package io.joern.scanners.c;

import io.joern.console.CodeExamples;
import io.joern.console.Query;
import io.joern.console.Query$;
import io.joern.console.QueryBundle;
import io.joern.console.TraversalWithStrRep;
import io.joern.scanners.Crew$;
import io.joern.scanners.QueryTags$;
import io.shiftleft.codepropertygraph.generated.traversal.CallTraversalExtGen$;
import io.shiftleft.semanticcpg.language.ICallResolver;
import io.shiftleft.semanticcpg.language.NoResolve$;
import io.shiftleft.semanticcpg.language.callgraphextension.MethodTraversal$;
import io.shiftleft.semanticcpg.language.package$;
import io.shiftleft.semanticcpg.language.types.expressions.generalizations.AstNodeTraversal$;
import io.shiftleft.semanticcpg.language.types.expressions.generalizations.CfgNodeTraversal$;
import scala.Predef$;
import scala.collection.StringOps$;
import scala.collection.immutable.List;
import scala.runtime.ScalaRunTime$;

/* compiled from: CredentialDrop.scala */
/* loaded from: input_file:io/joern/scanners/c/CredentialDrop$.class */
/**
 * Query bundle with two checks for incomplete privilege dropping in C code
 * (decompiled singleton of the Scala object {@code CredentialDrop}).
 *
 * <ul>
 *   <li>{@link #userCredDrop()} reports {@code set*uid} call sites that are not
 *       dominated by a {@code set*gid} call.</li>
 *   <li>{@link #groupCredDrop()} reports {@code set*gid} call sites that are not
 *       dominated by a {@code setgroups} call.</li>
 * </ul>
 *
 * <p>Both checks match on call names only. They do not look at call arguments and
 * do not verify that the return value of the credential-changing call is checked,
 * so a clean result here is not proof that privileges were dropped correctly.
 */
public final class CredentialDrop$ implements QueryBundle {
    public static final CredentialDrop$ MODULE$ = new CredentialDrop$();
    private static final ICallResolver resolver = NoResolve$.MODULE$;

    private CredentialDrop$() {
    }

    /** Returns the call resolver used by both queries ({@code NoResolve}). */
    public ICallResolver resolver() {
        return resolver;
    }

    /**
     * Builds the "setuid-without-setgid" query.
     *
     * <p>Matches call sites of methods named {@code (?i)set(res|re|e|)uid} and keeps
     * those for which no dominating node is a call named {@code set(res|re|e|)?gid}.
     * A preceding {@code setgroups} alone does not satisfy this query (see the
     * {@code bad3} example); the ancillary-group requirement is covered by
     * {@link #groupCredDrop()}.
     *
     * <p>NOTE(review): the dominator pattern carries no {@code (?i)} flag although the
     * method pattern does; confirm the name step's case handling is as intended.
     */
    public Query userCredDrop() {
        return Query$.MODULE$.make(
            "setuid-without-setgid",
            Crew$.MODULE$.malte(),
            "Process user ID is changed without changing groups first",
            stripMargin(
                "\n"
                    + "        |The set*uid system calls do not affect the groups a process belongs to. However, often\n"
                    + "        |there exists a group that is equivalent to a user (e.g. wheel or shadow groups are often\n"
                    + "        |equivalent to the root user).\n"
                    + "        |Group membership can only be changed by the root user.\n"
                    + "        |Changes to the user should therefore always be preceded by calls to set*gid and setgroups,\n"
                    + "        |"),
            2.0d,
            callsNotDominatedBy(
                "(?i)set(res|re|e|)uid",
                "set(res|re|e|)?gid",
                "cpg =>\n"
                    + "        cpg\n"
                    + "          .method(\"(?i)set(res|re|e|)uid\")\n"
                    + "          .callIn\n"
                    + "          .whereNot(_.dominatedBy.isCall.name(\"set(res|re|e|)?gid\"))"),
            stringList(QueryTags$.MODULE$.setxid(), QueryTags$.MODULE$.m4default()),
            new CodeExamples(
                stringList(
                    stripMargin(
                        "\n"
                            + "          |\n"
                            + "          |void bad1() {\n"
                            + "          |  setresuid();\n"
                            + "          |}\n"
                            + "          |\n"
                            + "          |void bad3() {\n"
                            + "          |  setgroups();\n"
                            + "          |  setresuid();\n"
                            + "          |}\n"
                            + "          |\n"
                            + "          |")),
                stringList(compliantExample())));
    }

    /**
     * Builds the "setgid-without-setgroups" query.
     *
     * <p>Matches call sites of methods named {@code (?i)set(res|re|e|)gid} and keeps
     * those for which no dominating node is a call named {@code setgroups}. Without
     * that call the process can remain a secondary member of the group it is trying
     * to leave.
     */
    public Query groupCredDrop() {
        return Query$.MODULE$.make(
            "setgid-without-setgroups",
            Crew$.MODULE$.malte(),
            "Process group membership is changed without setting ancillary groups first",
            stripMargin(
                "\n"
                    + "        |The set*gid system calls do not affect the ancillary groups a process belongs to.\n"
                    + "        |Changes to the group membership should therefore always be preceded by a call to setgroups.\n"
                    + "        |Otherwise the process may still be a secondary member of the group it tries to disavow.\n"
                    + "        |"),
            2.0d,
            callsNotDominatedBy(
                "(?i)set(res|re|e|)gid",
                "setgroups",
                "cpg =>\n"
                    + "        cpg\n"
                    + "          .method(\"(?i)set(res|re|e|)gid\")\n"
                    + "          .callIn\n"
                    + "          .whereNot(_.dominatedBy.isCall.name(\"setgroups\"))"),
            stringList(QueryTags$.MODULE$.setxid(), QueryTags$.MODULE$.m4default()),
            new CodeExamples(
                stringList(
                    stripMargin(
                        "\n"
                            + "          |\n"
                            + "          |void bad2() {\n"
                            + "          |  setresgid();\n"
                            + "          |  setresuid();\n"
                            + "          |}\n"
                            + "          |\n"
                            + "          |")),
                stringList(compliantExample())));
    }

    /**
     * Shared traversal shape of both queries: call sites of methods matching
     * {@code calleePattern} that have no dominating call matching
     * {@code dominatorPattern}. {@code representation} is the Scala source text
     * stored alongside the traversal.
     */
    private static TraversalWithStrRep callsNotDominatedBy(
            String calleePattern, String dominatorPattern, String representation) {
        return new TraversalWithStrRep(
            graph ->
                MethodTraversal$.MODULE$
                    .callIn$extension(
                        package$.MODULE$.toMethodForCallGraph(
                            package$.MODULE$.toNodeTypeStarters(graph).method(calleePattern),
                            Predef$.MODULE$.$conforms()),
                        MODULE$.resolver())
                    .whereNot(
                        callSite ->
                            CallTraversalExtGen$.MODULE$.name$extension(
                                package$.MODULE$.toCallTraversalExtGen(
                                    AstNodeTraversal$.MODULE$.isCall$extension(
                                        package$.MODULE$.toAstNode(
                                            CfgNodeTraversal$.MODULE$.dominatedBy$extension(
                                                package$.MODULE$.toCfgNode(
                                                    callSite, Predef$.MODULE$.$conforms())),
                                            Predef$.MODULE$.$conforms()))),
                                dominatorPattern)),
            representation);
    }

    /** The negative (non-matching) example shared by both queries, margin-stripped. */
    private static String compliantExample() {
        return stripMargin(
            "\n"
                + "          |\n"
                + "          |void good() {\n"
                + "          |  setgroups();\n"
                + "          |  setresgid();\n"
                + "          |  setresuid();\n"
                + "          |}\n"
                + "          |\n"
                + "          |");
    }

    /** Applies Scala's {@code stripMargin} to {@code raw}. */
    private static String stripMargin(String raw) {
        return StringOps$.MODULE$.stripMargin$extension(Predef$.MODULE$.augmentString(raw));
    }

    /** Wraps the given strings in a Scala immutable {@code List}. */
    private static List stringList(String... items) {
        return (List) scala.package$.MODULE$.List().apply(ScalaRunTime$.MODULE$.wrapRefArray(items));
    }
}
