Add additional Ratpack test and improve Promise based dataflow tracking

2026-05-05 13:45:19 +02:00 · 2021-04-30 14:58:37 -04:00
parent dabf00e8b4
commit 170657b9a4
5 changed files with 119 additions and 9 deletions
--- a/java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java
+++ b/java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java
@@ -1,5 +1,7 @@
 import ratpack.core.handling.Context;
 import ratpack.core.http.TypedData;
+import ratpack.core.form.UploadedFile;
+import java.io.OutputStream;

 class Resource {

@@ -10,18 +12,45 @@ class Resource {
        sink(ctx.getRequest().getCookies()); //$hasTaintFlow
        sink(ctx.getRequest().oneCookie("Magic-Cookie")); //$hasTaintFlow
        sink(ctx.getRequest().getHeaders()); //$hasTaintFlow
+        sink(ctx.getRequest().getHeaders().get("questionable_header")); //$hasTaintFlow
+        sink(ctx.getRequest().getHeaders().getAll("questionable_header")); //$hasTaintFlow
+        sink(ctx.getRequest().getHeaders().getNames()); //$hasTaintFlow
+        sink(ctx.getRequest().getHeaders().asMultiValueMap()); //$hasTaintFlow
+        sink(ctx.getRequest().getHeaders().asMultiValueMap().get("questionable_header")); //$hasTaintFlow
        sink(ctx.getRequest().getPath()); //$hasTaintFlow
        sink(ctx.getRequest().getQuery()); //$hasTaintFlow
        sink(ctx.getRequest().getQueryParams()); //$hasTaintFlow
+        sink(ctx.getRequest().getQueryParams().get("questionable_parameter")); //$hasTaintFlow
        sink(ctx.getRequest().getRawUri()); //$hasTaintFlow
        sink(ctx.getRequest().getUri()); //$hasTaintFlow
    }

    void test2(TypedData td) {
        sink(td.getText()); //$hasTaintFlow
+        sink(td.getBuffer()); //$hasTaintFlow
+        sink(td.getBytes()); //$hasTaintFlow
+        sink(td.getContentType()); //$hasTaintFlow
+        sink(td.getInputStream()); //$hasTaintFlow
    }

-    void test2(Context ctx) {
+    void test3(TypedData td, OutputStream os) throws java.io.IOException {
+        sink(os);
+        td.writeTo(os);
+        sink(os); //$hasTaintFlow
+    }
+
+    void test4(UploadedFile uf) {
+        sink(uf.getFileName()); //$hasTaintFlow
+    }
+
+    void test5(Context ctx) {
+        sink(ctx.getRequest().getBody().map(TypedData::getText)); //$hasTaintFlow
        ctx.getRequest().getBody().map(TypedData::getText).then(this::sink); //$hasTaintFlow
+        ctx
+            .getRequest()
+            .getBody()
+            .map(TypedData::getText)
+            .next(this::sink) //$hasTaintFlow
+            .then(this::sink); //$hasTaintFlow
    }
 }