mirror of
https://github.com/github/codeql.git
synced 2025-12-21 19:26:31 +01:00
Merge branch 'main' into polyQhelp
This commit is contained in:
erik-krogh
@@ -8,6 +8,17 @@ if "JAVA_HOME_8_X64" in os.environ:
|
||||
sep = ";" if platform.system() == "Windows" else ":"
|
||||
os.environ["PATH"] = "".join([os.path.join(os.environ["JAVA_HOME"], "bin"), sep, os.environ["PATH"]])
|
||||
|
||||
run_codeql_database_create([], lang="java", runFunction = runUnsuccessfully, db = None)
|
||||
# Ensure the autobuilder *doesn't* see Java 11 or 17, which it could switch to in order to build the project:
|
||||
for k in ["JAVA_HOME_11_X64", "JAVA_HOME_17_X64"]:
|
||||
if k in os.environ:
|
||||
del os.environ[k]
|
||||
|
||||
# Use a custom, empty toolchains.xml file so the autobuilder doesn't see any Java versions that may be
|
||||
# in a system-level toolchains file
|
||||
toolchains_path = os.path.join(os.getcwd(), 'toolchains.xml')
|
||||
|
||||
run_codeql_database_create([], lang="java", runFunction = runUnsuccessfully, db = None, extra_env={
|
||||
'LGTM_INDEX_MAVEN_TOOLCHAINS_FILE': toolchains_path
|
||||
})
|
||||
|
||||
check_diagnostics()
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
<?xml version="1.0"?>
|
||||
<toolchains xmlns="https://maven.apache.org/TOOLCHAINS/1.1.0"
|
||||
xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="https://maven.apache.org/TOOLCHAINS/1.1.0 https://maven.apache.org/xsd/toolchains-1.1.0.xsd">
|
||||
</toolchains>
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added SQL injection sinks for Spring JDBC's `NamedParameterJdbcOperations`.
|
||||
@@ -0,0 +1,14 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "batchUpdate", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "execute", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "query", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForList", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForMap", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForObject", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForRowSet", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForStream", "", "", "Argument[0]", "sql", "manual"]
|
||||
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "update", "", "", "Argument[0]", "sql", "manual"]
|
||||
@@ -104,6 +104,17 @@ private predicate constantBooleanExpr(Expr e, boolean val) {
|
||||
CalcConstants::calculateBooleanValue(e) = val
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate constantStringExpr(Expr e, string val) {
|
||||
e.(CompileTimeConstantExpr).getStringValue() = val
|
||||
or
|
||||
exists(SsaExplicitUpdate v, Expr src |
|
||||
e = v.getAUse() and
|
||||
src = v.getDefiningExpr().(VariableAssign).getSource() and
|
||||
constantStringExpr(src, val)
|
||||
)
|
||||
}
|
||||
|
||||
private boolean getBoolValue(Expr e) { constantBooleanExpr(e, result) }
|
||||
|
||||
private int getIntValue(Expr e) { constantIntegerExpr(e, result) }
|
||||
@@ -126,6 +137,14 @@ class ConstantBooleanExpr extends Expr {
|
||||
boolean getBooleanValue() { constantBooleanExpr(this, result) }
|
||||
}
|
||||
|
||||
/** An expression that always has the same string value. */
|
||||
class ConstantStringExpr extends Expr {
|
||||
ConstantStringExpr() { constantStringExpr(this, _) }
|
||||
|
||||
/** Get the string value of this expression. */
|
||||
string getStringValue() { constantStringExpr(this, result) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an expression that equals `v - d`.
|
||||
*/
|
||||
|
||||
@@ -0,0 +1,90 @@
|
||||
/** Provides XML definitions related to the `org.apache.commons` package. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.RangeUtils
|
||||
private import semmle.code.java.security.XmlParsers
|
||||
|
||||
/**
|
||||
* The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
|
||||
*/
|
||||
private class Digester extends RefType {
|
||||
Digester() {
|
||||
this.hasQualifiedName([
|
||||
"org.apache.commons.digester3", "org.apache.commons.digester",
|
||||
"org.apache.tomcat.util.digester"
|
||||
], "Digester")
|
||||
}
|
||||
}
|
||||
|
||||
/** A call to `Digester.parse`. */
|
||||
private class DigesterParse extends XmlParserCall {
|
||||
DigesterParse() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("parse")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `ParserConfig` that is specific to `Digester`. */
|
||||
private class DigesterConfig extends ParserConfig {
|
||||
DigesterConfig() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("setFeature")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A safely configured `Digester`.
|
||||
*/
|
||||
private class SafeDigester extends VarAccess {
|
||||
SafeDigester() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.enables(singleSafeConfig())
|
||||
)
|
||||
or
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() =
|
||||
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
|
||||
))
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeDigesterFlow = DataFlow::Global<SafeDigesterFlowConfig>;
|
||||
64
java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
Normal file
64
java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
Normal file
@@ -0,0 +1,64 @@
|
||||
/** Provides definitions related to the `javax.xml` package. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.XmlParsers
|
||||
|
||||
/** A call to `Validator.validate`. */
|
||||
private class ValidatorValidate extends XmlParserCall {
|
||||
ValidatorValidate() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Validator and
|
||||
m.hasName("validate")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `TransformerConfig` specific to `Validator`. */
|
||||
private class ValidatorConfig extends TransformerConfig {
|
||||
ValidatorConfig() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Validator and
|
||||
m.hasName("setProperty")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** The class `javax.xml.validation.Validator`. */
|
||||
private class Validator extends RefType {
|
||||
Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
|
||||
}
|
||||
|
||||
/** A safely configured `Validator`. */
|
||||
private class SafeValidator extends VarAccess {
|
||||
SafeValidator() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.disables(configAccessExternalDtd())
|
||||
) and
|
||||
exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.disables(configAccessExternalSchema())
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and
|
||||
ma.getMethod().getDeclaringType() instanceof Validator
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeValidatorFlow = DataFlow::Global<SafeValidatorFlowConfig>;
|
||||
24
java/ql/lib/semmle/code/java/frameworks/javase/Beans.qll
Normal file
24
java/ql/lib/semmle/code/java/frameworks/javase/Beans.qll
Normal file
@@ -0,0 +1,24 @@
|
||||
/** Provides definitions related to the `java.beans` package. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.XmlParsers
|
||||
|
||||
/** The class `java.beans.XMLDecoder`. */
|
||||
private class XmlDecoder extends RefType {
|
||||
XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
|
||||
}
|
||||
|
||||
/** A call to `XMLDecoder.readObject`. */
|
||||
private class XmlDecoderReadObject extends XmlParserCall {
|
||||
XmlDecoderReadObject() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof XmlDecoder and
|
||||
m.hasName("readObject")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getQualifier() }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
/** Provides definitions related to XML parsing in Rundeck. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.XmlParsers
|
||||
|
||||
/** A call to `ParserHelper.loadDocument`. */
|
||||
private class ParserHelperLoadDocument extends XmlParserCall {
|
||||
ParserHelperLoadDocument() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType().hasQualifiedName("org.rundeck.api.parser", "ParserHelper") and
|
||||
m.hasName("loadDocument")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
@@ -2,15 +2,15 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.DataFlow2
|
||||
import semmle.code.java.dataflow.DataFlow3
|
||||
import semmle.code.java.dataflow.DataFlow4
|
||||
import semmle.code.java.dataflow.DataFlow5
|
||||
private import semmle.code.java.dataflow.SSA
|
||||
private import semmle.code.java.dataflow.RangeUtils
|
||||
|
||||
/*
|
||||
* Various XML parsers in Java.
|
||||
*/
|
||||
private module Frameworks {
|
||||
private import semmle.code.java.frameworks.apache.CommonsXml
|
||||
private import semmle.code.java.frameworks.javaee.Xml
|
||||
private import semmle.code.java.frameworks.javase.Beans
|
||||
private import semmle.code.java.frameworks.rundeck.RundeckXml
|
||||
}
|
||||
|
||||
/**
|
||||
* An abstract type representing a call to parse XML files.
|
||||
@@ -130,26 +130,6 @@ class DocumentBuilderFactoryConfig extends ParserConfig {
|
||||
}
|
||||
}
|
||||
|
||||
private predicate constantStringExpr(Expr e, string val) {
|
||||
e.(CompileTimeConstantExpr).getStringValue() = val
|
||||
or
|
||||
exists(SsaExplicitUpdate v, Expr src |
|
||||
e = v.getAUse() and
|
||||
src = v.getDefiningExpr().(VariableAssign).getSource() and
|
||||
constantStringExpr(src, val)
|
||||
)
|
||||
}
|
||||
|
||||
/** An expression that always has the same string value. */
|
||||
private class ConstantStringExpr extends Expr {
|
||||
string value;
|
||||
|
||||
ConstantStringExpr() { constantStringExpr(this, value) }
|
||||
|
||||
/** Get the string value of this expression. */
|
||||
string getStringValue() { result = value }
|
||||
}
|
||||
|
||||
/**
|
||||
* A general configuration that is safe when enabled.
|
||||
*/
|
||||
@@ -655,6 +635,11 @@ class XmlReader extends RefType {
|
||||
XmlReader() { this.hasQualifiedName("org.xml.sax", "XMLReader") }
|
||||
}
|
||||
|
||||
/** The class `org.xml.sax.InputSource`. */
|
||||
class InputSource extends Class {
|
||||
InputSource() { this.hasQualifiedName("org.xml.sax", "InputSource") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlReader */
|
||||
deprecated class XMLReader = XmlReader;
|
||||
|
||||
@@ -968,7 +953,7 @@ class TransformerFactorySource extends XmlParserCall {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof TransformerFactory and
|
||||
m.hasName("newTransformer")
|
||||
m.hasName(["newTransformer", "newTransformerHandler"])
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1164,22 +1149,34 @@ class XmlUnmarshal extends XmlParserCall {
|
||||
}
|
||||
|
||||
/* XPathExpression: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression */
|
||||
/** The class `javax.xml.xpath.XPathExpression`. */
|
||||
class XPathExpression extends RefType {
|
||||
/** The interface `javax.xml.xpath.XPathExpression`. */
|
||||
class XPathExpression extends Interface {
|
||||
XPathExpression() { this.hasQualifiedName("javax.xml.xpath", "XPathExpression") }
|
||||
}
|
||||
|
||||
/** A call to `XPathExpression.evaluate`. */
|
||||
/** The interface `java.xml.xpath.XPath`. */
|
||||
class XPath extends Interface {
|
||||
XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
|
||||
}
|
||||
|
||||
/** A call to the method `evaluate` of the classes `XPathExpression` or `XPath`. */
|
||||
class XPathEvaluate extends XmlParserCall {
|
||||
Argument sink;
|
||||
|
||||
XPathEvaluate() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof XPathExpression and
|
||||
m.hasName("evaluate")
|
||||
|
|
||||
m.getDeclaringType().getASourceSupertype*() instanceof XPathExpression and
|
||||
sink = this.getArgument(0)
|
||||
or
|
||||
m.getDeclaringType().getASourceSupertype*() instanceof XPath and
|
||||
sink = this.getArgument(1)
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
override Expr getSink() { result = sink }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
@@ -27,7 +27,7 @@ abstract class MetadataExtractor extends string {
|
||||
|
||||
abstract predicate hasMetadata(
|
||||
DataFlow::ParameterNode e, string package, string type, boolean subtypes, string name,
|
||||
string signature, int input
|
||||
string signature, int input, string parameterName
|
||||
);
|
||||
}
|
||||
|
||||
@@ -167,14 +167,15 @@ class FrameworkModeMetadataExtractor extends MetadataExtractor {
|
||||
|
||||
override predicate hasMetadata(
|
||||
Endpoint e, string package, string type, boolean subtypes, string name, string signature,
|
||||
int input
|
||||
int input, string parameterName
|
||||
) {
|
||||
exists(Callable callable |
|
||||
e.asParameter() = callable.getParameter(input) and
|
||||
package = callable.getDeclaringType().getPackage().getName() and
|
||||
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
|
||||
subtypes = this.considerSubtypes(callable) and
|
||||
name = e.toString() and
|
||||
name = callable.getName() and
|
||||
parameterName = e.asParameter().getName() and
|
||||
signature = ExternalFlow::paramsString(callable)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@ private import AutomodelSharedUtil
|
||||
|
||||
from
|
||||
Endpoint endpoint, string message, MetadataExtractor meta, string package, string type,
|
||||
boolean subtypes, string name, string signature, int input
|
||||
boolean subtypes, string name, string signature, int input, string parameterName
|
||||
where
|
||||
not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
|
||||
u.appliesToEndpoint(endpoint)
|
||||
@@ -28,7 +28,7 @@ where
|
||||
// overlap between our detected sinks and the pre-existing modeling. We assume that, if a sink has already been
|
||||
// modeled in a MaD model, then it doesn't belong to any additional sink types, and we don't need to reexamine it.
|
||||
not CharacteristicsImpl::isSink(endpoint, _) and
|
||||
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
|
||||
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, parameterName) and
|
||||
// The message is the concatenation of all sink types for which this endpoint is known neither to be a sink nor to be
|
||||
// a non-sink, and we surface only endpoints that have at least one such sink type.
|
||||
message =
|
||||
@@ -39,7 +39,7 @@ where
|
||||
sinkType, ", "
|
||||
)
|
||||
select endpoint,
|
||||
message + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@.", //
|
||||
message + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@.", //
|
||||
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
|
||||
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //
|
||||
package.(DollarAtString), "package", //
|
||||
@@ -47,4 +47,5 @@ select endpoint,
|
||||
subtypes.toString().(DollarAtString), "subtypes", //
|
||||
name.(DollarAtString), "name", //
|
||||
signature.(DollarAtString), "signature", //
|
||||
input.toString().(DollarAtString), "input" //
|
||||
input.toString().(DollarAtString), "input", //
|
||||
parameterName.(DollarAtString), "parameterName" //
|
||||
|
||||
@@ -15,7 +15,7 @@ private import AutomodelSharedUtil
|
||||
from
|
||||
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence, string message,
|
||||
MetadataExtractor meta, string package, string type, boolean subtypes, string name,
|
||||
string signature, int input
|
||||
string signature, int input, string parameterName
|
||||
where
|
||||
characteristic.appliesToEndpoint(endpoint) and
|
||||
confidence >= SharedCharacteristics::highConfidence() and
|
||||
@@ -23,7 +23,7 @@ where
|
||||
// Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
|
||||
// certain about in the prompt.
|
||||
not erroneousEndpoints(endpoint, _, _, _, _, false) and
|
||||
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
|
||||
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, parameterName) and
|
||||
// It's valid for a node to satisfy the logic for both `isSink` and `isSanitizer`, but in that case it will be
|
||||
// treated by the actual query as a sanitizer, since the final logic is something like
|
||||
// `isSink(n) and not isSanitizer(n)`. We don't want to include such nodes as negative examples in the prompt, because
|
||||
@@ -36,7 +36,7 @@ where
|
||||
) and
|
||||
message = characteristic
|
||||
select endpoint,
|
||||
message + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@.", //
|
||||
message + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@.", //
|
||||
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
|
||||
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //
|
||||
package.(DollarAtString), "package", //
|
||||
@@ -44,4 +44,5 @@ select endpoint,
|
||||
subtypes.toString().(DollarAtString), "subtypes", //
|
||||
name.(DollarAtString), "name", //
|
||||
signature.(DollarAtString), "signature", //
|
||||
input.toString().(DollarAtString), "input" //
|
||||
input.toString().(DollarAtString), "input", //
|
||||
parameterName.(DollarAtString), "parameterName" //
|
||||
|
||||
@@ -14,16 +14,16 @@ private import AutomodelSharedUtil
|
||||
|
||||
from
|
||||
Endpoint endpoint, SinkType sinkType, MetadataExtractor meta, string package, string type,
|
||||
boolean subtypes, string name, string signature, int input
|
||||
boolean subtypes, string name, string signature, int input, string parameterName
|
||||
where
|
||||
// Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
|
||||
// certain about in the prompt.
|
||||
not erroneousEndpoints(endpoint, _, _, _, _, false) and
|
||||
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
|
||||
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, parameterName) and
|
||||
// Extract positive examples of sinks belonging to the existing ATM query configurations.
|
||||
CharacteristicsImpl::isKnownSink(endpoint, sinkType)
|
||||
select endpoint,
|
||||
sinkType + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@.", //
|
||||
sinkType + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@.", //
|
||||
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
|
||||
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //
|
||||
package.(DollarAtString), "package", //
|
||||
@@ -31,4 +31,5 @@ select endpoint,
|
||||
subtypes.toString().(DollarAtString), "subtypes", //
|
||||
name.(DollarAtString), "name", //
|
||||
signature.(DollarAtString), "signature", //
|
||||
input.toString().(DollarAtString), "input" //
|
||||
input.toString().(DollarAtString), "input", //
|
||||
parameterName.(DollarAtString), "parameterName" //
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Experimental sinks for the query "Resolving XML external entity in user-controlled data" (`java/xxe`) have been promoted to the main query pack. These sinks were originally [submitted as part of an experimental query by @haby0](https://github.com/github/codeql/pull/6564).
|
||||
4
java/ql/src/change-notes/2023-05-15-xpath-xxe-sink.md
Normal file
4
java/ql/src/change-notes/2023-05-15-xpath-xxe-sink.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The queries `java/xxe` and `java/xxe-local` now recognize the second argument of calls to `XPath.evaluate` as a sink.
|
||||
@@ -1,85 +0,0 @@
|
||||
import java.beans.XMLDecoder;
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
import javax.xml.validation.Schema;
|
||||
import javax.xml.validation.SchemaFactory;
|
||||
import javax.xml.validation.Validator;
|
||||
import org.apache.commons.digester3.Digester;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class XxeController {
|
||||
|
||||
@PostMapping(value = "xxe1")
|
||||
public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
Digester digester = new Digester();
|
||||
digester.parse(servletInputStream);
|
||||
}
|
||||
|
||||
@PostMapping(value = "xxe2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
Document document = DocumentHelper.parseText(listString.toString());
|
||||
}
|
||||
|
||||
@PostMapping(value = "xxe3")
|
||||
public void bad3(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
StreamSource source = new StreamSource(servletInputStream);
|
||||
validator.validate(source);
|
||||
}
|
||||
|
||||
@PostMapping(value = "xxe4")
|
||||
public void bad4(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
|
||||
xmlDecoder.readObject();
|
||||
}
|
||||
|
||||
@PostMapping(value = "good1")
|
||||
public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str);
|
||||
}
|
||||
Digester digester = new Digester();
|
||||
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
digester.parse(listString.toString());
|
||||
}
|
||||
|
||||
@PostMapping(value = "good2")
|
||||
public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
|
||||
StreamSource source = new StreamSource(listString.toString());
|
||||
validator.validate(source);
|
||||
}
|
||||
}
|
||||
@@ -1,67 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<overview>
|
||||
<p>
|
||||
Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack
|
||||
uses external entity references to access arbitrary files on a system, carry out denial of service, or server side
|
||||
request forgery. Even when the result of parsing is not returned to the user, out-of-band
|
||||
data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be
|
||||
carried out in this situation.
|
||||
</p>
|
||||
<p>
|
||||
There are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of
|
||||
external entities. This query currently identifies vulnerable XML parsing from the following parsers: <code>javax.xml.validation.Validator</code>,
|
||||
<code>org.dom4j.DocumentHelper</code>, <code>org.rundeck.api.parser.ParserHelper</code>, <code>org.apache.commons.digester3.Digester</code>,
|
||||
<code>org.apache.commons.digester.Digester</code>, <code>org.apache.tomcat.util.digester.Digester</code>, <code>java.beans.XMLDecoder</code>.
|
||||
</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>
|
||||
The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data.
|
||||
If this is not possible you should disable the parsing of external general entities and external parameter entities.
|
||||
This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
|
||||
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done
|
||||
by default in recent JDK and JRE implementations.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>
|
||||
The following bad examples parses the xml data entered by the user under an unsafe configuration, which is inherently insecure and may cause xml entity injection.
|
||||
In good examples, the security configuration is carried out, for example: Disable DTD to protect the program from XXE attacks.
|
||||
</p>
|
||||
<sample src="XXE.java" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
|
||||
<li>
|
||||
OWASP vulnerability description:
|
||||
<a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.
|
||||
</li>
|
||||
<li>
|
||||
OWASP guidance on parsing xml files:
|
||||
<a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">XXE Prevention Cheat Sheet</a>.
|
||||
</li>
|
||||
<li>
|
||||
Paper by Timothy Morgen:
|
||||
<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>
|
||||
</li>
|
||||
<li>
|
||||
Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013:
|
||||
<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
|
||||
</li>
|
||||
<li>
|
||||
Denial of service attack (Billion laughs):
|
||||
<a href="https://en.wikipedia.org/wiki/Billion_laughs">Billion Laughs.</a>
|
||||
</li>
|
||||
<li>
|
||||
The Java Tutorials:
|
||||
<a href="https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html">Processing Limit Definitions.</a>
|
||||
</li>
|
||||
|
||||
</references>
|
||||
|
||||
</qhelp>
|
||||
@@ -1,32 +0,0 @@
|
||||
/**
|
||||
* @name Resolving XML external entity in user-controlled data (experimental sinks)
|
||||
* @description Parsing user-controlled XML documents and allowing expansion of external entity
|
||||
* references may lead to disclosure of confidential data or denial of service.
|
||||
* (note this version differs from query `java/xxe` by including support for additional possibly-vulnerable XML parsers)
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/xxe-with-experimental-sinks
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-611
|
||||
*/
|
||||
|
||||
import java
|
||||
import XXELib
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import XxeFlow::PathGraph
|
||||
|
||||
module XxeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
module XxeFlow = TaintTracking::Global<XxeConfig>;
|
||||
|
||||
from XxeFlow::PathNode source, XxeFlow::PathNode sink
|
||||
where XxeFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
|
||||
"user input"
|
||||
@@ -1,246 +0,0 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow3
|
||||
import semmle.code.java.dataflow.DataFlow4
|
||||
import semmle.code.java.dataflow.DataFlow5
|
||||
import semmle.code.java.security.XmlParsers
|
||||
private import semmle.code.java.dataflow.SSA
|
||||
|
||||
/** A data flow sink for untrusted user input used to insecure xml parse. */
|
||||
class UnsafeXxeSink extends DataFlow::ExprNode {
|
||||
UnsafeXxeSink() {
|
||||
exists(XmlParserCall parse |
|
||||
parse.getSink() = this.getExpr() and
|
||||
not parse.isSafe()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** The class `org.rundeck.api.parser.ParserHelper`. */
|
||||
class ParserHelper extends RefType {
|
||||
ParserHelper() { this.hasQualifiedName("org.rundeck.api.parser", "ParserHelper") }
|
||||
}
|
||||
|
||||
/** A call to `ParserHelper.loadDocument`. */
|
||||
class ParserHelperLoadDocument extends XmlParserCall {
|
||||
ParserHelperLoadDocument() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof ParserHelper and
|
||||
m.hasName("loadDocument")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** The class `javax.xml.validation.Validator`. */
|
||||
class Validator extends RefType {
|
||||
Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
|
||||
}
|
||||
|
||||
/** A call to `Validator.validate`. */
|
||||
class ValidatorValidate extends XmlParserCall {
|
||||
ValidatorValidate() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Validator and
|
||||
m.hasName("validate")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `ParserConfig` specific to `Validator`. */
|
||||
class ValidatorConfig extends TransformerConfig {
|
||||
ValidatorConfig() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Validator and
|
||||
m.hasName("setProperty")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** A safely configured `Validator`. */
|
||||
class SafeValidator extends VarAccess {
|
||||
SafeValidator() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.disables(configAccessExternalDtd())
|
||||
) and
|
||||
exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.disables(configAccessExternalSchema())
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and
|
||||
ma.getMethod().getDeclaringType() instanceof Validator
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeValidatorFlow = DataFlow::Global<SafeValidatorFlowConfig>;
|
||||
|
||||
/**
|
||||
* The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
|
||||
*/
|
||||
class Digester extends RefType {
|
||||
Digester() {
|
||||
this.hasQualifiedName([
|
||||
"org.apache.commons.digester3", "org.apache.commons.digester",
|
||||
"org.apache.tomcat.util.digester"
|
||||
], "Digester")
|
||||
}
|
||||
}
|
||||
|
||||
/** A call to `Digester.parse`. */
|
||||
class DigesterParse extends XmlParserCall {
|
||||
DigesterParse() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("parse")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `ParserConfig` that is specific to `Digester`. */
|
||||
class DigesterConfig extends ParserConfig {
|
||||
DigesterConfig() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("setFeature")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A safely configured `Digester`.
|
||||
*/
|
||||
class SafeDigester extends VarAccess {
|
||||
SafeDigester() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.enables(singleSafeConfig())
|
||||
)
|
||||
or
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() =
|
||||
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
|
||||
))
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeDigesterFlow = DataFlow::Global<SafeDigesterFlowConfig>;
|
||||
|
||||
/** The class `java.beans.XMLDecoder`. */
|
||||
class XmlDecoder extends RefType {
|
||||
XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlDecoder */
|
||||
deprecated class XMLDecoder = XmlDecoder;
|
||||
|
||||
/** A call to `XMLDecoder.readObject`. */
|
||||
class XmlDecoderReadObject extends XmlParserCall {
|
||||
XmlDecoderReadObject() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof XmlDecoder and
|
||||
m.hasName("readObject")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getQualifier() }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlDecoderReadObject */
|
||||
deprecated class XMLDecoderReadObject = XmlDecoderReadObject;
|
||||
|
||||
private predicate constantStringExpr(Expr e, string val) {
|
||||
e.(CompileTimeConstantExpr).getStringValue() = val
|
||||
or
|
||||
exists(SsaExplicitUpdate v, Expr src |
|
||||
e = v.getAUse() and
|
||||
src = v.getDefiningExpr().(VariableAssign).getSource() and
|
||||
constantStringExpr(src, val)
|
||||
)
|
||||
}
|
||||
|
||||
/** A call to `SAXTransformerFactory.newTransformerHandler`. */
|
||||
class SaxTransformerFactoryNewTransformerHandler extends XmlParserCall {
|
||||
SaxTransformerFactoryNewTransformerHandler() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and
|
||||
m.hasName("newTransformerHandler")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxTransformerFactoryNewTransformerHandler */
|
||||
deprecated class SAXTransformerFactoryNewTransformerHandler =
|
||||
SaxTransformerFactoryNewTransformerHandler;
|
||||
|
||||
/** An expression that always has the same string value. */
|
||||
private class ConstantStringExpr extends Expr {
|
||||
string value;
|
||||
|
||||
ConstantStringExpr() { constantStringExpr(this, value) }
|
||||
|
||||
/** Get the string value of this expression. */
|
||||
string getStringValue() { result = value }
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="XXE.qhelp" /></qhelp>
|
||||
@@ -1,34 +0,0 @@
|
||||
/**
|
||||
* @name Resolving XML external entity from a local source (experimental sinks)
|
||||
* @description Parsing user-controlled XML documents and allowing expansion of external entity
|
||||
* references may lead to disclosure of confidential data or denial of service.
|
||||
* (note this version differs from query `java/xxe` by including support for additional possibly-vulnerable XML parsers,
|
||||
* and by considering local information sources dangerous (e.g. environment variables) in addition to the remote sources
|
||||
* considered by the normal `java/xxe` query)
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @precision medium
|
||||
* @id java/xxe-local-experimental-sinks
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-611
|
||||
*/
|
||||
|
||||
import java
|
||||
import XXELib
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import XxeLocalFlow::PathGraph
|
||||
|
||||
module XxeLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
|
||||
|
||||
from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
|
||||
where XxeLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
|
||||
"user input"
|
||||
@@ -1,26 +0,0 @@
|
||||
edges
|
||||
| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream |
|
||||
| XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | XXE.java:33:42:33:59 | servletInputStream : ServletInputStream |
|
||||
| XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | XXE.java:34:22:34:27 | source |
|
||||
| XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource |
|
||||
| XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | XXE.java:40:42:40:59 | servletInputStream : ServletInputStream |
|
||||
| XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | XXE.java:41:3:41:12 | xmlDecoder |
|
||||
| XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder |
|
||||
nodes
|
||||
| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XXE.java:24:18:24:35 | servletInputStream | semmle.label | servletInputStream |
|
||||
| XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
|
||||
| XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
|
||||
| XXE.java:34:22:34:27 | source | semmle.label | source |
|
||||
| XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
|
||||
| XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
|
||||
| XXE.java:41:3:41:12 | xmlDecoder | semmle.label | xmlDecoder |
|
||||
| XXE.java:46:49:46:72 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
subpaths
|
||||
#select
|
||||
| XXE.java:24:18:24:35 | servletInputStream | XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream | Unsafe parsing of XML file from $@. | XXE.java:22:43:22:66 | getInputStream(...) | user input |
|
||||
| XXE.java:34:22:34:27 | source | XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | XXE.java:34:22:34:27 | source | Unsafe parsing of XML file from $@. | XXE.java:29:43:29:66 | getInputStream(...) | user input |
|
||||
| XXE.java:41:3:41:12 | xmlDecoder | XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | XXE.java:41:3:41:12 | xmlDecoder | Unsafe parsing of XML file from $@. | XXE.java:39:43:39:66 | getInputStream(...) | user input |
|
||||
| XXE.java:46:49:46:72 | getInputStream(...) | XXE.java:46:49:46:72 | getInputStream(...) | XXE.java:46:49:46:72 | getInputStream(...) | Unsafe parsing of XML file from $@. | XXE.java:46:49:46:72 | getInputStream(...) | user input |
|
||||
@@ -1,92 +0,0 @@
|
||||
import java.beans.XMLDecoder;
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
import javax.xml.validation.Schema;
|
||||
import javax.xml.validation.SchemaFactory;
|
||||
import javax.xml.validation.Validator;
|
||||
import org.rundeck.api.parser.ParserHelper;
|
||||
import org.apache.commons.digester3.Digester;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class XXE {
|
||||
|
||||
@PostMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
Digester digester = new Digester();
|
||||
digester.parse(servletInputStream); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
StreamSource source = new StreamSource(servletInputStream);
|
||||
validator.validate(source); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
|
||||
xmlDecoder.readObject(); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "bad4")
|
||||
public void bad4(HttpServletRequest request) throws Exception {
|
||||
Document document = ParserHelper.loadDocument(request.getInputStream()); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "good1")
|
||||
public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str);
|
||||
}
|
||||
Digester digester = new Digester();
|
||||
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
digester.parse(listString.toString());
|
||||
}
|
||||
|
||||
@PostMapping(value = "good2")
|
||||
public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
|
||||
StreamSource source = new StreamSource(listString.toString());
|
||||
validator.validate(source);
|
||||
}
|
||||
|
||||
@PostMapping(value = "good3")
|
||||
public void good3(HttpServletRequest request) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
// parseText falls back to a default SAXReader, which is safe
|
||||
Document document = DocumentHelper.parseText(listString.toString()); // Safe
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE/CWE-611/XXE.ql
|
||||
@@ -1 +0,0 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4/:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../../stubs/jaxen-1.2.0/:${testdir}/../../../../stubs/rundeck-api-java-client-13.2
|
||||
@@ -1,7 +1,13 @@
|
||||
import java.sql.ResultSet;
|
||||
import java.util.Map;
|
||||
import org.springframework.jdbc.core.JdbcTemplate;
|
||||
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations;
|
||||
import org.springframework.jdbc.core.namedparam.SqlParameterSource;
|
||||
import org.springframework.jdbc.core.PreparedStatementCallback;
|
||||
import org.springframework.jdbc.core.ResultSetExtractor;
|
||||
import org.springframework.jdbc.core.RowCallbackHandler;
|
||||
import org.springframework.jdbc.core.RowMapper;
|
||||
import org.springframework.jdbc.core.SqlParameter;
|
||||
import org.springframework.jdbc.object.BatchSqlUpdate;
|
||||
import org.springframework.jdbc.object.MappingSqlQueryWithParameters;
|
||||
import org.springframework.jdbc.object.SqlFunction;
|
||||
@@ -22,7 +28,7 @@ public class SpringJdbc {
|
||||
}
|
||||
}
|
||||
|
||||
public static void test(JdbcTemplate template) {
|
||||
public static void test(JdbcTemplate template, NamedParameterJdbcOperations namedParamTemplate) {
|
||||
new BatchSqlUpdate(null, source()); // $ sqlInjection
|
||||
new SqlFunction(null, source()); // $ sqlInjection
|
||||
new SqlUpdate(null, source()); // $ sqlInjection
|
||||
@@ -39,6 +45,39 @@ public class SpringJdbc {
|
||||
template.queryForObject(source(), (Class)null); // $ sqlInjection
|
||||
template.queryForRowSet(source()); // $ sqlInjection
|
||||
template.queryForStream(source(), (RowMapper)null); // $ sqlInjection
|
||||
|
||||
namedParamTemplate.batchUpdate(source(), (Map<String, ?>[]) null); // $ sqlInjection
|
||||
namedParamTemplate.batchUpdate(source(), (SqlParameterSource[]) null); // $ sqlInjection
|
||||
namedParamTemplate.execute(source(), (PreparedStatementCallback) null); // $ sqlInjection
|
||||
namedParamTemplate.execute(source(), (Map<String, ?>) null, (PreparedStatementCallback) null); // $ sqlInjection
|
||||
namedParamTemplate.execute(source(), (SqlParameterSource) null, (PreparedStatementCallback) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (Map<String, ?>) null, (ResultSetExtractor) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (Map<String, ?>) null, (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (Map<String, ?>) null, (RowCallbackHandler) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (SqlParameterSource) null, (ResultSetExtractor) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (SqlParameterSource) null, (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (SqlParameterSource) null, (RowCallbackHandler) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (ResultSetExtractor) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.query(source(), (RowCallbackHandler) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForList(source(), (Map<String, ?>) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForList(source(), (Map<String, ?>) null, (Class) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForList(source(), (SqlParameterSource) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForList(source(), (SqlParameterSource) null, (Class) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForMap(source(), (Map<String, ?>) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForMap(source(), (SqlParameterSource) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForObject(source(), (Map<String, ?>) null, (Class) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForObject(source(), (Map<String, ?>) null, (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForObject(source(), (SqlParameterSource) null, (Class) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForObject(source(), (SqlParameterSource) null, (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForRowSet(source(), (Map<String, ?>) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForRowSet(source(), (SqlParameterSource) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForStream(source(), (Map<String, ?>) null, (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.queryForStream(source(), (SqlParameterSource) null, (RowMapper) null); // $ sqlInjection
|
||||
namedParamTemplate.update(source(), (Map<String, ?>) null); // $ sqlInjection
|
||||
namedParamTemplate.update(source(), (SqlParameterSource) null); // $ sqlInjection
|
||||
namedParamTemplate.update(source(), null, null); // $ sqlInjection
|
||||
namedParamTemplate.update(source(), null, null, null); // $ sqlInjection
|
||||
}
|
||||
|
||||
}
|
||||
33
java/ql/test/query-tests/security/CWE-611/DigesterTests.java
Normal file
33
java/ql/test/query-tests/security/CWE-611/DigesterTests.java
Normal file
@@ -0,0 +1,33 @@
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import org.apache.commons.digester3.Digester;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class DigesterTests {
|
||||
|
||||
@PostMapping(value = "bad")
|
||||
public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
Digester digester = new Digester();
|
||||
digester.parse(servletInputStream); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
@PostMapping(value = "good")
|
||||
public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str);
|
||||
}
|
||||
Digester digester = new Digester();
|
||||
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
digester.parse(listString.toString());
|
||||
}
|
||||
}
|
||||
@@ -11,42 +11,44 @@ class DocumentBuilderTests {
|
||||
public void unconfiguredParse(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void disableDTD(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
public void enableSecurityFeature(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
|
||||
// insufficient
|
||||
}
|
||||
|
||||
public void enableSecurityFeature2(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
|
||||
// insufficient
|
||||
}
|
||||
|
||||
public void enableDTD(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void disableSecurityFeature(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void disableExternalEntities(Socket sock) throws Exception {
|
||||
@@ -54,21 +56,21 @@ class DocumentBuilderTests {
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
public void partialDisableExternalEntities(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialDisableExternalEntities2(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfigureExternalEntities1(Socket sock) throws Exception {
|
||||
@@ -76,7 +78,7 @@ class DocumentBuilderTests {
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfigureExternalEntities2(Socket sock) throws Exception {
|
||||
@@ -84,22 +86,22 @@ class DocumentBuilderTests {
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void taintedSAXInputSource1(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
|
||||
builder.parse(source.getInputSource()); //unsafe
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
|
||||
builder.parse(source.getInputSource()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void taintedSAXInputSource2(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
StreamSource source = new StreamSource(sock.getInputStream());
|
||||
builder.parse(SAXSource.sourceToInputSource(source)); //unsafe
|
||||
builder.parse(source.getInputStream()); //unsafe
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
StreamSource source = new StreamSource(sock.getInputStream());
|
||||
builder.parse(SAXSource.sourceToInputSource(source)); // $ hasTaintFlow
|
||||
builder.parse(source.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {
|
||||
@@ -112,21 +114,22 @@ class DocumentBuilderTests {
|
||||
return factory;
|
||||
}
|
||||
|
||||
private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER = new ThreadLocal<DocumentBuilder>() {
|
||||
@Override
|
||||
protected DocumentBuilder initialValue() {
|
||||
try {
|
||||
DocumentBuilderFactory factory = getDocumentBuilderFactory();
|
||||
return factory.newDocumentBuilder();
|
||||
} catch (Exception ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
};
|
||||
private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER =
|
||||
new ThreadLocal<DocumentBuilder>() {
|
||||
@Override
|
||||
protected DocumentBuilder initialValue() {
|
||||
try {
|
||||
DocumentBuilderFactory factory = getDocumentBuilderFactory();
|
||||
return factory.newDocumentBuilder();
|
||||
} catch (Exception ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
public void disableExternalEntities2(Socket sock) throws Exception {
|
||||
DocumentBuilder builder = XML_DOCUMENT_BUILDER.get();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.dom4j.Document;
|
||||
import org.rundeck.api.parser.ParserHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class ParserHelperTests {
|
||||
|
||||
@PostMapping(value = "bad4")
|
||||
public void bad4(HttpServletRequest request) throws Exception {
|
||||
Document document = ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
@@ -5,18 +5,18 @@ public class SAXBuilderTests {
|
||||
|
||||
public void unconfiguredSAXBuilder(Socket sock) throws Exception {
|
||||
SAXBuilder builder = new SAXBuilder();
|
||||
builder.build(sock.getInputStream()); //unsafe
|
||||
builder.build(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeBuilder(Socket sock) throws Exception {
|
||||
SAXBuilder builder = new SAXBuilder();
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
|
||||
builder.build(sock.getInputStream()); //safe
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
builder.build(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
public void misConfiguredBuilder(Socket sock) throws Exception {
|
||||
SAXBuilder builder = new SAXBuilder();
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",false);
|
||||
builder.build(sock.getInputStream()); //unsafe
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
builder.build(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,78 +6,78 @@ import javax.xml.XMLConstants;
|
||||
import org.xml.sax.helpers.DefaultHandler;
|
||||
|
||||
public class SAXParserTests {
|
||||
|
||||
|
||||
public void unconfiguredParser(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeParser(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredParser1(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredParser2(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredParser3(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredParser1(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredParser2(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredParser3(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeParser2(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,59 +5,59 @@ public class SAXReaderTests {
|
||||
|
||||
public void unconfiguredReader(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeReader(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //safe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredReader1(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredReader2(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredReader3(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredReader1(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredReader2(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredReader3(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,14 +17,14 @@ public class SAXSourceTests {
|
||||
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
|
||||
JAXBContext jc = JAXBContext.newInstance(Object.class);
|
||||
Unmarshaller um = jc.createUnmarshaller();
|
||||
um.unmarshal(source); // BAD
|
||||
um.unmarshal(source); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void explicitlySafeSource1(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
|
||||
}
|
||||
|
||||
|
||||
@@ -9,39 +9,39 @@ public class SchemaTests {
|
||||
|
||||
public void unconfiguredSchemaFactory(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeSchemaFactory(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //safe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void partialConfiguredSchemaFactory1(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialConfiguredSchemaFactory2(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredSchemaFactory1(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "ab");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredSchemaFactory2(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "cd");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,145 +11,145 @@ public class SimpleXMLTests {
|
||||
|
||||
public void persisterValidate1(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), sock.getInputStream());
|
||||
persister.validate(this.getClass(), sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterValidate2(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), sock.getInputStream(), true);
|
||||
persister.validate(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate3(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()));
|
||||
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate4(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.validate(this.getClass(), new String(b));
|
||||
persister.validate(this.getClass(), new String(b)); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate5(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.validate(this.getClass(), new String(b), true);
|
||||
persister.validate(this.getClass(), new String(b), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate6(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true);
|
||||
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterRead1(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this.getClass(), sock.getInputStream());
|
||||
persister.read(this.getClass(), sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead2(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this.getClass(), sock.getInputStream(), true);
|
||||
persister.read(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead3(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this, sock.getInputStream());
|
||||
persister.read(this, sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead4(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this, sock.getInputStream(), true);
|
||||
persister.read(this, sock.getInputStream(), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead5(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()));
|
||||
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterRead6(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true);
|
||||
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterRead7(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this, new InputStreamReader(sock.getInputStream()));
|
||||
persister.read(this, new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterRead8(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.read(this, new InputStreamReader(sock.getInputStream()), true);
|
||||
persister.read(this, new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead9(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.read(this.getClass(), new String(b));
|
||||
persister.read(this.getClass(), new String(b)); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead10(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.read(this.getClass(), new String(b), true);
|
||||
persister.read(this.getClass(), new String(b), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead11(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.read(this, new String(b));
|
||||
persister.read(this, new String(b)); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterRead12(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.read(this, new String(b), true);
|
||||
persister.read(this, new String(b), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void nodeBuilderRead1(Socket sock) throws Exception {
|
||||
NodeBuilder.read(sock.getInputStream());
|
||||
NodeBuilder.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void nodeBuilderRead2(Socket sock) throws Exception {
|
||||
NodeBuilder.read(new InputStreamReader(sock.getInputStream()));
|
||||
NodeBuilder.read(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void documentProviderProvide1(Socket sock) throws Exception {
|
||||
DocumentProvider provider = new DocumentProvider();
|
||||
provider.provide(sock.getInputStream());
|
||||
provider.provide(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void documentProviderProvide2(Socket sock) throws Exception {
|
||||
DocumentProvider provider = new DocumentProvider();
|
||||
provider.provide(new InputStreamReader(sock.getInputStream()));
|
||||
provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void streamProviderProvide1(Socket sock) throws Exception {
|
||||
StreamProvider provider = new StreamProvider();
|
||||
provider.provide(sock.getInputStream());
|
||||
provider.provide(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void streamProviderProvide2(Socket sock) throws Exception {
|
||||
StreamProvider provider = new StreamProvider();
|
||||
provider.provide(new InputStreamReader(sock.getInputStream()));
|
||||
provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void formatterFormat1(Socket sock) throws Exception {
|
||||
Formatter formatter = new Formatter();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
formatter.format(new String(b), null);
|
||||
formatter.format(new String(b), null); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void formatterFormat2(Socket sock) throws Exception {
|
||||
Formatter formatter = new Formatter();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
formatter.format(new String(b));
|
||||
formatter.format(new String(b)); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,8 +17,8 @@ public class TransformerTests {
|
||||
public void unconfiguredTransformerFactory(Socket sock) throws Exception {
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
Transformer transformer = tf.newTransformer();
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeTransformerFactory1(Socket sock) throws Exception {
|
||||
@@ -26,8 +26,8 @@ public class TransformerTests {
|
||||
tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
||||
tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
|
||||
Transformer transformer = tf.newTransformer();
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //safe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //safe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // safe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void safeTransformerFactory2(Socket sock) throws Exception {
|
||||
@@ -35,49 +35,49 @@ public class TransformerTests {
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = tf.newTransformer();
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //safe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //safe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // safe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void safeTransformerFactory3(Socket sock) throws Exception {
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
Transformer transformer = tf.newTransformer();
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
Transformer transformer = tf.newTransformer();
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
|
||||
transformer.transform(source, null); //safe
|
||||
tf.newTransformer(source); //safe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // safe
|
||||
transformer.transform(source, null); // safe
|
||||
tf.newTransformer(source); // safe
|
||||
}
|
||||
|
||||
public void safeTransformerFactory4(Socket sock) throws Exception {
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
Transformer transformer = tf.newTransformer();
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
Transformer transformer = tf.newTransformer();
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
|
||||
source.setXMLReader(reader);
|
||||
transformer.transform(source, null); //safe
|
||||
tf.newTransformer(source); //safe
|
||||
transformer.transform(source, null); // safe
|
||||
tf.newTransformer(source); // safe
|
||||
}
|
||||
|
||||
public void partialConfiguredTransformerFactory1(Socket sock) throws Exception {
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
Transformer transformer = tf.newTransformer();
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialConfiguredTransformerFactory2(Socket sock) throws Exception {
|
||||
TransformerFactory tf = TransformerFactory.newInstance();
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = tf.newTransformer();
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredTransformerFactory1(Socket sock) throws Exception {
|
||||
@@ -85,8 +85,8 @@ public class TransformerTests {
|
||||
Transformer transformer = tf.newTransformer();
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab");
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredTransformerFactory2(Socket sock) throws Exception {
|
||||
@@ -94,50 +94,50 @@ public class TransformerTests {
|
||||
Transformer transformer = tf.newTransformer();
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd");
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
|
||||
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
|
||||
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void unconfiguredSAXTransformerFactory(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeSAXTransformerFactory(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //safe
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void partialConfiguredSAXTransformerFactory1(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialConfiguredSAXTransformerFactory2(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredSAXTransformerFactory1(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab");
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredSAXTransformerFactory2(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd");
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
|
||||
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void taintedSAXSource(Socket sock) throws Exception {
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
|
||||
sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); //unsafe
|
||||
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
||||
sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,15 +16,16 @@ public class UnmarshallerTests {
|
||||
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
JAXBContext jc = JAXBContext.newInstance(Object.class);
|
||||
Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
|
||||
Source xmlSource =
|
||||
new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
|
||||
Unmarshaller um = jc.createUnmarshaller();
|
||||
um.unmarshal(xmlSource); //safe
|
||||
um.unmarshal(xmlSource); // safe
|
||||
}
|
||||
|
||||
public void unsafeUnmarshal(Socket sock) throws Exception {
|
||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
JAXBContext jc = JAXBContext.newInstance(Object.class);
|
||||
Unmarshaller um = jc.createUnmarshaller();
|
||||
um.unmarshal(sock.getInputStream()); //unsafe
|
||||
um.unmarshal(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
import javax.xml.validation.Schema;
|
||||
import javax.xml.validation.SchemaFactory;
|
||||
import javax.xml.validation.Validator;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class ValidatorTests {
|
||||
|
||||
@PostMapping(value = "bad")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
StreamSource source = new StreamSource(servletInputStream);
|
||||
validator.validate(source); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
@PostMapping(value = "good")
|
||||
public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
|
||||
StreamSource source = new StreamSource(listString.toString());
|
||||
validator.validate(source);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,32 @@
|
||||
import java.beans.XMLDecoder;
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class XMLDecoderTests {
|
||||
|
||||
@PostMapping(value = "bad")
|
||||
public void bad3(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
|
||||
xmlDecoder.readObject(); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
@PostMapping(value = "good")
|
||||
public void good3(HttpServletRequest request) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
// parseText falls back to a default SAXReader, which is safe
|
||||
Document document = DocumentHelper.parseText(listString.toString()); // Safe
|
||||
}
|
||||
}
|
||||
@@ -13,23 +13,23 @@ public class XMLReaderTests {
|
||||
|
||||
public void unconfiguredReader(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeReaderFromConfig1(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //safe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void safeReaderFromConfig2(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //safe
|
||||
reader.parse(new InputSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
|
||||
public void safeReaderFromSAXParser(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
@@ -37,66 +37,66 @@ public class XMLReaderTests {
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
XMLReader reader = parser.getXMLReader();
|
||||
reader.parse(new InputSource(sock.getInputStream())); //safe
|
||||
reader.parse(new InputSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void safeReaderFromSAXReader(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
XMLReader xmlReader = reader.getXMLReader();
|
||||
xmlReader.parse(new InputSource(sock.getInputStream())); //safe
|
||||
xmlReader.parse(new InputSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void partialConfiguredXMLReader1(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialConfiguredXMLReader2(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partilaConfiguredXMLReader3(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredXMLReader1(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredXMLReader2(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredXMLReader3(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredXMLReader4(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
reader.parse(new InputSource(sock.getInputStream())); //unsafe
|
||||
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,18 +12,33 @@ public class XPathExpressionTests {
|
||||
|
||||
public void safeXPathExpression(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
XPathFactory xFactory = XPathFactory.newInstance();
|
||||
XPath path = xFactory.newXPath();
|
||||
XPathExpression expr = path.compile("");
|
||||
expr.evaluate(builder.parse(sock.getInputStream())); //safe
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
XPathFactory xFactory = XPathFactory.newInstance();
|
||||
XPath path = xFactory.newXPath();
|
||||
XPathExpression expr = path.compile("");
|
||||
expr.evaluate(builder.parse(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void unsafeExpressionTests(Socket sock) throws Exception {
|
||||
XPathFactory xFactory = XPathFactory.newInstance();
|
||||
XPath path = xFactory.newXPath();
|
||||
XPathExpression expr = path.compile("");
|
||||
expr.evaluate(new InputSource(sock.getInputStream())); //unsafe
|
||||
XPathFactory xFactory = XPathFactory.newInstance();
|
||||
XPath path = xFactory.newXPath();
|
||||
XPathExpression expr = path.compile("");
|
||||
expr.evaluate(new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeXPathEvaluateTest(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
XPathFactory xFactory = XPathFactory.newInstance();
|
||||
XPath path = xFactory.newXPath();
|
||||
path.evaluate("", builder.parse(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void unsafeXPathEvaluateTest(Socket sock) throws Exception {
|
||||
XPathFactory xFactory = XPathFactory.newInstance();
|
||||
XPath path = xFactory.newXPath();
|
||||
path.evaluate("", new InputSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,351 +0,0 @@
|
||||
edges
|
||||
| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | DocumentBuilderTests.java:94:16:94:21 | source : SAXSource |
|
||||
| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource |
|
||||
| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource |
|
||||
| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
|
||||
| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:101:46:101:51 | source : StreamSource |
|
||||
| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:102:16:102:21 | source : StreamSource |
|
||||
| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource |
|
||||
| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
|
||||
| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
|
||||
| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | SAXSourceTests.java:20:18:20:23 | source |
|
||||
| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource |
|
||||
| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource |
|
||||
| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) |
|
||||
| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | SimpleXMLTests.java:31:52:31:52 | b : byte[] |
|
||||
| SimpleXMLTests.java:31:52:31:52 | b : byte[] | SimpleXMLTests.java:31:41:31:53 | new String(...) |
|
||||
| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | SimpleXMLTests.java:38:52:38:52 | b : byte[] |
|
||||
| SimpleXMLTests.java:38:52:38:52 | b : byte[] | SimpleXMLTests.java:38:41:38:53 | new String(...) |
|
||||
| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | SimpleXMLTests.java:90:48:90:48 | b : byte[] |
|
||||
| SimpleXMLTests.java:90:48:90:48 | b : byte[] | SimpleXMLTests.java:90:37:90:49 | new String(...) |
|
||||
| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | SimpleXMLTests.java:97:48:97:48 | b : byte[] |
|
||||
| SimpleXMLTests.java:97:48:97:48 | b : byte[] | SimpleXMLTests.java:97:37:97:49 | new String(...) |
|
||||
| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | SimpleXMLTests.java:104:37:104:37 | b : byte[] |
|
||||
| SimpleXMLTests.java:104:37:104:37 | b : byte[] | SimpleXMLTests.java:104:26:104:38 | new String(...) |
|
||||
| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | SimpleXMLTests.java:111:37:111:37 | b : byte[] |
|
||||
| SimpleXMLTests.java:111:37:111:37 | b : byte[] | SimpleXMLTests.java:111:26:111:38 | new String(...) |
|
||||
| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | SimpleXMLTests.java:146:33:146:33 | b : byte[] |
|
||||
| SimpleXMLTests.java:146:33:146:33 | b : byte[] | SimpleXMLTests.java:146:22:146:34 | new String(...) |
|
||||
| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | SimpleXMLTests.java:153:33:153:33 | b : byte[] |
|
||||
| SimpleXMLTests.java:153:33:153:33 | b : byte[] | SimpleXMLTests.java:153:22:153:34 | new String(...) |
|
||||
| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | TransformerTests.java:141:18:141:70 | new SAXSource(...) |
|
||||
| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource |
|
||||
| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) |
|
||||
| XPathExpressionTests.java:27:37:27:57 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:21:27:58 | new InputSource(...) |
|
||||
nodes
|
||||
| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
|
||||
| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
|
||||
| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | semmle.label | source : SAXSource |
|
||||
| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | semmle.label | getInputSource(...) |
|
||||
| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
|
||||
| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | semmle.label | sourceToInputSource(...) |
|
||||
| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | semmle.label | source : StreamSource |
|
||||
| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | semmle.label | source : StreamSource |
|
||||
| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:13:18:13:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:30:18:30:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:38:18:38:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:46:18:46:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:55:18:55:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:64:18:64:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:73:18:73:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
|
||||
| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
|
||||
| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source |
|
||||
| SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:31:39:31:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:38:39:38:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:45:39:45:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:31:41:31:53 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:31:52:31:52 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:38:41:38:53 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:38:52:38:52 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:90:37:90:49 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:90:48:90:48 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:97:37:97:49 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:97:48:97:48 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:104:26:104:38 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:104:37:104:37 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:111:26:111:38 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:111:37:111:37 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:146:22:146:34 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:146:33:146:33 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:153:22:153:34 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:153:33:153:33 | b : byte[] | semmle.label | b : byte[] |
|
||||
| TransformerTests.java:20:27:20:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:21:23:21:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:71:27:71:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:72:23:72:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:79:27:79:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:80:23:80:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:88:27:88:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:89:23:89:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:97:27:97:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:98:23:98:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:103:21:103:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:116:21:116:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:122:21:122:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:129:21:129:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:136:21:136:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) |
|
||||
| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
|
||||
| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XPathExpressionTests.java:27:37:27:57 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
subpaths
|
||||
#select
|
||||
| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user-provided value |
|
||||
| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | user-provided value |
|
||||
| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:13:18:13:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:30:18:30:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:38:18:38:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:46:18:46:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user-provided value |
|
||||
| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | XML parsing depends on a $@ without guarding against external entity expansion. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:38:39:38:77 | new StreamSource(...) | SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:38:56:38:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:45:39:45:77 | new StreamSource(...) | SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:45:56:45:76 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:31:41:31:53 | new String(...) | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:31:41:31:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:38:41:38:53 | new String(...) | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:38:41:38:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:90:37:90:49 | new String(...) | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:90:37:90:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:97:37:97:49 | new String(...) | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:97:37:97:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:104:26:104:38 | new String(...) | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:104:26:104:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:111:26:111:38 | new String(...) | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:111:26:111:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:146:22:146:34 | new String(...) | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:146:22:146:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:153:22:153:34 | new String(...) | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:153:22:153:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:20:27:20:65 | new StreamSource(...) | TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:20:44:20:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:21:23:21:61 | new StreamSource(...) | TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:21:40:21:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:71:27:71:65 | new StreamSource(...) | TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:71:44:71:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:72:23:72:61 | new StreamSource(...) | TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:72:40:72:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:79:27:79:65 | new StreamSource(...) | TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:79:44:79:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:80:23:80:61 | new StreamSource(...) | TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:80:40:80:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:88:27:88:65 | new StreamSource(...) | TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:88:44:88:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:89:23:89:61 | new StreamSource(...) | TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:89:40:89:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:97:27:97:65 | new StreamSource(...) | TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:97:44:97:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:98:23:98:61 | new StreamSource(...) | TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:98:40:98:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:103:21:103:59 | new StreamSource(...) | TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:103:38:103:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:116:21:116:59 | new StreamSource(...) | TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:116:38:116:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:122:21:122:59 | new StreamSource(...) | TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:122:38:122:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user-provided value |
|
||||
| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:70:34:70:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:78:34:78:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:86:34:86:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:94:34:94:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:100:34:100:54 | getInputStream(...) | user-provided value |
|
||||
| XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | XPathExpressionTests.java:27:37:27:57 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:27:37:27:57 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
|
||||
|
||||
11
java/ql/test/query-tests/security/CWE-611/XXE.ql
Normal file
11
java/ql/test/query-tests/security/CWE-611/XXE.ql
Normal file
@@ -0,0 +1,11 @@
|
||||
import java
|
||||
import TestUtilities.InlineFlowTest
|
||||
import semmle.code.java.security.XxeRemoteQuery
|
||||
|
||||
class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
XxeFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-611/XXE.ql
|
||||
@@ -6,53 +6,53 @@ public class XmlInputFactoryTests {
|
||||
|
||||
public void unconfigureFactory(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeFactory(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //safe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //safe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // safe
|
||||
factory.createXMLEventReader(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory2(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory3(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory4(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory5(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
}
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.3.8/
|
||||
|
||||
@@ -24,41 +24,41 @@ import org.springframework.jdbc.support.rowset.SqlRowSet;
|
||||
|
||||
public interface JdbcOperations
|
||||
{
|
||||
<T> List<T> query(PreparedStatementCreator p0, RowMapper<T> p1);
|
||||
<T> List<T> query(String p0, Object[] p1, RowMapper<T> p2);
|
||||
<T> List<T> query(String p0, Object[] p1, int[] p2, RowMapper<T> p3);
|
||||
<T> List<T> query(String p0, PreparedStatementSetter p1, RowMapper<T> p2);
|
||||
<T> List<T> query(String p0, RowMapper<T> p1);
|
||||
<T> List<T> query(String p0, RowMapper<T> p1, Object... p2);
|
||||
<T> List<T> queryForList(String p0, Class<T> p1);
|
||||
<T> List<T> queryForList(String p0, Class<T> p1, Object... p2);
|
||||
<T> List<T> queryForList(String p0, Object[] p1, Class<T> p2);
|
||||
<T> List<T> queryForList(String p0, Object[] p1, int[] p2, Class<T> p3);
|
||||
<T> Stream<T> queryForStream(PreparedStatementCreator p0, RowMapper<T> p1);
|
||||
<T> Stream<T> queryForStream(String p0, PreparedStatementSetter p1, RowMapper<T> p2);
|
||||
<T> Stream<T> queryForStream(String p0, RowMapper<T> p1);
|
||||
<T> Stream<T> queryForStream(String p0, RowMapper<T> p1, Object... p2);
|
||||
<T> T execute(CallableStatementCreator p0, CallableStatementCallback<T> p1);
|
||||
<T> T execute(ConnectionCallback<T> p0);
|
||||
<T> T execute(PreparedStatementCreator p0, PreparedStatementCallback<T> p1);
|
||||
<T> T execute(StatementCallback<T> p0);
|
||||
<T> T execute(String p0, CallableStatementCallback<T> p1);
|
||||
<T> T execute(String p0, PreparedStatementCallback<T> p1);
|
||||
<T> T query(PreparedStatementCreator p0, ResultSetExtractor<T> p1);
|
||||
<T> T query(String p0, Object[] p1, ResultSetExtractor<T> p2);
|
||||
<T> T query(String p0, Object[] p1, int[] p2, ResultSetExtractor<T> p3);
|
||||
<T> T query(String p0, PreparedStatementSetter p1, ResultSetExtractor<T> p2);
|
||||
<T> T query(String p0, ResultSetExtractor<T> p1);
|
||||
<T> T query(String p0, ResultSetExtractor<T> p1, Object... p2);
|
||||
<T> T queryForObject(String p0, Class<T> p1);
|
||||
<T> T queryForObject(String p0, Class<T> p1, Object... p2);
|
||||
<T> T queryForObject(String p0, Object[] p1, Class<T> p2);
|
||||
<T> T queryForObject(String p0, Object[] p1, RowMapper<T> p2);
|
||||
<T> T queryForObject(String p0, Object[] p1, int[] p2, Class<T> p3);
|
||||
<T> T queryForObject(String p0, Object[] p1, int[] p2, RowMapper<T> p3);
|
||||
<T> T queryForObject(String p0, RowMapper<T> p1);
|
||||
<T> T queryForObject(String p0, RowMapper<T> p1, Object... p2);
|
||||
<T> int[] batchUpdate(String p0, Collection<T> p1, int p2, ParameterizedPreparedStatementSetter<T> p3);
|
||||
<T> T execute(CallableStatementCreator p0, org.springframework.jdbc.core.CallableStatementCallback<T> p1);
|
||||
<T> T execute(PreparedStatementCreator p0, org.springframework.jdbc.core.PreparedStatementCallback<T> p1);
|
||||
<T> T execute(String p0, org.springframework.jdbc.core.CallableStatementCallback<T> p1);
|
||||
<T> T execute(String p0, org.springframework.jdbc.core.PreparedStatementCallback<T> p1);
|
||||
<T> T execute(org.springframework.jdbc.core.ConnectionCallback<T> p0);
|
||||
<T> T execute(org.springframework.jdbc.core.StatementCallback<T> p0);
|
||||
<T> T query(PreparedStatementCreator p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1);
|
||||
<T> T query(String p0, Object[] p1, int[] p2, org.springframework.jdbc.core.ResultSetExtractor<T> p3);
|
||||
<T> T query(String p0, Object[] p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2);
|
||||
<T> T query(String p0, PreparedStatementSetter p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2);
|
||||
<T> T query(String p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1);
|
||||
<T> T query(String p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1, Object... p2);
|
||||
<T> T queryForObject(String p0, Object[] p1, int[] p2, java.lang.Class<T> p3);
|
||||
<T> T queryForObject(String p0, Object[] p1, int[] p2, org.springframework.jdbc.core.RowMapper<T> p3);
|
||||
<T> T queryForObject(String p0, Object[] p1, java.lang.Class<T> p2);
|
||||
<T> T queryForObject(String p0, Object[] p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> T queryForObject(String p0, java.lang.Class<T> p1);
|
||||
<T> T queryForObject(String p0, java.lang.Class<T> p1, Object... p2);
|
||||
<T> T queryForObject(String p0, org.springframework.jdbc.core.RowMapper<T> p1);
|
||||
<T> T queryForObject(String p0, org.springframework.jdbc.core.RowMapper<T> p1, Object... p2);
|
||||
<T> int[][] batchUpdate(String p0, java.util.Collection<T> p1, int p2, org.springframework.jdbc.core.ParameterizedPreparedStatementSetter<T> p3);
|
||||
<T> java.util.List<T> query(PreparedStatementCreator p0, org.springframework.jdbc.core.RowMapper<T> p1);
|
||||
<T> java.util.List<T> query(String p0, Object[] p1, int[] p2, org.springframework.jdbc.core.RowMapper<T> p3);
|
||||
<T> java.util.List<T> query(String p0, Object[] p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.List<T> query(String p0, PreparedStatementSetter p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.List<T> query(String p0, org.springframework.jdbc.core.RowMapper<T> p1);
|
||||
<T> java.util.List<T> query(String p0, org.springframework.jdbc.core.RowMapper<T> p1, Object... p2);
|
||||
<T> java.util.List<T> queryForList(String p0, Object[] p1, int[] p2, java.lang.Class<T> p3);
|
||||
<T> java.util.List<T> queryForList(String p0, Object[] p1, java.lang.Class<T> p2);
|
||||
<T> java.util.List<T> queryForList(String p0, java.lang.Class<T> p1);
|
||||
<T> java.util.List<T> queryForList(String p0, java.lang.Class<T> p1, Object... p2);
|
||||
<T> java.util.stream.Stream<T> queryForStream(PreparedStatementCreator p0, org.springframework.jdbc.core.RowMapper<T> p1);
|
||||
<T> java.util.stream.Stream<T> queryForStream(String p0, PreparedStatementSetter p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.stream.Stream<T> queryForStream(String p0, org.springframework.jdbc.core.RowMapper<T> p1);
|
||||
<T> java.util.stream.Stream<T> queryForStream(String p0, org.springframework.jdbc.core.RowMapper<T> p1, Object... p2);
|
||||
List<Map<String, Object>> queryForList(String p0);
|
||||
List<Map<String, Object>> queryForList(String p0, Object... p1);
|
||||
List<Map<String, Object>> queryForList(String p0, Object[] p1, int[] p2);
|
||||
|
||||
@@ -35,7 +35,7 @@ import org.springframework.jdbc.support.rowset.SqlRowSet;
|
||||
|
||||
public class JdbcTemplate extends JdbcAccessor implements JdbcOperations
|
||||
{
|
||||
protected <T> RowMapper<T> getSingleColumnRowMapper(Class<T> p0){ return null; }
|
||||
protected <T> org.springframework.jdbc.core.RowMapper<T> getSingleColumnRowMapper(java.lang.Class<T> p0){ return null; }
|
||||
protected Connection createConnectionProxy(Connection p0){ return null; }
|
||||
protected DataAccessException translateException(String p0, String p1, SQLException p2){ return null; }
|
||||
protected Map<String, Object> createResultsMap(){ return null; }
|
||||
@@ -49,43 +49,43 @@ public class JdbcTemplate extends JdbcAccessor implements JdbcOperations
|
||||
protected void applyStatementSettings(Statement p0){}
|
||||
protected void handleWarnings(SQLWarning p0){}
|
||||
protected void handleWarnings(Statement p0){}
|
||||
public <T> List<T> query(PreparedStatementCreator p0, RowMapper<T> p1){ return null; }
|
||||
public <T> List<T> query(String p0, Object[] p1, RowMapper<T> p2){ return null; }
|
||||
public <T> List<T> query(String p0, Object[] p1, int[] p2, RowMapper<T> p3){ return null; }
|
||||
public <T> List<T> query(String p0, PreparedStatementSetter p1, RowMapper<T> p2){ return null; }
|
||||
public <T> List<T> query(String p0, RowMapper<T> p1){ return null; }
|
||||
public <T> List<T> query(String p0, RowMapper<T> p1, Object... p2){ return null; }
|
||||
public <T> List<T> queryForList(String p0, Class<T> p1){ return null; }
|
||||
public <T> List<T> queryForList(String p0, Class<T> p1, Object... p2){ return null; }
|
||||
public <T> List<T> queryForList(String p0, Object[] p1, Class<T> p2){ return null; }
|
||||
public <T> List<T> queryForList(String p0, Object[] p1, int[] p2, Class<T> p3){ return null; }
|
||||
public <T> Stream<T> queryForStream(PreparedStatementCreator p0, PreparedStatementSetter p1, RowMapper<T> p2){ return null; }
|
||||
public <T> Stream<T> queryForStream(PreparedStatementCreator p0, RowMapper<T> p1){ return null; }
|
||||
public <T> Stream<T> queryForStream(String p0, PreparedStatementSetter p1, RowMapper<T> p2){ return null; }
|
||||
public <T> Stream<T> queryForStream(String p0, RowMapper<T> p1){ return null; }
|
||||
public <T> Stream<T> queryForStream(String p0, RowMapper<T> p1, Object... p2){ return null; }
|
||||
public <T> T execute(CallableStatementCreator p0, CallableStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(ConnectionCallback<T> p0){ return null; }
|
||||
public <T> T execute(PreparedStatementCreator p0, PreparedStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(StatementCallback<T> p0){ return null; }
|
||||
public <T> T execute(String p0, CallableStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(String p0, PreparedStatementCallback<T> p1){ return null; }
|
||||
public <T> T query(PreparedStatementCreator p0, PreparedStatementSetter p1, ResultSetExtractor<T> p2){ return null; }
|
||||
public <T> T query(PreparedStatementCreator p0, ResultSetExtractor<T> p1){ return null; }
|
||||
public <T> T query(String p0, Object[] p1, ResultSetExtractor<T> p2){ return null; }
|
||||
public <T> T query(String p0, Object[] p1, int[] p2, ResultSetExtractor<T> p3){ return null; }
|
||||
public <T> T query(String p0, PreparedStatementSetter p1, ResultSetExtractor<T> p2){ return null; }
|
||||
public <T> T query(String p0, ResultSetExtractor<T> p1){ return null; }
|
||||
public <T> T query(String p0, ResultSetExtractor<T> p1, Object... p2){ return null; }
|
||||
public <T> T queryForObject(String p0, Class<T> p1){ return null; }
|
||||
public <T> T queryForObject(String p0, Class<T> p1, Object... p2){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, Class<T> p2){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, RowMapper<T> p2){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, int[] p2, Class<T> p3){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, int[] p2, RowMapper<T> p3){ return null; }
|
||||
public <T> T queryForObject(String p0, RowMapper<T> p1){ return null; }
|
||||
public <T> T queryForObject(String p0, RowMapper<T> p1, Object... p2){ return null; }
|
||||
public <T> int[] batchUpdate(String p0, Collection<T> p1, int p2, ParameterizedPreparedStatementSetter<T> p3){ return null; }
|
||||
public <T> T execute(CallableStatementCreator p0, org.springframework.jdbc.core.CallableStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(PreparedStatementCreator p0, org.springframework.jdbc.core.PreparedStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(String p0, org.springframework.jdbc.core.CallableStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(String p0, org.springframework.jdbc.core.PreparedStatementCallback<T> p1){ return null; }
|
||||
public <T> T execute(org.springframework.jdbc.core.ConnectionCallback<T> p0){ return null; }
|
||||
public <T> T execute(org.springframework.jdbc.core.StatementCallback<T> p0){ return null; }
|
||||
public <T> T query(PreparedStatementCreator p0, PreparedStatementSetter p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2){ return null; }
|
||||
public <T> T query(PreparedStatementCreator p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1){ return null; }
|
||||
public <T> T query(String p0, Object[] p1, int[] p2, org.springframework.jdbc.core.ResultSetExtractor<T> p3){ return null; }
|
||||
public <T> T query(String p0, Object[] p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2){ return null; }
|
||||
public <T> T query(String p0, PreparedStatementSetter p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2){ return null; }
|
||||
public <T> T query(String p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1){ return null; }
|
||||
public <T> T query(String p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1, Object... p2){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, int[] p2, java.lang.Class<T> p3){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, int[] p2, org.springframework.jdbc.core.RowMapper<T> p3){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, java.lang.Class<T> p2){ return null; }
|
||||
public <T> T queryForObject(String p0, Object[] p1, org.springframework.jdbc.core.RowMapper<T> p2){ return null; }
|
||||
public <T> T queryForObject(String p0, java.lang.Class<T> p1){ return null; }
|
||||
public <T> T queryForObject(String p0, java.lang.Class<T> p1, Object... p2){ return null; }
|
||||
public <T> T queryForObject(String p0, org.springframework.jdbc.core.RowMapper<T> p1){ return null; }
|
||||
public <T> T queryForObject(String p0, org.springframework.jdbc.core.RowMapper<T> p1, Object... p2){ return null; }
|
||||
public <T> int[][] batchUpdate(String p0, java.util.Collection<T> p1, int p2, org.springframework.jdbc.core.ParameterizedPreparedStatementSetter<T> p3){ return null; }
|
||||
public <T> java.util.List<T> query(PreparedStatementCreator p0, org.springframework.jdbc.core.RowMapper<T> p1){ return null; }
|
||||
public <T> java.util.List<T> query(String p0, Object[] p1, int[] p2, org.springframework.jdbc.core.RowMapper<T> p3){ return null; }
|
||||
public <T> java.util.List<T> query(String p0, Object[] p1, org.springframework.jdbc.core.RowMapper<T> p2){ return null; }
|
||||
public <T> java.util.List<T> query(String p0, PreparedStatementSetter p1, org.springframework.jdbc.core.RowMapper<T> p2){ return null; }
|
||||
public <T> java.util.List<T> query(String p0, org.springframework.jdbc.core.RowMapper<T> p1){ return null; }
|
||||
public <T> java.util.List<T> query(String p0, org.springframework.jdbc.core.RowMapper<T> p1, Object... p2){ return null; }
|
||||
public <T> java.util.List<T> queryForList(String p0, Object[] p1, int[] p2, java.lang.Class<T> p3){ return null; }
|
||||
public <T> java.util.List<T> queryForList(String p0, Object[] p1, java.lang.Class<T> p2){ return null; }
|
||||
public <T> java.util.List<T> queryForList(String p0, java.lang.Class<T> p1){ return null; }
|
||||
public <T> java.util.List<T> queryForList(String p0, java.lang.Class<T> p1, Object... p2){ return null; }
|
||||
public <T> java.util.stream.Stream<T> queryForStream(PreparedStatementCreator p0, PreparedStatementSetter p1, org.springframework.jdbc.core.RowMapper<T> p2){ return null; }
|
||||
public <T> java.util.stream.Stream<T> queryForStream(PreparedStatementCreator p0, org.springframework.jdbc.core.RowMapper<T> p1){ return null; }
|
||||
public <T> java.util.stream.Stream<T> queryForStream(String p0, PreparedStatementSetter p1, org.springframework.jdbc.core.RowMapper<T> p2){ return null; }
|
||||
public <T> java.util.stream.Stream<T> queryForStream(String p0, org.springframework.jdbc.core.RowMapper<T> p1){ return null; }
|
||||
public <T> java.util.stream.Stream<T> queryForStream(String p0, org.springframework.jdbc.core.RowMapper<T> p1, Object... p2){ return null; }
|
||||
public JdbcTemplate(){}
|
||||
public JdbcTemplate(DataSource p0){}
|
||||
public JdbcTemplate(DataSource p0, boolean p1){}
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
// Generated automatically from org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations for testing purposes
|
||||
|
||||
package org.springframework.jdbc.core.namedparam;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.stream.Stream;
|
||||
import org.springframework.jdbc.core.JdbcOperations;
|
||||
import org.springframework.jdbc.core.PreparedStatementCallback;
|
||||
import org.springframework.jdbc.core.ResultSetExtractor;
|
||||
import org.springframework.jdbc.core.RowCallbackHandler;
|
||||
import org.springframework.jdbc.core.RowMapper;
|
||||
import org.springframework.jdbc.core.namedparam.SqlParameterSource;
|
||||
import org.springframework.jdbc.support.KeyHolder;
|
||||
import org.springframework.jdbc.support.rowset.SqlRowSet;
|
||||
|
||||
public interface NamedParameterJdbcOperations
|
||||
{
|
||||
<T> T execute(String p0, Map<String, ? extends Object> p1, org.springframework.jdbc.core.PreparedStatementCallback<T> p2);
|
||||
<T> T execute(String p0, SqlParameterSource p1, org.springframework.jdbc.core.PreparedStatementCallback<T> p2);
|
||||
<T> T execute(String p0, org.springframework.jdbc.core.PreparedStatementCallback<T> p1);
|
||||
<T> T query(String p0, Map<String, ? extends Object> p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2);
|
||||
<T> T query(String p0, SqlParameterSource p1, org.springframework.jdbc.core.ResultSetExtractor<T> p2);
|
||||
<T> T query(String p0, org.springframework.jdbc.core.ResultSetExtractor<T> p1);
|
||||
<T> T queryForObject(String p0, Map<String, ? extends Object> p1, java.lang.Class<T> p2);
|
||||
<T> T queryForObject(String p0, Map<String, ? extends Object> p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> T queryForObject(String p0, SqlParameterSource p1, java.lang.Class<T> p2);
|
||||
<T> T queryForObject(String p0, SqlParameterSource p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.List<T> query(String p0, Map<String, ? extends Object> p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.List<T> query(String p0, SqlParameterSource p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.List<T> query(String p0, org.springframework.jdbc.core.RowMapper<T> p1);
|
||||
<T> java.util.List<T> queryForList(String p0, Map<String, ? extends Object> p1, java.lang.Class<T> p2);
|
||||
<T> java.util.List<T> queryForList(String p0, SqlParameterSource p1, java.lang.Class<T> p2);
|
||||
<T> java.util.stream.Stream<T> queryForStream(String p0, Map<String, ? extends Object> p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
<T> java.util.stream.Stream<T> queryForStream(String p0, SqlParameterSource p1, org.springframework.jdbc.core.RowMapper<T> p2);
|
||||
JdbcOperations getJdbcOperations();
|
||||
List<Map<String, Object>> queryForList(String p0, Map<String, ? extends Object> p1);
|
||||
List<Map<String, Object>> queryForList(String p0, SqlParameterSource p1);
|
||||
Map<String, Object> queryForMap(String p0, Map<String, ? extends Object> p1);
|
||||
Map<String, Object> queryForMap(String p0, SqlParameterSource p1);
|
||||
SqlRowSet queryForRowSet(String p0, Map<String, ? extends Object> p1);
|
||||
SqlRowSet queryForRowSet(String p0, SqlParameterSource p1);
|
||||
int update(String p0, Map<String, ? extends Object> p1);
|
||||
int update(String p0, SqlParameterSource p1);
|
||||
int update(String p0, SqlParameterSource p1, KeyHolder p2);
|
||||
int update(String p0, SqlParameterSource p1, KeyHolder p2, String[] p3);
|
||||
int[] batchUpdate(String p0, Map<String, ? extends Object>[] p1);
|
||||
int[] batchUpdate(String p0, SqlParameterSource[] p1);
|
||||
void query(String p0, Map<String, ? extends Object> p1, RowCallbackHandler p2);
|
||||
void query(String p0, RowCallbackHandler p1);
|
||||
void query(String p0, SqlParameterSource p1, RowCallbackHandler p2);
|
||||
}
|
||||
@@ -2,21 +2,9 @@
|
||||
|
||||
package org.springframework.jdbc.core.namedparam;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
public class ParsedSql
|
||||
{
|
||||
protected ParsedSql() {}
|
||||
List<String> getParameterNames(){ return null; }
|
||||
ParsedSql(String p0){}
|
||||
String getOriginalSql(){ return null; }
|
||||
int getNamedParameterCount(){ return 0; }
|
||||
int getTotalParameterCount(){ return 0; }
|
||||
int getUnnamedParameterCount(){ return 0; }
|
||||
int[] getParameterIndexes(int p0){ return null; }
|
||||
public String toString(){ return null; }
|
||||
void addNamedParameter(String p0, int p1, int p2){}
|
||||
void setNamedParameterCount(int p0){}
|
||||
void setTotalParameterCount(int p0){}
|
||||
void setUnnamedParameterCount(int p0){}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
// Generated automatically from org.springframework.jdbc.core.namedparam.SqlParameterSource for testing purposes
|
||||
|
||||
package org.springframework.jdbc.core.namedparam;
|
||||
|
||||
|
||||
public interface SqlParameterSource
|
||||
{
|
||||
Object getValue(String p0);
|
||||
boolean hasValue(String p0);
|
||||
default String getTypeName(String p0){ return null; }
|
||||
default String[] getParameterNames(){ return null; }
|
||||
default int getSqlType(String p0){ return 0; }
|
||||
static int TYPE_UNKNOWN = 0;
|
||||
}
|
||||
@@ -3,12 +3,14 @@
|
||||
package org.springframework.jdbc.support;
|
||||
|
||||
import javax.sql.DataSource;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.springframework.beans.factory.InitializingBean;
|
||||
import org.springframework.jdbc.support.SQLExceptionTranslator;
|
||||
|
||||
abstract public class JdbcAccessor implements InitializingBean
|
||||
{
|
||||
protected DataSource obtainDataSource(){ return null; }
|
||||
protected final Log logger = null;
|
||||
public DataSource getDataSource(){ return null; }
|
||||
public JdbcAccessor(){}
|
||||
public SQLExceptionTranslator getExceptionTranslator(){ return null; }
|
||||
|
||||
@@ -7,7 +7,7 @@ import java.util.Map;
|
||||
|
||||
public interface KeyHolder
|
||||
{
|
||||
<T> T getKeyAs(Class<T> p0);
|
||||
<T> T getKeyAs(java.lang.Class<T> p0);
|
||||
List<Map<String, Object>> getKeyList();
|
||||
Map<String, Object> getKeys();
|
||||
Number getKey();
|
||||
|
||||
Reference in New Issue
Block a user