Merge pull request #12932 from atorralba/atorralba/java/promote-xxe-experimental-sinks
Java: Promote experimental XXE sinks
@@ -104,6 +104,17 @@ private predicate constantBooleanExpr(Expr e, boolean val) {
|
||||
CalcConstants::calculateBooleanValue(e) = val
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate constantStringExpr(Expr e, string val) {
|
||||
e.(CompileTimeConstantExpr).getStringValue() = val
|
||||
or
|
||||
exists(SsaExplicitUpdate v, Expr src |
|
||||
e = v.getAUse() and
|
||||
src = v.getDefiningExpr().(VariableAssign).getSource() and
|
||||
constantStringExpr(src, val)
|
||||
)
|
||||
}
|
||||
|
||||
private boolean getBoolValue(Expr e) { constantBooleanExpr(e, result) }
|
||||
|
||||
private int getIntValue(Expr e) { constantIntegerExpr(e, result) }
|
||||
@@ -126,6 +137,14 @@ class ConstantBooleanExpr extends Expr {
|
||||
boolean getBooleanValue() { constantBooleanExpr(this, result) }
|
||||
}
|
||||
|
||||
/** An expression that always has the same string value. */
|
||||
class ConstantStringExpr extends Expr {
|
||||
ConstantStringExpr() { constantStringExpr(this, _) }
|
||||
|
||||
/** Get the string value of this expression. */
|
||||
string getStringValue() { constantStringExpr(this, result) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an expression that equals `v - d`.
|
||||
*/
|
||||
|
||||
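Review bot: The QLDoc on `getStringValue` (L80) reads `Get the string value…` while the sibling `ConstantBooleanExpr` block and the library's convention document value-returning predicates in the third person (`Gets …`); now that `ConstantStringExpr` is a public class in `RangeUtils` rather than private to `XmlParsers`, its documentation is part of the API. Suggest `/** Gets the string value of this expression. */` and, above `constantStringExpr` (L21), a line such as `/** Holds if `e` always evaluates to `val`: either a compile-time constant, or a use of an SSA variable whose defining assignment has a constant source. */`. Note that the recursion only follows `VariableAssign` sources (L36), so a `String` initialised from a field or from a method that returns a constant is not recognised — worth stating so callers do not over-trust the class.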
@@ -0,0 +1,90 @@
|
||||
/** Provides XML definitions related to the `org.apache.commons` package. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.RangeUtils
|
||||
private import semmle.code.java.security.XmlParsers
|
||||
|
||||
/**
|
||||
* The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
|
||||
*/
|
||||
private class Digester extends RefType {
|
||||
Digester() {
|
||||
this.hasQualifiedName([
|
||||
"org.apache.commons.digester3", "org.apache.commons.digester",
|
||||
"org.apache.tomcat.util.digester"
|
||||
], "Digester")
|
||||
}
|
||||
}
|
||||
|
||||
/** A call to `Digester.parse`. */
|
||||
private class DigesterParse extends XmlParserCall {
|
||||
DigesterParse() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("parse")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `ParserConfig` that is specific to `Digester`. */
|
||||
private class DigesterConfig extends ParserConfig {
|
||||
DigesterConfig() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("setFeature")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A safely configured `Digester`.
|
||||
*/
|
||||
private class SafeDigester extends VarAccess {
|
||||
SafeDigester() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.enables(singleSafeConfig())
|
||||
)
|
||||
or
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() =
|
||||
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
|
||||
))
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeDigesterFlow = DataFlow::Global<SafeDigesterFlowConfig>;
|
||||
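Review bot: `DigesterParse.isSafe()` (L190) only recognises hardening done through `Digester.setFeature` on the same variable, and `SafeDigester` (L248, L260, L278, L296) matches any access of that variable, so a `setFeature` call placed after `parse` still counts as safe; conversely, a `Digester` constructed over an already-hardened `SAXParser`/`XMLReader` (constructors the Digester API offers, as far as I recall — please confirm) is reported as unsafe. Both are the same trade-off the existing `XmlParsers` sinks make, but since this now feeds a high-precision query a comment above `isSafe` should say so, e.g. `// Only features set via Digester.setFeature on this variable are tracked; a parser-level configuration passed to the Digester constructor, and the order of setFeature vs. parse, are not.` The `or` at L257 relies on `and` binding tighter than `or`; wrapping the three `disables` conjuncts in parentheses would make the intended "disallow-doctype OR all three entity features" reading explicit.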
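--- /dev/null
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
@@ -0,0 +1,64 @@
+/** Provides definitions related to the `javax.xml` package. */
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/** A call to `Validator.validate`. */
+private class ValidatorValidate extends XmlParserCall {
+ValidatorValidate() {
+exists(Method m |
+this.getMethod() = m and
+m.getDeclaringType() instanceof Validator and
+m.hasName("validate")
+)
+}
+
+override Expr getSink() { result = this.getArgument(0) }
+
+override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
+}
+
+/** A `TransformerConfig` specific to `Validator`. */
+private class ValidatorConfig extends TransformerConfig {
+ValidatorConfig() {
+exists(Method m |
+this.getMethod() = m and
+m.getDeclaringType() instanceof Validator and
+m.hasName("setProperty")
+)
+}
+}
+
+/** The class `javax.xml.validation.Validator`. */
+private class Validator extends RefType {
+Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
+}
+
+/** A safely configured `Validator`. */
+private class SafeValidator extends VarAccess {
+SafeValidator() {
+exists(Variable v | v = this.getVariable() |
+exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
+config.disables(configAccessExternalDtd())
+) and
+exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
+config.disables(configAccessExternalSchema())
+)
+)
+}
+}
+
+private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
+
+predicate isSink(DataFlow::Node sink) {
+exists(MethodAccess ma |
+sink.asExpr() = ma.getQualifier() and
+ma.getMethod().getDeclaringType() instanceof Validator
+)
+}
+
+int fieldFlowBranchLimit() { result = 0 }
+}
+
+private module SafeValidatorFlow = DataFlow::Global<SafeValidatorFlowConfig>;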
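Review bot: `Validator` (L460-469) is declared after its two uses at L401 and L443; QL does not mind, but placing the `RefType` class first matches the order used in the sibling `CommonsXml.qll` and `Beans.qll` files and reads more naturally. On the safety check, `SafeValidator` (L486-501) requires both `accessExternalDTD` and `accessExternalSchema` to be disabled; as far as I recall only the DTD property governs external DTD/entity resolution while the schema property governs `schemaLocation` fetches, so a validator that only clears `accessExternalDTD` will be reported. If that is deliberate (a schema fetch is still an SSRF vector), a one-line comment on the class such as `// Both JAXP access properties must be cleared: DTD for entity resolution, schema for schemaLocation fetches.` would stop a later "fix" from loosening it.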
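--- /dev/null
+++ b/java/ql/lib/semmle/code/java/frameworks/javase/Beans.qll
@@ -0,0 +1,24 @@
+/** Provides definitions related to the `java.beans` package. */
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/** The class `java.beans.XMLDecoder`. */
+private class XmlDecoder extends RefType {
+XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
+}
+
+/** A call to `XMLDecoder.readObject`. */
+private class XmlDecoderReadObject extends XmlParserCall {
+XmlDecoderReadObject() {
+exists(Method m |
+this.getMethod() = m and
+m.getDeclaringType() instanceof XmlDecoder and
+m.hasName("readObject")
+)
+}
+
+override Expr getSink() { result = this.getQualifier() }
+
+override predicate isSafe() { none() }
+}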
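Review bot: `isSafe() { none() }` at L624 is the right answer but is undocumented: `XMLDecoder` exposes no feature/property API that could harden it, and untrusted input reaching `readObject` is primarily a deserialization problem (the decoder instantiates classes and invokes methods named in the document), so the exposure is broader than XXE. Suggest a comment above `isSafe`: `// XMLDecoder has no parser configuration, so no safe variant exists; untrusted input here also allows arbitrary object construction (CWE-502), not only external entity resolution.` The sink being the qualifier (L619) rather than an argument also deserves a word, since the tainted stream enters through the constructor and `readObject` takes no arguments.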
@@ -0,0 +1,19 @@
|
||||
/** Provides definitions related to XML parsing in Rundeck. */
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.XmlParsers
|
||||
|
||||
/** A call to `ParserHelper.loadDocument`. */
|
||||
private class ParserHelperLoadDocument extends XmlParserCall {
|
||||
ParserHelperLoadDocument() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType().hasQualifiedName("org.rundeck.api.parser", "ParserHelper") and
|
||||
m.hasName("loadDocument")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
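Review bot: `isSafe() { none() }` at L680 asserts that no use of `ParserHelper.loadDocument` can be safely configured, but nothing in the file records why; a comment such as `// ParserHelper exposes no hook to configure its underlying parser, so every call is treated as unsafe.` would capture the assumption (I cannot verify the Rundeck API from here, so please confirm it holds). The other new framework files introduce a named `RefType` class for the target type (`Digester`, `Validator`, `XmlDecoder`); inlining `hasQualifiedName` at L661 works but is inconsistent with them.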
@@ -2,15 +2,15 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.DataFlow2
|
||||
import semmle.code.java.dataflow.DataFlow3
|
||||
import semmle.code.java.dataflow.DataFlow4
|
||||
import semmle.code.java.dataflow.DataFlow5
|
||||
private import semmle.code.java.dataflow.SSA
|
||||
private import semmle.code.java.dataflow.RangeUtils
|
||||
|
||||
/*
|
||||
* Various XML parsers in Java.
|
||||
*/
|
||||
private module Frameworks {
|
||||
private import semmle.code.java.frameworks.apache.CommonsXml
|
||||
private import semmle.code.java.frameworks.javaee.Xml
|
||||
private import semmle.code.java.frameworks.javase.Beans
|
||||
private import semmle.code.java.frameworks.rundeck.RundeckXml
|
||||
}
|
||||
|
||||
/**
|
||||
* An abstract type representing a call to parse XML files.
|
||||
@@ -130,26 +130,6 @@ class DocumentBuilderFactoryConfig extends ParserConfig {
|
||||
}
|
||||
}
|
||||
|
||||
private predicate constantStringExpr(Expr e, string val) {
|
||||
e.(CompileTimeConstantExpr).getStringValue() = val
|
||||
or
|
||||
exists(SsaExplicitUpdate v, Expr src |
|
||||
e = v.getAUse() and
|
||||
src = v.getDefiningExpr().(VariableAssign).getSource() and
|
||||
constantStringExpr(src, val)
|
||||
)
|
||||
}
|
||||
|
||||
/** An expression that always has the same string value. */
|
||||
private class ConstantStringExpr extends Expr {
|
||||
string value;
|
||||
|
||||
ConstantStringExpr() { constantStringExpr(this, value) }
|
||||
|
||||
/** Get the string value of this expression. */
|
||||
string getStringValue() { result = value }
|
||||
}
|
||||
|
||||
/**
|
||||
* A general configuration that is safe when enabled.
|
||||
*/
|
||||
@@ -973,7 +953,7 @@ class TransformerFactorySource extends XmlParserCall {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof TransformerFactory and
|
||||
m.hasName("newTransformer")
|
||||
m.hasName(["newTransformer", "newTransformerHandler"])
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
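Review bot: The widened `m.hasName(["newTransformer", "newTransformerHandler"])` at L843 is conjoined with `m.getDeclaringType() instanceof TransformerFactory` (L837), but `newTransformerHandler` is declared on `javax.xml.transform.sax.SAXTransformerFactory`, not on `TransformerFactory`; unless the `TransformerFactory` class (defined outside this hunk) matches subtypes via `getASourceSupertype*()`, the new name can never match and the `SaxTransformerFactoryNewTransformerHandler` sink this commit removes from `XXELib.qll` is silently lost. Please check that definition and add a test exercising `newTransformerHandler`; if it is an exact-name match, `m.getDeclaringType().getASourceSupertype*() instanceof TransformerFactory` would restore the sink. The class QLDoc for `TransformerFactorySource` (outside the hunk) should also mention `newTransformerHandler`. Separately, the new `Frameworks` module (L726) would benefit from a QLDoc line stating that it exists only to bring the framework-specific `XmlParserCall` subclasses into scope. `TransformerFactorySource` begins before this hunk.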
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Experimental sinks for the query "Resolving XML external entity in user-controlled data" (`java/xxe`) have been promoted to the main query pack. These sinks were originally [submitted as part of an experimental query by @haby0](https://github.com/github/codeql/pull/6564).
|
||||
@@ -1,85 +0,0 @@
|
||||
import java.beans.XMLDecoder;
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
import javax.xml.validation.Schema;
|
||||
import javax.xml.validation.SchemaFactory;
|
||||
import javax.xml.validation.Validator;
|
||||
import org.apache.commons.digester3.Digester;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class XxeController {
|
||||
|
||||
@PostMapping(value = "xxe1")
|
||||
public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
Digester digester = new Digester();
|
||||
digester.parse(servletInputStream);
|
||||
}
|
||||
|
||||
@PostMapping(value = "xxe2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
Document document = DocumentHelper.parseText(listString.toString());
|
||||
}
|
||||
|
||||
@PostMapping(value = "xxe3")
|
||||
public void bad3(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
StreamSource source = new StreamSource(servletInputStream);
|
||||
validator.validate(source);
|
||||
}
|
||||
|
||||
@PostMapping(value = "xxe4")
|
||||
public void bad4(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
|
||||
xmlDecoder.readObject();
|
||||
}
|
||||
|
||||
@PostMapping(value = "good1")
|
||||
public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str);
|
||||
}
|
||||
Digester digester = new Digester();
|
||||
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
digester.parse(listString.toString());
|
||||
}
|
||||
|
||||
@PostMapping(value = "good2")
|
||||
public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
|
||||
StreamSource source = new StreamSource(listString.toString());
|
||||
validator.validate(source);
|
||||
}
|
||||
}
|
||||
@@ -1,67 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<overview>
|
||||
<p>
|
||||
Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack
|
||||
uses external entity references to access arbitrary files on a system, carry out denial of service, or server side
|
||||
request forgery. Even when the result of parsing is not returned to the user, out-of-band
|
||||
data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be
|
||||
carried out in this situation.
|
||||
</p>
|
||||
<p>
|
||||
There are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of
|
||||
external entities. This query currently identifies vulnerable XML parsing from the following parsers: <code>javax.xml.validation.Validator</code>,
|
||||
<code>org.dom4j.DocumentHelper</code>, <code>org.rundeck.api.parser.ParserHelper</code>, <code>org.apache.commons.digester3.Digester</code>,
|
||||
<code>org.apache.commons.digester.Digester</code>, <code>org.apache.tomcat.util.digester.Digester</code>, <code>java.beans.XMLDecoder</code>.
|
||||
</p>
|
||||
</overview>
|
||||
|
||||
<recommendation>
|
||||
<p>
|
||||
The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data.
|
||||
If this is not possible you should disable the parsing of external general entities and external parameter entities.
|
||||
This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
|
||||
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done
|
||||
by default in recent JDK and JRE implementations.
|
||||
</p>
|
||||
</recommendation>
|
||||
|
||||
<example>
|
||||
<p>
|
||||
The following bad examples parses the xml data entered by the user under an unsafe configuration, which is inherently insecure and may cause xml entity injection.
|
||||
In good examples, the security configuration is carried out, for example: Disable DTD to protect the program from XXE attacks.
|
||||
</p>
|
||||
<sample src="XXE.java" />
|
||||
</example>
|
||||
|
||||
<references>
|
||||
|
||||
<li>
|
||||
OWASP vulnerability description:
|
||||
<a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.
|
||||
</li>
|
||||
<li>
|
||||
OWASP guidance on parsing xml files:
|
||||
<a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">XXE Prevention Cheat Sheet</a>.
|
||||
</li>
|
||||
<li>
|
||||
Paper by Timothy Morgen:
|
||||
<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>
|
||||
</li>
|
||||
<li>
|
||||
Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013:
|
||||
<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
|
||||
</li>
|
||||
<li>
|
||||
Denial of service attack (Billion laughs):
|
||||
<a href="https://en.wikipedia.org/wiki/Billion_laughs">Billion Laughs.</a>
|
||||
</li>
|
||||
<li>
|
||||
The Java Tutorials:
|
||||
<a href="https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html">Processing Limit Definitions.</a>
|
||||
</li>
|
||||
|
||||
</references>
|
||||
|
||||
</qhelp>
|
||||
@@ -1,32 +0,0 @@
|
||||
/**
|
||||
* @name Resolving XML external entity in user-controlled data (experimental sinks)
|
||||
* @description Parsing user-controlled XML documents and allowing expansion of external entity
|
||||
* references may lead to disclosure of confidential data or denial of service.
|
||||
* (note this version differs from query `java/xxe` by including support for additional possibly-vulnerable XML parsers)
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/xxe-with-experimental-sinks
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-611
|
||||
*/
|
||||
|
||||
import java
|
||||
import XXELib
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import XxeFlow::PathGraph
|
||||
|
||||
module XxeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
module XxeFlow = TaintTracking::Global<XxeConfig>;
|
||||
|
||||
from XxeFlow::PathNode source, XxeFlow::PathNode sink
|
||||
where XxeFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
|
||||
"user input"
|
||||
@@ -1,246 +0,0 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow3
|
||||
import semmle.code.java.dataflow.DataFlow4
|
||||
import semmle.code.java.dataflow.DataFlow5
|
||||
import semmle.code.java.security.XmlParsers
|
||||
private import semmle.code.java.dataflow.SSA
|
||||
|
||||
/** A data flow sink for untrusted user input used to insecure xml parse. */
|
||||
class UnsafeXxeSink extends DataFlow::ExprNode {
|
||||
UnsafeXxeSink() {
|
||||
exists(XmlParserCall parse |
|
||||
parse.getSink() = this.getExpr() and
|
||||
not parse.isSafe()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** The class `org.rundeck.api.parser.ParserHelper`. */
|
||||
class ParserHelper extends RefType {
|
||||
ParserHelper() { this.hasQualifiedName("org.rundeck.api.parser", "ParserHelper") }
|
||||
}
|
||||
|
||||
/** A call to `ParserHelper.loadDocument`. */
|
||||
class ParserHelperLoadDocument extends XmlParserCall {
|
||||
ParserHelperLoadDocument() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof ParserHelper and
|
||||
m.hasName("loadDocument")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** The class `javax.xml.validation.Validator`. */
|
||||
class Validator extends RefType {
|
||||
Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
|
||||
}
|
||||
|
||||
/** A call to `Validator.validate`. */
|
||||
class ValidatorValidate extends XmlParserCall {
|
||||
ValidatorValidate() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Validator and
|
||||
m.hasName("validate")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `ParserConfig` specific to `Validator`. */
|
||||
class ValidatorConfig extends TransformerConfig {
|
||||
ValidatorConfig() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Validator and
|
||||
m.hasName("setProperty")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** A safely configured `Validator`. */
|
||||
class SafeValidator extends VarAccess {
|
||||
SafeValidator() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.disables(configAccessExternalDtd())
|
||||
) and
|
||||
exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.disables(configAccessExternalSchema())
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and
|
||||
ma.getMethod().getDeclaringType() instanceof Validator
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeValidatorFlow = DataFlow::Global<SafeValidatorFlowConfig>;
|
||||
|
||||
/**
|
||||
* The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
|
||||
*/
|
||||
class Digester extends RefType {
|
||||
Digester() {
|
||||
this.hasQualifiedName([
|
||||
"org.apache.commons.digester3", "org.apache.commons.digester",
|
||||
"org.apache.tomcat.util.digester"
|
||||
], "Digester")
|
||||
}
|
||||
}
|
||||
|
||||
/** A call to `Digester.parse`. */
|
||||
class DigesterParse extends XmlParserCall {
|
||||
DigesterParse() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("parse")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** A `ParserConfig` that is specific to `Digester`. */
|
||||
class DigesterConfig extends ParserConfig {
|
||||
DigesterConfig() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
m.getDeclaringType() instanceof Digester and
|
||||
m.hasName("setFeature")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A safely configured `Digester`.
|
||||
*/
|
||||
class SafeDigester extends VarAccess {
|
||||
SafeDigester() {
|
||||
exists(Variable v | v = this.getVariable() |
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config.enables(singleSafeConfig())
|
||||
)
|
||||
or
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
|
||||
))
|
||||
) and
|
||||
exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
|
||||
config
|
||||
.disables(any(ConstantStringExpr s |
|
||||
s.getStringValue() =
|
||||
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
|
||||
))
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
|
||||
)
|
||||
}
|
||||
|
||||
int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
private module SafeDigesterFlow = DataFlow::Global<SafeDigesterFlowConfig>;
|
||||
|
||||
/** The class `java.beans.XMLDecoder`. */
|
||||
class XmlDecoder extends RefType {
|
||||
XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlDecoder */
|
||||
deprecated class XMLDecoder = XmlDecoder;
|
||||
|
||||
/** A call to `XMLDecoder.readObject`. */
|
||||
class XmlDecoderReadObject extends XmlParserCall {
|
||||
XmlDecoderReadObject() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType() instanceof XmlDecoder and
|
||||
m.hasName("readObject")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getQualifier() }
|
||||
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlDecoderReadObject */
|
||||
deprecated class XMLDecoderReadObject = XmlDecoderReadObject;
|
||||
|
||||
private predicate constantStringExpr(Expr e, string val) {
|
||||
e.(CompileTimeConstantExpr).getStringValue() = val
|
||||
or
|
||||
exists(SsaExplicitUpdate v, Expr src |
|
||||
e = v.getAUse() and
|
||||
src = v.getDefiningExpr().(VariableAssign).getSource() and
|
||||
constantStringExpr(src, val)
|
||||
)
|
||||
}
|
||||
|
||||
/** A call to `SAXTransformerFactory.newTransformerHandler`. */
|
||||
class SaxTransformerFactoryNewTransformerHandler extends XmlParserCall {
|
||||
SaxTransformerFactoryNewTransformerHandler() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and
|
||||
m.hasName("newTransformerHandler")
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSink() { result = this.getArgument(0) }
|
||||
|
||||
override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxTransformerFactoryNewTransformerHandler */
|
||||
deprecated class SAXTransformerFactoryNewTransformerHandler =
|
||||
SaxTransformerFactoryNewTransformerHandler;
|
||||
|
||||
/** An expression that always has the same string value. */
|
||||
private class ConstantStringExpr extends Expr {
|
||||
string value;
|
||||
|
||||
ConstantStringExpr() { constantStringExpr(this, value) }
|
||||
|
||||
/** Get the string value of this expression. */
|
||||
string getStringValue() { result = value }
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="XXE.qhelp" /></qhelp>
|
||||
@@ -1,34 +0,0 @@
|
||||
/**
|
||||
* @name Resolving XML external entity from a local source (experimental sinks)
|
||||
* @description Parsing user-controlled XML documents and allowing expansion of external entity
|
||||
* references may lead to disclosure of confidential data or denial of service.
|
||||
* (note this version differs from query `java/xxe` by including support for additional possibly-vulnerable XML parsers,
|
||||
* and by considering local information sources dangerous (e.g. environment variables) in addition to the remote sources
|
||||
* considered by the normal `java/xxe` query)
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @precision medium
|
||||
* @id java/xxe-local-experimental-sinks
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-611
|
||||
*/
|
||||
|
||||
import java
|
||||
import XXELib
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import XxeLocalFlow::PathGraph
|
||||
|
||||
module XxeLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
|
||||
|
||||
from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
|
||||
where XxeLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
|
||||
"user input"
|
||||
@@ -1,26 +0,0 @@
|
||||
edges
|
||||
| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream |
|
||||
| XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | XXE.java:33:42:33:59 | servletInputStream : ServletInputStream |
|
||||
| XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | XXE.java:34:22:34:27 | source |
|
||||
| XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource |
|
||||
| XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | XXE.java:40:42:40:59 | servletInputStream : ServletInputStream |
|
||||
| XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | XXE.java:41:3:41:12 | xmlDecoder |
|
||||
| XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder |
|
||||
nodes
|
||||
| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XXE.java:24:18:24:35 | servletInputStream | semmle.label | servletInputStream |
|
||||
| XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
|
||||
| XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
|
||||
| XXE.java:34:22:34:27 | source | semmle.label | source |
|
||||
| XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
|
||||
| XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
|
||||
| XXE.java:41:3:41:12 | xmlDecoder | semmle.label | xmlDecoder |
|
||||
| XXE.java:46:49:46:72 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
subpaths
|
||||
#select
|
||||
| XXE.java:24:18:24:35 | servletInputStream | XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream | Unsafe parsing of XML file from $@. | XXE.java:22:43:22:66 | getInputStream(...) | user input |
|
||||
| XXE.java:34:22:34:27 | source | XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | XXE.java:34:22:34:27 | source | Unsafe parsing of XML file from $@. | XXE.java:29:43:29:66 | getInputStream(...) | user input |
|
||||
| XXE.java:41:3:41:12 | xmlDecoder | XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | XXE.java:41:3:41:12 | xmlDecoder | Unsafe parsing of XML file from $@. | XXE.java:39:43:39:66 | getInputStream(...) | user input |
|
||||
| XXE.java:46:49:46:72 | getInputStream(...) | XXE.java:46:49:46:72 | getInputStream(...) | XXE.java:46:49:46:72 | getInputStream(...) | Unsafe parsing of XML file from $@. | XXE.java:46:49:46:72 | getInputStream(...) | user input |
|
||||
@@ -1,92 +0,0 @@
|
||||
import java.beans.XMLDecoder;
|
||||
import java.io.BufferedReader;
|
||||
import javax.servlet.ServletInputStream;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
import javax.xml.validation.Schema;
|
||||
import javax.xml.validation.SchemaFactory;
|
||||
import javax.xml.validation.Validator;
|
||||
import org.rundeck.api.parser.ParserHelper;
|
||||
import org.apache.commons.digester3.Digester;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class XXE {
|
||||
|
||||
@PostMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
Digester digester = new Digester();
|
||||
digester.parse(servletInputStream); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
StreamSource source = new StreamSource(servletInputStream);
|
||||
validator.validate(source); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) throws Exception {
|
||||
ServletInputStream servletInputStream = request.getInputStream();
|
||||
XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
|
||||
xmlDecoder.readObject(); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "bad4")
|
||||
public void bad4(HttpServletRequest request) throws Exception {
|
||||
Document document = ParserHelper.loadDocument(request.getInputStream()); // bad
|
||||
}
|
||||
|
||||
@PostMapping(value = "good1")
|
||||
public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str);
|
||||
}
|
||||
Digester digester = new Digester();
|
||||
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
digester.parse(listString.toString());
|
||||
}
|
||||
|
||||
@PostMapping(value = "good2")
|
||||
public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema();
|
||||
Validator validator = schema.newValidator();
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
||||
validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
|
||||
StreamSource source = new StreamSource(listString.toString());
|
||||
validator.validate(source);
|
||||
}
|
||||
|
||||
@PostMapping(value = "good3")
|
||||
public void good3(HttpServletRequest request) throws Exception {
|
||||
BufferedReader br = request.getReader();
|
||||
String str = "";
|
||||
StringBuilder listString = new StringBuilder();
|
||||
while ((str = br.readLine()) != null) {
|
||||
listString.append(str).append("\n");
|
||||
}
|
||||
// parseText falls back to a default SAXReader, which is safe
|
||||
Document document = DocumentHelper.parseText(listString.toString()); // Safe
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE/CWE-611/XXE.ql
|
||||
@@ -1 +0,0 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4/:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../../stubs/jaxen-1.2.0/:${testdir}/../../../../stubs/rundeck-api-java-client-13.2
|
||||
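--- a/java/ql/test/query-tests/security/CWE-611/DigesterTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/DigesterTests.java
@@ -0,0 +1,33 @@
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.digester3.Digester;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class DigesterTests {
+
+@PostMapping(value = "bad")
+public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
+ServletInputStream servletInputStream = request.getInputStream();
+Digester digester = new Digester();
+digester.parse(servletInputStream); // $ hasTaintFlow
+}
+
+@PostMapping(value = "good")
+public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
+BufferedReader br = request.getReader();
+String str = "";
+StringBuilder listString = new StringBuilder();
+while ((str = br.readLine()) != null) {
+listString.append(str);
+}
+Digester digester = new Digester();
+digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+digester.parse(listString.toString());
+}
+}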
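Review bot: The `good` case in good1 does not mirror the sink used in bad1: it reads the body through `getReader()`, joins the lines and hands the text to `parse(String)`, and if the stub follows the real commons-digester3 API that overload takes a URI rather than XML content, so the case mostly exercises the taint steps through `StringBuilder` rather than showing that the three `setFeature` calls suppress the `parse(InputStream)` alert. A second safe case that sets the same three features on a fresh `Digester` and then calls `digester.parse(request.getInputStream()); // safe` would pin the sanitizer against the exact sink the bad case uses. The mapping values and method names also disagree (`@PostMapping(value = "bad")` on `bad1`, `"good"` on `good1`); either drop the numeric suffix or map `"bad1"`/`"good1"`.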
@@ -11,42 +11,44 @@ class DocumentBuilderTests {
|
||||
public void unconfiguredParse(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void disableDTD(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
public void enableSecurityFeature(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
|
||||
// insufficient
|
||||
}
|
||||
|
||||
public void enableSecurityFeature2(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
|
||||
// insufficient
|
||||
}
|
||||
|
||||
public void enableDTD(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void disableSecurityFeature(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void disableExternalEntities(Socket sock) throws Exception {
|
||||
@@ -54,21 +56,21 @@ class DocumentBuilderTests {
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
public void partialDisableExternalEntities(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialDisableExternalEntities2(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfigureExternalEntities1(Socket sock) throws Exception {
|
||||
@@ -76,7 +78,7 @@ class DocumentBuilderTests {
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfigureExternalEntities2(Socket sock) throws Exception {
|
||||
@@ -84,22 +86,22 @@ class DocumentBuilderTests {
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void taintedSAXInputSource1(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
|
||||
builder.parse(source.getInputSource()); //unsafe
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
|
||||
builder.parse(source.getInputSource()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void taintedSAXInputSource2(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
StreamSource source = new StreamSource(sock.getInputStream());
|
||||
builder.parse(SAXSource.sourceToInputSource(source)); //unsafe
|
||||
builder.parse(source.getInputStream()); //unsafe
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
StreamSource source = new StreamSource(sock.getInputStream());
|
||||
builder.parse(SAXSource.sourceToInputSource(source)); // $ hasTaintFlow
|
||||
builder.parse(source.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {
|
||||
@@ -112,21 +114,22 @@ class DocumentBuilderTests {
|
||||
return factory;
|
||||
}
|
||||
|
||||
private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER = new ThreadLocal<DocumentBuilder>() {
|
||||
@Override
|
||||
protected DocumentBuilder initialValue() {
|
||||
try {
|
||||
DocumentBuilderFactory factory = getDocumentBuilderFactory();
|
||||
return factory.newDocumentBuilder();
|
||||
} catch (Exception ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
};
|
||||
private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER =
|
||||
new ThreadLocal<DocumentBuilder>() {
|
||||
@Override
|
||||
protected DocumentBuilder initialValue() {
|
||||
try {
|
||||
DocumentBuilderFactory factory = getDocumentBuilderFactory();
|
||||
return factory.newDocumentBuilder();
|
||||
} catch (Exception ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
public void disableExternalEntities2(Socket sock) throws Exception {
|
||||
DocumentBuilder builder = XML_DOCUMENT_BUILDER.get();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
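Review bot: In enableSecurityFeature and enableSecurityFeature2 the wrapped explanation now sits inside the inline-expectation comment: `// $ hasTaintFlow -- secure-processing by itself is` with `// insufficient` on the following line. The expectation parser appears to treat the whitespace-separated tokens after `$` as expectation tags, so `--`, `secure-processing`, `by`, `itself` and `is` are only harmless because no test declares them, and the wrapped `insufficient` is detached from the note it belongs to. Keeping the marker alone on the call, `builder.parse(sock.getInputStream()); // $ hasTaintFlow`, and moving `// secure-processing by itself is insufficient` to its own line above it keeps the expectation unambiguous. The remaining hunks in this file only rename the `//unsafe` and `//safe` markers.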
@@ -0,0 +1,14 @@
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.dom4j.Document;
|
||||
import org.rundeck.api.parser.ParserHelper;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
|
||||
@Controller
|
||||
public class ParserHelperTests {
|
||||
|
||||
@PostMapping(value = "bad4")
|
||||
public void bad4(HttpServletRequest request) throws Exception {
|
||||
Document document = ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
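Review bot: The only method in ParserHelperTests keeps the name and mapping it had in the removed combined file, `@PostMapping(value = "bad4")` on `bad4`, which no longer relates to anything in this file; `@PostMapping(value = "bad")` on `bad` would match the naming used by the sibling DigesterTests. The `Document document` local is never read, which is fine for a taint fixture but a brief comment such as `// result kept only so the sink call has a receiver type` would stop a later cleanup from inlining it.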
@@ -5,18 +5,18 @@ public class SAXBuilderTests {
|
||||
|
||||
public void unconfiguredSAXBuilder(Socket sock) throws Exception {
|
||||
SAXBuilder builder = new SAXBuilder();
|
||||
builder.build(sock.getInputStream()); //unsafe
|
||||
builder.build(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeBuilder(Socket sock) throws Exception {
|
||||
SAXBuilder builder = new SAXBuilder();
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
|
||||
builder.build(sock.getInputStream()); //safe
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
builder.build(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
public void misConfiguredBuilder(Socket sock) throws Exception {
|
||||
SAXBuilder builder = new SAXBuilder();
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",false);
|
||||
builder.build(sock.getInputStream()); //unsafe
|
||||
builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
builder.build(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,78 +6,78 @@ import javax.xml.XMLConstants;
|
||||
import org.xml.sax.helpers.DefaultHandler;
|
||||
|
||||
public class SAXParserTests {
|
||||
|
||||
|
||||
public void unconfiguredParser(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeParser(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredParser1(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredParser2(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredParser3(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredParser1(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredParser2(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredParser3(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeParser2(Socket sock) throws Exception {
|
||||
SAXParserFactory factory = SAXParserFactory.newInstance();
|
||||
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
SAXParser parser = factory.newSAXParser();
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
|
||||
parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,59 +5,59 @@ public class SAXReaderTests {
|
||||
|
||||
public void unconfiguredReader(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeReader(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //safe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredReader1(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredReader2(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void partialConfiguredReader3(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredReader1(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredReader2(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredReader3(Socket sock) throws Exception {
|
||||
SAXReader reader = new SAXReader();
|
||||
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
reader.read(sock.getInputStream()); //unsafe
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
|
||||
reader.read(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,14 +17,14 @@ public class SAXSourceTests {
|
||||
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
|
||||
JAXBContext jc = JAXBContext.newInstance(Object.class);
|
||||
Unmarshaller um = jc.createUnmarshaller();
|
||||
um.unmarshal(source); // BAD
|
||||
um.unmarshal(source); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void explicitlySafeSource1(Socket sock) throws Exception {
|
||||
XMLReader reader = XMLReaderFactory.createXMLReader();
|
||||
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
|
||||
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
|
||||
}
|
||||
|
||||
|
||||
@@ -9,39 +9,39 @@ public class SchemaTests {
|
||||
|
||||
public void unconfiguredSchemaFactory(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void safeSchemaFactory(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //safe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // safe
|
||||
}
|
||||
|
||||
public void partialConfiguredSchemaFactory1(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void partialConfiguredSchemaFactory2(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredSchemaFactory1(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "ab");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void misConfiguredSchemaFactory2(Socket sock) throws Exception {
|
||||
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "cd");
|
||||
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
|
||||
Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,145 +11,145 @@ public class SimpleXMLTests {
|
||||
|
||||
public void persisterValidate1(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), sock.getInputStream());
|
||||
persister.validate(this.getClass(), sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void persisterValidate2(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), sock.getInputStream(), true);
|
||||
persister.validate(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate3(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()));
|
||||
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate4(Socket sock) throws Exception {
|
||||
Persister persister = new Persister();
|
||||
byte[] b = new byte[]{};
|
||||
byte[] b = new byte[] {};
|
||||
sock.getInputStream().read(b);
|
||||
persister.validate(this.getClass(), new String(b));
|
||||
persister.validate(this.getClass(), new String(b)); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public void persisterValidate5(Socket sock) throws Exception {
Persister persister = new Persister();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
persister.validate(this.getClass(), new String(b), true);
persister.validate(this.getClass(), new String(b), true); // $ hasTaintFlow
}
public void persisterValidate6(Socket sock) throws Exception {
Persister persister = new Persister();
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true);
persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
}
public void persisterRead1(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this.getClass(), sock.getInputStream());
persister.read(this.getClass(), sock.getInputStream()); // $ hasTaintFlow
}
public void persisterRead2(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this.getClass(), sock.getInputStream(), true);
persister.read(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow
}
public void persisterRead3(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this, sock.getInputStream());
persister.read(this, sock.getInputStream()); // $ hasTaintFlow
}
public void persisterRead4(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this, sock.getInputStream(), true);
persister.read(this, sock.getInputStream(), true); // $ hasTaintFlow
}
public void persisterRead5(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()));
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
}
public void persisterRead6(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true);
persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
}
public void persisterRead7(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this, new InputStreamReader(sock.getInputStream()));
persister.read(this, new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
}
public void persisterRead8(Socket sock) throws Exception {
Persister persister = new Persister();
persister.read(this, new InputStreamReader(sock.getInputStream()), true);
persister.read(this, new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
}
public void persisterRead9(Socket sock) throws Exception {
Persister persister = new Persister();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
persister.read(this.getClass(), new String(b));
persister.read(this.getClass(), new String(b)); // $ hasTaintFlow
}
public void persisterRead10(Socket sock) throws Exception {
Persister persister = new Persister();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
persister.read(this.getClass(), new String(b), true);
persister.read(this.getClass(), new String(b), true); // $ hasTaintFlow
}
public void persisterRead11(Socket sock) throws Exception {
Persister persister = new Persister();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
persister.read(this, new String(b));
persister.read(this, new String(b)); // $ hasTaintFlow
}
public void persisterRead12(Socket sock) throws Exception {
Persister persister = new Persister();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
persister.read(this, new String(b), true);
persister.read(this, new String(b), true); // $ hasTaintFlow
}
public void nodeBuilderRead1(Socket sock) throws Exception {
NodeBuilder.read(sock.getInputStream());
NodeBuilder.read(sock.getInputStream()); // $ hasTaintFlow
}
public void nodeBuilderRead2(Socket sock) throws Exception {
NodeBuilder.read(new InputStreamReader(sock.getInputStream()));
NodeBuilder.read(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
}
public void documentProviderProvide1(Socket sock) throws Exception {
DocumentProvider provider = new DocumentProvider();
provider.provide(sock.getInputStream());
provider.provide(sock.getInputStream()); // $ hasTaintFlow
}
public void documentProviderProvide2(Socket sock) throws Exception {
DocumentProvider provider = new DocumentProvider();
provider.provide(new InputStreamReader(sock.getInputStream()));
provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
}
public void streamProviderProvide1(Socket sock) throws Exception {
StreamProvider provider = new StreamProvider();
provider.provide(sock.getInputStream());
provider.provide(sock.getInputStream()); // $ hasTaintFlow
}
public void streamProviderProvide2(Socket sock) throws Exception {
StreamProvider provider = new StreamProvider();
provider.provide(new InputStreamReader(sock.getInputStream()));
provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
}
public void formatterFormat1(Socket sock) throws Exception {
Formatter formatter = new Formatter();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
formatter.format(new String(b), null);
formatter.format(new String(b), null); // $ hasTaintFlow
}
public void formatterFormat2(Socket sock) throws Exception {
Formatter formatter = new Formatter();
byte[] b = new byte[]{};
byte[] b = new byte[] {};
sock.getInputStream().read(b);
formatter.format(new String(b));
formatter.format(new String(b)); // $ hasTaintFlow
}
}
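Review bot: Every case in this section carries a positive `// $ hasTaintFlow` expectation and there is no hardened counterpart, so a sink that fired unconditionally would pass this file just as well as a correctly modelled one; the other sections keep at least one `// safe` case for exactly that reason. If SimpleXML offers no hook to disable external entity resolution, a class-level comment such as `// No parser-hardening hook is modelled for SimpleXML's Persister/NodeBuilder/Provider/Formatter, so every call here is expected to be flagged.` would record why the layout is all-positive; if it does offer one, a single safe case is the stronger check. The `byte[] b = new byte[] {}; sock.getInputStream().read(b);` fixture (persisterValidate4 and the other String-argument cases) reads into an empty buffer, which is fine for exercising taint propagation but deserves a word, e.g. `// zero-length read: only taint propagation through read(byte[]) matters here`, so nobody mistakes it for a real read.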
@@ -17,8 +17,8 @@ public class TransformerTests {
public void unconfiguredTransformerFactory(Socket sock) throws Exception {
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void safeTransformerFactory1(Socket sock) throws Exception {
@@ -26,8 +26,8 @@ public class TransformerTests {
tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
Transformer transformer = tf.newTransformer();
transformer.transform(new StreamSource(sock.getInputStream()), null); //safe
tf.newTransformer(new StreamSource(sock.getInputStream())); //safe
transformer.transform(new StreamSource(sock.getInputStream()), null); // safe
tf.newTransformer(new StreamSource(sock.getInputStream())); // safe
}
public void safeTransformerFactory2(Socket sock) throws Exception {
@@ -35,49 +35,49 @@ public class TransformerTests {
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tf.newTransformer();
transformer.transform(new StreamSource(sock.getInputStream()), null); //safe
tf.newTransformer(new StreamSource(sock.getInputStream())); //safe
transformer.transform(new StreamSource(sock.getInputStream()), null); // safe
tf.newTransformer(new StreamSource(sock.getInputStream())); // safe
}
public void safeTransformerFactory3(Socket sock) throws Exception {
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
transformer.transform(source, null); //safe
tf.newTransformer(source); //safe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // safe
transformer.transform(source, null); // safe
tf.newTransformer(source); // safe
}
public void safeTransformerFactory4(Socket sock) throws Exception {
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
TransformerFactory tf = TransformerFactory.newInstance();
Transformer transformer = tf.newTransformer();
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
source.setXMLReader(reader);
transformer.transform(source, null); //safe
tf.newTransformer(source); //safe
transformer.transform(source, null); // safe
tf.newTransformer(source); // safe
}
public void partialConfiguredTransformerFactory1(Socket sock) throws Exception {
TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
Transformer transformer = tf.newTransformer();
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void partialConfiguredTransformerFactory2(Socket sock) throws Exception {
TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tf.newTransformer();
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredTransformerFactory1(Socket sock) throws Exception {
@@ -85,8 +85,8 @@ public class TransformerTests {
Transformer transformer = tf.newTransformer();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredTransformerFactory2(Socket sock) throws Exception {
@@ -94,50 +94,50 @@ public class TransformerTests {
Transformer transformer = tf.newTransformer();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd");
transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void unconfiguredSAXTransformerFactory(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void safeSAXTransformerFactory(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //safe
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // safe
}
public void partialConfiguredSAXTransformerFactory1(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void partialConfiguredSAXTransformerFactory2(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredSAXTransformerFactory1(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab");
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredSAXTransformerFactory2(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd");
sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
}
public void taintedSAXSource(Socket sock) throws Exception {
SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); //unsafe
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); // $ hasTaintFlow
}
}
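Review bot: The `// safe` expectations in safeTransformerFactory3 and safeTransformerFactory4 (hunk starting at the `@@ -35,49` header) rest entirely on the entity features set on the SAXSource's XMLReader, while `tf` itself never receives `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET`. That is the right answer for the entity-expansion question this query asks, but `tf.newTransformer(source)` also lets the stylesheet pull in `xsl:import`/`xsl:include` and `document()` targets, which, if I read the JAXP access model right, are governed by the factory attributes and not by the reader's features. A one-line comment above those two cases would stop a later reader from treating them as a complete hardening recipe: `// safe for XXE only: the reader blocks entity expansion; stylesheet-level external access is governed by the factory's ACCESS_EXTERNAL_* attributes, which are deliberately left unset here.`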
@@ -16,15 +16,16 @@ public class UnmarshallerTests {
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
JAXBContext jc = JAXBContext.newInstance(Object.class);
Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
Source xmlSource =
new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(xmlSource); //safe
um.unmarshal(xmlSource); // safe
}
public void unsafeUnmarshal(Socket sock) throws Exception {
SAXParserFactory spf = SAXParserFactory.newInstance();
JAXBContext jc = JAXBContext.newInstance(Object.class);
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(sock.getInputStream()); //unsafe
um.unmarshal(sock.getInputStream()); // $ hasTaintFlow
}
}
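Review bot: In unsafeUnmarshal the local `SAXParserFactory spf = SAXParserFactory.newInstance();` is created and never wired into the `um.unmarshal(...)` call, so it only hints that a parser was considered and can mislead a reader into thinking the unmarshal is parser-backed. Either drop the line or make the contrast explicit, e.g. `// spf is intentionally unused: unmarshal(InputStream) runs on JAXB's own parser, so no reader hardening applies`. The safe method above it begins outside the hunk, so the `spf.setFeature(...)` lines shown here cannot be checked against the factory's construction from this view.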
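--- /dev/null
+++ b/ValidatorTests.java
@@ -0,0 +1,41 @@
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class ValidatorTests {
+
+@PostMapping(value = "bad")
+public void bad2(HttpServletRequest request) throws Exception {
+ServletInputStream servletInputStream = request.getInputStream();
+SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+Schema schema = factory.newSchema();
+Validator validator = schema.newValidator();
+StreamSource source = new StreamSource(servletInputStream);
+validator.validate(source); // $ hasTaintFlow
+}
+
+@PostMapping(value = "good")
+public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
+BufferedReader br = request.getReader();
+String str = "";
+StringBuilder listString = new StringBuilder();
+while ((str = br.readLine()) != null) {
+listString.append(str).append("\n");
+}
+SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+Schema schema = factory.newSchema();
+Validator validator = schema.newValidator();
+validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
+validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
+StreamSource source = new StreamSource(listString.toString());
+validator.validate(source);
+}
+}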
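Review bot: In good2, `new StreamSource(listString.toString())` selects the `StreamSource(String systemId)` constructor, so the request body becomes a location the validator will open rather than the XML text to validate; the "good" case therefore exercises a different sink shape from bad2, and in a real handler it would let a caller pick an arbitrary URL for the validator to fetch. Wrapping the text keeps the pair symmetric: `StreamSource source = new StreamSource(new StringReader(listString.toString()));` (needs `import java.io.StringReader;`). For consistency with the other test classes the call on the following line could also carry the expectation marker, `validator.validate(source); // safe`.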
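--- /dev/null
+++ b/XMLDecoderTests.java
@@ -0,0 +1,32 @@
+import java.beans.XMLDecoder;
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.dom4j.Document;
+import org.dom4j.DocumentHelper;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class XMLDecoderTests {
+
+@PostMapping(value = "bad")
+public void bad3(HttpServletRequest request) throws Exception {
+ServletInputStream servletInputStream = request.getInputStream();
+XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
+xmlDecoder.readObject(); // $ hasTaintFlow
+}
+
+@PostMapping(value = "good")
+public void good3(HttpServletRequest request) throws Exception {
+BufferedReader br = request.getReader();
+String str = "";
+StringBuilder listString = new StringBuilder();
+while ((str = br.readLine()) != null) {
+listString.append(str).append("\n");
+}
+// parseText falls back to a default SAXReader, which is safe
+Document document = DocumentHelper.parseText(listString.toString()); // Safe
+}
+}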
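Review bot: good3 never touches `XMLDecoder`, so the class named for that sink shows no hardened use of it, and the reason is left unstated; a comment at the top of good3 such as `// XMLDecoder has no feature/entity switch to harden (it executes the document as bean-construction statements), so the safe path avoids it and parses with dom4j instead.` would make the asymmetry deliberate rather than accidental. The comment `parseText falls back to a default SAXReader, which is safe` also depends on which dom4j version the test stubs model, since, if I recall the history right, older dom4j defaults resolved external entities; pinning the assumption with `// safe with the dom4j defaults modelled by the test stubs` keeps the expectation from drifting silently if the stubs change. The unused `HttpServletResponse` import and the unused `document` local are harmless in a fixture but could go.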
@@ -13,23 +13,23 @@ public class XMLReaderTests {
public void unconfiguredReader(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void safeReaderFromConfig1(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
reader.parse(new InputSource(sock.getInputStream())); //safe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.parse(new InputSource(sock.getInputStream())); // safe
}
public void safeReaderFromConfig2(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.parse(new InputSource(sock.getInputStream())); //safe
reader.parse(new InputSource(sock.getInputStream())); // safe
}
public void safeReaderFromSAXParser(Socket sock) throws Exception {
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -37,66 +37,66 @@ public class XMLReaderTests {
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader();
reader.parse(new InputSource(sock.getInputStream())); //safe
reader.parse(new InputSource(sock.getInputStream())); // safe
}
public void safeReaderFromSAXReader(Socket sock) throws Exception {
SAXReader reader = new SAXReader();
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
XMLReader xmlReader = reader.getXMLReader();
xmlReader.parse(new InputSource(sock.getInputStream())); //safe
xmlReader.parse(new InputSource(sock.getInputStream())); // safe
}
public void partialConfiguredXMLReader1(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void partialConfiguredXMLReader2(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void partilaConfiguredXMLReader3(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredXMLReader1(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredXMLReader2(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredXMLReader3(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void misConfiguredXMLReader4(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
reader.parse(new InputSource(sock.getInputStream())); //unsafe
reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
}
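Review bot: In safeReaderFromSAXReader (hunk starting at the `@@ -37,66` header) the line `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` is printed twice in a row; if both copies are on the new side the second is a redundant duplicate that should go, and if the pair is the old/new rendering of a whitespace-only edit there is nothing to do — the rendering does not let me tell which. The method name `partilaConfiguredXMLReader3` (a context line, so pre-existing) is a typo for `partialConfiguredXMLReader3` and is worth fixing while the file is being reformatted anyway.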
@@ -24,7 +24,7 @@ public class XPathExpressionTests {
XPathFactory xFactory = XPathFactory.newInstance();
XPath path = xFactory.newXPath();
XPathExpression expr = path.compile("");
expr.evaluate(new InputSource(sock.getInputStream())); // unsafe
expr.evaluate(new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
public void safeXPathEvaluateTest(Socket sock) throws Exception {
@@ -33,12 +33,12 @@ public class XPathExpressionTests {
DocumentBuilder builder = factory.newDocumentBuilder();
XPathFactory xFactory = XPathFactory.newInstance();
XPath path = xFactory.newXPath();
path.evaluate("", builder.parse(sock.getInputStream()));
path.evaluate("", builder.parse(sock.getInputStream())); // safe
}
public void unsafeXPathEvaluateTest(Socket sock) throws Exception {
XPathFactory xFactory = XPathFactory.newInstance();
XPath path = xFactory.newXPath();
path.evaluate("", new InputSource(sock.getInputStream())); // unsafe
path.evaluate("", new InputSource(sock.getInputStream())); // $ hasTaintFlow
}
}
@@ -1,355 +0,0 @@
|
||||
edges
|
||||
| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | DocumentBuilderTests.java:94:16:94:21 | source : SAXSource |
|
||||
| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource |
|
||||
| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource |
|
||||
| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
|
||||
| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:101:46:101:51 | source : StreamSource |
|
||||
| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:102:16:102:21 | source : StreamSource |
|
||||
| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource |
|
||||
| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
|
||||
| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
|
||||
| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | SAXSourceTests.java:20:18:20:23 | source |
|
||||
| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource |
|
||||
| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource |
|
||||
| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) |
|
||||
| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) |
|
||||
| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | SimpleXMLTests.java:31:52:31:52 | b : byte[] |
|
||||
| SimpleXMLTests.java:31:52:31:52 | b : byte[] | SimpleXMLTests.java:31:41:31:53 | new String(...) |
|
||||
| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | SimpleXMLTests.java:38:52:38:52 | b : byte[] |
|
||||
| SimpleXMLTests.java:38:52:38:52 | b : byte[] | SimpleXMLTests.java:38:41:38:53 | new String(...) |
|
||||
| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | SimpleXMLTests.java:90:48:90:48 | b : byte[] |
|
||||
| SimpleXMLTests.java:90:48:90:48 | b : byte[] | SimpleXMLTests.java:90:37:90:49 | new String(...) |
|
||||
| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | SimpleXMLTests.java:97:48:97:48 | b : byte[] |
|
||||
| SimpleXMLTests.java:97:48:97:48 | b : byte[] | SimpleXMLTests.java:97:37:97:49 | new String(...) |
|
||||
| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | SimpleXMLTests.java:104:37:104:37 | b : byte[] |
|
||||
| SimpleXMLTests.java:104:37:104:37 | b : byte[] | SimpleXMLTests.java:104:26:104:38 | new String(...) |
|
||||
| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | SimpleXMLTests.java:111:37:111:37 | b : byte[] |
|
||||
| SimpleXMLTests.java:111:37:111:37 | b : byte[] | SimpleXMLTests.java:111:26:111:38 | new String(...) |
|
||||
| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | SimpleXMLTests.java:146:33:146:33 | b : byte[] |
|
||||
| SimpleXMLTests.java:146:33:146:33 | b : byte[] | SimpleXMLTests.java:146:22:146:34 | new String(...) |
|
||||
| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | SimpleXMLTests.java:153:33:153:33 | b : byte[] |
|
||||
| SimpleXMLTests.java:153:33:153:33 | b : byte[] | SimpleXMLTests.java:153:22:153:34 | new String(...) |
|
||||
| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) |
|
||||
| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) |
|
||||
| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) |
|
||||
| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | TransformerTests.java:141:18:141:70 | new SAXSource(...) |
|
||||
| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource |
|
||||
| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) |
|
||||
| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) |
|
||||
| XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:19:27:56 | new InputSource(...) |
|
||||
| XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | XPathExpressionTests.java:42:23:42:60 | new InputSource(...) |
|
||||
nodes
|
||||
| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
|
||||
| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
|
||||
| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | semmle.label | source : SAXSource |
|
||||
| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | semmle.label | getInputSource(...) |
|
||||
| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
|
||||
| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | semmle.label | sourceToInputSource(...) |
|
||||
| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | semmle.label | source : StreamSource |
|
||||
| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | semmle.label | source : StreamSource |
|
||||
| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:13:18:13:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:30:18:30:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:38:18:38:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:46:18:46:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:55:18:55:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:64:18:64:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXParserTests.java:73:18:73:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
|
||||
| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
|
||||
| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source |
|
||||
| SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:31:39:31:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:38:39:38:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SchemaTests.java:45:39:45:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:31:41:31:53 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:31:52:31:52 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:38:41:38:53 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:38:52:38:52 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:90:37:90:49 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:90:48:90:48 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:97:37:97:49 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:97:48:97:48 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:104:26:104:38 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:104:37:104:37 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:111:26:111:38 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:111:37:111:37 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
|
||||
| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:146:22:146:34 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:146:33:146:33 | b : byte[] | semmle.label | b : byte[] |
|
||||
| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
|
||||
| SimpleXMLTests.java:153:22:153:34 | new String(...) | semmle.label | new String(...) |
|
||||
| SimpleXMLTests.java:153:33:153:33 | b : byte[] | semmle.label | b : byte[] |
|
||||
| TransformerTests.java:20:27:20:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:21:23:21:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:71:27:71:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:72:23:72:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:79:27:79:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:80:23:80:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:88:27:88:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:89:23:89:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:97:27:97:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:98:23:98:61 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:103:21:103:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:116:21:116:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:122:21:122:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:129:21:129:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:136:21:136:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
|
||||
| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) |
|
||||
| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
|
||||
| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | semmle.label | new InputSource(...) |
|
||||
| XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | semmle.label | getInputStream(...) |
|
||||
subpaths
|
||||
#select
|
||||
| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user-provided value |
|
||||
| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user-provided value |
|
||||
| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | user-provided value |
|
||||
| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:13:18:13:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:30:18:30:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:38:18:38:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:46:18:46:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user-provided value |
|
||||
| SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user-provided value |
|
||||
| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user-provided value |
|
||||
| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | XML parsing depends on a $@ without guarding against external entity expansion. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:38:39:38:77 | new StreamSource(...) | SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:38:56:38:76 | getInputStream(...) | user-provided value |
|
||||
| SchemaTests.java:45:39:45:77 | new StreamSource(...) | SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:45:56:45:76 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:31:41:31:53 | new String(...) | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:31:41:31:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:38:41:38:53 | new String(...) | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:38:41:38:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:90:37:90:49 | new String(...) | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:90:37:90:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:97:37:97:49 | new String(...) | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:97:37:97:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:104:26:104:38 | new String(...) | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:104:26:104:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:111:26:111:38 | new String(...) | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:111:26:111:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:146:22:146:34 | new String(...) | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:146:22:146:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) | user-provided value |
|
||||
| SimpleXMLTests.java:153:22:153:34 | new String(...) | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:153:22:153:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:20:27:20:65 | new StreamSource(...) | TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:20:44:20:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:21:23:21:61 | new StreamSource(...) | TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:21:40:21:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:71:27:71:65 | new StreamSource(...) | TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:71:44:71:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:72:23:72:61 | new StreamSource(...) | TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:72:40:72:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:79:27:79:65 | new StreamSource(...) | TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:79:44:79:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:80:23:80:61 | new StreamSource(...) | TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:80:40:80:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:88:27:88:65 | new StreamSource(...) | TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:88:44:88:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:89:23:89:61 | new StreamSource(...) | TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:89:40:89:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:97:27:97:65 | new StreamSource(...) | TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:97:44:97:64 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:98:23:98:61 | new StreamSource(...) | TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:98:40:98:60 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:103:21:103:59 | new StreamSource(...) | TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:103:38:103:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:116:21:116:59 | new StreamSource(...) | TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:116:38:116:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:122:21:122:59 | new StreamSource(...) | TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:122:38:122:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user-provided value |
|
||||
| TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user-provided value |
|
||||
| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:70:34:70:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:78:34:78:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:86:34:86:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:94:34:94:54 | getInputStream(...) | user-provided value |
|
||||
| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:100:34:100:54 | getInputStream(...) | user-provided value |
|
||||
| XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:27:35:27:55 | getInputStream(...) | user-provided value |
|
||||
| XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:42:39:42:59 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | user-provided value |
|
||||
| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
|
||||
|
||||
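--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.ql
@@ -0,0 +1,11 @@
+import java
+import TestUtilities.InlineFlowTest
+import semmle.code.java.security.XxeRemoteQuery
+
+class HasFlowTest extends InlineFlowTest {
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    XxeFlow::flow(src, sink)
+  }
+
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
+}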
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-611/XXE.ql
|
||||
@@ -6,53 +6,53 @@ public class XmlInputFactoryTests {
|
||||
|
||||
public void unconfigureFactory(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void safeFactory(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //safe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //safe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // safe
|
||||
factory.createXMLEventReader(sock.getInputStream()); // safe
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory2(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory3(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory4(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
|
||||
public void misConfiguredFactory5(Socket sock) throws Exception {
|
||||
XMLInputFactory factory = XMLInputFactory.newFactory();
|
||||
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
|
||||
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||
factory.createXMLStreamReader(sock.getInputStream()); //unsafe
|
||||
factory.createXMLEventReader(sock.getInputStream()); //unsafe
|
||||
}
|
||||
factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
|
||||
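Review bot: Nothing in the hunk says what an unmarked parse call means, so the new `// safe` comments in safeFactory read as plain documentation while the `// $ hasTaintFlow` markers on the other methods carry the actual expectations. If this file follows the InlineFlowTest convention, a call without a marker also asserts that the query reports no result on that line, which is worth stating once where the markers are introduced. A class-level comment such as `// Calls marked "$ hasTaintFlow" are expected XXE sinks reached from the socket input; unmarked calls must produce no result.` would make that explicit. The enclosing class starts before the hunk, so the comment would go above its declaration.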
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.3.8/
|
||||
|
||||