Java : Add SSTI query #5935
Conversation
```ql
}

/** Models `attachEventCartridge` method of Velocity Templating Engine. */
class MethodVelocityAttachEventCartridge extends Method {
```
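Review bot: `MethodVelocityAttachEventCartridge` is declared here but nothing in the visible excerpt references it, and the excerpt stops before its characteristic predicate. If no remaining predicate in `TemplateInjection.qll` or `Velocity.qll` uses the class, drop it together with its QLDoc; if it is kept, make sure the body constrains both the method name `attachEventCartridge` and its Velocity declaring type, otherwise a class that merely `extends Method` matches every method in the database.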
Unused?
Check other class/method defns to see if they're still used.
I'd completely lost track of this; are you applying to the bounty program for this PR?
@smowton I am sorry for the delay in addressing the review. There is already an issue open, github/securitylab#94, for this PR. I can see the bot has marked that as closed but on Github it is reflected as open. You may want to check what is happening here. The PR push should have triggered the issue open. Anyways, I have now made some changes. The PR is now ready for review.
@porcupineyhairs please create a fresh bounty application for this
@smowton Any updates here?
This is under review by the security lab; comments should be directed to github/securitylab#410 about that. The CodeQL team will review as and when it passes their review.
I added some inline comments. Also, I made a commit with a trivial change (added `this.` to some predicate calls).
Currently lacks tests: please add test cases to java/ql/test/experimental/query-tests/security/CWE-094, as well as stubs of your dependencies to https://github.com/github/codeql/tree/main/java/ql/test/experimental/stubs

There are many examples at https://github.com/github/codeql/tree/main/java/ql/test/experimental/query-tests/security to crib off, but do ask if you have any questions about writing codeql tests.
@smowton Sorry for the long wait. I have added the necessary tests and a qhelp. This PR is now ready for a review.
Why is this being added direct to the main query suite rather than experimental? (for experimental additions you won't need a change note either)
@smowton I moved it from experimental to stable as this meets all the requirements for a supported stable query as listed here. The PR includes a well documented query along with unit tests and a qhelp. The only divergence from the norm is that I include all of these in a single PR instead of two separate ones. Do you want me to split this one into two parts?
@porcupineyhairs to enter the main query suite we'll want to do a more detailed study into false positives and ways they could be remediated. Please commit this to the experimental area for the time being.
@smowton Changes done! PTAL.
@smowton Done!
This adds a query to detect server side template injections in Java.
This is a continuation of #3353. Since that one is quite stale, I am closing that and opening a new one.
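A test-style illustration of what such a query has to distinguish, added here and not taken from the PR: each engine the PR's framework files name (FreeMarker, JinJava, Velocity) is called once with request-controlled text as the template itself and once with a constant template that only binds that text as data. The engine APIs are real; which of them the PR's query actually models, and the servlet wrapper, are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;
import com.hubspot.jinjava.Jinjava;

// Added illustration (not code from the PR): request-controlled text used as the
// template itself ("BAD") versus a fixed template that only binds it as data ("GOOD").
public class TemplateInjectionTest extends HttpServlet {
  private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);
  static { Velocity.init(); } // Velocity's singleton needs one-time init before evaluate()

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String untrusted = req.getParameter("name"); // taint source: request parameter
    if (untrusted == null) untrusted = "";
    StringWriter out = new StringWriter();
    try {
      // BAD: the untrusted string is parsed as the template, so any engine
      // directives it contains are interpreted (the sinks the query should flag).
      new Template("t", new StringReader(untrusted), CFG).process(Map.of(), out);
      Velocity.evaluate(new VelocityContext(), out, "t", untrusted);
      new Jinjava().render(untrusted, Map.of());

      // GOOD: the template is a constant; the untrusted value is bound as data and
      // rendered as a plain value, so no taint reaches the template argument.
      new Template("t", new StringReader("Hello ${name}"), CFG)
          .process(Map.of("name", untrusted), out);
      VelocityContext ctx = new VelocityContext();
      ctx.put("name", untrusted);
      Velocity.evaluate(ctx, out, "t", "Hello $name");
      new Jinjava().render("Hello {{ name }}", Map.of("name", untrusted));
    } catch (TemplateException e) {
      throw new IOException(e);
    }
    resp.getWriter().print(out);
  }
}
```

In a CodeQL test directory the three "BAD" calls are the expected alerts and the three "GOOD" calls should stay silent, which is the false-positive check the reviewer asks about above.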