From b56a9d182d98f1809ee84fc528656d59ba209231 Mon Sep 17 00:00:00 2001
From: Nikita Kraiouchkine
Date: Tue, 17 Oct 2023 12:31:22 +0200
Subject: [PATCH 1/8] Create codeql_mono.yml
---
.github/workflows/codeql_mono.yml | 72 +++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 .github/workflows/codeql_mono.yml
diff --git a/.github/workflows/codeql_mono.yml b/.github/workflows/codeql_mono.yml
new file mode 100644
index 0000000..bfea47a
--- /dev/null
+++ b/.github/workflows/codeql_mono.yml
@@ -0,0 +1,72 @@
+name: "CodeQL Analysis"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: 'java'
+ build-command: 'mvn compile -pl project1 -B'
+ directory: 'project1'
+ - language: 'java'
+ build-command: 'mvn compile -pl project2 -B'
+ directory: 'project2'
+ - language: 'java'
+ build-command: 'mvn compile -pl project3 -B'
+ directory: 'project3'
+ - language: 'java'
+ build-command: 'mvn compile -pl project4 -B'
+ directory: 'project4'
+ - language: 'javascript'
+ build-command: ${{ null }}
+ directory: 'project5'
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ source-root: ${{ matrix.directory }}
+ queries: security-extended,security-and-quality
+
+ - name: Run build command for subproject
+ run: ${{ matrix.build-command }}
+ if: ${{ matrix.build-command }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
+ upload: False
+ output: sarif-results
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"analyze":["--sarif-add-snippets","--sarif-add-query-help","--sarif-group-rules-by-pack"]}}'
+
+ - name: Rename CodeQL tool
+ run: |
+ jq ".runs[0].tool.driver.name = \"CodeQL-${WORKFLOW_TAG}-${{matrix.language}}\"" sarif-results/${{ matrix.language }}.sarif > sarif-results/${{ matrix.language }}-edited.sarif
+ env:
+ WORKFLOW_TAG: ${{ matrix.directory }}
+
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: sarif-results/${{ matrix.language }}-edited.sarif
From a68d8dbc58c49c5810e69683a2e05ecb3f6e7597 Mon Sep 17 00:00:00 2001
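Review bot: The "Rename CodeQL tool" step rewrites `runs[0].tool.driver.name` without recording why, and it splices `${{ matrix.language }}` straight into the `run:` script while `matrix.directory` is routed through `env` as `WORKFLOW_TAG`. Both values come from the workflow's own matrix, so there is no expression-injection exposure here, but the split style obscures the intent and is the habit that matters once a value comes from event data; route the language the same way, `CODEQL_LANG: ${{ matrix.language }}` under `env` and `"${CODEQL_LANG}"` in the script, and head the step with a comment stating the reason for the rename (presumably that code scanning would otherwise treat the four java uploads, which all carry the category `/language:java`, as the same analysis and let each supersede the last). The actions are referenced by mutable tags (`actions/checkout@v3`, `github/codeql-action/*@v2`); pinning to full commit SHAs with a version comment is the usual supply-chain hardening for a workflow that holds `security-events: write`. `queries:` lists both `security-extended` and `security-and-quality`, and the latter appears to already include the former, so one of the two entries is probably redundant.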
From: Nikita Kraiouchkine
Date: Tue, 17 Oct 2023 15:57:11 +0200
Subject: [PATCH 2/8] Create test.js
---
project5/test.js | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 project5/test.js
diff --git a/project5/test.js b/project5/test.js
new file mode 100644
index 0000000..465b5b7
--- /dev/null
+++ b/project5/test.js
@@ -0,0 +1,50 @@
+var fs = require('fs'),
+ http = require('http'),
+ url = require('url');
+
+var server = http.createServer(function(req, res) {
+ let path = url.parse(req.url, true).query.path;
+
+ fs.readFileSync(path); // NOT OK
+
+ var obj = bla ? something() : path;
+
+ fs.readFileSync(obj.sub); // NOT OK
+
+ obj.sub = "safe";
+
+ fs.readFileSync(obj.sub); // OK
+
+ obj.sub2 = "safe";
+ if (random()) {
+ fs.readFileSync(obj.sub2); // OK
+ }
+
+ if (random()) {
+ obj.sub3 = "safe"
+ }
+ fs.readFileSync(obj.sub3); // NOT OK
+
+ obj.sub4 =
+ fs.readFileSync(obj.sub4) ? // NOT OK
+ fs.readFileSync(obj.sub4) : // NOT OK
+ fs.readFileSync(obj.sub4); // NOT OK
+});
+
+server.listen();
+
+var nodefs = require('node:fs');
+
+var server2 = http.createServer(function(req, res) {
+ let path = url.parse(req.url, true).query.path;
+ nodefs.readFileSync(path); // NOT OK
+});
+
+server2.listen();
+
+const chownr = require("chownr");
+
+var server3 = http.createServer(function (req, res) {
+ let path = url.parse(req.url, true).query.path;
+ chownr(path, "someuid", "somegid", function (err) {}); // NOT OK
+});
From 4bff19931ed2dae7513e6e7043f4bcaa35e6f911 Mon Sep 17 00:00:00 2001
From: Nikita Kraiouchkine
Date: Tue, 17 Oct 2023 16:00:51 +0200
Subject: [PATCH 3/8] Update codeql_mono.yml
---
.github/workflows/codeql_mono.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql_mono.yml b/.github/workflows/codeql_mono.yml
index bfea47a..01b1a99 100644
--- a/.github/workflows/codeql_mono.yml
+++ b/.github/workflows/codeql_mono.yml
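Review bot: project5/test.js has no header saying where it comes from or what it is for, unlike the project6 fixture added later in this series, which opens with a provenance comment; a reader who finds `fs.readFileSync(path)` on a query-string value with no context cannot tell a deliberate CodeQL test case from a real handler. Open the file with something like `// copied from CodeQL's path-injection (TaintedPath) query tests; deliberately vulnerable fixture, each "NOT OK" line is an expected finding` (the exact upstream test path appears to be the TaintedPath suite, but confirm before writing it down) and mention that `bla`, `something` and `random` are intentionally undeclared because the file is analysed, never run. `server3` is created but never gets a `.listen()` call, unlike `server` and `server2`; harmless for static analysis, but inconsistent with the rest of the file.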
@@ -21,16 +21,16 @@ jobs:
 matrix:
 include:
 - language: 'java'
- build-command: 'mvn compile -pl project1 -B'
+ build-command: 'mvn compile -B'
 directory: 'project1'
 - language: 'java'
- build-command: 'mvn compile -pl project2 -B'
+ build-command: 'mvn compile -B'
 directory: 'project2'
 - language: 'java'
- build-command: 'mvn compile -pl project3 -B'
+ build-command: 'mvn compile -B'
 directory: 'project3'
 - language: 'java'
- build-command: 'mvn compile -pl project4 -B'
+ build-command: 'mvn compile -B'
 directory: 'project4'
 - language: 'javascript'
 build-command: ${{ null }}
@@ -49,6 +49,7 @@ jobs:
 
 - name: Run build command for subproject
 run: ${{ matrix.build-command }}
+ working-directory: ${{ matrix.directory }}
 if: ${{ matrix.build-command }}
 
 - name: Perform CodeQL Analysis
From a577df37662cb64518a73bb084371366552e43b6 Mon Sep 17 00:00:00 2001
From: Nikita Kraiouchkine
Date: Tue, 17 Oct 2023 16:32:29 +0200
Subject: [PATCH 4/8] Update codeql_mono.yml
---
.github/workflows/codeql_mono.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/codeql_mono.yml b/.github/workflows/codeql_mono.yml
index 01b1a99..a750f62 100644
--- a/.github/workflows/codeql_mono.yml
+++ b/.github/workflows/codeql_mono.yml
@@ -44,7 +44,6 @@ jobs:
 uses: github/codeql-action/init@v2
 with:
 languages: ${{ matrix.language }}
- source-root: ${{ matrix.directory }}
 queries: security-extended,security-and-quality
 
 - name: Run build command for subproject
From 62c9ac8efa5f4a952c07fb4b7a16d501cad65c18 Mon Sep 17 00:00:00 2001
From: Nikita Kraiouchkine
Date: Tue, 17 Oct 2023 17:09:35 +0200
Subject: [PATCH 5/8] Update codeql_mono.yml
---
.github/workflows/codeql_mono.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/.github/workflows/codeql_mono.yml b/.github/workflows/codeql_mono.yml
index a750f62..fe8d92b 100644
--- a/.github/workflows/codeql_mono.yml
+++ b/.github/workflows/codeql_mono.yml
@@ -35,6 +35,15 @@ jobs:
 - language: 'javascript'
 build-command: ${{ null }}
 directory: 'project5'
+ config: |
+ paths:
+ - project5
+ - language: 'javascript'
+ build-command: ${{ null }}
+ directory: 'project6'
+ config: |
+ paths:
+ - project6
 
 steps:
 - name: Checkout repository
@@ -45,6 +54,7 @@ jobs:
 with:
 languages: ${{ matrix.language }}
 queries: security-extended,security-and-quality
+ config: ${{ matrix.config }}
 
 - name: Run build command for subproject
 run: ${{ matrix.build-command }}
From d3ec20738d232f5b8d4431951e23e8063c7ec2a1 Mon Sep 17 00:00:00 2001
From: Nikita Kraiouchkine
Date: Tue, 17 Oct 2023 17:11:04 +0200
Subject: [PATCH 6/8] Create UnsafeDynamicMethodAccess.js
---
project6/UnsafeDynamicMethodAccess.js | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 project6/UnsafeDynamicMethodAccess.js
diff --git a/project6/UnsafeDynamicMethodAccess.js b/project6/UnsafeDynamicMethodAccess.js
new file mode 100644
index 0000000..a5124d6
--- /dev/null
+++ b/project6/UnsafeDynamicMethodAccess.js
@@ -0,0 +1,18 @@
+// copied from tests for `UnsafeDynamicMethodAccess.ql` to check that they do not overlap
+
+let obj = {};
+
+window.addEventListener('message', (ev) => {
+ let message = JSON.parse(ev.data);
+ window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+ new window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+ window["HTMLElement" + message.name](message.payload); // OK - concatenation restricts choice of methods
+ window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods
+
+ function f() {}
+ f[message.name](message.payload)(); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+
+ obj[message.name](message.payload); // NOT OK
+
+ window[ev](ev); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+});
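Review bot: The new `config: ${{ matrix.config }}` input in the init step is passed for every matrix entry, but only the two javascript entries define `config`; for the four java entries the expression evaluates to an empty string, which presumably codeql-action reads as "no config", but that is an assumption the hunk leaves unstated — record it, e.g. `# config is only set on the javascript entries; empty for java, where the build step already scopes extraction`. Each `paths:` block repeats the `directory:` value by hand, so a future entry that updates one and not the other would quietly analyse the wrong tree; a comment tying the two together, such as `# paths must match directory: javascript has no build step, so without it each job would extract the whole checkout`, records the invariant. The reason the restriction is needed at all (both javascript jobs otherwise scanning the same files and reporting each other's findings) is inferred from the matrix shape rather than stated anywhere in the change.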
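Review bot: The header comment on the first line of project6/UnsafeDynamicMethodAccess.js says the file checks "that they do not overlap" but never names the two things being compared; the `[INCONSISTENCY]` markers imply a second query whose results should not include those lines, yet that query is not identified. Make it explicit, for example `// copied from CodeQL's UnsafeDynamicMethodAccess.ql tests; checks that [OTHER-QUERY placeholder] does not also report the lines marked [INCONSISTENCY]`, replacing the placeholder with the query actually under test. Unlike project5/test.js, this fixture is browser-side (`window`, `message` events), which is worth one word in the header so nobody tries to run it under node.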
From d5ffc10807f41796276554016b6c31776c058a13 Mon Sep 17 00:00:00 2001
From: Nikita Kraiouchkine
Date: Thu, 11 Jan 2024 12:36:04 +0100
Subject: [PATCH 7/8] Update codeql_mono.yml
---
.github/workflows/codeql_mono.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql_mono.yml b/.github/workflows/codeql_mono.yml
index fe8d92b..f49db72 100644
--- a/.github/workflows/codeql_mono.yml
+++ b/.github/workflows/codeql_mono.yml
@@ -6,6 +6,7 @@ on:
 pull_request:
 # The branches below must be a subset of the branches above
 branches: [ "main" ]
+ workflow_dispatch:
 
 jobs:
 analyze:
From 2c72cd6731bf5e571bf7f447d112356e50581181 Mon Sep 17 00:00:00 2001
From: Nicolas Will
Date: Tue, 10 Sep 2024 19:14:26 +0200
Subject: [PATCH 8/8] Update .github/workflows/codeql_mono.yml
Co-authored-by: Chad Bentz <1760475+felickz@users.noreply.github.com>
---
.github/workflows/codeql_mono.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql_mono.yml b/.github/workflows/codeql_mono.yml
index f49db72..c84c8dd 100644
--- a/.github/workflows/codeql_mono.yml
+++ b/.github/workflows/codeql_mono.yml
@@ -48,7 +48,7 @@ jobs:
 
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2