Merge pull request #409 from yh-semmle/java/move-tests
Java: move/tweak some tests
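--- a/[path not shown on page]
+++ /dev/null
@@ -1,4 +0,0 @@
-| Test.java:72:5:72:20 | writeObject(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:68:11:68:17 | new S(...) | new S(...) | Test.java:65:46:65:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
-| Test.java:72:5:72:20 | writeObject(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:68:11:68:17 | new S(...) | new S(...) | Test.java:76:46:76:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
-| Test.java:84:5:84:19 | marshal(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:79:11:79:17 | new S(...) | new S(...) | Test.java:65:46:65:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |
-| Test.java:84:5:84:19 | marshal(...) | Storable class $@ containing $@ is stored here. Data was added $@. | Test.java:79:11:79:17 | new S(...) | new S(...) | Test.java:76:46:76:70 | getPassword(...) | sensitive data | Test.java:128:16:128:16 | d | here |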
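--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-312/CleartextStorageClass.ql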
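--- a/[path not shown on page]
+++ /dev/null
@@ -1,3 +0,0 @@
-| Test.java:33:5:33:48 | addCookie(...) | Cookie $@ containing $@ is stored here. Data was added $@. | Test.java:33:24:33:47 | new Cookie(...) | new Cookie(...) | Test.java:31:46:31:70 | getPassword(...) | sensitive data | Test.java:33:43:33:46 | data | here |
-| Test.java:41:5:41:48 | addCookie(...) | Cookie $@ containing $@ is stored here. Data was added $@. | Test.java:41:24:41:47 | new Cookie(...) | new Cookie(...) | Test.java:38:12:38:36 | getProperty(...) | sensitive data | Test.java:41:43:41:46 | data | here |
-| Test.java:103:5:103:48 | addCookie(...) | Cookie $@ containing $@ is stored here. Data was added $@. | Test.java:103:24:103:47 | new Cookie(...) | new Cookie(...) | Test.java:100:12:100:30 | isPasswordChecked(...) | sensitive data | Test.java:103:43:103:46 | data | here |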
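--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-312/CleartextStorageCookie.ql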
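--- a/[path not shown on page]
+++ /dev/null
@@ -1,2 +0,0 @@
-| Test.java:51:5:51:18 | store(...) | 'Properties' class $@ containing $@ is stored here. Data was added $@. | Test.java:45:20:45:35 | new Properties(...) | new Properties(...) | Test.java:46:46:46:70 | getPassword(...) | sensitive data | Test.java:49:38:49:41 | data | here |
-| Test.java:61:5:61:18 | store(...) | 'Properties' class $@ containing $@ is stored here. Data was added $@. | Test.java:55:20:55:35 | new Properties(...) | new Properties(...) | Test.java:56:46:56:70 | getPassword(...) | sensitive data | Test.java:133:26:133:26 | s | here |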
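--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-312/CleartextStorageProperties.ql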
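--- a/[path not shown on page]
+++ /dev/null
@@ -1,143 +0,0 @@
-// Semmle test case for CWE-312: Cleartext Storage of Sensitive Information
-// http://cwe.mitre.org/data/definitions/312.html
-package test.cwe0312.semmle.tests;
-
-
-
-
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.Cookie;
-import java.security.MessageDigest;
-import java.net.PasswordAuthentication;
-import java.util.Properties;
-import java.io.Serializable;
-import java.io.OutputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.ObjectOutputStream;
-import javax.xml.bind.annotation.*;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Marshaller;
-
-class CWE312 {
-public void test(HttpServletRequest request, HttpServletResponse response) {
-try {
-String data;
-PasswordAuthentication credentials = new PasswordAuthentication(
-"user", "BP@ssw0rd".toCharArray());
-
-{
-data = credentials.getUserName() + ":" + credentials.getPassword();
-// BAD: store data directly in a cookie
-response.addCookie(new Cookie("auth", data));
-}
-
-{
-Properties p = new Properties();
-data = p.getProperty("password");
-
-// BAD: store data directly in a cookie
-response.addCookie(new Cookie("auth", data));
-}
-
-{
-Properties p = new Properties();
-data = credentials.getUserName() + ":" + credentials.getPassword();
-
-// BAD: store data directly in properties
-p.setProperty("unsecured info!", data);
-OutputStream o = new ByteArrayOutputStream();
-p.store(o, "");
-}
-
-{
-Properties p = new Properties();
-data = credentials.getUserName() + ":" + credentials.getPassword();
-
-// BAD: store data on properties using method
-putInProperties(p, data);
-OutputStream o = new ByteArrayOutputStream();
-p.store(o, "");
-}
-
-{
-data = credentials.getUserName() + ":" + credentials.getPassword();
-
-// BAD: store data in serializable class
-S s = new S();
-s.setData(data);
-ObjectOutputStream o = new ObjectOutputStream(
-new ByteArrayOutputStream());
-o.writeObject(s);
-}
-
-{
-data = credentials.getUserName() + ":" + credentials.getPassword();
-
-// BAD: store data in marshalled class
-S t = new S();
-t.setData(data);
-OutputStream o = new ByteArrayOutputStream();
-JAXBContext context = JAXBContext.newInstance(this.getClass());
-Marshaller m = context.createMarshaller();
-m.marshal(t, o);
-}
-
-{
-String salt = "ThisIsMySalt";
-MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
-messageDigest.reset();
-String credentialsToHash = credentials.getUserName() + ":" + credentials.getPassword();
-byte[] hashedCredsAsBytes = messageDigest.digest((salt + credentialsToHash).getBytes("UTF-8"));
-data = bytesToString(hashedCredsAsBytes);
-
-// GOOD: use encrypted data
-response.addCookie(new Cookie("auth", data));
-}
-
-{
-data = isPasswordChecked();
-// FALSE POSITIVE: the query's detection of what counts as sensitive information
-// can be misled
-response.addCookie(new Cookie("auth", data));
-}
-
-{
-data = getCCNumber();
-// FALSE Negative: the query's detection of what counts as sensitive information
-// is unable to tell in general what can be sensitive information
-response.addCookie(new Cookie("auth", data));
-}
-} catch (Exception e) {
-// fail
-}
-}
-
-public static String bytesToString(byte[] input) {
-// fake
-return null;
-}
-
-@XmlRootElement
-public static class S implements Serializable {
-@XmlElement(name = "data")
-String data;
-
-public void setData(String d) {
-this.data = d;
-}
-}
-
-public static void putInProperties(Properties p, String s) {
-p.setProperty("stuff", s);
-}
-
-public static String isPasswordChecked() {
-return "true";
-}
-
-public static String getCCNumber() {
-return "Your CC number here";
-}
-}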
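--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/servlet-api-2.4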
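--- a/[path not shown on page]
+++ /dev/null
@@ -1,4 +0,0 @@
-| Test.java:50:50:50:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:45:23:45:31 | "http://" | this source |
-| Test.java:63:50:63:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:58:23:58:28 | "http" | this source |
-| Test.java:77:50:77:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:71:23:71:31 | "http://" | this source |
-| Test.java:114:50:114:67 | openConnection(...) | URL may have been constructed with HTTP protocol, using $@. | Test.java:109:23:109:28 | "http" | this source |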
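--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-319/HttpsUrls.ql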
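--- a/[path not shown on page]
+++ /dev/null
@@ -1,141 +0,0 @@
-// Semmle test case for CWE-319: Cleartext Transmission of Sensitive Data
-// http://cwe.mitre.org/data/definitions/319.html
-package test.cwe319.cwe.examples;
-
-import java.net.URL;
-import java.io.*;
-import java.rmi.*;
-import java.rmi.server.*;
-import java.rmi.registry.*;
-
-import javax.net.ssl.HttpsURLConnection;
-import javax.rmi.ssl.*;
-
-interface Hello extends java.rmi.Remote {
-String sayHello() throws java.rmi.RemoteException;
-}
-
-class HelloImpl implements Hello {
-public static void main(String[] args) {
-try {
-// UseSSLSocketFactories
-{
-HelloImpl obj = new HelloImpl();
-// BAD: default socket factory will be used
-Hello stub = (Hello) UnicastRemoteObject.exportObject(obj, 0);
-}
-
-{
-HelloImpl obj = new HelloImpl();
-SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
-SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
-
-// GOOD: use SSL factories
-Hello stub = (Hello) UnicastRemoteObject.exportObject(obj, 0, csf, ssf);
-}
-
-{
-// BAD: setting non-SSL default socket factory
-RMISocketFactory.setSocketFactory(RMISocketFactory.getDefaultSocketFactory());
-// use RMI ...
-}
-
-// HttpsUrls
-{
-String protocol = "http://";
-URL u = new URL(protocol + "www.secret.example.org/");
-// using HttpsURLConnections to enforce SSL is desirable
-// BAD: this will give a ClassCastException at runtime, as the
-// http URL cannot be used to make an HttpsURLConnection
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-
-{
-String protocol = "http";
-URL u = new URL(protocol, "www.secret.example.org", "foo");
-// using HttpsURLConnections to enforce SSL is desirable
-// BAD: this will give a ClassCastException at runtime, as the
-// http URL cannot be used to make an HttpsURLConnection
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-
-{
-String protocol = "http://";
-// the second URL overwrites the first, as it has a protocol
-URL u = new URL(new URL("https://www.secret.example.org"), protocol + "www.secret.example.org");
-// using HttpsURLConnections to enforce SSL is desirable
-// BAD: this will give a ClassCastException at runtime, as the
-// http URL cannot be used to make an HttpsURLConnection
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-
-{
-String protocol = "https://";
-URL u = new URL(protocol + "www.secret.example.org/");
-// using HttpsURLConnections to enforce SSL is desirable
-// GOOD: open connection to URL using HTTPS
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-
-{
-String protocol = "https";
-URL u = new URL(protocol, "www.secret.example.org", "foo");
-// using HttpsURLConnections to enforce SSL is desirable
-// GOOD: open connection to URL using HTTPS
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-
-{
-String protocol = "http";
-URL u = new URL(protocol, "internal-url", "foo");
-// FALSE POSITIVE: the query has no way of knowing whether the url will
-// resolve to somewhere outside the internal network, where there
-// are unlikely to be interception attempts
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-
-{
-String input = "URL is: http://www.secret-example.org";
-String url = input.substring(8);
-URL u = new URL(url);
-// FALSE NEGATIVE: we cannot tell that the substring results in a url
-// string
-HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
-hu.setRequestMethod("PUT");
-hu.connect();
-OutputStream os = hu.getOutputStream();
-hu.disconnect();
-}
-} catch (Exception e) {
-// fail
-}
-}
-
-public String sayHello() {
-return "Hello";
-}
-}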
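--- a/[path not shown on page]
+++ /dev/null
@@ -1,2 +0,0 @@
-| Test.java:25:26:25:65 | exportObject(...) | Method could use custom factories via overloaded method : use an SSL factory. |
-| Test.java:39:5:39:81 | setSocketFactory(...) | Method has a non-SSL factory argument : use an SSL factory. |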
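--- a/[path not shown on page]
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-319/UseSSLSocketFactories.ql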
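--- a/[path not shown on page]
+++ /dev/null
@@ -1,41 +0,0 @@
-import java.net.Socket;
-
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
-import javax.xml.transform.sax.SAXSource;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-
-import org.xml.sax.InputSource;
-import org.xml.sax.XMLReader;
-import org.xml.sax.helpers.XMLReaderFactory;
-
-public class SAXSourceTests {
-
-public void unsafeSource(Socket sock) throws Exception {
-XMLReader reader = XMLReaderFactory.createXMLReader();
-SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
-JAXBContext jc = JAXBContext.newInstance(Object.class);
-Unmarshaller um = jc.createUnmarshaller();
-um.unmarshal(source); //unsafe
-}
-
-public void explicitlySafeSource1(Socket sock) throws Exception {
-XMLReader reader = XMLReaderFactory.createXMLReader();
-reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
-SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
-}
-
-public void createdSafeSource(Socket sock) throws Exception {
-SAXParserFactory factory = SAXParserFactory.newInstance();
-factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-SAXParser parser = factory.newSAXParser();
-XMLReader reader = parser.getXMLReader();
-SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
-SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
-}
-}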
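--- a/[path not shown on page]
+++ /dev/null
@@ -1,30 +0,0 @@
-import java.net.Socket;
-
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.parsers.SAXParserFactory;
-import javax.xml.transform.Source;
-import javax.xml.transform.sax.SAXSource;
-
-import org.xml.sax.InputSource;
-
-public class UnmarshallerTests {
-
-public void safeUnmarshal(Socket sock) throws Exception {
-SAXParserFactory spf = SAXParserFactory.newInstance();
-spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
-spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-JAXBContext jc = JAXBContext.newInstance(Object.class);
-Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
-Unmarshaller um = jc.createUnmarshaller();
-um.unmarshal(xmlSource); //safe
-}
-
-public void unsafeUnmarshal(Socket sock) throws Exception {
-SAXParserFactory spf = SAXParserFactory.newInstance();
-JAXBContext jc = JAXBContext.newInstance(Object.class);
-Unmarshaller um = jc.createUnmarshaller();
-um.unmarshal(sock.getInputStream()); //unsafe
-}
-}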
@@ -24,7 +24,6 @@
|
||||
| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input |
|
||||
| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input |
|
||||
| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input |
|
||||
| SAXSourceTests.java:20:18:20:23 | source | Unsafe parsing of XML file from $@. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user input |
|
||||
| SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input |
|
||||
| SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input |
|
||||
| SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input |
|
||||
@@ -72,7 +71,6 @@
|
||||
| TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input |
|
||||
| TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input |
|
||||
| TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input |
|
||||
| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user input |
|
||||
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input |
|
||||
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input |
|
||||
| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input |
|
||||
|
||||