Merge pull request #3543 from porcupineyhairs/WebsocketReadAsSource

Java: add websocket reads as remote flow source.
2026-04-29 02:35:15 +02:00 · 2020-09-01 10:58:02 +02:00
parent beca44ec2f 4f07733b06
commit 1dae99e4a5
3 changed files with 57 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
@@ -0,0 +1,27 @@
+// package test.cwe079.cwe.examples;
+
+// import java.net.http.HttpClient;
+// import java.net.http.WebSocket;
+// import java.net.URI;
+// import java.util.*;
+// import java.util.concurrent.*;
+
+// public class WebsocketXss {
+//     public static void main(String[] args) throws Exception {
+//         WebSocket.Listener listener = new WebSocket.Listener() {
+//             public CompletionStage<?> onText(WebSocket webSocket, CharSequence message, boolean last) {
+//                 try {
+//                     HttpClient client = HttpClient.newBuilder().build();
+//                     CompletableFuture<WebSocket> ws = client.newWebSocketBuilder()
+//                             .buildAsync(URI.create("ws://websocket.example.com"), null);
+//                     ws.get().sendText(message, false);
+//                 } catch (Exception e) {
+//                     // TODO: handle exception
+//                 }
+
+//                 return null;
+//             };
+//         };
+
+//     }
+// }