hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 18:33:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add failing log injection test for @Pattern validation

Browse Source
This commit is contained in:
Owen Mansel-Chan
2026-02-14 01:50:34 +00:00
parent 149f3ed5b6
commit 146fc7a8c0
4 changed files with 6654 additions and 6638 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13278
java/ql/test/query-tests/security/CWE-117/LogInjectionTest.expected
View File

File diff suppressed because it is too large Load Diff

2
java/ql/test/query-tests/security/CWE-117/LogInjectionTest.ext.yml
View File

@@ -4,3 +4,5 @@ extensions:
extensible: sourceModel
data:
- ["loginjection", "LogInjectionTest", False, "source", "()", "", "ReturnValue", "remote", "manual"]
- ["loginjection", "LogInjectionTest", False, "validatedInput", "()", "", "ReturnValue", "remote", "manual"]
- ["loginjection", "LogInjectionTest", False, "validatedInputField", "", "", "", "remote", "manual"]

10
java/ql/test/query-tests/security/CWE-117/LogInjectionTest.java
View File

@@ -19,6 +19,14 @@ import org.jboss.logging.BasicLogger;
import org.slf4j.spi.LoggingEventBuilder;
public class LogInjectionTest {
@javax.validation.constraints.Pattern(regexp = "^[a-zA-Z0-9]*$")
public String validatedInputField;
@javax.validation.constraints.Pattern(regexp = "[^\n\r]*")
public String validatedInput() {
return (String) source();
}
public Object source() {
return null;
}
@@ -187,6 +195,8 @@ public class LogInjectionTest {
logger.debug(source); // $ MISSING: $ Alert
}
logger.debug(validatedInputField); // $ SPURIOUS: Alert
logger.debug(validatedInput()); // $ SPURIOUS: Alert
}
public void test() {

2
java/ql/test/query-tests/security/CWE-117/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-log4j-1.2.17:${testdir}/../../../stubs/apache-log4j-2.14.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/jboss-logging-3.4.2:${testdir}/../../../stubs/slf4j-2.0.0:${testdir}/../../../stubs/scijava-common-2.87.1:${testdir}/../../../stubs/flogger-0.7.1:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/apache-cxf
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/apache-log4j-1.2.17:${testdir}/../../../stubs/apache-log4j-2.14.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/jboss-logging-3.4.2:${testdir}/../../../stubs/slf4j-2.0.0:${testdir}/../../../stubs/scijava-common-2.87.1:${testdir}/../../../stubs/flogger-0.7.1:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/apache-cxf