Merge pull request github#5931 from atorralba/atorralba/promote-jndi-injection

Java: Promote JNDI Injection query from experimental

Author: aschackmull

java/change-notes/2021-05-20-jndi-injection-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "JNDI lookup with user-controlled name" (`java/jndi-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @ggolawski](https://github.com/github/codeql/pull/3288).

java/ql/src/experimental/Security/CWE/CWE-074/JndiInjection.java renamed to java/ql/src/Security/CWE/CWE-074/JndiInjection.java

@@ -11,7 +11,7 @@ code execution.</p>
 </overview>
 
 <recommendation>
-<p>The general recommendation is to not pass untrusted data to the <code>InitialContext.lookup
+<p>The general recommendation is to avoid passing untrusted data to the <code>InitialContext.lookup
 </code> method. If the name being used to look up the object must be provided by the user, make
 sure that it's not in the form of an absolute URL or that it's the URL pointing to a trused server.
 </p>

java/ql/src/experimental/Security/CWE/CWE-074/JndiInjection.qhelp renamed to java/ql/src/Security/CWE/CWE-074/JndiInjection.qhelp

@@ -1,6 +1,6 @@
 /**
  * @name JNDI lookup with user-controlled name
- * @description Doing a JNDI lookup with user-controlled name can lead to download an untrusted
+ * @description Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted
  *              object and to execution of arbitrary code.
  * @kind path-problem
  * @problem.severity error
@@ -11,8 +11,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import JndiInjectionLib
+import semmle.code.java.security.JndiInjectionQuery
 import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, JndiInjectionFlowConfig conf

java/ql/src/experimental/Security/CWE/CWE-074/JndiInjection.ql renamed to java/ql/src/Security/CWE/CWE-074/JndiInjection.ql

@@ -30,11 +30,6 @@ class InsecureLdapUrlLiteral extends StringLiteral {
   }
 }
 
-/** The interface `javax.naming.Context`. */
-class TypeNamingContext extends Interface {
-  TypeNamingContext() { this.hasQualifiedName("javax.naming", "Context") }
-}
-
 /** The class `java.util.Hashtable`. */
 class TypeHashtable extends Class {
   TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") }

java/ql/src/experimental/Security/CWE/CWE-074/JndiInjectionLib.qll

@@ -86,3 +86,20 @@ class JMXRegistrationMethod extends Method {
     )
   }
 }
+
+/** The class `javax.management.remote.JMXConnectorFactory`. */
+class TypeJMXConnectorFactory extends Class {
+  TypeJMXConnectorFactory() {
+    this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory")
+  }
+}
+
+/** The class `javax.management.remote.JMXServiceURL`. */
+class TypeJMXServiceURL extends Class {
+  TypeJMXServiceURL() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") }
+}
+
+/** The class `javax.management.remote.rmi.RMIConnector`. */
+class TypeRMIConnector extends Class {
+  TypeRMIConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") }
+}