Merge pull request #5141 from github/yo-h/java-flow-check-fix

Java: prepare to enforce additional compiler checks in test code
Anders Schack-Mulligen
2021-02-15 09:41:03 +01:00
committed by GitHub
53 changed files with 166 additions and 159 deletions


@@ -87,7 +87,7 @@ public class UnsafeCertTrustTest {
/**
* Test the endpoint identification of SSL engine is set to null
*/
public void testSSLEngineEndpointIdSetNull() {
public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorithmException {
SSLContext sslContext = SSLContext.getInstance("TLS");
SSLEngine sslEngine = sslContext.createSSLEngine();
SSLParameters sslParameters = sslEngine.getSSLParameters();
@@ -98,7 +98,7 @@ public class UnsafeCertTrustTest {
/**
* Test the endpoint identification of SSL engine is not set
*/
public void testSSLEngineEndpointIdNotSet() {
public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
SSLContext sslContext = SSLContext.getInstance("TLS");
SSLEngine sslEngine = sslContext.createSSLEngine();
}
@@ -106,7 +106,7 @@ public class UnsafeCertTrustTest {
/**
* Test the endpoint identification of SSL socket is not set
*/
public void testSSLSocketEndpointIdNotSet() {
public void testSSLSocketEndpointIdNotSet() throws java.security.NoSuchAlgorithmException, java.io.IOException {
SSLContext sslContext = SSLContext.getInstance("TLS");
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
@@ -115,7 +115,7 @@ public class UnsafeCertTrustTest {
/**
* Test the endpoint identification of regular socket is not set
*/
public void testSocketEndpointIdNotSet() {
public void testSocketEndpointIdNotSet() throws java.io.IOException {
SocketFactory socketFactory = SocketFactory.getDefault();
Socket socket = socketFactory.createSocket("www.example.com", 80);
}
@@ -127,4 +127,4 @@ public class UnsafeCertTrustTest {
// ConnectionFactory connectionFactory = new ConnectionFactory();
// connectionFactory.useSslProtocol();
// }
}
}
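Review bot: The Javadoc on the four fixtures touched here (`testSSLEngineEndpointIdSetNull`, `testSSLEngineEndpointIdNotSet`, `testSSLSocketEndpointIdNotSet`, `testSocketEndpointIdNotSet`) describes the setup but not the expected query result, unlike the `// BAD` / `// GOOD` markers used by other fixtures in this commit. On the SSL cases a line such as `// BAD: no endpoint identification algorithm is set, so the peer host name is not checked against the certificate` would make the intent reviewable. Whether the plain-socket case on port 80 is meant to be reported cannot be told from these hunks and should be stated too. The bodies of the first and third methods continue outside their hunks.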


@@ -29,7 +29,7 @@ class InsecureJavaMail {
final Session session = Session.getInstance(properties, authenticator);
}
public void testSimpleMail() {
public void testSimpleMail() throws Exception {
Email email = new SimpleEmail();
email.setHostName("config.hostName");
email.setSmtpPort(25);
@@ -42,4 +42,4 @@ class InsecureJavaMail {
email.addTo("toAddress");
email.send();
}
}
}
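Review bot: `testSimpleMail()` now declares `throws Exception`, which is broader than the fixture needs and differs from the sections of this commit that name exact exception types (`UnsafeCertTrustTest`, `InsufficientKeySize`). The same applies to the `throws Exception` signatures added in `CleartextStorageSharedPrefs`, `InsecureBasicAuth` and `InsecureLdapAuth`. If the only checked exception raised by the body is Commons Email's `EmailException` (the middle of the method lies between the two hunks, so this is an assumption), `public void testSimpleMail() throws EmailException {` keeps the new compiler check meaningful. A broad clause also hides any checked exception that a later edit to the fixture introduces.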


@@ -20,7 +20,7 @@ public class CleartextStorageSharedPrefs extends Activity {
}
// GOOD - save sensitive information in encrypted format
public void testSetSharedPrefs2(Context context, String name, String password) {
public void testSetSharedPrefs2(Context context, String name, String password) throws Exception {
SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
Editor editor = sharedPrefs.edit();
editor.putString("name", encrypt(name));
@@ -28,7 +28,7 @@ public class CleartextStorageSharedPrefs extends Activity {
editor.commit();
}
private static String encrypt(String cleartext) {
private static String encrypt(String cleartext) throws Exception {
// Use an encryption or hashing algorithm in real world. The demo below just returns its hash.
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
@@ -37,7 +37,7 @@ public class CleartextStorageSharedPrefs extends Activity {
}
// GOOD - save sensitive information in encrypted format using separate variables
public void testSetSharedPrefs3(Context context, String name, String password) {
public void testSetSharedPrefs3(Context context, String name, String password) throws Exception {
String encUsername = encrypt(name);
String encPassword = encrypt(password);
SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
@@ -49,7 +49,7 @@ public class CleartextStorageSharedPrefs extends Activity {
// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
public void testSetSharedPrefs4(Context context, String name, String password) {
public void testSetSharedPrefs4(Context context, String name, String password) throws Exception {
MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
@@ -69,7 +69,7 @@ public class CleartextStorageSharedPrefs extends Activity {
}
// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
public void testSetSharedPrefs5(Context context, String name, String password) {
public void testSetSharedPrefs5(Context context, String name, String password) throws Exception {
MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
@@ -89,7 +89,7 @@ public class CleartextStorageSharedPrefs extends Activity {
}
// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
public void testSetSharedPrefs6(Context context, String name, String password) {
public void testSetSharedPrefs6(Context context, String name, String password) throws Exception {
MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
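Review bot: The `encrypt` helper whose signature changes in the second hunk returns a SHA-256 digest, yet its callers are labelled `// GOOD - save sensitive information in encrypted format`. An unsalted fast hash of a password is not encryption and is not a sound storage scheme on its own, so the fixture can read as an endorsement to anyone copying it. I would reword the inline comment to something like `// Placeholder only: an unsalted SHA-256 digest is not encryption; real code should use EncryptedSharedPreferences or a keystore-backed cipher.` The rest of `encrypt` is outside the hunk, so how the digest is encoded and returned is not visible here.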


@@ -3,7 +3,7 @@ import java.security.spec.ECGenParameterSpec;
import javax.crypto.KeyGenerator;
public class InsufficientKeySize {
public void CryptoMethod() {
public void CryptoMethod() throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
// BAD: Key size is less than 128
keyGen1.init(64);
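Review bot: The new `throws` clause on `CryptoMethod()` spells out `java.security.NoSuchAlgorithmException` and `java.security.InvalidAlgorithmParameterException` in full, although the file already has an import block (`java.security.spec.ECGenParameterSpec` and `javax.crypto.KeyGenerator` are visible in the hunk). Importing the two types and writing `throws NoSuchAlgorithmException, InvalidAlgorithmParameterException` keeps the signature readable. `UnsafeCertTrustTest` uses the same fully qualified pattern. The method body continues past the end of the hunk.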


@@ -57,7 +57,7 @@ public class InsecureBasicAuth {
/**
* Test basic authentication with Apache HTTP POST request using the URI constructor with one argument.
*/
public void testApacheHttpRequest4(String username, String password) {
public void testApacheHttpRequest4(String username, String password) throws Exception {
String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
URI uri = new URI(uriStr);
HttpRequestBase post = new HttpPost(uri);
@@ -74,7 +74,7 @@ public class InsecureBasicAuth {
/**
* Test basic authentication with Apache HTTP POST request using a URI constructor with multiple arguments.
*/
public void testApacheHttpRequest5(String username, String password) {
public void testApacheHttpRequest5(String username, String password) throws Exception {
HttpRequestBase post = new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null));
post.setHeader("Accept", "application/json");
post.setHeader("Content-type", "application/json");
@@ -122,7 +122,7 @@ public class InsecureBasicAuth {
/**
* Test basic authentication with Java HTTP URL connection using the `URL(String spec)` constructor.
*/
public void testHttpUrlConnection(String username, String password) {
public void testHttpUrlConnection(String username, String password) throws Exception {
String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
String authString = username + ":" + password;
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
@@ -136,7 +136,7 @@ public class InsecureBasicAuth {
/**
* Test basic authentication with Java HTTP URL connection using the `URL(String protocol, String host, String file)` constructor.
*/
public void testHttpUrlConnection2(String username, String password) {
public void testHttpUrlConnection2(String username, String password) throws Exception {
String host = "www.example.com";
String path = "/rest/getuser.do?uid=abcdx";
String protocol = "http";
@@ -152,7 +152,7 @@ public class InsecureBasicAuth {
/**
* Test basic authentication with Java HTTP URL connection using a constructor with private URL.
*/
public void testHttpUrlConnection3(String username, String password) {
public void testHttpUrlConnection3(String username, String password) throws Exception {
String host = "LOCALHOST";
String authString = username + ":" + password;
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
@@ -161,4 +161,4 @@ public class InsecureBasicAuth {
conn.setDoOutput(true);
conn.setRequestProperty("Authorization", "Basic " + encoding);
}
}
}
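Review bot: `authString.getBytes("UTF-8")` in `testHttpUrlConnection` and `testHttpUrlConnection3` is one reason these methods need a `throws` clause at all, because the by-name charset overload declares a checked `UnsupportedEncodingException`. `authString.getBytes(StandardCharsets.UTF_8)` (with `java.nio.charset.StandardCharsets` imported) cannot fail that way and leaves fewer checked exceptions to declare. The bodies of these methods continue outside the hunks, so the remaining exception types would need to be confirmed there before narrowing `throws Exception`.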


@@ -7,7 +7,7 @@ import javax.naming.ldap.InitialLdapContext;
public class InsecureLdapAuth {
// BAD - Test LDAP authentication in cleartext using `DirContext`.
public void testCleartextLdapAuth(String ldapUserName, String password) {
public void testCleartextLdapAuth(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldap://ad.your-server.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -21,7 +21,7 @@ public class InsecureLdapAuth {
}
// BAD - Test LDAP authentication in cleartext using `DirContext`.
public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) {
public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) throws Exception {
String ldapUrl = "ldap://"+serverName+":389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -35,7 +35,7 @@ public class InsecureLdapAuth {
}
// GOOD - Test LDAP authentication over SSL.
public void testSslLdapAuth(String ldapUserName, String password) {
public void testSslLdapAuth(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldaps://ad.your-server.com:636";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -49,7 +49,7 @@ public class InsecureLdapAuth {
}
// GOOD - Test LDAP authentication over SSL.
public void testSslLdapAuth2(String ldapUserName, String password) {
public void testSslLdapAuth2(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldap://ad.your-server.com:636";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -64,7 +64,7 @@ public class InsecureLdapAuth {
}
// GOOD - Test LDAP authentication with SASL authentication.
public void testSaslLdapAuth(String ldapUserName, String password) {
public void testSaslLdapAuth(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldap://ad.your-server.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -78,7 +78,7 @@ public class InsecureLdapAuth {
}
// GOOD - Test LDAP authentication in cleartext connecting to local LDAP server.
public void testCleartextLdapAuth2(String ldapUserName, String password) {
public void testCleartextLdapAuth2(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldap://localhost:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -92,7 +92,7 @@ public class InsecureLdapAuth {
}
// BAD - Test LDAP authentication in cleartext using `InitialLdapContext`.
public void testCleartextLdapAuth3(String ldapUserName, String password) {
public void testCleartextLdapAuth3(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldap://ad.your-server.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -107,7 +107,7 @@ public class InsecureLdapAuth {
// BAD - Test LDAP authentication in cleartext using `DirContext` and string literals.
public void testCleartextLdapAuth4(String ldapUserName, String password) {
public void testCleartextLdapAuth4(String ldapUserName, String password) throws Exception {
String ldapUrl = "ldap://ad.your-server.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put("java.naming.factory.initial",
@@ -131,7 +131,7 @@ public class InsecureLdapAuth {
}
// GOOD - Test LDAP authentication with `ssl` configuration and basic authentication.
public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) {
public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) throws Exception {
String ldapUrl = "ldap://"+serverName+":389";
Hashtable<String, String> environment = new Hashtable<String, String>();
setSSL(environment);
@@ -143,7 +143,7 @@ public class InsecureLdapAuth {
}
// BAD - Test LDAP authentication with basic authentication.
public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) {
public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) throws Exception {
String ldapUrl = "ldap://"+serverName+":389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
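Review bot: `testSslLdapAuth2` is labelled `// GOOD - Test LDAP authentication over SSL.` but the only visible URL is `ldap://ad.your-server.com:636`, and neither the scheme nor the port by itself makes the bind encrypted. The rest of the method is outside the hunk; presumably it sets `Context.SECURITY_PROTOCOL` to `ssl`, and the comment should say so, for example `// GOOD - ldap:// URL, but Context.SECURITY_PROTOCOL is "ssl", so the simple bind is sent over TLS.` The same explanation would help on `testCleartextLdapAuth5`, whose name says cleartext while its label says GOOD because of `setSSL(environment)`.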


@@ -26,7 +26,7 @@ public class SpringSSRF extends HttpServlet {
String fooResourceUrl = request2.getParameter("uri");;
RestTemplate restTemplate = new RestTemplate();
HttpEntity<String> request = new HttpEntity<>(new String("bar"));
try {
{
ResponseEntity<String> response =
restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
@@ -68,5 +68,6 @@ public class SpringSSRF extends HttpServlet {
{
restTemplate.put(fooResourceUrl, new String("object"));
}
} catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
}
}
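Review bot: The added `catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}` at the end of the method swallows both exceptions silently, whereas the other fixtures in this commit satisfy the compiler with a `throws` clause. If the enclosing method cannot widen its signature (it looks like a servlet handler, but its declaration is outside the hunks), name the variable `ignored` and state the intent, e.g. `} catch (RestClientException | URISyntaxException ignored) { /* test fixture: exceptions are irrelevant to the query under test */ }`. An unexplained empty catch in example code is easy to copy into real request handling, where it would hide failed outbound calls.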