Merge pull request #409 from yh-semmle/java/move-tests
Java: move/tweak some tests
@@ -1 +0,0 @@
|
||||
| Test3.java:3:8:3:21 | AnnotatedClass |
|
||||
@@ -1,4 +0,0 @@
|
||||
import java
|
||||
|
||||
from GeneratedClass c
|
||||
select c
|
||||
@@ -1,4 +0,0 @@
|
||||
class Test3 {
|
||||
@javax.annotation.Generated(value = "test")
|
||||
class AnnotatedClass {}
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
| 3 | 1 | annotations/C.java:3:1:3:61 | Pair | 1 |
|
||||
| 3 | 14 | annotations/C.java:3:14:3:31 | Ann | 1 |
|
||||
| 3 | 42 | annotations/C.java:3:42:3:60 | Ann | 1 |
|
||||
| 4 | 1 | annotations/C.java:4:1:4:68 | Container | 1 |
|
||||
| 4 | 25 | annotations/C.java:4:25:4:46 | Ann | 1 |
|
||||
| 4 | 49 | annotations/C.java:4:49:4:65 | Ann | 1 |
|
||||
@@ -1,15 +0,0 @@
|
||||
/**
|
||||
* @name Annotations
|
||||
* @description Check that annotation ids are distinct
|
||||
*/
|
||||
|
||||
import default
|
||||
|
||||
private int numberOfLocations(Annotation a) { result = count(a.getLocation()) }
|
||||
|
||||
from Annotation a, RefType c, Location loc
|
||||
where
|
||||
c.hasQualifiedName("annotations", "C") and
|
||||
c.getAnAnnotation() = a.getParent*() and
|
||||
loc = a.getLocation()
|
||||
select loc.getStartLine(), loc.getStartColumn(), a, numberOfLocations(a)
|
||||
@@ -1,43 +0,0 @@
|
||||
| annotations/A.java:4:14:4:14 | A | key | annotations/A.java:3:10:3:16 | "value" |
|
||||
| annotations/A.java:4:14:4:14 | A | unused1 | annotations/A.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:4:14:4:14 | A | unused2 | annotations/A.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:8:7:8:9 | Sub | key | annotations/A.java:3:10:3:16 | "value" |
|
||||
| annotations/A.java:8:7:8:9 | Sub | unused1 | annotations/A.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:8:7:8:9 | Sub | unused2 | annotations/A.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:11:11:11:11 | I | key | annotations/A.java:10:10:10:15 | "IAnn" |
|
||||
| annotations/A.java:11:11:11:11 | I | unused1 | annotations/I.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:11:11:11:11 | I | unused2 | annotations/I.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:14:7:14:10 | Sub2 | key | annotations/A.java:3:10:3:16 | "value" |
|
||||
| annotations/A.java:14:7:14:10 | Sub2 | unused1 | annotations/A.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:14:7:14:10 | Sub2 | unused2 | annotations/A.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:18:7:18:10 | Sub3 | key | annotations/A.java:17:10:17:18 | "Sub3Ann" |
|
||||
| annotations/A.java:18:7:18:10 | Sub3 | unused1 | annotations/Sub3.class:0:0:0:0 | {...} |
|
||||
| annotations/A.java:18:7:18:10 | Sub3 | unused2 | annotations/Sub3.class:0:0:0:0 | {...} |
|
||||
| annotations/B.java:3:42:3:42 | B | value | annotations/B.java:3:19:3:26 | "unused" |
|
||||
| annotations/C.java:3:1:3:61 | Pair | key | annotations/C.java:3:25:3:30 | "Left" |
|
||||
| annotations/C.java:3:1:3:61 | Pair | key | annotations/C.java:3:53:3:59 | "Right" |
|
||||
| annotations/C.java:3:1:3:61 | Pair | unused1 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:3:1:3:61 | Pair | unused1 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:3:1:3:61 | Pair | unused2 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:3:1:3:61 | Pair | unused2 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:4:23:4:67 | {...} | key | annotations/C.java:4:36:4:45 | "On" + "e" |
|
||||
| annotations/C.java:4:23:4:67 | {...} | key | annotations/C.java:4:60:4:64 | "Two" |
|
||||
| annotations/C.java:4:23:4:67 | {...} | unused1 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:4:23:4:67 | {...} | unused1 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:4:23:4:67 | {...} | unused2 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:4:23:4:67 | {...} | unused2 | annotations/C.class:0:0:0:0 | {...} |
|
||||
| annotations/C.java:5:14:5:14 | C | children | annotations/C.java:4:23:4:67 | {...} |
|
||||
| annotations/C.java:5:14:5:14 | C | left | annotations/C.java:3:14:3:31 | Ann |
|
||||
| annotations/C.java:5:14:5:14 | C | right | annotations/C.java:3:42:3:60 | Ann |
|
||||
| annotations/FieldAnnotations.java:4:35:4:43 | listField | key | annotations/FieldAnnotations.java:4:11:4:17 | "value" |
|
||||
| annotations/FieldAnnotations.java:4:35:4:43 | listField | unused1 | annotations/FieldAnnotations.class:0:0:0:0 | {...} |
|
||||
| annotations/FieldAnnotations.java:4:35:4:43 | listField | unused2 | annotations/FieldAnnotations.class:0:0:0:0 | {...} |
|
||||
| annotations/LocalVarAnnotations.java:5:3:5:41 | int unusedLocal | key | annotations/LocalVarAnnotations.java:5:12:5:18 | "value" |
|
||||
| annotations/LocalVarAnnotations.java:5:3:5:41 | int unusedLocal | unused1 | annotations/LocalVarAnnotations.class:0:0:0:0 | {...} |
|
||||
| annotations/LocalVarAnnotations.java:5:3:5:41 | int unusedLocal | unused2 | annotations/LocalVarAnnotations.class:0:0:0:0 | {...} |
|
||||
| annotations/ParameterAnnotations.java:6:11:6:46 | listParameter | key | annotations/ParameterAnnotations.java:6:20:6:26 | "value" |
|
||||
| annotations/ParameterAnnotations.java:6:11:6:46 | listParameter | unused1 | annotations/ParameterAnnotations.class:0:0:0:0 | {...} |
|
||||
| annotations/ParameterAnnotations.java:6:11:6:46 | listParameter | unused2 | annotations/ParameterAnnotations.class:0:0:0:0 | {...} |
|
||||
| annotations/SuppressWarningsExample.java:7:14:7:14 | g | value | annotations/SuppressWarningsExample.java:6:20:6:34 | {...} |
|
||||
| annotations/SuppressWarningsExample.java:12:14:12:14 | h | value | annotations/SuppressWarningsExample.java:11:20:11:32 | "deprecation" |
|
||||
| annotations/SuppressWarningsExample.java:17:14:17:14 | k | value | annotations/SuppressWarningsExample.java:16:20:16:46 | {...} |
|
||||
@@ -1,9 +0,0 @@
|
||||
/**
|
||||
* @name GetAnnotationValue
|
||||
*/
|
||||
|
||||
import default
|
||||
|
||||
from Annotatable a, string key
|
||||
where a.fromSource()
|
||||
select a, key, a.getAnAnnotation().getValue(key)
|
||||
@@ -1,16 +0,0 @@
|
||||
| annotations/A.java:4:14:4:14 | A | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | key |
|
||||
| annotations/A.java:4:14:4:14 | A | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | unused1 |
|
||||
| annotations/A.java:4:14:4:14 | A | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | unused2 |
|
||||
| annotations/A.java:8:7:8:9 | Sub | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | key |
|
||||
| annotations/A.java:8:7:8:9 | Sub | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | unused1 |
|
||||
| annotations/A.java:8:7:8:9 | Sub | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | unused2 |
|
||||
| annotations/A.java:14:7:14:10 | Sub2 | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | key |
|
||||
| annotations/A.java:14:7:14:10 | Sub2 | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | unused1 |
|
||||
| annotations/A.java:14:7:14:10 | Sub2 | annotations/A.java:3:1:3:17 | Ann | annotations.Ann | unused2 |
|
||||
| annotations/A.java:18:7:18:10 | Sub3 | annotations/A.java:17:1:17:19 | Ann | annotations.Ann | key |
|
||||
| annotations/A.java:18:7:18:10 | Sub3 | annotations/A.java:17:1:17:19 | Ann | annotations.Ann | unused1 |
|
||||
| annotations/A.java:18:7:18:10 | Sub3 | annotations/A.java:17:1:17:19 | Ann | annotations.Ann | unused2 |
|
||||
| annotations/B.java:3:42:3:42 | B | annotations/B.java:3:1:3:27 | SuppressWarnings | java.lang.SuppressWarnings | value |
|
||||
| annotations/C.java:5:14:5:14 | C | annotations/C.java:3:1:3:61 | Pair | annotations.Pair | left |
|
||||
| annotations/C.java:5:14:5:14 | C | annotations/C.java:3:1:3:61 | Pair | annotations.Pair | right |
|
||||
| annotations/C.java:5:14:5:14 | C | annotations/C.java:4:1:4:68 | Container | annotations.Container | children |
|
||||
@@ -1,13 +0,0 @@
|
||||
/**
|
||||
* @name GetLibraryAnnotationElement
|
||||
*/
|
||||
|
||||
import default
|
||||
|
||||
from Class cl, Annotation ann, AnnotationType anntp, AnnotationElement anne
|
||||
where
|
||||
cl.fromSource() and
|
||||
ann = cl.getAnAnnotation() and
|
||||
anntp = ann.getType() and
|
||||
anne = anntp.getAnAnnotationElement()
|
||||
select cl, ann, anntp.getQualifiedName(), anne.getName()
|
||||
@@ -1,5 +0,0 @@
|
||||
| annotations/B.java:3:1:3:27 | SuppressWarnings | "unused" |
|
||||
| annotations/SuppressWarningsExample.java:6:2:6:35 | SuppressWarnings | "deprecation" |
|
||||
| annotations/SuppressWarningsExample.java:11:2:11:33 | SuppressWarnings | "deprecation" |
|
||||
| annotations/SuppressWarningsExample.java:16:2:16:47 | SuppressWarnings | "deprecation" |
|
||||
| annotations/SuppressWarningsExample.java:16:2:16:47 | SuppressWarnings | "rawtypes" |
|
||||
@@ -1,4 +0,0 @@
|
||||
import semmle.code.java.JDKAnnotations
|
||||
|
||||
from SuppressWarningsAnnotation swa
|
||||
select swa, swa.getASuppressedWarning()
|
||||
@@ -1,18 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
@Ann(key="value")
|
||||
public class A {
|
||||
}
|
||||
|
||||
// Sub inherits the Ann annotation from A
|
||||
class Sub extends A {}
|
||||
|
||||
@Ann(key="IAnn")
|
||||
interface I {}
|
||||
|
||||
// Sub2 inherits the Ann annotation from A, but not from I
|
||||
class Sub2 extends Sub implements I {}
|
||||
|
||||
// Sub3 does not inherit any Ann annotations since it has its own
|
||||
@Ann(key="Sub3Ann")
|
||||
class Sub3 extends Sub2 {}
|
||||
@@ -1,10 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
import java.lang.annotation.Inherited;
|
||||
|
||||
@Inherited
|
||||
public @interface Ann {
|
||||
String key();
|
||||
String[] unused1() default {};
|
||||
String[] unused2() default {};
|
||||
}
|
||||
@@ -1,4 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
@SuppressWarnings("unused") public class B {
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
@Pair(left = @Ann(key = "Left"), right = @Ann(key = "Right"))
|
||||
@Container(children = { @Ann(key = "On" + "e"), @Ann(key = "Two") })
|
||||
public class C { }
|
||||
@@ -1,5 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
public @interface Container {
|
||||
Ann[] children();
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
public class FieldAnnotations {
|
||||
@Ann(key="value") java.util.List listField;
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
public class LocalVarAnnotations {
|
||||
{
|
||||
@Ann(key="value") int unusedLocal = 23;
|
||||
}
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
public @interface Pair {
|
||||
Ann left();
|
||||
Ann right();
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
public class ParameterAnnotations {
|
||||
void foo(@Ann(key="value") List listParameter) {}
|
||||
}
|
||||
@@ -1,20 +0,0 @@
|
||||
package annotations;
|
||||
|
||||
public class SuppressWarningsExample {
|
||||
@Deprecated void f() {}
|
||||
|
||||
@SuppressWarnings({"deprecation"})
|
||||
public void g() {
|
||||
f();
|
||||
}
|
||||
|
||||
@SuppressWarnings("deprecation")
|
||||
public void h() {
|
||||
f();
|
||||
}
|
||||
|
||||
@SuppressWarnings({"deprecation", "rawtypes"})
|
||||
public void k(java.util.List l) {
|
||||
f();
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,5 @@
|
||||
import semmle.code.java.Expr
|
||||
|
||||
from BooleanLiteral lit
|
||||
where lit.getCompilationUnit().fromSource()
|
||||
select lit
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
| Test.java:23:14:23:14 | i | Field i never assigned non-null value, yet it is read at $@. | Test.java:24:29:24:29 | i | Test.java:24 |
|
||||
| Test.java:31:14:31:14 | i | Field i never assigned non-null value, yet it is read at $@. | Test.java:32:29:32:29 | i | Test.java:32 |
|
||||
|
||||
@@ -1,55 +0,0 @@
|
||||
public class Test {
|
||||
// OK: may be assigned by init() below
|
||||
private int foo;
|
||||
|
||||
public Test() {
|
||||
init();
|
||||
}
|
||||
|
||||
private native void init();
|
||||
|
||||
public int getFoo() {
|
||||
return foo;
|
||||
}
|
||||
}
|
||||
|
||||
class GsonTest {
|
||||
@com.google.gson.annotations.Expose private String s; // OK
|
||||
public String getS() { return s; }
|
||||
}
|
||||
|
||||
class JacksonTest {
|
||||
@com.fasterxml.jackson.annotation.JsonIgnore
|
||||
private int i; // not OK; field is ignored for Jackson JSON deserialization
|
||||
public int getI() { return i; }
|
||||
{
|
||||
new com.fasterxml.jackson.databind.ObjectMapper().readValue("...", JacksonTest.class);
|
||||
}
|
||||
}
|
||||
|
||||
class JacksonTest3 {
|
||||
private int i; // not OK; field is never deserialized
|
||||
public int getI() { return i; }
|
||||
}
|
||||
|
||||
@com.fasterxml.jackson.annotation.JsonAutoDetect
|
||||
@com.fasterxml.jackson.annotation.JsonIgnoreProperties
|
||||
class JacksonTest2 {
|
||||
private int i; // OK
|
||||
public int getI() { return i; }
|
||||
{
|
||||
new com.fasterxml.jackson.databind.ObjectMapper().readValue("...", JacksonTest2.class);
|
||||
}
|
||||
}
|
||||
|
||||
class JacksonTest4 {
|
||||
private int i; // OK
|
||||
public int getI() { return i; }
|
||||
{
|
||||
Class<?> clazz = JacksonTest4.class;
|
||||
readvalue(clazz);
|
||||
}
|
||||
public void readvalue(Class<?> clazz) {
|
||||
new com.fasterxml.jackson.databind.ObjectMapper().readValue("...", clazz);
|
||||
}
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
| p/JdkInternalAccess.java:1:1:1:18 | import sun.misc.* | Access to unsupported JDK-internal API 'sun.misc'. (Removed. See http://openjdk.java.net/jeps/260) |
|
||||
| p/JdkInternalAccess.java:2:1:2:31 | import DirectBuffer | Access to unsupported JDK-internal API 'sun.nio.ch.DirectBuffer'. |
|
||||
| p/JdkInternalAccess.java:5:2:5:7 | Unsafe | Access to unsupported JDK-internal API 'sun.misc.Unsafe'. (See http://openjdk.java.net/jeps/260) |
|
||||
| p/JdkInternalAccess.java:6:2:6:14 | BASE64Encoder | Access to unsupported JDK-internal API 'sun.misc.BASE64Encoder'. (Use java.util.Base64 @since 1.8) |
|
||||
| p/JdkInternalAccess.java:7:2:7:13 | DirectBuffer | Access to unsupported JDK-internal API 'sun.nio.ch.DirectBuffer'. |
|
||||
@@ -1 +0,0 @@
|
||||
Compatibility/JDK9/JdkInternalAccess.ql
|
||||
@@ -1,5 +0,0 @@
|
||||
| p/_/UnderscoreIdentifier.java:0:0:0:0 | UnderscoreIdentifier | Use of underscore as a one-character identifier in package name 'p._'. |
|
||||
| p/_/UnderscoreIdentifier.java:4:8:4:8 | _ | Use of underscore as a one-character identifier. |
|
||||
| p/_/UnderscoreIdentifier.java:5:6:5:6 | _ | Use of underscore as a one-character identifier. |
|
||||
| p/_/UnderscoreIdentifier.java:6:12:6:16 | _ | Use of underscore as a one-character identifier. |
|
||||
| p/_/UnderscoreIdentifier.java:9:3:9:12 | boolean _ | Use of underscore as a one-character identifier. |
|
||||
@@ -1 +0,0 @@
|
||||
Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
@@ -1,8 +0,0 @@
|
||||
import sun.misc.*;
|
||||
import sun.nio.ch.DirectBuffer;
|
||||
|
||||
public class JdkInternalAccess {
|
||||
Unsafe unsafe;
|
||||
BASE64Encoder enc;
|
||||
DirectBuffer buf;
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
package p._;
|
||||
|
||||
public class UnderscoreIdentifier {
|
||||
class _ {}
|
||||
int _;
|
||||
void test(int _) {
|
||||
}
|
||||
{
|
||||
boolean _;
|
||||
}
|
||||
}
|
||||
@@ -1,33 +0,0 @@
|
||||
import javax.xml.bind.annotation.XmlAttribute;
|
||||
|
||||
public class SomeFields {
|
||||
public String unusedPublic;
|
||||
protected String unusedProtected;
|
||||
String unusedDefault;
|
||||
private String unusedPrivate;
|
||||
private String unusedInitialisedPrivate = "foo";
|
||||
|
||||
public String usedPublic;
|
||||
protected String usedProtected;
|
||||
String usedDefault;
|
||||
private String usedPrivate;
|
||||
private String usedInitialisedPrivate;
|
||||
|
||||
@XmlAttribute
|
||||
private String xmlString;
|
||||
|
||||
@Deprecated
|
||||
private String deprecatedString;
|
||||
|
||||
@SuppressWarnings("unused")
|
||||
private String unusedStringWithSuppressedWarning;
|
||||
|
||||
private String use() {
|
||||
return usedPublic + usedProtected + usedDefault + usedPrivate + usedInitialisedPrivate;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unused")
|
||||
class Inner {
|
||||
private int unusedIntWithEnclosingSuppressedWarning;
|
||||
}
|
||||
}
|
||||
@@ -1,39 +0,0 @@
|
||||
import java.io.Serializable;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAttribute;
|
||||
|
||||
public class SomeFieldsInSerializable implements Serializable {
|
||||
public String unusedPublic;
|
||||
protected String unusedProtected;
|
||||
String unusedDefault;
|
||||
private String unusedPrivate;
|
||||
private String unusedInitialisedPrivate = "foo";
|
||||
|
||||
public transient String unusedTransientPublic;
|
||||
protected transient String unusedTransientProtected;
|
||||
transient String unusedTransientDefault;
|
||||
private transient String unusedTransientPrivate;
|
||||
private transient String unusedInitialisedTransientPrivate = "foo";
|
||||
|
||||
public String usedPublic;
|
||||
protected String usedProtected;
|
||||
String usedDefault;
|
||||
private String usedPrivate;
|
||||
private String usedInitialisedPrivate;
|
||||
|
||||
@XmlAttribute
|
||||
private String xmlString;
|
||||
|
||||
@XmlAttribute
|
||||
private transient String transientXMLString;
|
||||
|
||||
@Deprecated
|
||||
private String deprecatedString;
|
||||
|
||||
@Deprecated
|
||||
private transient String transientDeprecatedString;
|
||||
|
||||
private String use() {
|
||||
return usedPublic + usedProtected + usedDefault + usedPrivate + usedInitialisedPrivate;
|
||||
}
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
| SomeFields.java:6:9:6:21 | unusedDefault | Unused field unusedDefault in SomeFields. |
|
||||
| SomeFields.java:7:17:7:29 | unusedPrivate | Unused field unusedPrivate in SomeFields. |
|
||||
| SomeFields.java:20:17:20:32 | deprecatedString | Unused field deprecatedString in SomeFields. |
|
||||
| SomeFieldsInSerializable.java:14:19:14:40 | unusedTransientDefault | Unused field unusedTransientDefault in SomeFieldsInSerializable. |
|
||||
| SomeFieldsInSerializable.java:15:27:15:48 | unusedTransientPrivate | Unused field unusedTransientPrivate in SomeFieldsInSerializable. |
|
||||
| SomeFieldsInSerializable.java:34:27:34:51 | transientDeprecatedString | Unused field transientDeprecatedString in SomeFieldsInSerializable. |
|
||||
@@ -1 +0,0 @@
|
||||
Violations of Best Practice/Dead Code/UnusedField.ql
|
||||
@@ -1,10 +1,6 @@
|
||||
| InternalDeadCodeCycle.java:3:14:3:16 | foo | The method foo is only used from, or in, a dead-code cycle. | InternalDeadCodeCycle.java:3:14:3:16 | foo | foo |
|
||||
| InternalDeadCodeCycle.java:7:14:7:16 | bar | The method bar is only used from, or in, a dead-code cycle. | InternalDeadCodeCycle.java:7:14:7:16 | bar | bar |
|
||||
| JMXTest.java:14:17:14:35 | sometimesLiveMethod | The method sometimesLiveMethod is only used from dead code originating at $@. | JMXTest.java:8:17:8:35 | sometimesLiveMethod | sometimesLiveMethod |
|
||||
| JaxbTest.java:61:15:61:25 | setDeadLink | The method setDeadLink is entirely unused. | JaxbTest.java:61:15:61:25 | setDeadLink | setDeadLink |
|
||||
| JaxbTest.java:65:19:65:29 | getDeadLink | The method getDeadLink is entirely unused. | JaxbTest.java:65:19:65:29 | getDeadLink | getDeadLink |
|
||||
| JaxbTest.java:123:15:123:29 | setDeadProperty | The method setDeadProperty is entirely unused. | JaxbTest.java:123:15:123:29 | setDeadProperty | setDeadProperty |
|
||||
| JaxbTest.java:127:19:127:33 | getDeadProperty | The method getDeadProperty is entirely unused. | JaxbTest.java:127:19:127:33 | getDeadProperty | getDeadProperty |
|
||||
| SuppressedConstructorTest.java:9:15:9:24 | deadMethod | The method deadMethod is entirely unused. | SuppressedConstructorTest.java:9:15:9:24 | deadMethod | deadMethod |
|
||||
| SuppressedConstructorTest.java:15:13:15:36 | NestedPrivateConstructor | The method NestedPrivateConstructor is only used from dead code originating at $@. | SuppressedConstructorTest.java:9:15:9:24 | deadMethod | deadMethod |
|
||||
| SuppressedConstructorTest.java:26:13:26:28 | OtherConstructor | The method OtherConstructor is entirely unused. | SuppressedConstructorTest.java:26:13:26:28 | OtherConstructor | OtherConstructor |
|
||||
|
||||
@@ -1,158 +0,0 @@
|
||||
import java.util.List;
|
||||
|
||||
import javax.xml.bind.annotation.XmlEnum;
|
||||
import javax.xml.bind.annotation.XmlRegistry;
|
||||
import javax.xml.bind.annotation.XmlType;
|
||||
import javax.xml.bind.annotation.XmlElement;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.Marshaller;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
|
||||
public class JaxbTest {
|
||||
@XmlRegistry
|
||||
public static class ObjectFactory {
|
||||
public AnnotatedObject createAnnotatedObject() {
|
||||
return new AnnotatedObject();
|
||||
}
|
||||
|
||||
public PublicMemberObject createPublicMemberObject() {
|
||||
return new PublicMemberObject();
|
||||
}
|
||||
|
||||
public FieldObject createFieldObject() {
|
||||
return new FieldObject();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify that annotated fields work correctly.
|
||||
*/
|
||||
@XmlType
|
||||
@XmlAccessorType(XmlAccessType.NONE)
|
||||
public static class AnnotatedObject {
|
||||
@XmlElement
|
||||
private LiveEnum liveEnum;
|
||||
|
||||
@XmlElement
|
||||
public List<UnnannotatedLiveClass> classes;
|
||||
|
||||
private LiveEnum liveEnumProp;
|
||||
|
||||
private LiveEnum deadLink;
|
||||
|
||||
public void setLiveEnum(LiveEnum liveEnum) {
|
||||
this.liveEnum = liveEnum;
|
||||
}
|
||||
|
||||
public LiveEnum getLiveEnum() {
|
||||
return liveEnum;
|
||||
}
|
||||
|
||||
@XmlElement
|
||||
public void setLiveEnumProp(LiveEnum liveEnumProp) {
|
||||
this.liveEnumProp = liveEnumProp;
|
||||
}
|
||||
|
||||
public LiveEnum getLiveEnumProp() {
|
||||
return liveEnumProp;
|
||||
}
|
||||
|
||||
public void setDeadLink(LiveEnum deadLink) {
|
||||
this.deadLink = deadLink;
|
||||
}
|
||||
|
||||
public LiveEnum getDeadLink() {
|
||||
return deadLink;
|
||||
}
|
||||
|
||||
// Live marshal and unmarshal methods
|
||||
public void afterUnmarshal(Unmarshaller a, Object b) {
|
||||
}
|
||||
|
||||
public void beforeUnmarshal(Unmarshaller a, Object b) {
|
||||
}
|
||||
|
||||
public void afterMarshal(Marshaller a, Object b) {
|
||||
}
|
||||
|
||||
public void beforeMarshal(Marshaller a, Object b) {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Using default XmlAccessType (PUBLIC_MEMBER), verify that the properties are identified.
|
||||
*/
|
||||
@XmlType
|
||||
public static class PublicMemberObject {
|
||||
private LiveEnum liveEnum;
|
||||
|
||||
public void setLiveEnum(LiveEnum liveEnum) {
|
||||
this.liveEnum = liveEnum;
|
||||
}
|
||||
|
||||
public LiveEnum getLiveEnum() {
|
||||
return liveEnum;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify that the field is picked up.
|
||||
*/
|
||||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
@XmlType
|
||||
public static class FieldObject {
|
||||
private LiveEnum liveEnum;
|
||||
|
||||
public void setLiveEnum(LiveEnum liveEnum) {
|
||||
this.liveEnum = liveEnum;
|
||||
}
|
||||
|
||||
public LiveEnum getLiveEnum() {
|
||||
return liveEnum;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A class whose setter/getter would be live, but the constructor is not live.
|
||||
*/
|
||||
@XmlType
|
||||
public static class DeadPublicMemberObject {
|
||||
private LiveEnum deadProperty;
|
||||
|
||||
public void setDeadProperty(LiveEnum deadProperty) {
|
||||
this.deadProperty = deadProperty;
|
||||
}
|
||||
|
||||
public LiveEnum getDeadProperty() {
|
||||
return deadProperty;
|
||||
}
|
||||
|
||||
public static void liveMethod() { }
|
||||
}
|
||||
|
||||
@XmlEnum
|
||||
public static enum LiveEnum {
|
||||
A;
|
||||
}
|
||||
|
||||
/**
|
||||
* A class that is live because it is referred to in AnnotatedObject.
|
||||
*/
|
||||
public static class UnnannotatedLiveClass {
|
||||
@XmlElement
|
||||
private LiveEnum liveEnum;
|
||||
|
||||
public void setLiveEnum(LiveEnum liveEnum) {
|
||||
this.liveEnum = liveEnum;
|
||||
}
|
||||
|
||||
public LiveEnum getLiveEnum() {
|
||||
return liveEnum;
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
DeadPublicMemberObject.liveMethod();
|
||||
}
|
||||
}
|
||||
@@ -1,4 +0,0 @@
|
||||
| Test.java:72:5:72:20 | writeObject(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:68:11:68:17 | new S(...) | new S(...) | Test.java:65:46:65:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
|
||||
| Test.java:72:5:72:20 | writeObject(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:68:11:68:17 | new S(...) | new S(...) | Test.java:76:46:76:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
|
||||
| Test.java:84:5:84:19 | marshal(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:79:11:79:17 | new S(...) | new S(...) | Test.java:65:46:65:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
|
||||
| Test.java:84:5:84:19 | marshal(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:79:11:79:17 | new S(...) | new S(...) | Test.java:76:46:76:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-312/CleartextStorageClass.ql
|
||||
@@ -1,3 +0,0 @@
|
||||
| Test.java:33:5:33:48 | addCookie(...) | Cookie $@ containing $@ is stored here. Data was added $@. | Test.java:33:24:33:47 | new Cookie(...) | new Cookie(...) | Test.java:31:46:31:70 | getPassword(...) | sensitive data | Test.java:33:43:33:46 | data | here |
|
||||
| Test.java:41:5:41:48 | addCookie(...) | Cookie $@ containing $@ is stored here. Data was added $@. | Test.java:41:24:41:47 | new Cookie(...) | new Cookie(...) | Test.java:38:12:38:36 | getProperty(...) | sensitive data | Test.java:41:43:41:46 | data | here |
|
||||
| Test.java:103:5:103:48 | addCookie(...) | Cookie $@ containing $@ is stored here. Data was added $@. | Test.java:103:24:103:47 | new Cookie(...) | new Cookie(...) | Test.java:100:12:100:30 | isPasswordChecked(...) | sensitive data | Test.java:103:43:103:46 | data | here |
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-312/CleartextStorageCookie.ql
|
||||
@@ -1,2 +0,0 @@
|
||||
| Test.java:51:5:51:18 | store(...) | 'Properties' class $@ containing $@ is stored here. Data was added $@. | Test.java:45:20:45:35 | new Properties(...) | new Properties(...) | Test.java:46:46:46:70 | getPassword(...) | sensitive data | Test.java:49:38:49:41 | data | here |
|
||||
| Test.java:61:5:61:18 | store(...) | 'Properties' class $@ containing $@ is stored here. Data was added $@. | Test.java:55:20:55:35 | new Properties(...) | new Properties(...) | Test.java:56:46:56:70 | getPassword(...) | sensitive data | Test.java:133:26:133:26 | s | here |
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-312/CleartextStorageProperties.ql
|
||||
@@ -1,143 +0,0 @@
|
||||
// Semmle test case for CWE-312: Cleartext Storage of Sensitive Information
|
||||
// http://cwe.mitre.org/data/definitions/312.html
|
||||
package test.cwe0312.semmle.tests;
|
||||
|
||||
|
||||
|
||||
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.Cookie;
|
||||
import java.security.MessageDigest;
|
||||
import java.net.PasswordAuthentication;
|
||||
import java.util.Properties;
|
||||
import java.io.Serializable;
|
||||
import java.io.OutputStream;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
import javax.xml.bind.annotation.*;
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.Marshaller;
|
||||
|
||||
class CWE312 {
|
||||
public void test(HttpServletRequest request, HttpServletResponse response) {
|
||||
try {
|
||||
String data;
|
||||
PasswordAuthentication credentials = new PasswordAuthentication(
|
||||
"user", "BP@ssw0rd".toCharArray());
|
||||
|
||||
{
|
||||
data = credentials.getUserName() + ":" + credentials.getPassword();
|
||||
// BAD: store data directly in a cookie
|
||||
response.addCookie(new Cookie("auth", data));
|
||||
}
|
||||
|
||||
{
|
||||
Properties p = new Properties();
|
||||
data = p.getProperty("password");
|
||||
|
||||
// BAD: store data directly in a cookie
|
||||
response.addCookie(new Cookie("auth", data));
|
||||
}
|
||||
|
||||
{
|
||||
Properties p = new Properties();
|
||||
data = credentials.getUserName() + ":" + credentials.getPassword();
|
||||
|
||||
// BAD: store data directly in properties
|
||||
p.setProperty("unsecured info!", data);
|
||||
OutputStream o = new ByteArrayOutputStream();
|
||||
p.store(o, "");
|
||||
}
|
||||
|
||||
{
|
||||
Properties p = new Properties();
|
||||
data = credentials.getUserName() + ":" + credentials.getPassword();
|
||||
|
||||
// BAD: store data on properties using method
|
||||
putInProperties(p, data);
|
||||
OutputStream o = new ByteArrayOutputStream();
|
||||
p.store(o, "");
|
||||
}
|
||||
|
||||
{
|
||||
data = credentials.getUserName() + ":" + credentials.getPassword();
|
||||
|
||||
// BAD: store data in serializable class
|
||||
S s = new S();
|
||||
s.setData(data);
|
||||
ObjectOutputStream o = new ObjectOutputStream(
|
||||
new ByteArrayOutputStream());
|
||||
o.writeObject(s);
|
||||
}
|
||||
|
||||
{
|
||||
data = credentials.getUserName() + ":" + credentials.getPassword();
|
||||
|
||||
// BAD: store data in marshalled class
|
||||
S t = new S();
|
||||
t.setData(data);
|
||||
OutputStream o = new ByteArrayOutputStream();
|
||||
JAXBContext context = JAXBContext.newInstance(this.getClass());
|
||||
Marshaller m = context.createMarshaller();
|
||||
m.marshal(t, o);
|
||||
}
|
||||
|
||||
{
|
||||
String salt = "ThisIsMySalt";
|
||||
MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
|
||||
messageDigest.reset();
|
||||
String credentialsToHash = credentials.getUserName() + ":" + credentials.getPassword();
|
||||
byte[] hashedCredsAsBytes = messageDigest.digest((salt + credentialsToHash).getBytes("UTF-8"));
|
||||
data = bytesToString(hashedCredsAsBytes);
|
||||
|
||||
// GOOD: use encrypted data
|
||||
response.addCookie(new Cookie("auth", data));
|
||||
}
|
||||
|
||||
{
|
||||
data = isPasswordChecked();
|
||||
// FALSE POSITIVE: the query's detection of what counts as sensitive information
|
||||
// can be misled
|
||||
response.addCookie(new Cookie("auth", data));
|
||||
}
|
||||
|
||||
{
|
||||
data = getCCNumber();
|
||||
// FALSE Negative: the query's detection of what counts as sensitive information
|
||||
// is unable to tell in general what can be sensitive information
|
||||
response.addCookie(new Cookie("auth", data));
|
||||
}
|
||||
} catch (Exception e) {
|
||||
// fail
|
||||
}
|
||||
}
|
||||
|
||||
public static String bytesToString(byte[] input) {
|
||||
// fake
|
||||
return null;
|
||||
}
|
||||
|
||||
@XmlRootElement
|
||||
public static class S implements Serializable {
|
||||
@XmlElement(name = "data")
|
||||
String data;
|
||||
|
||||
public void setData(String d) {
|
||||
this.data = d;
|
||||
}
|
||||
}
|
||||
|
||||
public static void putInProperties(Properties p, String s) {
|
||||
p.setProperty("stuff", s);
|
||||
}
|
||||
|
||||
public static String isPasswordChecked() {
|
||||
return "true";
|
||||
}
|
||||
|
||||
public static String getCCNumber() {
|
||||
return "Your CC number here";
|
||||
}
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/servlet-api-2.4
@@ -1,4 +0,0 @@
| Test.java:50:50:50:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:45:23:45:31 | "http://" | this source |
| Test.java:63:50:63:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:58:23:58:28 | "http" | this source |
| Test.java:77:50:77:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:71:23:71:31 | "http://" | this source |
| Test.java:114:50:114:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:109:23:109:28 | "http" | this source |
@@ -1 +0,0 @@
Security/CWE/CWE-319/HttpsUrls.ql
@@ -1,141 +0,0 @@
// Semmle test case for CWE-319: Cleartext Transmission of Sensitive Data
// http://cwe.mitre.org/data/definitions/319.html
package test.cwe319.cwe.examples;
import java.net.URL;
import java.io.*;
import java.rmi.*;
import java.rmi.server.*;
import java.rmi.registry.*;
import javax.net.ssl.HttpsURLConnection;
import javax.rmi.ssl.*;
interface Hello extends java.rmi.Remote {
String sayHello() throws java.rmi.RemoteException;
}
class HelloImpl implements Hello {
public static void main(String[] args) {
try {
// UseSSLSocketFactories
{
HelloImpl obj = new HelloImpl();
// BAD: default socket factory will be used
Hello stub = (Hello) UnicastRemoteObject.exportObject(obj, 0);
}
{
HelloImpl obj = new HelloImpl();
SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
// GOOD: use SSL factories
Hello stub = (Hello) UnicastRemoteObject.exportObject(obj, 0, csf, ssf);
}
{
// BAD: setting non-SSL default socket factory
RMISocketFactory.setSocketFactory(RMISocketFactory.getDefaultSocketFactory());
// use RMI ...
}
// HttpsUrls
{
String protocol = "http://";
URL u = new URL(protocol + "www.secret.example.org/");
// using HttpsURLConnections to enforce SSL is desirable
// BAD: this will give a ClassCastException at runtime, as the
// http URL cannot be used to make an HttpsURLConnection
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "http";
URL u = new URL(protocol, "www.secret.example.org", "foo");
// using HttpsURLConnections to enforce SSL is desirable
// BAD: this will give a ClassCastException at runtime, as the
// http URL cannot be used to make an HttpsURLConnection
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "http://";
// the second URL overwrites the first, as it has a protocol
URL u = new URL(new URL("https://www.secret.example.org"), protocol + "www.secret.example.org");
// using HttpsURLConnections to enforce SSL is desirable
// BAD: this will give a ClassCastException at runtime, as the
// http URL cannot be used to make an HttpsURLConnection
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "https://";
URL u = new URL(protocol + "www.secret.example.org/");
// using HttpsURLConnections to enforce SSL is desirable
// GOOD: open connection to URL using HTTPS
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "https";
URL u = new URL(protocol, "www.secret.example.org", "foo");
// using HttpsURLConnections to enforce SSL is desirable
// GOOD: open connection to URL using HTTPS
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "http";
URL u = new URL(protocol, "internal-url", "foo");
// FALSE POSITIVE: the query has no way of knowing whether the url will
// resolve to somewhere outside the internal network, where there
// are unlikely to be interception attempts
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String input = "URL is: http://www.secret-example.org";
String url = input.substring(8);
URL u = new URL(url);
// FALSE NEGATIVE: we cannot tell that the substring results in a url
// string
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
} catch (Exception e) {
// fail
}
}
public String sayHello() {
return "Hello";
}
}
@@ -1,2 +0,0 @@
| Test.java:25:26:25:65 | exportObject(...) | Method could use custom factories via overloaded method : use an SSL factory. |
| Test.java:39:5:39:81 | setSocketFactory(...) | Method has a non-SSL factory argument : use an SSL factory. |
@@ -1 +0,0 @@
Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -1,41 +0,0 @@
import java.net.Socket;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;
public class SAXSourceTests {
public void unsafeSource(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
JAXBContext jc = JAXBContext.newInstance(Object.class);
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(source); //unsafe
}
public void explicitlySafeSource1(Socket sock) throws Exception {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
}
public void createdSafeSource(Socket sock) throws Exception {
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader();
SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
}
}
@@ -1,30 +0,0 @@
import java.net.Socket;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
public class UnmarshallerTests {
public void safeUnmarshal(Socket sock) throws Exception {
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
JAXBContext jc = JAXBContext.newInstance(Object.class);
Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(xmlSource); //safe
}
public void unsafeUnmarshal(Socket sock) throws Exception {
SAXParserFactory spf = SAXParserFactory.newInstance();
JAXBContext jc = JAXBContext.newInstance(Object.class);
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(sock.getInputStream()); //unsafe
}
}
@@ -24,7 +24,6 @@
| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input |
| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input |
| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input |
| SAXSourceTests.java:20:18:20:23 | source | Unsafe parsing of XML file from $@. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user input |
| SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input |
| SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input |
| SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input |
@@ -72,7 +71,6 @@
| TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input |
| TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input |
| TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input |
| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user input |
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input |
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input |
| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input |