New rules, first implemented in CodeQL (#483)
This change introduces new remediation logic for weak crypto algorithms and log injection — two vulnerability classes that are unexciting for different reasons, but which should be present for completeness.
nahsra authored Dec 9, 2024
1 parent f69332a commit 56aba73
Showing 23 changed files with 307,611 additions and 2 deletions.
Expand Up @@ -34,8 +34,10 @@ public static List<Class<? extends CodeChanger>> asList() {
CodeQLJDBCResourceLeakCodemod.class,
CodeQLJEXLInjectionCodemod.class,
CodeQLJNDIInjectionCodemod.class,
CodeQLLogInjectionCodemod.class,
CodeQLMavenSecureURLCodemod.class,
CodeQLOutputResourceLeakCodemod.class,
CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
CodeQLPredictableSeedCodemod.class,
CodeQLRegexInjectionCodemod.class,
CodeQLSQLInjectionCodemod.class,
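--- /dev/null
+++ b/<path-not-shown-on-page>/CodeQLLogInjectionCodemod.java
@@ -0,0 +1,54 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.loginjection.LogInjectionRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing Log Injection from CodeQL. */
+@Codemod(
+id = "codeql:java/log-injection",
+reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
+importance = Importance.HIGH,
+executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLLogInjectionCodemod extends CodeQLRemediationCodemod {
+
+private final Remediator<Result> remediator;
+
+@Inject
+public CodeQLLogInjectionCodemod(
+@ProvidedCodeQLScan(ruleId = "java/log-injection") final RuleSarif sarif) {
+super(GenericRemediationMetadata.LOG_INJECTION.reporter(), sarif);
+this.remediator = new LogInjectionRemediator<>();
+}
+
+@Override
+public DetectorRule detectorRule() {
+return new DetectorRule(
+"log-injection",
+"Log Injection",
+"https://codeql.github.com/codeql-query-help/java/java-log-injection/");
+}
+
+@Override
+public CodemodFileScanningResult visit(
+final CodemodInvocationContext context, final CompilationUnit cu) {
+return remediator.remediateAll(
+cu,
+context.path().toString(),
+detectorRule(),
+ruleSarif.getResultsByLocationPath(context.path()),
+SarifFindingKeyUtil::buildFindingId,
+r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+r ->
+Optional.ofNullable(
+r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+r -> Optional.empty());
+}
+}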
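Review bot: Both line-number lambdas in `visit` index `r.getLocations().get(0)` without checking that the SARIF result carries a location, so a result with an empty `locations` array would throw IndexOutOfBoundsException and abort remediation of the whole file instead of skipping that one finding. If `getResultsByLocationPath` is guaranteed to return only results that have a physical location, a comment on the lambdas stating that guarantee would make the assumption visible; otherwise the end-line lambda needs a guard like `r.getLocations().isEmpty() ? Optional.empty() : Optional.ofNullable(...)` and the start-line lambda a matching check. The same pattern appears in `CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.visit` in this commit. Separately, this codemod is `MERGE_WITHOUT_REVIEW` while the sibling crypto codemod is `MERGE_AFTER_REVIEW`; a one-line comment on the annotation explaining why the log-injection rewrite is safe to land unreviewed (presumably the remediator only sanitizes or wraps the logged expression without changing control flow — worth confirming) would help maintainers.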
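--- /dev/null
+++ b/<path-not-shown-on-page>/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.java
@@ -0,0 +1,55 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakcrypto.WeakCryptoAlgorithmRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for automatically fixing weak crypto algorithms. */
+@Codemod(
+id = "codeql:java/potentially-weak-cryptographic-algorithm",
+reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
+importance = Importance.HIGH,
+executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod extends CodeQLRemediationCodemod {
+
+private final Remediator<Result> remediator;
+
+@Inject
+public CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod(
+@ProvidedCodeQLScan(ruleId = "java/potentially-weak-cryptographic-algorithm")
+final RuleSarif sarif) {
+super(GenericRemediationMetadata.WEAK_CRYPTO_ALGORITHM.reporter(), sarif);
+this.remediator = new WeakCryptoAlgorithmRemediator<>();
+}
+
+@Override
+public DetectorRule detectorRule() {
+return new DetectorRule(
+"potentially-weak-cryptographic-algorithm",
+"Use of a potentially broken or risky cryptographic algorithm",
+"https://codeql.github.com/codeql-query-help/java/java-potentially-weak-cryptographic-algorithm/");
+}
+
+@Override
+public CodemodFileScanningResult visit(
+final CodemodInvocationContext context, final CompilationUnit cu) {
+return remediator.remediateAll(
+cu,
+context.path().toString(),
+detectorRule(),
+ruleSarif.getResultsByLocationPath(context.path()),
+SarifFindingKeyUtil::buildFindingId,
+r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+r ->
+Optional.ofNullable(
+r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+r -> Optional.empty());
+}
+}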
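Review bot: The class name `CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod` does not match the rule it wraps — the `@Codemod` id is `codeql:java/potentially-weak-cryptographic-algorithm`, the `DetectorRule` id is `potentially-weak-cryptographic-algorithm`, and the remediator is `WeakCryptoAlgorithmRemediator`; renaming the class (and its test class) to `CodeQLPotentiallyWeakCryptoAlgorithmCodemod` would keep it consistent with the other `CodeQL*Codemod` classes that mirror their rule id. The `@Codemod` annotation uses `MERGE_AFTER_REVIEW` where the sibling log-injection codemod uses `MERGE_WITHOUT_REVIEW`, and nothing on the class records why; a comment such as `// replacing a weak algorithm changes the digests/ciphertext produced, so code that compares against stored values needs a human check` would capture the rationale. The class Javadoc could also mention "from CodeQL", as the log-injection codemod's does.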
Expand Up @@ -6,5 +6,6 @@
@Metadata(
codemodType = CodeQLJEXLInjectionCodemod.class,
testResourceDir = "jexl-expression-injection",
doRetransformTest = false,
dependencies = {})
final class CodeQLJEXLInjectionCodemodTest implements CodemodTestMixin {}
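--- /dev/null
+++ b/<path-not-shown-on-page>/CodeQLLogInjectionCodemodTest.java
@@ -0,0 +1,14 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+codemodType = CodeQLLogInjectionCodemod.class,
+testResourceDir = "codeql-log-injection",
+renameTestFile =
+"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Templates.java",
+doRetransformTest = false,
+expectingFixesAtLines = {124},
+dependencies = {})
+final class CodeQLLogInjectionCodemodTest implements CodemodTestMixin {}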
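--- /dev/null
+++ b/<path-not-shown-on-page>/CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest.java
@@ -0,0 +1,13 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+codemodType = CodeQLPotentiallyUnsafeCryptoAlgorithmCodemod.class,
+testResourceDir = "codeql-potentially-unsafe-crypto-algorithm",
+renameTestFile = "app/src/main/java/org/apache/roller/weblogger/util/WSSEUtilities.java",
+expectingFixesAtLines = {38},
+doRetransformTest = false,
+dependencies = {})
+final class CodeQLPotentiallyUnsafeCryptoAlgorithmCodemodTest implements CodemodTestMixin {}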