Java: Add failing test for Scoped Values

2025-12-17 01:03:14 +01:00 · 2025-09-01 17:40:00 +02:00
parent b4e6d3009e
commit 0159f5b422
4 changed files with 64 additions and 0 deletions
--- a/java/ql/test/library-tests/dataflow/scoped-values/ScopedValueFlowTest.java
+++ b/java/ql/test/library-tests/dataflow/scoped-values/ScopedValueFlowTest.java
@@ -0,0 +1,39 @@
+public class ScopedValueFlowTest {
+    private static final ScopedValue<String> USER_CONTEXT = ScopedValue.newInstance();
+    private static final ScopedValue<String> SESSION_ID = ScopedValue.newInstance();
+
+    public static void main(String[] args) {
+        String userInput = args[0]; // source
+
+        // Test 1: Basic scoped value binding and retrieval
+        ScopedValue.where(USER_CONTEXT, userInput)
+            .run(() -> {
+                String value = USER_CONTEXT.get();
+                sink(value); // should flag: tainted data reaches sink
+            });
+
+        // Test 2: Multiple scoped value bindings with chaining
+        ScopedValue.where(USER_CONTEXT, userInput)
+            .where(SESSION_ID, "safe-one")
+            .run(() -> {
+                String user = USER_CONTEXT.get();
+                String session = SESSION_ID.get();
+                sink(user); // should flag: tainted data reaches sink
+                sink(session); // should NOT flag
+            });
+
+        ScopedValue.where(USER_CONTEXT, userInput)
+            .run(() -> {
+                String outer = USER_CONTEXT.get();
+                ScopedValue.where(USER_CONTEXT, "safe-two")
+                    .run(() -> {
+                        String inner = USER_CONTEXT.get();
+                        sink(inner); // False Positive: currently flags (model limitation
+                    });
+                sink(outer); // should flag: tainted data reaches sink
+            });
+    }
+
+    public static void sink(String s) {
+    }
+}
--- a/java/ql/test/library-tests/dataflow/scoped-values/options
+++ b/java/ql/test/library-tests/dataflow/scoped-values/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -source 25 -target 25 --enable-preview
--- a/java/ql/test/library-tests/dataflow/scoped-values/test.expected
+++ b/java/ql/test/library-tests/dataflow/scoped-values/test.expected
--- a/java/ql/test/library-tests/dataflow/scoped-values/test.ql
+++ b/java/ql/test/library-tests/dataflow/scoped-values/test.ql
@@ -0,0 +1,24 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) {
+    exists(ArrayAccess aa |
+      aa.getArray().(VarAccess).getVariable().hasName("args") and
+      n.asExpr() = aa
+    )
+  }
+
+  predicate isSink(DataFlow::Node n) {
+    exists(MethodCall ma |
+      ma.getMethod().hasName("sink") and
+      n.asExpr() = ma.getAnArgument()
+    )
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+from DataFlow::Node src, DataFlow::Node sink
+where Flow::flow(src, sink)
+select src, sink
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -source 25 -target 25 --enable-preview`