Java: convert GroovyInjection test to .qlref

2026-05-01 03:35:13 +02:00 · 2025-06-23 11:57:08 +02:00
parent 8e53da285f
commit 1cc91e964d
10 changed files with 417 additions and 108 deletions
--- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
@@ -0,0 +1,54 @@
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.StringReader;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import groovy.lang.GroovyClassLoader;
+import groovy.lang.GroovyCodeSource;
+
+public class GroovyClassLoaderTest extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",
+        {
+            String script = request.getParameter("script"); // $ Source
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+            classLoader.parseClass(gcs); // $ Alert
+        }
+        // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",
+        {
+            String script = request.getParameter("script"); // $ Source
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+            classLoader.parseClass(gcs, true); // $ Alert
+        }
+        // "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",
+        {
+            String script = request.getParameter("script"); // $ Source
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert
+        }
+        // "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",
+        {
+            String script = request.getParameter("script"); // $ Source
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            classLoader.parseClass(new StringReader(script), "test"); // $ Alert
+        }
+        // "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",
+        {
+            String script = request.getParameter("script"); // $ Source
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            classLoader.parseClass(script); // $ Alert
+        }
+        // "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",
+        {
+            String script = request.getParameter("script"); // $ Source
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            classLoader.parseClass(script, "test"); // $ Alert
+        }
+    }
+}