .../examples/AllowListSanitizerWithJavaUtilSet.java | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java
index f8f24ab54616..8f97f022a714 100644
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java
@@ -58,13 +58,13 @@ public static void main(String[] args) throws IOException, SQLException {
   private static void testStaticFields(String[] args) throws IOException, SQLException {
     String tainted = args[1];
     // GOOD: an allowlist is used with constant strings
-    if(goodAllowList1.contains(tainted)){
+    if(goodAllowList1.contains(tainted.toLowerCase())){
       String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
       ResultSet results = connection.createStatement().executeQuery(query);
     }
     // GOOD: an allowlist is used with constant strings
-    if(goodAllowList2.contains(tainted)){
+    if(goodAllowList2.contains(tainted.toUpperCase())){
       String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
       ResultSet results = connection.createStatement().executeQuery(query);
@@ -134,7 +134,7 @@ private static void testLocal(String[] args) throws IOException, SQLException {
     // GOOD: an allowlist is used with constant strings
     {
       List allowlist = List.of("allowed1", "allowed2", "allowed3");
-      if(allowlist.contains(tainted)){
+      if(allowlist.contains(tainted.toLowerCase())){
         String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
         ResultSet results = connection.createStatement().executeQuery(query);
@@ -153,7 +153,7 @@ private static void testLocal(String[] args) throws IOException, SQLException {
     {
       String[] allowedArray = {"allowed1", "allowed2", "allowed3"};
       List allowlist = List.of(allowedArray);
-      if(allowlist.contains(tainted)){
+      if(allowlist.contains(tainted.toUpperCase())){
         String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
         ResultSet results = connection.createStatement().executeQuery(query);
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java
index bb94b57ef512..a9e1e0f99e5e 100644
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java
@@ -57,13 +57,13 @@ public static void main(String[] args) throws IOException, SQLException {
   private static void testStaticFields(String[] args) throws IOException, SQLException {
     String tainted = args[1];
     // GOOD: an allowlist is used with constant strings
-    if(goodAllowList1.contains(tainted)){
+    if(goodAllowList1.contains(tainted.toLowerCase())){
       String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
       ResultSet results = connection.createStatement().executeQuery(query);
     }
     // GOOD: an allowlist is used with constant strings
-    if(goodAllowList2.contains(tainted)){
+    if(goodAllowList2.contains(tainted.toUpperCase())){
       String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
       ResultSet results = connection.createStatement().executeQuery(query);
@@ -133,7 +133,7 @@ private static void testLocal(String[] args) throws IOException, SQLException {
     // GOOD: an allowlist is used with constant strings
     {
       Set allowlist = Set.of("allowed1", "allowed2", "allowed3");
-      if(allowlist.contains(tainted)){
+      if(allowlist.contains(tainted.toLowerCase())){
         String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
         ResultSet results = connection.createStatement().executeQuery(query);
@@ -152,7 +152,7 @@ private static void testLocal(String[] args) throws IOException, SQLException {
     {
       String[] allowedArray = {"allowed1", "allowed2", "allowed3"};
       Set allowlist = Set.of(allowedArray);
-      if(allowlist.contains(tainted)){
+      if(allowlist.contains(tainted.toUpperCase())){
         String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE";
         ResultSet results = connection.createStatement().executeQuery(query);

From 08443e8db058088c59eb21c95432db269c4442e6 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 15 Oct 2024 12:31:36 +0100
Subject: [PATCH 14/14] Fix list of constants sanitize for `toUpperCase` and `toLowerCase`

---
 .../dataflow/ListOfConstantsSanitizer.qll | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
index 1a838e9c8e99..530da96ad3f9 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ListOfConstantsSanitizer.qll
@@ -26,6 +26,14 @@ private predicate listOfConstantsComparisonSanitizerGuard(Guard g, Expr e, boole
   )
 }
 
+private Expr skipCaseChanges(MethodCall mc) {
+  exists(Method changecase | mc.getMethod() = changecase |
+    changecase.hasName(["toUpperCase", "toLowerCase"]) and
+    changecase.getDeclaringType() instanceof TypeString
+  ) and
+  result = mc.getQualifier()
+}
+
 /** A comparison against a list of compile-time constants. */
 abstract class ListOfConstantsComparison extends Guard {
   Expr e;
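Review bot: `skipCaseChanges` is added without QLDoc, so a reader has to work out from the body that it yields the qualifier of a `String` case-conversion call; a one-line doc such as `/** Gets `x` when `mc` is a call `x.toUpperCase()` or `x.toLowerCase()` on `java.lang.String`. */` would match the documented predicates around it. The local `changecase` would conventionally be `changeCase`, following the camelCase used elsewhere in this file (`fieldSource`, `listOfConstantsComparisonSanitizerGuard`). `hasName` does not distinguish overloads, so the `Locale`-taking variants are matched as well; that looks intended but is worth stating in the doc.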
@@ -36,8 +44,16 @@ abstract class ListOfConstantsComparison extends Guard {
     outcome = [true, false]
   }
 
-  /** Gets the expression that is compared to a list of constants. */
-  Expr getExpr() { result = e }
+  /**
+   * Gets the expression that is compared to a list of constants. Note that it
+   * is very common to see `x.toUpperCase()` or `x.toLowerCase()` compared with
+   * a list of constants, and in this case `result` is `x`.
+   */
+  Expr getExpr() {
+    result = skipCaseChanges(e)
+    or
+    not exists(skipCaseChanges(e)) and result = e
+  }
 
   /** Gets the value of `this` when `e` is in the list of constants. */
   boolean getOutcome() { result = outcome }
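Review bot: `getExpr()` now returns `x` for a guard that compared `x.toLowerCase()` or `x.toUpperCase()`, so taint on `x` itself is cleared even though only its case-mapped form was checked against the constants; the QLDoc should state that assumption explicitly rather than only that `result` is `x`. For ASCII allowlists this is sound, since a value whose case-mapped form is a constant differs from that constant only in letter case, but Java case mapping is not one-to-one (`ß` upper-cases to `SS`, and the no-argument overloads are locale-sensitive), so `x` is not guaranteed to equal one of the constants. A sentence such as `* Treating `x` as sanitized assumes that any value whose case-mapped form is in the list is itself acceptable.` in the doc comment would record this for future readers. `skipCaseChanges` is defined in the previous hunk, outside this one.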