Merge branch 'main' into atorralba/spring-beans
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/Saxon-HE-9.9.1-7
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/Saxon-HE-9.9.1-7
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
|
||||
|
||||
@@ -1 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.2.3
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.3.8
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.3.8/
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.2.3/
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.3.8/
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x
|
||||
|
||||
@@ -24,8 +24,16 @@ class JaxRsTest extends InlineExpectationsTest {
|
||||
resourceMethod.getLocation() = location and
|
||||
element = resourceMethod.toString() and
|
||||
if exists(resourceMethod.getProducesAnnotation())
|
||||
then value = resourceMethod.getProducesAnnotation().getADeclaredContentType()
|
||||
else value = ""
|
||||
then
|
||||
value = resourceMethod.getProducesAnnotation().getADeclaredContentType() and
|
||||
value != ""
|
||||
else
|
||||
// Filter out empty strings that stem from using stubs.
|
||||
// If we built the test against the real JAR then the field
|
||||
// access against e.g. MediaType.APPLICATION_JSON wouldn't
|
||||
// be a CompileTimeConstantExpr at all, whereas in the stubs
|
||||
// it is and is defined empty.
|
||||
value = ""
|
||||
)
|
||||
or
|
||||
tag = "RootResourceClass" and
|
||||
@@ -135,7 +143,13 @@ class JaxRsTest extends InlineExpectationsTest {
|
||||
exists(JaxRSProducesAnnotation producesAnnotation |
|
||||
producesAnnotation.getLocation() = location and
|
||||
element = producesAnnotation.toString() and
|
||||
value = producesAnnotation.getADeclaredContentType()
|
||||
value = producesAnnotation.getADeclaredContentType() and
|
||||
value != ""
|
||||
// Filter out empty strings that stem from using stubs.
|
||||
// If we built the test against the real JAR then the field
|
||||
// access against e.g. MediaType.APPLICATION_JSON wouldn't
|
||||
// be a CompileTimeConstantExpr at all, whereas in the stubs
|
||||
// it is and is defined empty.
|
||||
)
|
||||
or
|
||||
tag = "ConsumesAnnotation" and
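Review bot: In the second hunk the five-line explanatory comment (`// Filter out empty strings that stem from using stubs.` …) is placed after the `value != ""` conjunct it justifies, dangling between that line and the closing `)`, so a reader meets the filter before its reason; move the comment block above `value = producesAnnotation.getADeclaredContentType() and`. The same comment in the first hunk sits inside the `else` branch that assigns `value = ""`, i.e. next to the unannotated-method case rather than the `value != ""` check it describes, and should likewise move above the `then` branch's conjuncts. Note also that the filter drops a genuine `@Produces("")` declaration as well as the stub artefacts it targets; if that distinction matters the test could tag such results explicitly instead of hiding them. The enclosing `hasActualResult` predicate starts and ends outside both hunks.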
|
||||
|
||||
1438
java/ql/test/library-tests/frameworks/spring/util/Test.java
Normal file
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8
|
||||
52
java/ql/test/library-tests/frameworks/spring/util/test.ql
Normal file
@@ -0,0 +1,52 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class ValueFlowConf extends DataFlow::Configuration {
|
||||
ValueFlowConf() { this = "qltest:valueFlowConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||
}
|
||||
}
|
||||
|
||||
class TaintFlowConf extends TaintTracking::Configuration {
|
||||
TaintFlowConf() { this = "qltest:taintFlowConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||
}
|
||||
}
|
||||
|
||||
class HasFlowTest extends InlineExpectationsTest {
|
||||
HasFlowTest() { this = "HasFlowTest" }
|
||||
|
||||
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasValueFlow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
or
|
||||
tag = "hasTaintFlow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
|
||||
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
||||
|
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
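Review bot: `ValueFlowConf` and `TaintFlowConf` duplicate their `isSource` and `isSink` bodies verbatim, so any later change to how `source()`/`sink()` are recognised has to be made twice; hoist them into shared predicates, e.g. `predicate isTestSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }` and `predicate isTestSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }`, and have all four overrides delegate to them. Both matchers also key on the bare method name, so a `source` or `sink` method anywhere in the Spring stubs on the test classpath would be picked up too; qualifying on the declaring type would guard against that, though I cannot see the accompanying Test.java to judge whether it is a real risk. Neither configuration carries QLDoc; a one-liner such as `/** Value flow from a call to `source()` to an argument of `sink()`. */` on each would suffice.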
|
||||
@@ -0,0 +1,247 @@
|
||||
import javax.ws.rs.GET;
|
||||
import javax.ws.rs.POST;
|
||||
import javax.ws.rs.Path;
|
||||
import javax.ws.rs.Produces;
|
||||
import javax.ws.rs.core.MediaType;
|
||||
import javax.ws.rs.core.Response;
|
||||
import javax.ws.rs.core.Variant;
|
||||
|
||||
import java.util.Locale;
|
||||
|
||||
@Path("")
|
||||
public class JaxXSS {
|
||||
|
||||
@GET
|
||||
public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) {
|
||||
|
||||
Response.ResponseBuilder builder = Response.ok();
|
||||
|
||||
if(!safeContentType) {
|
||||
if(chainDirectly) {
|
||||
if(contentTypeFirst)
|
||||
return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
|
||||
else
|
||||
return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $xss
|
||||
}
|
||||
else {
|
||||
if(contentTypeFirst) {
|
||||
Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
|
||||
return builder2.entity(userControlled).build(); // $xss
|
||||
}
|
||||
else {
|
||||
Response.ResponseBuilder builder2 = builder.entity(userControlled);
|
||||
return builder2.type(MediaType.TEXT_HTML).build(); // $xss
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if(chainDirectly) {
|
||||
if(contentTypeFirst)
|
||||
return builder.type(MediaType.APPLICATION_JSON).entity(userControlled).build(); // $SPURIOUS: xss
|
||||
else
|
||||
return builder.entity(userControlled).type(MediaType.APPLICATION_JSON).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else {
|
||||
if(contentTypeFirst) {
|
||||
Response.ResponseBuilder builder2 = builder.type(MediaType.APPLICATION_JSON);
|
||||
return builder2.entity(userControlled).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else {
|
||||
Response.ResponseBuilder builder2 = builder.entity(userControlled);
|
||||
return builder2.type(MediaType.APPLICATION_JSON).build(); // $SPURIOUS: xss
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@GET
|
||||
public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) {
|
||||
|
||||
// Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above:
|
||||
|
||||
if(safeContentType) {
|
||||
if(route == 0) {
|
||||
// via ok, as a string literal:
|
||||
return Response.ok(userControlled, "application/json").build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 1) {
|
||||
// via ok, as a string constant:
|
||||
return Response.ok(userControlled, MediaType.APPLICATION_JSON).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 2) {
|
||||
// via ok, as a MediaType constant:
|
||||
return Response.ok(userControlled, MediaType.APPLICATION_JSON_TYPE).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 3) {
|
||||
// via ok, as a Variant, via constructor:
|
||||
return Response.ok(userControlled, new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 4) {
|
||||
// via ok, as a Variant, via static method:
|
||||
return Response.ok(userControlled, Variant.mediaTypes(MediaType.APPLICATION_JSON_TYPE).build().get(0)).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 5) {
|
||||
// via ok, as a Variant, via instance method:
|
||||
return Response.ok(userControlled, Variant.languages(Locale.UK).mediaTypes(MediaType.APPLICATION_JSON_TYPE).build().get(0)).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 6) {
|
||||
// via builder variant, before entity:
|
||||
return Response.ok().variant(new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).entity(userControlled).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 7) {
|
||||
// via builder variant, after entity:
|
||||
return Response.ok().entity(userControlled).variant(new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).build(); // $SPURIOUS: xss
|
||||
}
|
||||
else if(route == 8) {
|
||||
// provide entity via ok, then content-type via builder:
|
||||
return Response.ok(userControlled).type(MediaType.APPLICATION_JSON_TYPE).build(); // $SPURIOUS: xss
|
||||
}
|
||||
}
|
||||
else {
|
||||
if(route == 0) {
|
||||
// via ok, as a string literal:
|
||||
return Response.ok("text/html").entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 1) {
|
||||
// via ok, as a string constant:
|
||||
return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 2) {
|
||||
// via ok, as a MediaType constant:
|
||||
return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 3) {
|
||||
// via ok, as a Variant, via constructor:
|
||||
return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 4) {
|
||||
// via ok, as a Variant, via static method:
|
||||
return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 5) {
|
||||
// via ok, as a Variant, via instance method:
|
||||
return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 6) {
|
||||
// via builder variant, before entity:
|
||||
return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $xss
|
||||
}
|
||||
else if(route == 7) {
|
||||
// via builder variant, after entity:
|
||||
return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $xss
|
||||
}
|
||||
else if(route == 8) {
|
||||
// provide entity via ok, then content-type via builder:
|
||||
return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $xss
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
|
||||
}
|
||||
|
||||
@GET @Produces(MediaType.APPLICATION_JSON)
|
||||
public static Response methodContentTypeSafe(String userControlled) {
|
||||
return Response.ok(userControlled).build();
|
||||
}
|
||||
|
||||
@POST @Produces(MediaType.APPLICATION_JSON)
|
||||
public static Response methodContentTypeSafePost(String userControlled) {
|
||||
return Response.ok(userControlled).build();
|
||||
}
|
||||
|
||||
@GET @Produces("application/json")
|
||||
public static Response methodContentTypeSafeStringLiteral(String userControlled) {
|
||||
return Response.ok(userControlled).build();
|
||||
}
|
||||
|
||||
@GET @Produces(MediaType.TEXT_HTML)
|
||||
public static Response methodContentTypeUnsafe(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@POST @Produces(MediaType.TEXT_HTML)
|
||||
public static Response methodContentTypeUnsafePost(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET @Produces("text/html")
|
||||
public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
|
||||
public static Response methodContentTypeMaybeSafe(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET @Produces(MediaType.APPLICATION_JSON)
|
||||
public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
|
||||
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET @Produces(MediaType.TEXT_HTML)
|
||||
public static Response methodContentTypeUnsafeOverriddenWithSafe(String userControlled) {
|
||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(userControlled).build();
|
||||
}
|
||||
|
||||
@Path("/abc")
|
||||
@Produces({"application/json"})
|
||||
public static class ClassContentTypeSafe {
|
||||
@GET
|
||||
public Response test(String userControlled) {
|
||||
return Response.ok(userControlled).build();
|
||||
}
|
||||
|
||||
@GET
|
||||
public String testDirectReturn(String userControlled) {
|
||||
return userControlled;
|
||||
}
|
||||
|
||||
@GET @Produces({"text/html"})
|
||||
public Response overridesWithUnsafe(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET
|
||||
public Response overridesWithUnsafe2(String userControlled) {
|
||||
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
}
|
||||
|
||||
@Path("/abc")
|
||||
@Produces({"text/html"})
|
||||
public static class ClassContentTypeUnsafe {
|
||||
@GET
|
||||
public Response test(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET
|
||||
public String testDirectReturn(String userControlled) {
|
||||
return userControlled; // $MISSING: xss
|
||||
}
|
||||
|
||||
@GET @Produces({"application/json"})
|
||||
public Response overridesWithSafe(String userControlled) {
|
||||
return Response.ok(userControlled).build();
|
||||
}
|
||||
|
||||
@GET
|
||||
public Response overridesWithSafe2(String userControlled) {
|
||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(userControlled).build();
|
||||
}
|
||||
}
|
||||
|
||||
@GET
|
||||
public static Response entityWithNoMediaType(String userControlled) {
|
||||
return Response.ok(userControlled).build(); // $xss
|
||||
}
|
||||
|
||||
@GET
|
||||
public static String stringWithNoMediaType(String userControlled) {
|
||||
return userControlled; // $xss
|
||||
}
|
||||
|
||||
}
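Review bot: The unsafe-branch routes 4 and 5 (`Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build())` and the `Variant.languages(Locale.UK)…` form) pass the `List<Variant>` returned by `build()` straight to `Response.ok`, whereas their safe-branch counterparts call `.build().get(0)`; assuming the stub follows the JAX-RS API, this resolves to `ok(Object entity)`, the list becomes an entity that the following `.entity(userControlled)` replaces, and no content type is ever set, so the `$xss` expected on those lines exercises the no-media-type case rather than the Variant-via-static/instance-method case the comments claim. Change both to `Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build().get(0))` and `Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build().get(0))`. Separately, the `$SPURIOUS` markers on the `MediaType.APPLICATION_JSON` / `APPLICATION_JSON_TYPE` routes and the `$MISSING` ones on `@Produces(MediaType.TEXT_HTML)` may be partly stub artefacts rather than query gaps, since this commit's JaxRsTest change records that the stubbed constants are defined empty; a short class-level comment naming which expectations depend on the stubs would stop them being read as baseline query behaviour.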
|
||||
@@ -1,15 +0,0 @@
|
||||
edges
|
||||
| XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... |
|
||||
| XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... |
|
||||
| XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) |
|
||||
nodes
|
||||
| XSS.java:23:5:23:70 | ... + ... | semmle.label | ... + ... |
|
||||
| XSS.java:23:21:23:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| XSS.java:38:30:38:87 | ... + ... | semmle.label | ... + ... |
|
||||
| XSS.java:38:67:38:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
|
||||
| XSS.java:41:36:41:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
|
||||
| XSS.java:41:36:41:67 | getBytes(...) | semmle.label | getBytes(...) |
|
||||
#select
|
||||
| XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value |
|
||||
| XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value |
|
||||
| XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value |
|
||||
|
||||
@@ -20,7 +20,7 @@ public class XSS extends HttpServlet {
|
||||
throws ServletException, IOException {
|
||||
// BAD: a request parameter is written directly to the Servlet response stream
|
||||
response.getWriter().print(
|
||||
"The page \"" + request.getParameter("page") + "\" was not found.");
|
||||
"The page \"" + request.getParameter("page") + "\" was not found."); // $xss
|
||||
|
||||
// GOOD: servlet API encodes the error message HTML for the HTML context
|
||||
response.sendError(HttpServletResponse.SC_NOT_FOUND,
|
||||
@@ -35,10 +35,10 @@ public class XSS extends HttpServlet {
|
||||
"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
|
||||
|
||||
// BAD: outputting the path of the resource
|
||||
response.getWriter().print("The path section of the URL was " + request.getPathInfo());
|
||||
response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $xss
|
||||
|
||||
// BAD: typical XSS, this time written to an OutputStream instead of a Writer
|
||||
response.getOutputStream().write(request.getPathInfo().getBytes());
|
||||
response.getOutputStream().write(request.getPathInfo().getBytes()); // $xss
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.XSS
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class XSSConfig extends TaintTracking::Configuration {
|
||||
XSSConfig() { this = "XSSConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(XssAdditionalTaintStep s).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
class XssTest extends InlineExpectationsTest {
|
||||
XssTest() { this = "XssTest" }
|
||||
|
||||
override string getARelevantTag() { result = ["xss"] }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "xss" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, XSSConfig conf | conf.hasFlow(src, sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
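Review bot: `XSSConfig` here is a hand copy of the production query's configuration, and this commit also removes the `Security/CWE/CWE-079/XSS.ql` qlref that previously ran the real query against this test, so the test can now silently diverge from what the shipped query reports. If the production configuration cannot be imported, add a header comment above `class XSSConfig` such as `// Mirrors the configuration in Security/CWE/CWE-079/XSS.ql; keep the two in sync.`; if it can, prefer importing it over duplicating it. Neither class has QLDoc; `XssTest` could state what it tags, e.g. `/** Tags each XSS sink reachable from a remote flow source with `xss`. */`.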
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-079/XSS.ql
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/unboundid-ldap-4.0.14:${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/apache-ldap-1.0.2
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/unboundid-ldap-4.0.14:${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/apache-ldap-1.0.2
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/
|
||||
//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/
|
||||
|
||||
@@ -16,6 +16,48 @@
|
||||
|
||||
package javax.ws.rs;
|
||||
|
||||
import java.lang.annotation.Documented;
|
||||
import java.lang.annotation.ElementType;
|
||||
import java.lang.annotation.Inherited;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
|
||||
/**
|
||||
* Defines the media type(s) that the methods of a resource class or
|
||||
* {@link javax.ws.rs.ext.MessageBodyWriter} can produce.
|
||||
* If not specified then a container will assume that any type can be produced.
|
||||
* Method level annotations override a class level annotation. A container
|
||||
* is responsible for ensuring that the method invoked is capable of producing
|
||||
* one of the media types requested in the HTTP request. If no such method is
|
||||
* available the container must respond with a HTTP "406 Not Acceptable" as
|
||||
* specified by RFC 2616.
|
||||
*
|
||||
* <p>A method for which there is a single-valued {@code @Produces}
|
||||
* is not required to set the media type of representations that it produces:
|
||||
* the container will use the value of the {@code @Produces} when
|
||||
* sending a response.</p>
|
||||
*
|
||||
* @author Paul Sandoz
|
||||
* @author Marc Hadley
|
||||
* @see javax.ws.rs.ext.MessageBodyWriter
|
||||
* @since 1.0
|
||||
*/
|
||||
@Inherited
|
||||
@Target({ElementType.TYPE, ElementType.METHOD})
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Documented
|
||||
public @interface Produces {
|
||||
|
||||
/**
|
||||
* A list of media types. Each entry may specify a single type or consist
|
||||
* of a comma separated list of types, with any leading or trailing white-spaces
|
||||
* in a single type entry being ignored. For example:
|
||||
* <pre>
|
||||
* {"image/jpeg, image/gif ", " image/png"}
|
||||
* </pre>
|
||||
* Use of the comma-separated form allows definition of a common string constant
|
||||
* for use on multiple targets.
|
||||
*/
|
||||
String[] value() default "*/*";
|
||||
}
|
||||
}
|
||||
@@ -18,39 +18,127 @@ package javax.ws.rs.core;
|
||||
import java.util.Map;
|
||||
|
||||
public class MediaType {
|
||||
public final static MediaType WILDCARD_TYPE = new MediaType();
|
||||
|
||||
public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml");
|
||||
|
||||
public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml");
|
||||
|
||||
public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml");
|
||||
|
||||
public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml");
|
||||
|
||||
public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json");
|
||||
|
||||
public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded");
|
||||
|
||||
public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data");
|
||||
|
||||
public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream");
|
||||
|
||||
public final static String TEXT_PLAIN = "text/plain";
|
||||
|
||||
public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain");
|
||||
|
||||
public final static String TEXT_XML = "text/xml";
|
||||
|
||||
public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml");
|
||||
|
||||
public final static String TEXT_HTML = "text/html";
|
||||
|
||||
public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html");
|
||||
|
||||
public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream");
|
||||
|
||||
public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json");
|
||||
/**
|
||||
* The media type {@code charset} parameter name.
|
||||
*/
|
||||
public static final String CHARSET_PARAMETER = "";
|
||||
/**
|
||||
* The value of a type or subtype wildcard {@value #MEDIA_TYPE_WILDCARD}.
|
||||
*/
|
||||
public static final String MEDIA_TYPE_WILDCARD = "";
|
||||
// Common media type constants
|
||||
/**
|
||||
* A {@code String} constant representing wildcard {@value #WILDCARD} media type .
|
||||
*/
|
||||
public static final String WILDCARD = "";
|
||||
/**
|
||||
* A {@link MediaType} constant representing wildcard {@value #WILDCARD} media type.
|
||||
*/
|
||||
public static final MediaType WILDCARD_TYPE = null;
|
||||
/**
|
||||
* A {@code String} constant representing {@value #APPLICATION_XML} media type.
|
||||
*/
|
||||
public static final String APPLICATION_XML = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_XML} media type.
*/
public static final MediaType APPLICATION_XML_TYPE = null;
/**
* A {@code String} constant representing {@value #APPLICATION_ATOM_XML} media type.
*/
public static final String APPLICATION_ATOM_XML = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_ATOM_XML} media type.
*/
public static final MediaType APPLICATION_ATOM_XML_TYPE = null;
/**
* A {@code String} constant representing {@value #APPLICATION_XHTML_XML} media type.
*/
public static final String APPLICATION_XHTML_XML = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_XHTML_XML} media type.
*/
public static final MediaType APPLICATION_XHTML_XML_TYPE = null;
/**
* A {@code String} constant representing {@value #APPLICATION_SVG_XML} media type.
*/
public static final String APPLICATION_SVG_XML = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_SVG_XML} media type.
*/
public static final MediaType APPLICATION_SVG_XML_TYPE = null;
/**
* A {@code String} constant representing {@value #APPLICATION_JSON} media type.
*/
public static final String APPLICATION_JSON = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_JSON} media type.
*/
public static final MediaType APPLICATION_JSON_TYPE = null;
/**
* A {@code String} constant representing {@value #APPLICATION_FORM_URLENCODED} media type.
*/
public static final String APPLICATION_FORM_URLENCODED = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_FORM_URLENCODED} media type.
*/
public static final MediaType APPLICATION_FORM_URLENCODED_TYPE = null;
/**
* A {@code String} constant representing {@value #MULTIPART_FORM_DATA} media type.
*/
public static final String MULTIPART_FORM_DATA = "";
/**
* A {@link MediaType} constant representing {@value #MULTIPART_FORM_DATA} media type.
*/
public static final MediaType MULTIPART_FORM_DATA_TYPE = null;
/**
* A {@code String} constant representing {@value #APPLICATION_OCTET_STREAM} media type.
*/
public static final String APPLICATION_OCTET_STREAM = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_OCTET_STREAM} media type.
*/
public static final MediaType APPLICATION_OCTET_STREAM_TYPE = null;
/**
* A {@code String} constant representing {@value #TEXT_PLAIN} media type.
*/
public static final String TEXT_PLAIN = "";
/**
* A {@link MediaType} constant representing {@value #TEXT_PLAIN} media type.
*/
public static final MediaType TEXT_PLAIN_TYPE = null;
/**
* A {@code String} constant representing {@value #TEXT_XML} media type.
*/
public static final String TEXT_XML = "";
/**
* A {@link MediaType} constant representing {@value #TEXT_XML} media type.
*/
public static final MediaType TEXT_XML_TYPE = null;
/**
* A {@code String} constant representing {@value #TEXT_HTML} media type.
*/
public static final String TEXT_HTML = "";
/**
* A {@link MediaType} constant representing {@value #TEXT_HTML} media type.
*/
public static final MediaType TEXT_HTML_TYPE = null;
/**
* {@link String} representation of Server sent events media type. ("{@value}").
*/
public static final String SERVER_SENT_EVENTS = "";
/**
* Server sent events media type.
*/
public static final MediaType SERVER_SENT_EVENTS_TYPE = null;
/**
* {@link String} representation of {@value #APPLICATION_JSON_PATCH_JSON} media type..
*/
public static final String APPLICATION_JSON_PATCH_JSON = "";
/**
* A {@link MediaType} constant representing {@value #APPLICATION_JSON_PATCH_JSON} media type.
*/
public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = null;
public static MediaType valueOf(String type){
return null;
@@ -1,96 +0,0 @@
/*
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.util;
import java.util.List;
import java.util.Map;
import org.springframework.lang.Nullable;
/**
* Extension of the {@code Map} interface that stores multiple values.
*
* @author Arjen Poutsma
* @since 3.0
* @param <K> the key type
* @param <V> the value element type
*/
public interface MultiValueMap<K, V> extends Map<K, List<V>> {
/**
* Return the first value for the given key.
* @param key the key
* @return the first value for the specified key, or {@code null} if none
*/
@Nullable
V getFirst(K key);
/**
* Add the given single value to the current list of values for the given key.
* @param key the key
* @param value the value to be added
*/
void add(K key, @Nullable V value);
/**
* Add all the values of the given list to the current list of values for the given key.
* @param key they key
* @param values the values to be added
* @since 5.0
*/
void addAll(K key, List<? extends V> values);
/**
* Add all the values of the given {@code MultiValueMap} to the current values.
* @param values the values to be added
* @since 5.0
*/
void addAll(MultiValueMap<K, V> values);
/**
* {@link #add(Object, Object) Add} the given value, only when the map does not
* {@link #containsKey(Object) contain} the given key.
* @param key the key
* @param value the value to be added
* @since 5.2
*/
default void addIfAbsent(K key, @Nullable V value) {
if (!containsKey(key)) {
add(key, value);
}
}
/**
* Set the given single value under the given key.
* @param key the key
* @param value the value to set
*/
void set(K key, @Nullable V value);
/**
* Set the given values under.
* @param values the values.
*/
void setAll(Map<K, V> values);
/**
* Return a {@code Map} with the first values contained in this {@code MultiValueMap}.
* @return a single value representation of this map
*/
Map<K, V> toSingleValueMap();
}