*)add XQExpression.executeCommand(0) sink

2026-05-02 12:15:17 +02:00 · 2021-02-12 11:17:42 +08:00
parent a6a0fa28c4
commit 22e741c7a3
6 changed files with 112 additions and 52 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java
@@ -1,3 +1,5 @@
+package com.vuln.v2.controller;
+
 import java.io.BufferedReader;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -27,9 +29,10 @@ public class XQueryInjection {
                    + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
            conn = xqds.getConnection();
            XQExpression expr = conn.createExpression();
-            expr.bindString(new QName("name"), name, conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+            expr.bindString(new QName("name"), name,
+                    conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
            XQResultSequence result = expr.executeQuery(query);
-            while (result.next()){
+            while (result.next()) {
                System.out.println(result.getItemAsString(null));
            }
        } catch (XQException e) {
@@ -42,10 +45,11 @@ public class XQueryInjection {
        String name = request.getParameter("name");
        XQDataSource ds = new SaxonXQDataSource();
        XQConnection conn = ds.getConnection();
-        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password";
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
+                + "'] return $user/password";
        XQPreparedExpression xqpe = conn.prepareExpression(query);
        XQResultSequence result = xqpe.executeQuery();
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -54,11 +58,12 @@ public class XQueryInjection {
    public void testRequestbad1(HttpServletRequest request) throws Exception {
        String name = request.getParameter("name");
        XQDataSource xqds = new SaxonXQDataSource();
-        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password";
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
+                + "'] return $user/password";
        XQConnection conn = xqds.getConnection();
        XQExpression expr = conn.createExpression();
        XQResultSequence result = expr.executeQuery(query);
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -68,10 +73,11 @@ public class XQueryInjection {
    public void testStringtbad(@RequestParam String nameStr) throws XQException {
        XQDataSource ds = new SaxonXQDataSource();
        XQConnection conn = ds.getConnection();
-        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr + "'] return $user/password";
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
+                + "'] return $user/password";
        XQPreparedExpression xqpe = conn.prepareExpression(query);
        XQResultSequence result = xqpe.executeQuery();
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -79,11 +85,12 @@ public class XQueryInjection {
    @RequestMapping
    public void testStringtbad1(@RequestParam String nameStr) throws XQException {
        XQDataSource xqds = new SaxonXQDataSource();
-        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr + "'] return $user/password";
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
+                + "'] return $user/password";
        XQConnection conn = xqds.getConnection();
        XQExpression expr = conn.createExpression();
        XQResultSequence result = expr.executeQuery(query);
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -95,7 +102,7 @@ public class XQueryInjection {
        XQConnection conn = ds.getConnection();
        XQPreparedExpression xqpe = conn.prepareExpression(name);
        XQResultSequence result = xqpe.executeQuery();
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -107,7 +114,7 @@ public class XQueryInjection {
        XQConnection conn = xqds.getConnection();
        XQExpression expr = conn.createExpression();
        XQResultSequence result = expr.executeQuery(name);
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -120,7 +127,7 @@ public class XQueryInjection {
        XQConnection conn = ds.getConnection();
        XQPreparedExpression xqpe = conn.prepareExpression(br);
        XQResultSequence result = xqpe.executeQuery();
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -133,11 +140,26 @@ public class XQueryInjection {
        XQConnection conn = xqds.getConnection();
        XQExpression expr = conn.createExpression();
        XQResultSequence result = expr.executeQuery(br);
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }

+    @RequestMapping
+    public void testExecuteCommandbad(HttpServletRequest request) throws Exception {
+        String name = request.getParameter("name");
+        XQDataSource xqds = new SaxonXQDataSource();
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        //bad code
+        expr.executeCommand(name);
+        //bad code
+        InputStream is = request.getInputStream();
+        BufferedReader br = new BufferedReader(new InputStreamReader(is));
+        expr.executeCommand(br);
+        expr.close();
+    }
+
    @RequestMapping
    public void good(HttpServletRequest request) throws XQException {
        String name = request.getParameter("name");
@@ -146,9 +168,10 @@ public class XQueryInjection {
        String query = "declare variable $name as xs:string external;"
                + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
        XQPreparedExpression xqpe = conn.prepareExpression(query);
-        xqpe.bindString(new QName("name"), name, conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+        xqpe.bindString(new QName("name"), name,
+                conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
        XQResultSequence result = xqpe.executeQuery();
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
@@ -161,10 +184,12 @@ public class XQueryInjection {
        XQDataSource xqds = new SaxonXQDataSource();
        XQConnection conn = xqds.getConnection();
        XQExpression expr = conn.createExpression();
-        expr.bindString(new QName("name"), name, conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+        expr.bindString(new QName("name"), name,
+                conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
        XQResultSequence result = expr.executeQuery(query);
-        while (result.next()){
+        while (result.next()) {
            System.out.println(result.getItemAsString(null));
        }
    }
-}
+}
+