Merge branch 'main' into impropnull

Author: geoffw0

docs/codeql/query-help/codeql-cwe-coverage.md renamed to docs/codeql/query-help/codeql-cwe-coverage.rst

@@ -1,8 +1,10 @@
-# CodeQL CWE coverage
+CodeQL CWE coverage
+===================
 
-An overview of the coverage of MITRE's Common Weakness Enumeration (CWE) for the latest release of CodeQL.
+You can view the full coverage of MITRE's Common Weakness Enumeration (CWE) or coverage by language for the latest release of CodeQL.
 
-## About CWEs
+About CWEs
+##########
 
 The CWE categorization contains several types of entity, collectively known as CWEs. The CWEs that we consider in this report are only those of the types:
 
@@ -11,15 +13,22 @@ The CWE categorization contains several types of entity, collectively known as C
 - Weakness Variant
 - Compound Element
 
-Other types of CWE do not correspond directly to weaknesses, so are omitted.
+Other types of CWE that do not correspond directly to weaknesses are omitted.
 
 The CWE categorization includes relationships between entities, in particular a parent-child relationship.
-These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the "[Research View](https://cwe.mitre.org/data/definitions/1000.html)."
+These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the "`Research View <https://cwe.mitre.org/data/definitions/1000.html>`_."
 
 Every security query is associated with one or more CWEs, which are the most precise CWEs that are covered by that query.
 Overall coverage is claimed for the most-precise CWEs, as well as for any of their ancestors in the View.
 
-## Overview
-
-<!-- autogenerated CWE coverage table will be added below -->
-
+.. toctree::
+   :hidden:
+   :titlesonly:
+
+   full-cwe
+   cpp-cwe
+   csharp-cwe
+   go-cwe
+   java-cwe
+   javascript-cwe
+   python-cwe

docs/codeql/query-help/cpp-cwe.md

@@ -0,0 +1,8 @@
+# CWE coverage for C and C++
+
+An overview of CWE coverage for C and C++ in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/csharp-cwe.md

@@ -0,0 +1,8 @@
+# CWE coverage for C#
+
+An overview of CWE coverage for C# in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/full-cwe.md

@@ -0,0 +1,8 @@
+# CodeQL full CWE coverage
+
+An overview of the full coverage of MITRE's Common Weakness Enumeration (CWE) for the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/go-cwe.md

@@ -0,0 +1,8 @@
+# CWE coverage for Go
+
+An overview of CWE coverage for Go in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/java-cwe.md

@@ -0,0 +1,8 @@
+# CWE coverage for Java
+
+An overview of CWE coverage for Java in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/javascript-cwe.md

@@ -0,0 +1,8 @@
+# CWE coverage for JavaScript
+
+An overview of CWE coverage for JavaScript in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/python-cwe.md

@@ -0,0 +1,8 @@
+# CWE coverage for Python
+
+An overview of CWE coverage for Python in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->
+

docs/codeql/query-help/readme.md

@@ -2,7 +2,9 @@ CodeQL query help Sphinx documentation
 --------------------------------------
 
 This project supplies the configuration and some boiler plate
-index files for the CodeQL query help documentation.
+index files for the CodeQL query help and CWE coverage documentation.
 
 The query help itself is automatically generated by the 
-"Generate CodeQL query help documentation using Sphinx" workflow.
+"Generate CodeQL query help documentation using Sphinx" workflow.
+
+The CWE coverage tables are generated and appended to pages by the "Docs generate query help" workflow in the `semmle-code` repository.

java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.java

@@ -0,0 +1,103 @@
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.multipart.MultipartFile;
+
+@Controller
+public class UnsafeReflection {
+
+    @RequestMapping(value = {"/service/{beanIdOrClassName}/{methodName}"}, method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"})
+    public Object bad1(@PathVariable("beanIdOrClassName") String beanIdOrClassName, @PathVariable("methodName") String methodName, @RequestBody Map<String, Object> body) throws Exception {
+        List<Object> rawData = null;
+        try {
+            rawData = (List<Object>)body.get("methodInput");
+        } catch (Exception e) {
+            return e;
+        }
+        return invokeService(beanIdOrClassName, methodName, null, rawData);
+    }
+
+    @GetMapping(value = "uf1")
+    public void good1(HttpServletRequest request) throws Exception {
+        HashSet<String> hashSet = new HashSet<>();
+        hashSet.add("com.example.test1");
+        hashSet.add("com.example.test2");
+        String className = request.getParameter("className");
+        String parameterValue = request.getParameter("parameterValue");
+        if (!hashSet.contains(className)){ 
+            throw new Exception("Class not valid: "  + className);
+        }
+        try {
+            Class clazz = Class.forName(className);
+            Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); //good
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    @GetMapping(value = "uf2")
+    public void good2(HttpServletRequest request) throws Exception {
+        String className = request.getParameter("className");
+        String parameterValue = request.getParameter("parameterValue");
+        if (!"com.example.test1".equals(className)){
+            throw new Exception("Class not valid: "  + className);
+        }
+        try {
+            Class clazz = Class.forName(className);
+            Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); //good
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    private Object invokeService(String beanIdOrClassName, String methodName, MultipartFile[] files, List<Object> data) throws Exception {
+        BeanFactory beanFactory = new BeanFactory();
+		try {
+			Object bean = null;
+			Class<?> beanClass = Class.forName(beanIdOrClassName);
+			bean = beanFactory.getBean(beanClass);
+			byte b;
+			int i;
+			Method[] arrayOfMethod;
+			for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {
+				Method method = arrayOfMethod[b];
+				if (!method.getName().equals(methodName)) {
+					b++;
+					continue;
+				}
+				Object result = method.invoke(bean, data);
+				Map<String, Object> map = new HashMap<>();
+				return map;
+			}
+		} catch (Exception e) {
+			return e;
+		}
+		return null;
+    }
+}
+
+class BeanFactory {
+
+	private static HashMap<String, Object> classNameMap = new HashMap<>();
+
+	private static HashMap<Class<?>, Object> classMap = new HashMap<>();
+
+	static {
+		classNameMap.put("xxxx", Runtime.getRuntime());
+		classMap.put(Runtime.class, Runtime.getRuntime());
+	}
+
+	public Object getBean(Class<?> clzz) {
+		return classMap.get(clzz);
+	}
+}