github · rvermeulen · Jul 8, 2020 · Jul 8, 2020 · Jul 8, 2020 · Jul 8, 2020
diff --git a/java/ql/src/Security/CWE/CWE-022/PathsCommon.qll b/java/ql/src/Security/CWE/CWE-022/PathsCommon.qll
@@ -1,9 +1,6 @@
 import java
 import semmle.code.java.controlflow.Guards
-
-abstract class PathCreation extends Expr {
-  abstract Expr getInput();
-}
+import semmle.code.java.security.PathCreation
 
 class PathsGet extends PathCreation, MethodAccess {
   PathsGet() {

diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjection
 import DataFlow::PathGraph
 
 from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink

diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -12,7 +12,7 @@
 
 import semmle.code.java.Expr
 import semmle.code.java.dataflow.FlowSources
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjection
 import DataFlow::PathGraph
 
 class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.security.SqlUnescapedLib
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjection
 
 class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
   UncontrolledStringBuilderSource() {

diff --git a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import LdapInjectionLib
+import semmle.code.java.security.LdapInjection
 import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, LdapInjectionFlowConfig conf

diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -11,7 +11,7 @@
  */
 
 import java
-import ResponseSplitting
+import semmle.code.java.security.ResponseSplitting
 import DataFlow::PathGraph
 
 class ResponseSplittingConfig extends TaintTracking::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import ResponseSplitting
+import semmle.code.java.security.ResponseSplitting
 import DataFlow::PathGraph
 
 class ResponseSplittingLocalConfig extends TaintTracking::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll b/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll
@@ -102,70 +102,3 @@ class CheckableArrayAccess extends ArrayAccess {
     not lowerBound(sizeExpr) > 0
   }
 }
-
-/**
- * A source of "flow" which has an upper or lower bound.
- */
-abstract class BoundedFlowSource extends DataFlow::Node {
-  /**
-   * Return a lower bound for the input, if possible.
-   */
-  abstract int lowerBound();
-
-  /**
-   * Return an upper bound for the input, if possible.
-   */
-  abstract int upperBound();
-
-  /**
-   * Return a description for this flow source, suitable for putting in an alert message.
-   */
-  abstract string getDescription();
-}
-
-/**
- * Input that is constructed using a `Random` value.
- */
-class RandomValueFlowSource extends BoundedFlowSource {
-  RandomValueFlowSource() {
-    exists(RefType random, MethodAccess nextAccess |
-      random.hasQualifiedName("java.util", "Random")
-    |
-      nextAccess.getCallee().getDeclaringType().getAnAncestor() = random and
-      nextAccess.getCallee().getName().matches("next%") and
-      nextAccess = this.asExpr()
-    )
-  }
-
-  override int lowerBound() {
-    // If this call is to `nextInt()`, the lower bound is zero.
-    this.asExpr().(MethodAccess).getCallee().hasName("nextInt") and
-    this.asExpr().(MethodAccess).getNumArgument() = 1 and
-    result = 0
-  }
-
-  override int upperBound() {
-    // If this call specified an argument to `nextInt()`, and that argument is a compile time constant,
-    // it forms the upper bound.
-    this.asExpr().(MethodAccess).getCallee().hasName("nextInt") and
-    this.asExpr().(MethodAccess).getNumArgument() = 1 and
-    result = this.asExpr().(MethodAccess).getArgument(0).(CompileTimeConstantExpr).getIntValue()
-  }
-
-  override string getDescription() { result = "Random value" }
-}
-
-/**
- * A compile time constant expression that evaluates to a numeric type.
- */
-class NumericLiteralFlowSource extends BoundedFlowSource {
-  NumericLiteralFlowSource() { exists(this.asExpr().(CompileTimeConstantExpr).getIntValue()) }
-
-  override int lowerBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() }
-
-  override int upperBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() }
-
-  override string getDescription() {
-    result = "Literal value " + this.asExpr().(CompileTimeConstantExpr).getIntValue()
-  }
-}
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
@@ -12,6 +12,7 @@
 
 import java
 import ArraySizing
+import semmle.code.java.security.BoundedFlow
 import DataFlow::PathGraph
 
 class BoundedFlowSourceConf extends DataFlow::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
@@ -13,6 +13,7 @@
 import java
 import ArraySizing
 import BoundingChecks
+import semmle.code.java.security.BoundedFlow
 import DataFlow::PathGraph
 
 class BoundedFlowSourceConf extends DataFlow::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
@@ -11,7 +11,7 @@
  */
 
 import java
-import SensitiveStorage
+import semmle.code.java.security.SensitiveStorage
 
 from SensitiveSource data, ClassStore s, Expr input, Expr store
 where

diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
@@ -10,7 +10,7 @@
  */
 
 import java
-import SensitiveStorage
+import semmle.code.java.security.SensitiveStorage
 
 from SensitiveSource data, Cookie s, Expr input, Expr store
 where

diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
@@ -10,7 +10,7 @@
  */
 
 import java
-import SensitiveStorage
+import semmle.code.java.security.SensitiveStorage
 
 from SensitiveSource data, Properties s, Expr input, Expr store
 where

diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import UrlRedirect
+import semmle.code.java.security.UrlRedirect
 import DataFlow::PathGraph
 
 class UrlRedirectConfig extends TaintTracking::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import UrlRedirect
+import semmle.code.java.security.UrlRedirect
 import DataFlow::PathGraph
 
 class UrlRedirectLocalConfig extends TaintTracking::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -11,7 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 import DataFlow::PathGraph
 
 class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
@@ -10,7 +10,7 @@
  */
 
 import java
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 
 class EqualsAccess extends MethodAccess {
   EqualsAccess() { getMethod() instanceof EqualsMethod }

diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -12,7 +12,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 import DataFlow::PathGraph
 
 class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {

diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
@@ -10,7 +10,7 @@
  */
 
 import java
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 
 from PasswordVariable f, CompileTimeConstantExpr e
 where

diff --git a/java/ql/src/semmle/code/java/security/BoundedFlow.qll b/java/ql/src/semmle/code/java/security/BoundedFlow.qll
@@ -0,0 +1,69 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A source of "flow" which has an upper or lower bound.
+ */
+abstract class BoundedFlowSource extends DataFlow::Node {
+  /**
+   * Return a lower bound for the input, if possible.
+   */
+  abstract int lowerBound();
+
+  /**
+   * Return an upper bound for the input, if possible.
+   */
+  abstract int upperBound();
+
+  /**
+   * Return a description for this flow source, suitable for putting in an alert message.
+   */
+  abstract string getDescription();
+}
+
+/**
+ * Input that is constructed using a `Random` value.
+ */
+class RandomValueFlowSource extends BoundedFlowSource {
+  RandomValueFlowSource() {
+    exists(RefType random, MethodAccess nextAccess |
+      random.hasQualifiedName("java.util", "Random")
+    |
+      nextAccess.getCallee().getDeclaringType().getAnAncestor() = random and
+      nextAccess.getCallee().getName().matches("next%") and
+      nextAccess = this.asExpr()
+    )
+  }
+
+  override int lowerBound() {
+    // If this call is to `nextInt()`, the lower bound is zero.
+    this.asExpr().(MethodAccess).getCallee().hasName("nextInt") and
+    this.asExpr().(MethodAccess).getNumArgument() = 1 and
+    result = 0
+  }
+
+  override int upperBound() {
+    // If this call specified an argument to `nextInt()`, and that argument is a compile time constant,
+    // it forms the upper bound.
+    this.asExpr().(MethodAccess).getCallee().hasName("nextInt") and
+    this.asExpr().(MethodAccess).getNumArgument() = 1 and
+    result = this.asExpr().(MethodAccess).getArgument(0).(CompileTimeConstantExpr).getIntValue()
+  }
+
+  override string getDescription() { result = "Random value" }
+}
+
+/**
+ * A compile time constant expression that evaluates to a numeric type.
+ */
+class NumericLiteralFlowSource extends BoundedFlowSource {
+  NumericLiteralFlowSource() { exists(this.asExpr().(CompileTimeConstantExpr).getIntValue()) }
+
+  override int lowerBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() }
+
+  override int upperBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() }
+
+  override string getDescription() {
+    result = "Literal value " + this.asExpr().(CompileTimeConstantExpr).getIntValue()
+  }
+}
diff --git a/...rity/CWE/CWE-798/HardcodedCredentials.qll → ...de/java/security/HardcodedCredentials.qll b/...rity/CWE/CWE-798/HardcodedCredentials.qll → ...de/java/security/HardcodedCredentials.qll
diff --git a/...Security/CWE/CWE-090/LdapInjectionLib.qll → ...mmle/code/java/security/LdapInjection.qll b/...Security/CWE/CWE-090/LdapInjectionLib.qll → ...mmle/code/java/security/LdapInjection.qll
diff --git a/java/ql/src/semmle/code/java/security/PathCreation.qll b/java/ql/src/semmle/code/java/security/PathCreation.qll
@@ -0,0 +1,5 @@
+import java
+
+abstract class PathCreation extends Expr {
+  abstract Expr getInput();
+}
diff --git a/...ecurity/CWE/CWE-113/ResponseSplitting.qll → .../code/java/security/ResponseSplitting.qll b/...ecurity/CWE/CWE-113/ResponseSplitting.qll → .../code/java/security/ResponseSplitting.qll
diff --git a/...src/Security/CWE/CWE-798/SensitiveApi.qll → ...emmle/code/java/security/SensitiveApi.qll b/...src/Security/CWE/CWE-798/SensitiveApi.qll → ...emmle/code/java/security/SensitiveApi.qll
diff --git a/...Security/CWE/CWE-312/SensitiveStorage.qll → ...e/code/java/security/SensitiveStorage.qll b/...Security/CWE/CWE-312/SensitiveStorage.qll → ...e/code/java/security/SensitiveStorage.qll
diff --git a/.../Security/CWE/CWE-089/SqlInjectionLib.qll → ...emmle/code/java/security/SqlInjection.qll b/.../Security/CWE/CWE-089/SqlInjectionLib.qll → ...emmle/code/java/security/SqlInjection.qll
diff --git a/.../src/Security/CWE/CWE-601/UrlRedirect.qll → ...semmle/code/java/security/UrlRedirect.qll b/.../src/Security/CWE/CWE-601/UrlRedirect.qll → ...semmle/code/java/security/UrlRedirect.qll