Java: update test cases to use inline expectations

java/ql/test/query-tests/security/CWE-552/UnsafeLoadSpringResource.java

@@ -32,7 +32,7 @@ public class UnsafeLoadSpringResource {
 		char[] buffer = new char[4096];
 		StringBuilder out = new StringBuilder();
 		try {
-			Reader in = new FileReader(clr.getFilename());
+			Reader in = new FileReader(clr.getFilename()); // $ hasUnsafeUrlForward (path-inj?)
 			for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
 				out.append(buffer, 0, numRead);
 			}
@@ -67,13 +67,13 @@ public class UnsafeLoadSpringResource {
 	//BAD: Get resource from ResourceUtils without input validation
 	public String getFileContent2(@RequestParam(name="fileName") String fileName) {
 		String content = null;
-		
+
 		try {
 			// A request such as the following can disclose source code and system configuration
 			// fileName=/etc/hosts
 			// fileName=file:/etc/hosts
 			// fileName=/opt/appdir/WEB-INF/views/page.jsp
-			File file = ResourceUtils.getFile(fileName);
+			File file = ResourceUtils.getFile(fileName); // $ hasUnsafeUrlForward (path-inj?)
 			//Read File Content
 			content = new String(Files.readAllBytes(file.toPath()));
 		} catch (IOException ie) {
@@ -86,7 +86,7 @@ public class UnsafeLoadSpringResource {
 	//GOOD: Get resource from ResourceUtils with input path validation
 	public String getFileContent2a(@RequestParam(name="fileName") String fileName) {
 		String content = null;
-		
+
 		if (fileName.startsWith("/safe_dir") && !fileName.contains("..")) {
 			try {
 					File file = ResourceUtils.getFile(fileName);
@@ -113,7 +113,7 @@ public class UnsafeLoadSpringResource {
 			// fileName=/WEB-INF/views/page.jsp
 			// fileName=/WEB-INF/classes/com/example/package/SampleController.class
 			// fileName=file:/etc/hosts
-			Resource resource = resourceLoader.getResource(fileName);
+			Resource resource = resourceLoader.getResource(fileName); // $ hasUnsafeUrlForward (path-inj?)
 
 			char[] buffer = new char[4096];
 			StringBuilder out = new StringBuilder();

java/ql/test/query-tests/security/CWE-552/UnsafeRequestPath.java

@@ -14,23 +14,23 @@ public class UnsafeRequestPath implements Filter {
 	private static final String BASE_PATH = "/pages";
 
 	@Override
-	// BAD: Request dispatcher from servlet path without check 
+	// BAD: Request dispatcher from servlet path without check
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
 		throws IOException, ServletException {
 		String path = ((HttpServletRequest) request).getServletPath();
 		// A sample payload "/%57EB-INF/web.xml" can bypass this `startsWith` check
 		if (path != null && !path.startsWith("/WEB-INF")) {
-			request.getRequestDispatcher(path).forward(request, response);
+			request.getRequestDispatcher(path).forward(request, response); // $ hasUnsafeUrlForward
 		} else {
 			chain.doFilter(request, response);
 		}
 	}
 
-	// GOOD: Request dispatcher from servlet path with check 
+	// GOOD: Request dispatcher from servlet path with check
 	public void doFilter2(ServletRequest request, ServletResponse response, FilterChain chain)
 		throws IOException, ServletException {
 		String path = ((HttpServletRequest) request).getServletPath();
-		
+
 		if (path.startsWith(BASE_PATH) && !path.contains("..")) {
 			request.getRequestDispatcher(path).forward(request, response);
 		} else {
@@ -38,11 +38,11 @@ public class UnsafeRequestPath implements Filter {
 		}
 	}
 
-	// GOOD: Request dispatcher from servlet path with whitelisted string comparison 
+	// GOOD: Request dispatcher from servlet path with whitelisted string comparison
 	public void doFilter3(ServletRequest request, ServletResponse response, FilterChain chain)
 		throws IOException, ServletException {
 		String path = ((HttpServletRequest) request).getServletPath();
-		
+
 		if (path.equals("/comaction")) {
 			request.getRequestDispatcher(path).forward(request, response);
 		} else {

java/ql/test/query-tests/security/CWE-552/UnsafeResourceGet.java

@@ -38,7 +38,7 @@ public class UnsafeResourceGet extends HttpServlet {
 		// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
 		URL url = sc.getResource(requestUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -112,7 +112,7 @@ public class UnsafeResourceGet extends HttpServlet {
 		ServletOutputStream out = response.getOutputStream();
 
 		// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
-		InputStream in = request.getServletContext().getResourceAsStream(requestPath);
+		InputStream in = request.getServletContext().getResourceAsStream(requestPath); // $ hasUnsafeUrlForward (path-inj?)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -147,7 +147,7 @@ public class UnsafeResourceGet extends HttpServlet {
 		// Note the class is in two levels of subpackages and `Class.getResource` starts from its own directory
 		URL url = getClass().getResource(requestUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -186,7 +186,7 @@ public class UnsafeResourceGet extends HttpServlet {
 
 		// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
 		// Note the class is in two levels of subpackages and `ClassLoader.getResourceAsStream` starts from its own directory
-		InputStream in = getClass().getClassLoader().getResourceAsStream(requestPath);
+		InputStream in = getClass().getClassLoader().getResourceAsStream(requestPath); // $ hasUnsafeUrlForward (path-inj?)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -223,7 +223,7 @@ public class UnsafeResourceGet extends HttpServlet {
 		// Note the class is in two levels of subpackages and `ClassLoader.getResource` starts from its own directory
 		URL url = getClass().getClassLoader().getResource(requestUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -242,7 +242,7 @@ public class UnsafeResourceGet extends HttpServlet {
 
 			VirtualFile overlay = VFS.getChild(new URI("EAP_HOME/modules/"));
 			// Do file operations
-			overlay.getChild(rs.getPath());
+			overlay.getChild(rs.getPath()); // $ hasUnsafeUrlForward (path-inj?)
 		} catch (URISyntaxException ue) {
 			throw new IOException("Cannot parse the URI");
 		}

java/ql/test/query-tests/security/CWE-552/UnsafeResourceGet2.java

@@ -16,7 +16,7 @@ public class UnsafeResourceGet2 {
 		Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
 		String loadUrl = params.get("loadUrl");
 
-		InputStreamReader isr = new InputStreamReader(fc.getExternalContext().getResourceAsStream(loadUrl));
+		InputStreamReader isr = new InputStreamReader(fc.getExternalContext().getResourceAsStream(loadUrl)); // $ hasUnsafeUrlForward (path-inj?)
 		BufferedReader br = new BufferedReader(isr);
 		if(br.ready()) {
 			//Do Stuff
@@ -34,7 +34,7 @@ public class UnsafeResourceGet2 {
 
 		URL url = fc.getExternalContext().getResource(loadUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		//Do Stuff
 		return "result";
 	}

java/ql/test/query-tests/security/CWE-552/UnsafeServletRequestDispatch.java

@@ -29,13 +29,13 @@ public class UnsafeServletRequestDispatch extends HttpServlet {
 			rd.forward(request, response);
 		} else {
 			ServletContext sc = cfg.getServletContext();
-			RequestDispatcher rd = sc.getRequestDispatcher(returnURL);
+			RequestDispatcher rd = sc.getRequestDispatcher(returnURL); // $ hasUnsafeUrlForward
 			rd.forward(request, response);
 		}
 	}
 
 	@Override
-	// BAD: Request dispatcher constructed from `HttpServletRequest` without input validation 
+	// BAD: Request dispatcher constructed from `HttpServletRequest` without input validation
 	protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		String action = request.getParameter("action");
@@ -45,7 +45,7 @@ public class UnsafeServletRequestDispatch extends HttpServlet {
 			RequestDispatcher rd = request.getRequestDispatcher("/Login.jsp");
 			rd.forward(request, response);
 		} else {
-			RequestDispatcher rd = request.getRequestDispatcher(returnURL);
+			RequestDispatcher rd = request.getRequestDispatcher(returnURL); // $ hasUnsafeUrlForward
 			rd.forward(request, response);
 		}
 	}
@@ -65,22 +65,22 @@ public class UnsafeServletRequestDispatch extends HttpServlet {
 		}
 	}
 
-	// BAD: Request dispatcher without path traversal check 
+	// BAD: Request dispatcher without path traversal check
 	protected void doHead2(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		String path = request.getParameter("path");
 
-		// A sample payload "/pages/welcome.jsp/../WEB-INF/web.xml" can bypass the `startsWith` check 
-		// The payload "/pages/welcome.jsp/../../%57EB-INF/web.xml" can bypass the check as well since RequestDispatcher will decode `%57` as `W`  
+		// A sample payload "/pages/welcome.jsp/../WEB-INF/web.xml" can bypass the `startsWith` check
+		// The payload "/pages/welcome.jsp/../../%57EB-INF/web.xml" can bypass the check as well since RequestDispatcher will decode `%57` as `W`
 		if (path.startsWith(BASE_PATH)) {
-			request.getServletContext().getRequestDispatcher(path).include(request, response);
+			request.getServletContext().getRequestDispatcher(path).include(request, response); // $ hasUnsafeUrlForward
 		}
 	}
 
-	// GOOD: Request dispatcher with path traversal check 
+	// GOOD: Request dispatcher with path traversal check
 	protected void doHead3(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
-		String path = request.getParameter("path");		
+		String path = request.getParameter("path");
 
 		if (path.startsWith(BASE_PATH) && !path.contains("..")) {
 			request.getServletContext().getRequestDispatcher(path).include(request, response);
@@ -110,7 +110,7 @@ public class UnsafeServletRequestDispatch extends HttpServlet {
 		Path requestedPath = Paths.get(BASE_PATH).resolve(path).normalize();
 
 		if (!requestedPath.startsWith("/WEB-INF") && !requestedPath.startsWith("/META-INF")) {
-			request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response);
+			request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response); // $ MISSING: hasUnsafeUrlForward
 		}
 	}
 

java/ql/test/query-tests/security/CWE-552/UnsafeUrlForward.expected

@@ -1,129 +0,0 @@
-edges
-| UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String |
-| UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | UnsafeLoadSpringResource.java:35:31:35:33 | clr |
-| UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource |
-| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName |
-| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName |
-| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path |
-| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:17:20:17:25 | params : Map |
-| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : String |
-| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | UnsafeResourceGet2.java:19:93:19:99 | loadUrl |
-| UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:33:20:33:25 | params : Map |
-| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String |
-| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String |
-| UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | UnsafeResourceGet2.java:37:20:37:22 | url |
-| UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL |
-| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:39:28:39:37 | requestUrl : String |
-| UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | UnsafeResourceGet.java:41:20:41:22 | url |
-| UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL |
-| UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath |
-| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:148:36:148:45 | requestUrl : String |
-| UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | UnsafeResourceGet.java:150:20:150:22 | url |
-| UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL |
-| UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | UnsafeResourceGet.java:189:68:189:78 | requestPath |
-| UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | UnsafeResourceGet.java:224:53:224:62 | requestUrl : String |
-| UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | UnsafeResourceGet.java:226:20:226:22 | url |
-| UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL |
-| UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | UnsafeResourceGet.java:241:33:241:43 | requestPath : String |
-| UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | UnsafeResourceGet.java:245:21:245:22 | rs : Resource |
-| UnsafeResourceGet.java:241:33:241:43 | requestPath : String | UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource |
-| UnsafeResourceGet.java:245:21:245:22 | rs : Resource | UnsafeResourceGet.java:245:21:245:32 | getPath(...) |
-| UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL |
-| UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL |
-| UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path |
-| UnsafeUrlForward.java:13:27:13:36 | url : String | UnsafeUrlForward.java:14:27:14:29 | url |
-| UnsafeUrlForward.java:18:27:18:36 | url : String | UnsafeUrlForward.java:20:28:20:30 | url |
-| UnsafeUrlForward.java:25:21:25:30 | url : String | UnsafeUrlForward.java:26:23:26:25 | url |
-| UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:48:31:63 | ... + ... |
-| UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:61:31:63 | url |
-| UnsafeUrlForward.java:36:19:36:28 | url : String | UnsafeUrlForward.java:38:33:38:35 | url |
-| UnsafeUrlForward.java:47:19:47:28 | url : String | UnsafeUrlForward.java:49:33:49:62 | ... + ... |
-| UnsafeUrlForward.java:58:19:58:28 | url : String | UnsafeUrlForward.java:60:33:60:62 | ... + ... |
-nodes
-| UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | semmle.label | fileName : String |
-| UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | semmle.label | new ClassPathResource(...) : ClassPathResource |
-| UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | semmle.label | fileName : String |
-| UnsafeLoadSpringResource.java:35:31:35:33 | clr | semmle.label | clr |
-| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | semmle.label | fileName : String |
-| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | semmle.label | fileName |
-| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | semmle.label | fileName : String |
-| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | semmle.label | fileName |
-| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
-| UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
-| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
-| UnsafeResourceGet2.java:17:20:17:25 | params : Map | semmle.label | params : Map |
-| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | semmle.label | get(...) : String |
-| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | semmle.label | loadUrl |
-| UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
-| UnsafeResourceGet2.java:33:20:33:25 | params : Map | semmle.label | params : Map |
-| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | semmle.label | get(...) : String |
-| UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | semmle.label | getResource(...) : URL |
-| UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | semmle.label | loadUrl : String |
-| UnsafeResourceGet2.java:37:20:37:22 | url | semmle.label | url |
-| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | semmle.label | getResource(...) : URL |
-| UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | semmle.label | requestUrl : String |
-| UnsafeResourceGet.java:41:20:41:22 | url | semmle.label | url |
-| UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:115:68:115:78 | requestPath | semmle.label | requestPath |
-| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | semmle.label | getResource(...) : URL |
-| UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | semmle.label | requestUrl : String |
-| UnsafeResourceGet.java:150:20:150:22 | url | semmle.label | url |
-| UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:189:68:189:78 | requestPath | semmle.label | requestPath |
-| UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | semmle.label | getResource(...) : URL |
-| UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | semmle.label | requestUrl : String |
-| UnsafeResourceGet.java:226:20:226:22 | url | semmle.label | url |
-| UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | semmle.label | getResource(...) : Resource |
-| UnsafeResourceGet.java:241:33:241:43 | requestPath : String | semmle.label | requestPath : String |
-| UnsafeResourceGet.java:245:21:245:22 | rs : Resource | semmle.label | rs : Resource |
-| UnsafeResourceGet.java:245:21:245:32 | getPath(...) | semmle.label | getPath(...) |
-| UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | semmle.label | returnURL |
-| UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | semmle.label | returnURL |
-| UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeServletRequestDispatch.java:76:53:76:56 | path | semmle.label | path |
-| UnsafeUrlForward.java:13:27:13:36 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:14:27:14:29 | url | semmle.label | url |
-| UnsafeUrlForward.java:18:27:18:36 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:20:28:20:30 | url | semmle.label | url |
-| UnsafeUrlForward.java:25:21:25:30 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:26:23:26:25 | url | semmle.label | url |
-| UnsafeUrlForward.java:30:27:30:36 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:31:48:31:63 | ... + ... | semmle.label | ... + ... |
-| UnsafeUrlForward.java:31:61:31:63 | url | semmle.label | url |
-| UnsafeUrlForward.java:36:19:36:28 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:38:33:38:35 | url | semmle.label | url |
-| UnsafeUrlForward.java:47:19:47:28 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:49:33:49:62 | ... + ... | semmle.label | ... + ... |
-| UnsafeUrlForward.java:58:19:58:28 | url : String | semmle.label | url : String |
-| UnsafeUrlForward.java:60:33:60:62 | ... + ... | semmle.label | ... + ... |
-subpaths
-#select
-| UnsafeLoadSpringResource.java:35:31:35:33 | clr | UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:35:31:35:33 | clr | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:27:32:27:77 | fileName | user-provided value |
-| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:68:32:68:77 | fileName | user-provided value |
-| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:108:32:108:77 | fileName | user-provided value |
-| UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
-| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) | user-provided value |
-| UnsafeResourceGet2.java:37:20:37:22 | url | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:37:20:37:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) | user-provided value |
-| UnsafeResourceGet.java:41:20:41:22 | url | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:41:20:41:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:115:68:115:78 | requestPath | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:150:20:150:22 | url | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:150:20:150:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:189:68:189:78 | requestPath | UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | UnsafeResourceGet.java:189:68:189:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:181:24:181:58 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:226:20:226:22 | url | UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | UnsafeResourceGet.java:226:20:226:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:219:23:219:56 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:245:21:245:32 | getPath(...) | UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | UnsafeResourceGet.java:245:21:245:32 | getPath(...) | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:237:24:237:58 | getParameter(...) | user-provided value |
-| UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) | user-provided value |
-| UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) | user-provided value |
-| UnsafeServletRequestDispatch.java:76:53:76:56 | path | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) | user-provided value |
-| UnsafeUrlForward.java:14:27:14:29 | url | UnsafeUrlForward.java:13:27:13:36 | url : String | UnsafeUrlForward.java:14:27:14:29 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:13:27:13:36 | url | user-provided value |
-| UnsafeUrlForward.java:20:28:20:30 | url | UnsafeUrlForward.java:18:27:18:36 | url : String | UnsafeUrlForward.java:20:28:20:30 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:18:27:18:36 | url | user-provided value |
-| UnsafeUrlForward.java:26:23:26:25 | url | UnsafeUrlForward.java:25:21:25:30 | url : String | UnsafeUrlForward.java:26:23:26:25 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:25:21:25:30 | url | user-provided value |
-| UnsafeUrlForward.java:31:48:31:63 | ... + ... | UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:48:31:63 | ... + ... | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:30:27:30:36 | url | user-provided value |
-| UnsafeUrlForward.java:31:61:31:63 | url | UnsafeUrlForward.java:30:27:30:36 | url : String | UnsafeUrlForward.java:31:61:31:63 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:30:27:30:36 | url | user-provided value |
-| UnsafeUrlForward.java:38:33:38:35 | url | UnsafeUrlForward.java:36:19:36:28 | url : String | UnsafeUrlForward.java:38:33:38:35 | url | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:36:19:36:28 | url | user-provided value |
-| UnsafeUrlForward.java:49:33:49:62 | ... + ... | UnsafeUrlForward.java:47:19:47:28 | url : String | UnsafeUrlForward.java:49:33:49:62 | ... + ... | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:47:19:47:28 | url | user-provided value |
-| UnsafeUrlForward.java:60:33:60:62 | ... + ... | UnsafeUrlForward.java:58:19:58:28 | url : String | UnsafeUrlForward.java:60:33:60:62 | ... + ... | Potentially untrusted URL forward due to $@. | UnsafeUrlForward.java:58:19:58:28 | url | user-provided value |

java/ql/test/query-tests/security/CWE-552/UnsafeUrlForward.java

@@ -11,31 +11,31 @@ public class UnsafeUrlForward {
 
 	@GetMapping("/bad1")
 	public ModelAndView bad1(String url) {
-		return new ModelAndView(url);
+		return new ModelAndView(url); // $ hasUnsafeUrlForward
 	}
 
 	@GetMapping("/bad2")
 	public ModelAndView bad2(String url) {
 		ModelAndView modelAndView = new ModelAndView();
-		modelAndView.setViewName(url);
+		modelAndView.setViewName(url); // $ hasUnsafeUrlForward
 		return modelAndView;
 	}
 
 	@GetMapping("/bad3")
 	public String bad3(String url) {
-		return "forward:" + url + "/swagger-ui/index.html";
+		return "forward:" + url + "/swagger-ui/index.html"; // $ hasUnsafeUrlForward
 	}
 
 	@GetMapping("/bad4")
 	public ModelAndView bad4(String url) {
-		ModelAndView modelAndView = new ModelAndView("forward:" + url);
+		ModelAndView modelAndView = new ModelAndView("forward:" + url); // $ hasUnsafeUrlForward
 		return modelAndView;
 	}
 
 	@GetMapping("/bad5")
 	public void bad5(String url, HttpServletRequest request, HttpServletResponse response) {
 		try {
-			request.getRequestDispatcher(url).include(request, response);
+			request.getRequestDispatcher(url).include(request, response); // $ hasUnsafeUrlForward
 		} catch (ServletException e) {
 			e.printStackTrace();
 		} catch (IOException e) {
@@ -46,7 +46,7 @@ public class UnsafeUrlForward {
 	@GetMapping("/bad6")
 	public void bad6(String url, HttpServletRequest request, HttpServletResponse response) {
 		try {
-			request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").include(request, response);
+			request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").include(request, response); // $ hasUnsafeUrlForward
 		} catch (ServletException e) {
 			e.printStackTrace();
 		} catch (IOException e) {
@@ -57,7 +57,7 @@ public class UnsafeUrlForward {
 	@GetMapping("/bad7")
 	public void bad7(String url, HttpServletRequest request, HttpServletResponse response) {
 		try {
-			request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").forward(request, response);
+			request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").forward(request, response); // $ hasUnsafeUrlForward
 		} catch (ServletException e) {
 			e.printStackTrace();
 		} catch (IOException e) {

java/ql/test/query-tests/security/CWE-552/UnsafeUrlForward.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql

java/ql/test/query-tests/security/CWE-552/UnsafeUrlForwardTest.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-552/UnsafeUrlForwardTest.ql

@@ -0,0 +1,18 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.UnsafeUrlForwardQuery
+
+module UnsafeUrlForwardTest implements TestSig {
+  string getARelevantTag() { result = "hasUnsafeUrlForward" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasUnsafeUrlForward" and
+    exists(UnsafeUrlForwardFlow::PathNode sink | UnsafeUrlForwardFlow::flowPath(_, sink) |
+      location = sink.getNode().getLocation() and
+      element = sink.getNode().toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<UnsafeUrlForwardTest>