diff --git a/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref b/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref index b94832ebfca..d726e7e0849 100644 --- a/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref +++ b/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref @@ -1,2 +1 @@ -query: DeadCode/DeadClass.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +DeadCode/DeadClass.ql diff --git a/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref b/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref index 743a5f15775..76204a1df5a 100644 --- a/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref +++ b/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref @@ -1,2 +1 @@ -query: DeadCode/DeadMethod.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +DeadCode/DeadMethod.ql diff --git a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java index d2ccfa90e36..f4fabc7d22e 100644 --- a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java +++ b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java @@ -1,10 +1,10 @@ package com.semmle.camel; /** Dead because it is not referenced in the {@code config.xml} file, or in the Java DSL. */ -public class DeadTarget { // $ Alert[java/dead-class] +public class DeadTarget { public Foo getFoo(Foo foo1) { return new Foo(); } - public static class Foo {} // $ Alert[java/dead-class] + public static class Foo {} } diff --git a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java index 01baa30e0a9..437a4d7b56d 100644 --- a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java +++ b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java 
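Review bot: Dropping the `postprocess: utils/test/InlineExpectationsTestQuery.ql` line and reducing this qlref to the bare query path `DeadCode/DeadClass.ql` switches the DeadClass test from inline expectations back to an `.expected` file, but no `DeadClass.expected` appears in this chunk; the same applies to `DeadMethod.qlref`, `Javadoc/ImpossibleJavadocThrows.qlref` and `SpuriousJavadocParam/test.qlref`. The matching source hunks (`DeadTarget.java`, `CustomRouteBuilder.java`, `ImpossibleJavadocThrows.java`, `SpuriousJavadocParam/Test.java`) strip the `// $ Alert` markers consistently, so once those markers are gone the expected-output files are the only record of which lines should fire. If those files are restored elsewhere in this commit that is fine; if not, these tests will run against a missing or stale expected file, and it is worth checking that their contents match the results the inline markers previously encoded. A sentence in the commit description explaining why these four queries move off inline expectations while the security tests move to qualified `Alert[...]` tags would help the next reader.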
@@ -5,7 +5,7 @@ import org.apache.camel.impl.DefaultCamelContext; public class CustomRouteBuilder extends RouteBuilder { @Override - public void configure() throws Exception { // $ Alert[java/dead-function] + public void configure() throws Exception { from("direct:test") .to("bean:dslToTarget") .bean(DSLBeanTarget.class) diff --git a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java index 9795251ce9a..3a087f6ea92 100644 --- a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java +++ b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java @@ -6,14 +6,14 @@ class ImpossibleJavadocThrows { /** * - * @throws InterruptedException // $ Alert + * @throws InterruptedException */ public void bad1() { } /** * - * @exception Exception // $ Alert + * @exception Exception */ public void bad2() { } diff --git a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref index dc001712b07..51541686bfc 100644 --- a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref +++ b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref @@ -1,2 +1 @@ -query: Advisory/Documentation/ImpossibleJavadocThrows.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Advisory/Documentation/ImpossibleJavadocThrows.ql diff --git a/java/ql/test/query-tests/MissingSpaceTypo/A.java b/java/ql/test/query-tests/MissingSpaceTypo/A.java index a095d8568d8..284fd20c863 100644 --- a/java/ql/test/query-tests/MissingSpaceTypo/A.java +++ b/java/ql/test/query-tests/MissingSpaceTypo/A.java 
@@ -1,19 +1,19 @@ public class A { public void missing() { String s; - s = "this text" + // $ + s = "this text" + "is missing a space"; // $ Alert - s = "the class java.util.ArrayList" + // $ + s = "the class java.util.ArrayList" + "without a space"; // $ Alert - s = "This isn't" + // $ + s = "This isn't" + "right."; // $ Alert - s = "There's 1" + // $ + s = "There's 1" + "thing wrong"; // $ Alert - s = "There's A/B" + // $ + s = "There's A/B" + "and no space"; // $ Alert - s = "Wait for it...." + // $ + s = "Wait for it...." + "No space!"; // $ Alert - s = "Is there a space?" + // $ + s = "Is there a space?" + "No!"; // $ Alert } diff --git a/java/ql/test/query-tests/SpuriousJavadocParam/Test.java b/java/ql/test/query-tests/SpuriousJavadocParam/Test.java index ca724cf468c..d8891afb756 100644 --- a/java/ql/test/query-tests/SpuriousJavadocParam/Test.java +++ b/java/ql/test/query-tests/SpuriousJavadocParam/Test.java @@ -54,83 +54,83 @@ public class Test { protected void ok9(int...param){ } /** - * @param prameter typo // $ Alert + * @param prameter typo */ public void problem1(int parameter){ } /** - * @param Parameter capitalization // $ Alert + * @param Parameter capitalization */ public void problem2(int parameter){ } /** - * @param parameter unmatched // $ Alert + * @param parameter unmatched */ public void problem3(){ } /** * @param someOtherParameter matched - * @param parameter unmatched // $ Alert + * @param parameter unmatched */ public void problem4(int someOtherParameter){ } /** - * @param unmatched type parameter // $ Alert + * @param unmatched type parameter */ private T problem5(){ return null; } /** * @param matched type parameter - * @param

unmatched type parameter // $ Alert - * @param n unmatched normal parameter // $ Alert + * @param

unmatched type parameter + * @param n unmatched normal parameter */ private T problem6(V p){ return null; } /** * param with immediate newline - * @param // $ Alert + * @param */ protected void problem7(){ } /** * param without a value (followed by blanks) - * @param // $ Alert + * @param */ protected void problem8(){ } class SomeClass { /** * @param i exists - * @param k does not // $ Alert + * @param k does not */ SomeClass(int i, int j) {} } /** * @param exists - * @param T wrong syntax // $ Alert - * @param does not exist // $ Alert + * @param T wrong syntax + * @param does not exist */ class GenericClass {} /** * @param exists - * @param T wrong syntax // $ Alert - * @param does not exist // $ Alert + * @param T wrong syntax + * @param does not exist */ interface GenericInterface {} /** * @param i exists - * @param k does not // $ Alert + * @param k does not */ static record SomeRecord(int i, int j) {} /** * @param exists - * @param does not // $ Alert + * @param does not * @param i exists - * @param k does not // $ Alert + * @param k does not */ static record GenericRecord(int i, int j) {} } diff --git a/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref b/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref index 85c1971658c..05f7231fe6b 100644 --- a/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref +++ b/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref @@ -1,2 +1 @@ -query: Advisory/Documentation/SpuriousJavadocParam.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Advisory/Documentation/SpuriousJavadocParam.ql diff --git a/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java b/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java index de76455c201..9e30b228c48 100644 --- a/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java +++ b/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java 
@@ -9,6 +9,6 @@ public class ExternalAPISinkExample extends HttpServlet { throws ServletException, IOException { // BAD: a request parameter is written directly to an error response page response.sendError(HttpServletResponse.SC_NOT_FOUND, - "The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert + "The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert[java/untrusted-data-to-external-api] } } diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java index fb87c687823..fffb93c6291 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java @@ -10,10 +10,10 @@ import java.nio.file.Paths; public class TaintedPath { public void sendUserFile(Socket sock, String user) throws IOException { BufferedReader filenameReader = - new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source + new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source[java/path-injection] String filename = filenameReader.readLine(); // BAD: read from a file without checking its path - BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert + BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert[java/path-injection] String fileLine = fileReader.readLine(); while (fileLine != null) { sock.getOutputStream().write(fileLine.getBytes()); diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java index 362c84f4b16..6ef57737226 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java 
@@ -29,143 +29,143 @@ public class Test { private HttpServletRequest request; public Object source() { - return request.getParameter("source"); // $ Source + return request.getParameter("source"); // $ Source[java/path-injection] } void test() throws IOException { // "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated" - getClass().getModule().getResourceAsStream((String) source()); // $ Alert + getClass().getModule().getResourceAsStream((String) source()); // $ Alert[java/path-injection] // "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated" - getClass().getResource((String) source()); // $ Alert + getClass().getResource((String) source()); // $ Alert[java/path-injection] // "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated" - ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert + ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert[java/path-injection] // "java.io;File;True;canExecute;();;Argument[this];path-injection;manual" - ((File) source()).canExecute(); // $ Alert + ((File) source()).canExecute(); // $ Alert[java/path-injection] // "java.io;File;True;canRead;();;Argument[this];path-injection;manual" - ((File) source()).canRead(); // $ Alert + ((File) source()).canRead(); // $ Alert[java/path-injection] // "java.io;File;True;canWrite;();;Argument[this];path-injection;manual" - ((File) source()).canWrite(); // $ Alert + ((File) source()).canWrite(); // $ Alert[java/path-injection] // "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual" - ((File) source()).createNewFile(); // $ Alert + ((File) source()).createNewFile(); // $ Alert[java/path-injection] // "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated" - File.createTempFile(";", ";", (File) source()); // $ Alert + File.createTempFile(";", ";", (File) source()); // $ Alert[java/path-injection] // 
"java.io;File;True;delete;();;Argument[this];path-injection;manual" - ((File) source()).delete(); // $ Alert + ((File) source()).delete(); // $ Alert[java/path-injection] // "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual" - ((File) source()).deleteOnExit(); // $ Alert + ((File) source()).deleteOnExit(); // $ Alert[java/path-injection] // "java.io;File;True;exists;();;Argument[this];path-injection;manual" - ((File) source()).exists(); // $ Alert + ((File) source()).exists(); // $ Alert[java/path-injection] // "java.io:File;True;isDirectory;();;Argument[this];path-injection;manual" - ((File) source()).isDirectory(); // $ Alert + ((File) source()).isDirectory(); // $ Alert[java/path-injection] // "java.io:File;True;isFile;();;Argument[this];path-injection;manual" - ((File) source()).isFile(); // $ Alert + ((File) source()).isFile(); // $ Alert[java/path-injection] // "java.io:File;True;isHidden;();;Argument[this];path-injection;manual" - ((File) source()).isHidden(); // $ Alert + ((File) source()).isHidden(); // $ Alert[java/path-injection] // "java.io;File;True;mkdir;();;Argument[this];path-injection;manual" - ((File) source()).mkdir(); // $ Alert + ((File) source()).mkdir(); // $ Alert[java/path-injection] // "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual" - ((File) source()).mkdirs(); // $ Alert + ((File) source()).mkdirs(); // $ Alert[java/path-injection] // "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual" - new File("").renameTo((File) source()); // $ Alert + new File("").renameTo((File) source()); // $ Alert[java/path-injection] // "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual" - ((File) source()).renameTo(null); // $ Alert + ((File) source()).renameTo(null); // $ Alert[java/path-injection] // "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual" - ((File) source()).setExecutable(true); // $ Alert + ((File) source()).setExecutable(true); // $ 
Alert[java/path-injection] // "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual" - ((File) source()).setLastModified(0); // $ Alert + ((File) source()).setLastModified(0); // $ Alert[java/path-injection] // "java.io;File;True;setReadable;;;Argument[this];path-injection;manual" - ((File) source()).setReadable(true); // $ Alert + ((File) source()).setReadable(true); // $ Alert[java/path-injection] // "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual" - ((File) source()).setReadOnly(); // $ Alert + ((File) source()).setReadOnly(); // $ Alert[java/path-injection] // "java.io;File;True;setWritable;;;Argument[this];path-injection;manual" - ((File) source()).setWritable(true); // $ Alert + ((File) source()).setWritable(true); // $ Alert[java/path-injection] // "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated" - new File("").renameTo((File) source()); // $ Alert + new File("").renameTo((File) source()); // $ Alert[java/path-injection] // "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated" - new FileInputStream((File) source()); // $ Alert + new FileInputStream((File) source()); // $ Alert[java/path-injection] // "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual" - new FileInputStream((FileDescriptor) source()); // $ Alert + new FileInputStream((FileDescriptor) source()); // $ Alert[java/path-injection] // "java.io;FileInputStream;true;FileInputStream;(String);;Argument[0];read-file;manual" - new FileInputStream((String) source()); // $ Alert + new FileInputStream((String) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated" - new FileReader((File) source()); // $ Alert + new FileReader((File) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual" - new FileReader((FileDescriptor) 
source()); // $ Alert + new FileReader((FileDescriptor) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual" - new FileReader((File) source(), null); // $ Alert + new FileReader((File) source(), null); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated" - new FileReader((String) source()); // $ Alert + new FileReader((String) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual" - new FileReader((String) source(), null); // $ Alert + new FileReader((String) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual" - Files.copy((Path) source(), (Path) null); // $ Alert - Files.copy((Path) source(), (OutputStream) null); // $ Alert + Files.copy((Path) source(), (Path) null); // $ Alert[java/path-injection] + Files.copy((Path) source(), (OutputStream) null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual" - Files.copy((Path) null, (Path) source()); // $ Alert - Files.copy((InputStream) null, (Path) source()); // $ Alert + Files.copy((Path) null, (Path) source()); // $ Alert[java/path-injection] + Files.copy((InputStream) null, (Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual" - Files.createDirectories((Path) source()); // $ Alert + Files.createDirectories((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual" - Files.createDirectory((Path) source()); // $ Alert + Files.createDirectory((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual" - Files.createFile((Path) source()); // $ Alert + Files.createFile((Path) source()); // 
$ Alert[java/path-injection] // "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual" - Files.createLink((Path) source(), null); // $ Alert + Files.createLink((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual" - Files.createSymbolicLink((Path) source(), null); // $ Alert + Files.createSymbolicLink((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual" - Files.createTempDirectory((Path) source(), null); // $ Alert + Files.createTempDirectory((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual" - Files.createTempFile((Path) source(), null, null); // $ Alert + Files.createTempFile((Path) source(), null, null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated" - Files.delete((Path) source()); // $ Alert + Files.delete((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated" - Files.deleteIfExists((Path) source()); // $ Alert + Files.deleteIfExists((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated" - Files.lines((Path) source(), null); // $ Alert + Files.lines((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;move;;;Argument[1];create-file;manual" - Files.move(null, (Path) source()); // $ Alert + Files.move(null, (Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated" - Files.newBufferedReader((Path) source(), null); // $ Alert + Files.newBufferedReader((Path) source(), null); // 
$ Alert[java/path-injection] // "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual" - Files.newBufferedWriter((Path) source()); // $ Alert - Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert + Files.newBufferedWriter((Path) source()); // $ Alert[java/path-injection] + Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual" - Files.newOutputStream((Path) source()); // $ Alert + Files.newOutputStream((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;write;;;Argument[0];create-file;manual" - Files.write((Path) source(), (byte[]) null); // $ Alert - Files.write((Path) source(), (Iterable) null); // $ Alert - Files.write((Path) source(), (Iterable) null, (Charset) null); // $ Alert + Files.write((Path) source(), (byte[]) null); // $ Alert[java/path-injection] + Files.write((Path) source(), (Iterable) null); // $ Alert[java/path-injection] + Files.write((Path) source(), (Iterable) null, (Charset) null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual" - Files.writeString((Path) source(), (CharSequence) null); // $ Alert - Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert + Files.writeString((Path) source(), (CharSequence) null); // $ Alert[java/path-injection] + Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert[java/path-injection] // "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated" - new StreamResult((File) source()); // $ Alert + new StreamResult((File) source()); // $ Alert[java/path-injection] // "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated" - FileUtils.openInputStream((File) source()); // $ Alert + FileUtils.openInputStream((File) source()); // $ 
Alert[java/path-injection] // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated" - new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert + new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert[java/path-injection] // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated" - new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert + new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert[java/path-injection] // "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual" - FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert + FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert[java/path-injection] // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual" - FileCopyUtils.copy((File) source(), null); // $ Alert + FileCopyUtils.copy((File) source(), null); // $ Alert[java/path-injection] // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual" - FileCopyUtils.copy((File) null, (File) source()); // $ Alert + FileCopyUtils.copy((File) null, (File) source()); // $ Alert[java/path-injection] } void test(AntClassLoader acl) { // "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated" - acl.addPathComponent((File) source()); // $ Alert + acl.addPathComponent((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated" - new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert + new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert[java/path-injection] // 
"org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated" - new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert + new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert[java/path-injection] // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated" - new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert + new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert[java/path-injection] // "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated" - new LargeText((File) source(), null, false, false); // $ Alert + new LargeText((File) source(), null, false, false); // $ Alert[java/path-injection] } void doGet6(String root, HttpServletRequest request) throws IOException { 
@@ -178,29 +178,29 @@ public class Test { void test(DirectoryScanner ds) { // "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated" - ds.setBasedir((File) source()); // $ Alert + ds.setBasedir((File) source()); // $ Alert[java/path-injection] } void test(Copy cp) { // "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated" - cp.addFileset((FileSet) source()); // $ Alert + cp.addFileset((FileSet) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated" - cp.setFile((File) source()); // $ Alert + cp.setFile((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated" - cp.setTodir((File) source()); // $ Alert + cp.setTodir((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated" - cp.setTofile((File) source()); // $ Alert + cp.setTofile((File) source()); // $ Alert[java/path-injection] } void test(Expand ex) { // "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated" - ex.setDest((File) source()); // $ Alert + ex.setDest((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated" - ex.setSrc((File) source()); // $ Alert + ex.setSrc((File) source()); // $ Alert[java/path-injection] } void test(ChainedOptionsBuilder cob) { // "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated" - cob.result((String) source()); // $ Alert + cob.result((String) source()); // $ Alert[java/path-injection] } } 
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java index 0e096ab94e0..0ca5b737d86 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java @@ -12,25 +12,25 @@ import java.util.Locale; public class JaxXSS { @GET - public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source + public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source[java/xss] Response.ResponseBuilder builder = Response.ok(); if(!safeContentType) { if(chainDirectly) { if(contentTypeFirst) - return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] else - return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert + return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert[java/xss] } else { if(contentTypeFirst) { Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML); - return builder2.entity(userControlled).build(); // $ Alert + return builder2.entity(userControlled).build(); // $ Alert[java/xss] } else { Response.ResponseBuilder builder2 = builder.entity(userControlled); - return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert + return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert[java/xss] } } } 
@@ -56,7 +56,7 @@ public class JaxXSS { } @GET - public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source + public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source[java/xss] // Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above: 
@@ -105,39 +105,39 @@ public class JaxXSS { else { if(route == 0) { // via ok, as a string literal: - return Response.ok("text/html").entity(userControlled).build(); // $ Alert + return Response.ok("text/html").entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 1) { // via ok, as a string constant: - return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 2) { // via ok, as a MediaType constant: - return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert + return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 3) { // via ok, as a Variant, via constructor: - return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert + return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 4) { // via ok, as a Variant, via static method: - return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert + return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 5) { // via ok, as a Variant, via instance method: - return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert + return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 6) { // via builder variant, before entity: - return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert + return Response.ok().variant(new 
Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 7) { // via builder variant, after entity: - return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert + return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert[java/xss] } else if(route == 8) { // provide entity via ok, then content-type via builder: - return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert + return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert[java/xss] } } 
@@ -161,28 +161,28 @@ public class JaxXSS { } @GET @Produces(MediaType.TEXT_HTML) - public static Response methodContentTypeUnsafe(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeUnsafe(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @POST @Produces(MediaType.TEXT_HTML) - public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET @Produces("text/html") - public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON}) - public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET @Produces(MediaType.APPLICATION_JSON) - public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source - return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source[java/xss] + return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] } @GET @Produces(MediaType.TEXT_HTML) 
@@ -204,13 +204,13 @@ public class JaxXSS { } @GET @Produces({"text/html"}) - public Response overridesWithUnsafe(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public Response overridesWithUnsafe(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET - public Response overridesWithUnsafe2(String userControlled) { // $ Source - return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + public Response overridesWithUnsafe2(String userControlled) { // $ Source[java/xss] + return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] } } @@ -218,13 +218,13 @@ public class JaxXSS { @Produces({"text/html"}) public static class ClassContentTypeUnsafe { @GET - public Response test(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public Response test(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET - public String testDirectReturn(String userControlled) { // $ Source - return userControlled; // $ Alert + public String testDirectReturn(String userControlled) { // $ Source[java/xss] + return userControlled; // $ Alert[java/xss] } @GET @Produces({"application/json"}) @@ -239,13 +239,13 @@ public class JaxXSS { } @GET - public static Response entityWithNoMediaType(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response entityWithNoMediaType(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET - public static String stringWithNoMediaType(String userControlled) { // $ Source - return userControlled; // $ Alert + public static String stringWithNoMediaType(String userControlled) { // $ Source[java/xss] + return userControlled; // $ Alert[java/xss] } } 
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
index f3efab3ddfe..a6f95bccfa6 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
@@ -18,7 +18,7 @@ public class JsfXSS extends Renderer
 {
 super.encodeBegin(facesContext, component);
- Map requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source
+ Map requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source[java/xss]
 String windowId = requestParameters.get("window_id");
 ResponseWriter writer = facesContext.getResponseWriter();
@@ -26,7 +26,7 @@ public class JsfXSS extends Renderer
 writer.write("(function(){");
 writer.write("dswh.init('" + windowId + "','" + "......" + "',"
- + -1 + ",{"); // $ Alert
+ + -1 + ",{"); // $ Alert[java/xss]
 writer.write("});");
 writer.write("})();");
 writer.write("");
@@ -57,13 +57,13 @@ public class JsfXSS extends Renderer
 {
 ExternalContext ec = facesContext.getExternalContext();
 ResponseWriter writer = facesContext.getResponseWriter();
- writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert
- writer.write(ec.getRequestParameterNames().next()); // $ Alert
- writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert
- writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert
- writer.write(ec.getRequestPathInfo()); // $ Alert
- writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert
- writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert
- writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert
+ writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert[java/xss]
+ writer.write(ec.getRequestParameterNames().next()); // $ Alert[java/xss]
+ writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert[java/xss]
+ writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert[java/xss]
+ writer.write(ec.getRequestPathInfo()); // $ Alert[java/xss]
+ writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert[java/xss]
+ writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert[java/xss]
+ writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert[java/xss]
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
index fd3a26bcf10..53b45c678af 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -13,17 +13,17 @@ import java.util.Optional; public class SpringXSS { @GetMapping - public static ResponseEntity specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source + public static ResponseEntity specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source[java/xss] ResponseEntity.BodyBuilder builder = ResponseEntity.ok(); if(!safeContentType) { if(chainDirectly) { - return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert + return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss] } else { ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML); - return builder2.body(userControlled); // $ Alert + return builder2.body(userControlled); // $ Alert[java/xss] } } else { 
@@ -59,23 +59,23 @@ public class SpringXSS {
 }
 @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
- public static ResponseEntity methodContentTypeUnsafe(String userControlled) { // $ Source
- return ResponseEntity.ok(userControlled); // $ Alert
+ public static ResponseEntity methodContentTypeUnsafe(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/xyz", produces = "text/html")
- public static ResponseEntity methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
- return ResponseEntity.ok(userControlled); // $ Alert
+ public static ResponseEntity methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
- public static ResponseEntity methodContentTypeMaybeSafe(String userControlled) { // $ Source
- return ResponseEntity.ok(userControlled); // $ Alert
+ public static ResponseEntity methodContentTypeMaybeSafe(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
- public static ResponseEntity methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
- return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
+ public static ResponseEntity methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -84,17 +84,17 @@ public class SpringXSS {
 }
 @GetMapping(value = "/xyz", produces = {"text/html", "application/json"})
- public static ResponseEntity methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source
+ public static ResponseEntity methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source[java/xss]
 // Also try out some alternative constructors for the ResponseEntity:
 switch(constructionMethod) {
 case 0:
- return ResponseEntity.ok(userControlled); // $ Alert
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 case 1:
- return ResponseEntity.of(Optional.of(userControlled)); // $ Alert
+ return ResponseEntity.of(Optional.of(userControlled)); // $ Alert[java/xss]
 case 2:
- return ResponseEntity.ok().body(userControlled); // $ Alert
+ return ResponseEntity.ok().body(userControlled); // $ Alert[java/xss]
 case 3:
- return new ResponseEntity(userControlled, HttpStatus.OK); // $ Alert
+ return new ResponseEntity(userControlled, HttpStatus.OK); // $ Alert[java/xss]
 default:
 return null;
 }
@@ -114,13 +114,13 @@ public class SpringXSS {
 }
 @GetMapping(value = "/xyz", produces = {"text/html"})
- public ResponseEntity overridesWithUnsafe(String userControlled) { // $ Source
- return ResponseEntity.ok(userControlled); // $ Alert
+ public ResponseEntity overridesWithUnsafe(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/abc")
- public ResponseEntity overridesWithUnsafe2(String userControlled) { // $ Source
- return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
+ public ResponseEntity overridesWithUnsafe2(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss]
 }
 }
@@ -128,13 +128,13 @@ public class SpringXSS {
 @RequestMapping(produces = {"text/html"})
 private static class ClassContentTypeUnsafe {
 @GetMapping(value = "/abc")
- public ResponseEntity test(String userControlled) { // $ Source
- return ResponseEntity.ok(userControlled); // $ Alert
+ public ResponseEntity test(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/abc")
- public String testDirectReturn(String userControlled) { // $ Source
- return userControlled; // $ Alert
+ public String testDirectReturn(String userControlled) { // $ Source[java/xss]
+ return userControlled; // $ Alert[java/xss]
 }
 @GetMapping(value = "/xyz", produces = {"application/json"})
@@ -149,13 +149,13 @@ public class SpringXSS {
 }
 @GetMapping(value = "/abc")
- public static ResponseEntity entityWithNoMediaType(String userControlled) { // $ Source
- return ResponseEntity.ok(userControlled); // $ Alert
+ public static ResponseEntity entityWithNoMediaType(String userControlled) { // $ Source[java/xss]
+ return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
 }
 @GetMapping(value = "/abc")
- public static String stringWithNoMediaType(String userControlled) { // $ Source
- return userControlled; // $ Alert
+ public static String stringWithNoMediaType(String userControlled) { // $ Source[java/xss]
+ return userControlled; // $ Alert[java/xss]
 }
 @GetMapping(value = "/abc")
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
index 13ae6b62e10..b12099673b8 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
@@ -16,7 +16,7 @@ public class XSS extends HttpServlet {
 throws ServletException, IOException {
 // BAD: a request parameter is written directly to the Servlet response stream
 response.getWriter()
- .print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
+ .print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert[java/xss]
 // GOOD: servlet API encodes the error message HTML for the HTML context
 response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -31,10 +31,10 @@ public class XSS extends HttpServlet {
 "The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
 // BAD: outputting the path of the resource
- response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert
+ response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert[java/xss]
 // BAD: typical XSS, this time written to an OutputStream instead of a Writer
- response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
+ response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss]
 // GOOD: sanitizer
 response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe
@@ -80,34 +80,34 @@ public class XSS extends HttpServlet { if(setContentMethod == 0) { // BAD: set content-type to something that is not safe response.setContentType("text/html"); - response.getWriter().print(request.getPathInfo()); // $ Alert + response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss] } else if(setContentMethod == 1) { // BAD: set content-type to something that is not safe response.setHeader("Content-Type", "text/html"); - response.getWriter().print(request.getPathInfo()); // $ Alert + response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss] } else { // BAD: set content-type to something that is not safe response.addHeader("Content-Type", "text/html"); - response.getWriter().print(request.getPathInfo()); // $ Alert + response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss] } } else { if(setContentMethod == 0) { // BAD: set content-type to something that is not safe response.setContentType("text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] } else if(setContentMethod == 1) { // BAD: set content-type to something that is not safe response.setHeader("Content-Type", "text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] } else { // BAD: set content-type to something that is not safe response.addHeader("Content-Type", "text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] } } } diff --git a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java index ee6a0c56b70..5f13a16d690 100644 
--- a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java
+++ b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java
@@ -11,7 +11,7 @@ public class ApkInstallation extends Activity {
 public void installAPK(String path) {
 // BAD: the path is not checked
 Intent intent = new Intent(Intent.ACTION_VIEW);
- intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert
+ intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert[java/android/arbitrary-apk-installation]
 startActivity(intent);
 }
@@ -19,7 +19,7 @@ public class ApkInstallation extends Activity {
 Intent intent = new Intent(Intent.ACTION_VIEW);
 intent.setType(APK_MIMETYPE);
 // BAD: the path is not checked
- intent.setData(Uri.fromFile(new File(path))); // $ Alert
+ intent.setData(Uri.fromFile(new File(path))); // $ Alert[java/android/arbitrary-apk-installation]
 startActivity(intent);
 }
@@ -27,7 +27,7 @@ public class ApkInstallation extends Activity {
 // BAD: file is from external storage
 File file = new File(Environment.getExternalStorageDirectory(), path);
 Intent intent = new Intent(Intent.ACTION_VIEW);
- intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert
+ intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert[java/android/arbitrary-apk-installation]
 startActivity(intent);
 }
@@ -35,14 +35,14 @@ public class ApkInstallation extends Activity {
 // BAD: file is from external storage
 File file = new File(Environment.getExternalStorageDirectory(), path);
 Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
- intent.setData(Uri.fromFile(file)); // $ Alert
+ intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation]
 startActivity(intent);
 }
 public void installAPKInstallPackageLiteral(String path) {
 File file = new File(Environment.getExternalStorageDirectory(), path);
 Intent intent = new Intent("android.intent.action.INSTALL_PACKAGE");
- intent.setData(Uri.fromFile(file)); // $ Alert
+ intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation]
 startActivity(intent);
 }
@@ -50,7 +50,7 @@ public class ApkInstallation extends Activity {
 Intent intent = new Intent(this, OtherActivity.class);
 intent.setAction(Intent.ACTION_VIEW);
 // BAD: the file is from unknown source
- intent.setData(Uri.fromFile(file)); // $ Alert
+ intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation]
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
index ff7d73f16bd..9fd078b1ba9 100644
--- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
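Review bot: `installAPKInstallPackageLiteral` is the only method in the hunk at line 35 whose body carries no explanatory `// BAD:` line, while its sibling directly above documents the identical pattern with `// BAD: file is from external storage`. Since the fixture relies on these BAD/GOOD comments to tell a reader why an alert is expected, the literal-action variant should get the same note above its `File file = ...` line, e.g. `// BAD: file is from external storage (action given as a string literal)`. The hunk at line 50 already keeps its comment, so nothing is needed there.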
@@ -14,41 +14,41 @@ public class GroovyClassLoaderTest extends HttpServlet {
 throws ServletException, IOException {
 // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
 final GroovyClassLoader classLoader = new GroovyClassLoader();
 GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
- classLoader.parseClass(gcs); // $ Alert
+ classLoader.parseClass(gcs); // $ Alert[java/groovy-injection]
 }
 // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
 final GroovyClassLoader classLoader = new GroovyClassLoader();
 GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
- classLoader.parseClass(gcs, true); // $ Alert
+ classLoader.parseClass(gcs, true); // $ Alert[java/groovy-injection]
 }
 // "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
 final GroovyClassLoader classLoader = new GroovyClassLoader();
- classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert
+ classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert[java/groovy-injection]
 }
 // "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
 final GroovyClassLoader classLoader = new GroovyClassLoader();
- classLoader.parseClass(new StringReader(script), "test");
// $ Alert
+ classLoader.parseClass(new StringReader(script), "test"); // $ Alert[java/groovy-injection]
 }
 // "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
 final GroovyClassLoader classLoader = new GroovyClassLoader();
- classLoader.parseClass(script); // $ Alert
+ classLoader.parseClass(script); // $ Alert[java/groovy-injection]
 }
 // "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
 final GroovyClassLoader classLoader = new GroovyClassLoader();
- classLoader.parseClass(script, "test"); // $ Alert
+ classLoader.parseClass(script, "test"); // $ Alert[java/groovy-injection]
 }
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java
index a906d9fdc96..e5088d873af 100644
--- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java
@@ -18,8 +18,8 @@ public class GroovyCompilationUnitTest extends HttpServlet {
 // "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual"
 {
 CompilationUnit cu = new CompilationUnit();
- cu.addSource("test", request.getParameter("source")); // $ Source
- cu.compile(); // $ Alert
+ cu.addSource("test", request.getParameter("source")); // $ Source[java/groovy-injection]
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
@@ -29,20 +29,20 @@ public class GroovyCompilationUnitTest extends HttpServlet {
 {
 CompilationUnit cu = new CompilationUnit();
 cu.addSource("test",
- new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source
- cu.compile(); // $ Alert
+ new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source[java/groovy-injection]
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
- cu.addSource(new URL(request.getParameter("source"))); // $ Source
- cu.compile(); // $ Alert
+ cu.addSource(new URL(request.getParameter("source"))); // $ Source[java/groovy-injection]
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
 SourceUnit su =
- new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source
+ new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source[java/groovy-injection]
 cu.addSource(su);
- cu.compile(); // $ Alert
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
@@ -53,29 +53,29 @@ public class GroovyCompilationUnitTest extends HttpServlet {
 }
 {
 CompilationUnit cu = new CompilationUnit();
- StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source
+ StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source[java/groovy-injection]
 SourceUnit su = new SourceUnit("test", rs, null, null, null);
 cu.addSource(su);
- cu.compile(); // $ Alert
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
 SourceUnit su =
- new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source
+ new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source[java/groovy-injection]
 cu.addSource(su);
- cu.compile(); // $ Alert
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
- SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source
+ SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source[java/groovy-injection]
 cu.addSource(su);
- cu.compile(); // $ Alert
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
- SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source
+ SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source[java/groovy-injection]
 cu.addSource(su);
- cu.compile(); // $ Alert
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 CompilationUnit cu = new CompilationUnit();
@@ -85,8 +85,8 @@ public class GroovyCompilationUnitTest extends HttpServlet {
 }
 {
 JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit();
- cu.addSource("test", request.getParameter("source")); // $ Source
- cu.compile(); // $ Alert
+ cu.addSource("test", request.getParameter("source")); // $ Source[java/groovy-injection]
+ cu.compile(); // $ Alert[java/groovy-injection]
 }
 {
 JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null);
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java
index 3756cd10bfa..704a225c670 100644
--- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java
@@ -11,29 +11,29 @@ public class GroovyEvalTest extends HttpServlet {
 throws ServletException, IOException {
 // "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
- Eval.me(script); // $ Alert
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
+ Eval.me(script); // $ Alert[java/groovy-injection]
 }
 // "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
- Eval.me("test", "result", script); // $ Alert
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
+ Eval.me("test", "result", script); // $ Alert[java/groovy-injection]
 }
 // "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
- Eval.x("result2", script); // $ Alert
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
+ Eval.x("result2", script); // $ Alert[java/groovy-injection]
 }
 // "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
- Eval.xy("result3", "result4", script); // $ Alert
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
+ Eval.xy("result3", "result4", script); // $ Alert[java/groovy-injection]
 }
 // "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual",
 {
- String script = request.getParameter("script"); // $ Source
- Eval.xyz("result3", "result4", "aaa", script); // $ Alert
+ String script = request.getParameter("script"); // $ Source[java/groovy-injection]
+ Eval.xyz("result3", "result4", "aaa", script); // $ Alert[java/groovy-injection]
 }
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java
index 6e2e773b03c..aa26691c019 100644
--- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java
@@ -19,134 +19,134 @@ public class GroovyShellTest extends HttpServlet { // "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.evaluate(gcs); // $ Alert + shell.evaluate(gcs); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.evaluate(reader); // $ Alert + shell.evaluate(reader); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.evaluate(reader, "_"); // $ Alert + shell.evaluate(reader, "_"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.evaluate(script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.evaluate(script); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.evaluate(script, "test"); // $ Alert + String script = 
request.getParameter("script"); // $ Source[java/groovy-injection] + shell.evaluate(script, "test"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.evaluate(script, "test", "test2"); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.evaluate(script, "test", "test2"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(new URI(script)); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(new URI(script)); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.parse(reader); // $ Alert + shell.parse(reader); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.parse(reader, "_"); // $ Alert + shell.parse(reader, "_"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(script); // $ 
Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(script); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(script, "_"); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(script, "_"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(new URI(script)); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(new URI(script)); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.run(gcs, new String[] {}); // $ Alert + shell.run(gcs, new String[] {}); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.run(gcs, new ArrayList()); // $ Alert + shell.run(gcs, new ArrayList()); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new 
GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.run(reader, "test", new String[] {}); // $ Alert + shell.run(reader, "test", new String[] {}); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.run(reader, "test", new ArrayList()); // $ Alert + shell.run(reader, "test", new ArrayList()); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(script, "_", new String[] {}); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(script, "_", new String[] {}); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(script, "_", new ArrayList()); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(script, "_", new ArrayList()); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(new URI(script), new String[] {}); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(new URI(script), new String[] 
{}); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(new URI(script), new ArrayList()); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(new URI(script), new ArrayList()); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } } diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java index a046b9cd332..77519656614 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java @@ -11,7 +11,7 @@ import groovy.text.TemplateEngine; public class TemplateEngineTest extends HttpServlet { private Object source(HttpServletRequest request) { - return request.getParameter("script"); // $ Source + return request.getParameter("script"); // $ Source[java/groovy-injection] } protected void doGet(HttpServletRequest request, HttpServletResponse response) @@ -19,10 +19,10 @@ public class TemplateEngineTest extends HttpServlet { try { Object script = source(request); TemplateEngine engine = null; - engine.createTemplate(request.getParameter("script")); // $ Alert - engine.createTemplate((File) script); // $ Alert - engine.createTemplate((Reader) script); // $ Alert - engine.createTemplate((URL) script); // $ Alert + engine.createTemplate(request.getParameter("script")); // $ Alert[java/groovy-injection] + engine.createTemplate((File) script); // $ Alert[java/groovy-injection] + engine.createTemplate((Reader) script); // $ Alert[java/groovy-injection] + engine.createTemplate((URL) script); // $ Alert[java/groovy-injection] } catch (Exception e) { } 
diff --git a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java index bfa94bbe3a8..fb840759b62 100644 --- a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java +++ b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java @@ -4,11 +4,11 @@ import javax.validation.ConstraintValidatorContext; public class InsecureBeanValidation implements ConstraintValidator { @Override - public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source + public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source[java/insecure-bean-validation] String value = object + " is invalid"; // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate` - constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert + constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert[java/insecure-bean-validation] // Good: Using message parameters constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation(); diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java index b306cf4e535..ab5a6b179a5 100644 --- a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java 
@@ -11,21 +11,21 @@ public class Jexl2Injection { JexlEngine jexl = new JexlEngine(); Expression e = jexl.createExpression(jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionWithJexlInfo(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0)); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScript(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Script script = jexl.createScript(jexlExpr); JexlContext jc = new MapContext(); - script.execute(jc); // $ Alert + script.execute(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScriptViaCallable(String jexlExpr) { @@ -34,7 +34,7 @@ public class Jexl2Injection { JexlContext jc = new MapContext(); try { - script.callable(jc).call(); // $ Alert + script.callable(jc).call(); // $ Alert[java/jexl-expression-injection] } catch (Exception e) { throw new RuntimeException(e); } 
@@ -42,37 +42,37 @@ public class Jexl2Injection { private static void runJexlExpressionViaGetProperty(String jexlExpr) { JexlEngine jexl = new JexlEngine(); - jexl.getProperty(new Object(), jexlExpr); // $ Alert + jexl.getProperty(new Object(), jexlExpr); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaSetProperty(String jexlExpr) { JexlEngine jexl = new JexlEngine(); - jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert + jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert + unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert + unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert + unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert[java/jexl-expression-injection] } private static void testWithSocket(Consumer action) throws Exception { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); // $ Source + int n = socket.getInputStream().read(bytes); // $ 
Source[java/jexl-expression-injection] String jexlExpr = new String(bytes, 0, n); action.accept(jexlExpr); } diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java index c047bb5b315..04e0f9a5e53 100644 --- a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java @@ -18,21 +18,21 @@ public class Jexl3Injection { JexlEngine jexl = new JexlBuilder().create(); JexlExpression e = jexl.createExpression(jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionWithJexlInfo(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScript(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlScript script = jexl.createScript(jexlExpr); JexlContext jc = new MapContext(); - script.execute(jc); // $ Alert + script.execute(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScriptViaCallable(String jexlExpr) { @@ -41,7 +41,7 @@ public class Jexl3Injection { JexlContext jc = new MapContext(); try { - script.callable(jc).call(); // $ Alert + script.callable(jc).call(); // $ Alert[java/jexl-expression-injection] } catch (Exception e) { throw new RuntimeException(e); } 
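Review bot: In testWithSocket, `int n = socket.getInputStream().read(bytes)` (the line now tagged as the source) can return -1 at end of stream, and the following `new String(bytes, 0, n)` then throws StringIndexOutOfBoundsException; that conversion also depends on the platform default charset. The same pattern appears on the new side of the Jexl3Injection hunk at `@@ -91,7 +91,7 @@`, in MvelInjectionTest's `read(Socket)`, and in each SpelInjectionTest method that tags `socket.getInputStream()`. Since these fixtures appear to exist only to exercise the taint path, a guard such as `if (n < 0) return;` before the conversion and `new String(bytes, 0, n, StandardCharsets.UTF_8)` (with the matching import) would keep the expectations valid without altering what the query sees. testWithSocket's closing braces lie outside this hunk.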
@@ -49,30 +49,30 @@ public class Jexl3Injection { private static void runJexlExpressionViaGetProperty(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); - jexl.getProperty(new Object(), jexlExpr); // $ Alert + jexl.getProperty(new Object(), jexlExpr); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaSetProperty(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); - jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert + jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert + jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert + jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert + jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaCallable(String jexlExpr) { 
@@ -81,7 +81,7 @@ public class Jexl3Injection { JexlContext jc = new MapContext(); try { - e.callable(jc).call(); // $ Alert + e.callable(jc).call(); // $ Alert[java/jexl-expression-injection] } catch (Exception ex) { throw new RuntimeException(ex); } @@ -91,7 +91,7 @@ public class Jexl3Injection { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); // $ Source + int n = socket.getInputStream().read(bytes); // $ Source[java/jexl-expression-injection] String jexlExpr = new String(bytes, 0, n); action.accept(jexlExpr); } @@ -141,14 +141,14 @@ public class Jexl3Injection { } @PostMapping("/request") - public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source + public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source[java/jexl-expression-injection] runJexlExpression(expr); return ResponseEntity.ok(HttpStatus.OK); } @PostMapping("/request") - public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source + public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source[java/jexl-expression-injection] String expr = data.getExpr(); runJexlExpression(expr); @@ -158,7 +158,7 @@ public class Jexl3Injection { @PostMapping("/request") public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects( - @RequestBody CustomRequest customRequest) { // $ Source + @RequestBody CustomRequest customRequest) { // $ Source[java/jexl-expression-injection] String expr = customRequest.getData().getExpr(); runJexlExpression(expr); 
diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java
index 4e6738dbfd9..b661732cc37 100644
--- a/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java
@@ -21,31 +21,31 @@ import org.mvel2.templates.TemplateRuntime; public class MvelInjectionTest { public static void testWithMvelEval(Socket socket) throws IOException { - MVEL.eval(read(socket)); // $ Alert + MVEL.eval(read(socket)); // $ Alert[java/mvel-expression-injection] } public static void testWithMvelCompileAndExecute(Socket socket) throws IOException { Serializable expression = MVEL.compileExpression(read(socket)); - MVEL.executeExpression(expression); // $ Alert + MVEL.executeExpression(expression); // $ Alert[java/mvel-expression-injection] } public static void testWithExpressionCompiler(Socket socket) throws IOException { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); ExecutableStatement statement = compiler.compile(); - statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert - statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert + statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] + statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); CompiledExpression expression = compiler.compile(); - expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert + expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException { CompiledAccExpression expression = new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext()); - expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert + expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } 
public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception { @@ -53,10 +53,10 @@ public class MvelInjectionTest { MvelScriptEngine engine = new MvelScriptEngine(); CompiledScript compiledScript = engine.compile(input); - compiledScript.eval(); // $ Alert + compiledScript.eval(); // $ Alert[java/mvel-expression-injection] Serializable script = engine.compiledScript(input); - engine.evaluate(script, new SimpleScriptContext()); // $ Alert + engine.evaluate(script, new SimpleScriptContext()); // $ Alert[java/mvel-expression-injection] } public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception { 
@@ -64,30 +64,30 @@ public class MvelInjectionTest { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); ExecutableStatement statement = compiler.compile(); MvelCompiledScript script = new MvelCompiledScript(engine, statement); - script.eval(new SimpleScriptContext()); // $ Alert + script.eval(new SimpleScriptContext()); // $ Alert[java/mvel-expression-injection] } public static void testTemplateRuntimeEval(Socket socket) throws Exception { - TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert + TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert[java/mvel-expression-injection] } public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception { - TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert + TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert[java/mvel-expression-injection] } public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception { TemplateCompiler compiler = new TemplateCompiler(read(socket)); - TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert + TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert[java/mvel-expression-injection] } public static void testMvelRuntimeExecute(Socket socket) throws Exception { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); CompiledExpression expression = compiler.compile(); - MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert + MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static String read(Socket socket) throws IOException { - try (InputStream is = socket.getInputStream()) { // $ Source + try (InputStream is = socket.getInputStream()) { // $ Source[java/mvel-expression-injection] byte[] bytes = new byte[1024]; int n = is.read(bytes); return 
new String(bytes, 0, n); diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java index 88c4e913d49..17bf732d547 100644 --- a/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java @@ -13,7 +13,7 @@ public class SpelInjectionTest { private static final ExpressionParser PARSER = new SpelExpressionParser(); public void testGetValue(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); 
@@ -21,33 +21,33 @@ public class SpelInjectionTest { ExpressionParser parser = new SpelExpressionParser(); Expression expression = parser.parseExpression(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testGetValueWithParseRaw(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); SpelExpressionParser parser = new SpelExpressionParser(); SpelExpression expression = parser.parseRaw(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testGetValueWithChainedCalls(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = new SpelExpressionParser().parseExpression(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testSetValueWithRootObject(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); 
@@ -57,33 +57,33 @@ public class SpelInjectionTest { Object root = new Object(); Object value = new Object(); - expression.setValue(root, value); // $ Alert + expression.setValue(root, value); // $ Alert[java/spel-expression-injection] } public void testGetValueWithStaticParser(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = PARSER.parseExpression(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testGetValueType(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = PARSER.parseExpression(input); - expression.getValueType(); // $ Alert + expression.getValueType(); // $ Alert[java/spel-expression-injection] } public void testWithStandardEvaluationContext(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); @@ -92,7 +92,7 @@ public class SpelInjectionTest { Expression expression = PARSER.parseExpression(input); StandardEvaluationContext context = new StandardEvaluationContext(); - expression.getValue(context); // $ Alert + expression.getValue(context); // $ Alert[java/spel-expression-injection] } public void testWithSimpleEvaluationContext(Socket socket) throws IOException { 
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
index a39ed8c5a4e..e1b87b3d2e5 100644
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
@@ -20,88 +20,88 @@ public class FreemarkerSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Reader reader = new StringReader(code); - Template t = new Template(name, reader); // $ Alert + Template t = new Template(name, reader); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Reader reader = new StringReader(code); Configuration cfg = new Configuration(); - Template t = new Template(name, reader, cfg); // $ Alert + Template t = new Template(name, reader, cfg); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Reader reader = new StringReader(code); Configuration cfg = new Configuration(); - Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert + Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad4") public void bad4(HttpServletRequest request) { String name = "ttemplate"; - String sourceCode = request.getParameter("sourceCode"); // $ Source + String sourceCode = request.getParameter("sourceCode"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); - Template t = new Template(name, sourceCode, cfg); // $ Alert + Template t = new Template(name, sourceCode, cfg); // $ Alert[java/server-side-template-injection] } @GetMapping(value 
= "bad5") public void bad5(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); Reader reader = new StringReader(code); - Template t = new Template(name, sourceName, reader, cfg); // $ Alert + Template t = new Template(name, sourceName, reader, cfg); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad6") public void bad6(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); ParserConfiguration customParserConfiguration = new Configuration(); Reader reader = new StringReader(code); Template t = - new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert + new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad7") public void bad7(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); ParserConfiguration customParserConfiguration = new Configuration(); Reader reader = new StringReader(code); - Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert + Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad8") public void bad8(HttpServletRequest request) { - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] StringTemplateLoader 
stringLoader = new StringTemplateLoader(); - stringLoader.putTemplate("myTemplate", code); // $ Alert + stringLoader.putTemplate("myTemplate", code); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad9") public void bad9(HttpServletRequest request) { - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] StringTemplateLoader stringLoader = new StringTemplateLoader(); - stringLoader.putTemplate("myTemplate", code, 0); // $ Alert + stringLoader.putTemplate("myTemplate", code, 0); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "good1") diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java index 9bd9bad4ca8..ef931de1537 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java 
@@ -18,27 +18,27 @@ public class JinJavaSSTI {
 @GetMapping(value = "bad1")
 public void bad1(HttpServletRequest request) {
- String template = request.getParameter("template"); // $ Source
+ String template = request.getParameter("template"); // $ Source[java/server-side-template-injection]
 Jinjava jinjava = new Jinjava();
 Map context = new HashMap<>();
- String renderedTemplate = jinjava.render(template, context); // $ Alert
+ String renderedTemplate = jinjava.render(template, context); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "bad2")
 public void bad2(HttpServletRequest request) {
- String template = request.getParameter("template"); // $ Source
+ String template = request.getParameter("template"); // $ Source[java/server-side-template-injection]
 Jinjava jinjava = new Jinjava();
 Map bindings = new HashMap<>();
- RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert
+ RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "bad3")
 public void bad3(HttpServletRequest request) {
- String template = request.getParameter("template"); // $ Source
+ String template = request.getParameter("template"); // $ Source[java/server-side-template-injection]
 Jinjava jinjava = new Jinjava();
 Map bindings = new HashMap<>();
 JinjavaConfig renderConfig = new JinjavaConfig();
- RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert
+ RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert[java/server-side-template-injection]
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java
index 45beaf46fa1..c2404a83172 100644
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java
@@ -15,15 +15,15 @@ public class PebbleSSTI {
 @GetMapping(value = "bad1")
 public void bad1(HttpServletRequest request) {
- String templateName = request.getParameter("templateName"); // $ Source
+ String templateName = request.getParameter("templateName"); // $ Source[java/server-side-template-injection]
 PebbleEngine engine = new PebbleEngine.Builder().build();
- PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert
+ PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "bad2")
 public void bad2(HttpServletRequest request) {
- String templateName = request.getParameter("templateName"); // $ Source
+ String templateName = request.getParameter("templateName"); // $ Source[java/server-side-template-injection]
 PebbleEngine engine = new PebbleEngine.Builder().build();
- PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert
+ PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert[java/server-side-template-injection]
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java
index 669b287ea79..ce8813ab902 100644
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java
@@ -18,20 +18,20 @@ import org.thymeleaf.context.Context;
 public class ThymeleafSSTI {
 @GetMapping(value = "bad1")
 public void bad1(HttpServletRequest request) {
- String code = request.getParameter("code"); // $ Source
+ String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
 try {
 TemplateEngine templateEngine = new TemplateEngine();
- templateEngine.process(code, (Set) null, (Context) null); // $ Alert
- templateEngine.process(code, (Set) null, (Context) null, (Writer) null); // $ Alert
- templateEngine.process(code, (Context) null); // $ Alert
- templateEngine.process(code, (Context) null, (Writer) null); // $ Alert
- templateEngine.processThrottled(code, (Set) null, (Context) null); // $ Alert
- templateEngine.processThrottled(code, (Context) null); // $ Alert
+ templateEngine.process(code, (Set) null, (Context) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.process(code, (Set) null, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.process(code, (Context) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.process(code, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.processThrottled(code, (Set) null, (Context) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.processThrottled(code, (Context) null); // $ Alert[java/server-side-template-injection]
 TemplateSpec spec = new TemplateSpec(code, "");
- templateEngine.process(spec, (Context) null); // $ Alert
- templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert
- templateEngine.processThrottled(spec, (Context) null); // $ Alert
+ templateEngine.process(spec, (Context) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection]
+ templateEngine.processThrottled(spec, (Context) null); // $
Alert[java/server-side-template-injection]
 } catch (Exception e) {
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java
index 463a653525e..f175cae98e4 100644
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java
@@ -28,19 +28,19 @@ public class VelocitySSTI {
 @GetMapping(value = "bad1")
 public void bad1(HttpServletRequest request) {
 String name = "ttemplate";
- String code = request.getParameter("code"); // $ Source
+ String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
 VelocityContext context = null;
 String s = "We are using $project $name to render this.";
 StringWriter w = new StringWriter();
- Velocity.evaluate(context, w, "mystring", code); // $ Alert
+ Velocity.evaluate(context, w, "mystring", code); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "bad2")
 public void bad2(HttpServletRequest request) {
 String name = "ttemplate";
- String code = request.getParameter("code"); // $ Source
+ String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
 VelocityContext context = null;
@@ -48,17 +48,17 @@ public class VelocitySSTI {
 StringWriter w = new StringWriter();
 StringReader reader = new StringReader(code);
- Velocity.evaluate(context, w, "mystring", reader); // $ Alert
+ Velocity.evaluate(context, w, "mystring", reader); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "bad3")
 public void bad3(HttpServletRequest request) {
 String name = "ttemplate";
- String code = request.getParameter("code"); // $ Source
+ String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
 RuntimeServices runtimeServices = null;
 StringReader reader = new StringReader(code);
- runtimeServices.parse(reader, new Template()); // $ Alert
+ runtimeServices.parse(reader, new Template()); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "good1")
@@ -78,7 +78,7 @@ public class VelocitySSTI {
 @GetMapping(value = "bad5")
 public void bad5(HttpServletRequest request) {
 String name = "ttemplate";
- String code = request.getParameter("code"); // $ Source
+ String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
 VelocityContext context = new VelocityContext();
 context.put("code", code);
@@ -90,8 +90,8 @@ public class VelocitySSTI {
 ctx.put("key", code);
 engine.evaluate(ctx, null, null, (String) null); // Safe
 engine.evaluate(ctx, null, null, (Reader) null); // Safe
- engine.evaluate(null, null, null, code); // $ Alert
- engine.evaluate(null, null, null, new StringReader(code)); // $ Alert
+ engine.evaluate(null, null, null, code); // $ Alert[java/server-side-template-injection]
+ engine.evaluate(null, null, null, new StringReader(code)); // $ Alert[java/server-side-template-injection]
 }
 @GetMapping(value = "good2")
@@ -111,10 +111,10 @@ public class VelocitySSTI {
 @GetMapping(value = "bad6")
 public void bad6(HttpServletRequest request) {
- String code = request.getParameter("code"); // $ Source
+ String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
 StringResourceRepository repo = new StringResourceRepositoryImpl();
- repo.putStringResource("woogie2", code); // $ Alert
+ repo.putStringResource("woogie2", code); // $ Alert[java/server-side-template-injection]
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
index 0085ce516cc..0de066c9872 100644
--- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
+++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
@@ -16,18 +16,18 @@ class ConditionalBypassTest {
 String user = request.getParameter("user");
 String password = request.getParameter("password");
- String isAdmin = request.getParameter("isAdmin"); // $ Source
+ String isAdmin = request.getParameter("isAdmin"); // $ Source[java/user-controlled-bypass]
 // BAD: login is only executed if isAdmin is false, but isAdmin
 // is controlled by the user
- if (isAdmin == "false") // $ Sink
- login(user, password); // $ Alert
+ if (isAdmin == "false") // $ Sink[java/user-controlled-bypass]
+ login(user, password); // $ Alert[java/user-controlled-bypass]
 Cookie adminCookie = getCookies()[0];
 // BAD: login is only executed if the cookie value is false, but the cookie
 // is controlled by the user
- if (adminCookie.getValue().equals("false")) // $ Source Sink
- login(user, password); // $ Alert
+ if (adminCookie.getValue().equals("false")) // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
+ login(user, password); // $ Alert[java/user-controlled-bypass]
 // GOOD: both methods are conditionally executed, but they probably
 // both perform the security-critical action
@@ -73,8 +73,8 @@ class ConditionalBypassTest {
 public static void test2(String user, String password) {
 Cookie adminCookie = getCookies()[0];
 // BAD: login may happen once or twice
- if (adminCookie.getValue() == "false") // $ Source Sink
- login(user, password); // $ Alert
+ if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
+ login(user, password); // $ Alert[java/user-controlled-bypass]
 else {
 // do something else
 doIt();
@@ -85,8 +85,8 @@ class ConditionalBypassTest {
 public static void test3(String user, String password) {
 Cookie adminCookie = getCookies()[0];
 // BAD: login may not happen
- if (adminCookie.getValue() == "false") // $ Source Sink
- login(user, password); // $ Alert
+ if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
+ login(user, password); // $ Alert[java/user-controlled-bypass]
 else {
 // do something else
 doIt();
@@ -130,8 +130,8 @@ class ConditionalBypassTest {
 public static void test7(String user, String password) {
 Cookie adminCookie = getCookies()[0];
 // BAD: login is bypasseable
- if (adminCookie.getValue() == "false") { // $ Source Sink
- login(user, password); // $ Alert
+ if (adminCookie.getValue() == "false") { // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
+ login(user, password); // $ Alert[java/user-controlled-bypass]
 return;
 } else {
 doIt();
@@ -142,8 +142,8 @@ class ConditionalBypassTest {
 Cookie adminCookie = getCookies()[0];
 {
 // BAD: login may not happen
- if (adminCookie.getValue() == "false") // $ Source Sink
- authorize(user, password); // $ Alert
+ if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
+ authorize(user, password); // $ Alert[java/user-controlled-bypass]
 else {
 // do something else
 doIt();
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java
index 6bd0966ff28..70f5a0b2bee 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java
@@ -38,7 +38,7 @@ public @interface Consume {
 /**
 * The uri to consume from
 */
- String value() default ""; // $ Alert[java/dead-function]
+ String value() default "";
 /**
 * The uri to consume from
@@ -46,12 +46,12 @@ public @interface Consume {
 * @deprecated use value instead
 */
 @Deprecated
- String uri() default ""; // $ Alert[java/dead-function]
+ String uri() default "";
 /**
 * Use the field or getter on the bean to provide the uri to consume from
 */
- String property() default ""; // $ Alert[java/dead-function]
+ String property() default "";
 /**
 * Optional predicate (using simple language) to only consume if the predicate matches . This can be used to filter
@@ -60,5 +60,5 @@ public @interface Consume {
 * Notice that only the first method that matches the predicate will be used. And if no predicate matches then the
 * message is dropped.
 */
- String predicate() default ""; // $ Alert[java/dead-function]
+ String predicate() default "";
 }
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java
index e90e607e50c..2dcc3ad5a7a 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java
@@ -20,6 +20,6 @@ package org.apache.camel.builder;
 * Represents an expression clause within the DSL which when the expression is complete the clause continues to another
 * part of the DSL
 */
-public class ExpressionClause { // $ Alert[java/dead-class]
+public class ExpressionClause {
 public T method(String ref) { return null; }
 }
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java
index 0cb300895bc..9c1b8c45d68 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java
@@ -31,9 +31,9 @@ public abstract class RouteBuilder implements RoutesBuilder {
 * @param uri the from uri
 * @return the builder
 */
- public RouteDefinition from(String uri) { // $ Alert[java/dead-function]
+ public RouteDefinition from(String uri) {
 return null;
 }
- public abstract void configure() throws Exception; // $ Alert[java/dead-function]
+ public abstract void configure() throws Exception;
 }
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java
index 22140d4b2f5..2180623054b 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java
@@ -21,7 +21,7 @@ import org.apache.camel.RoutesBuilder;
 public class DefaultCamelContext implements ModelCamelContext {
- public void configure() throws Exception {} // $ Alert[java/dead-function]
+ public void configure() throws Exception {}
 public void addRoutes(RoutesBuilder arg0) {}
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java
index d3bed4347b5..1138c8d3783 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java
@@ -16,4 +16,4 @@
 */
 package org.apache.camel.model;
-public class FilterDefinition { } // $ Alert[java/dead-class]
+public class FilterDefinition { }
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java
index 5c4045cdc95..cfe55f5cc17 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java
@@ -19,5 +19,5 @@ package org.apache.camel.model;
 /**
 * A useful base class for output types
 */
-public class OutputDefinition> extends ProcessorDefinition { // $ Alert[java/dead-class]
+public class OutputDefinition> extends ProcessorDefinition {
 }
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java
index 37931b91796..2423e907b01 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java
@@ -18,7 +18,7 @@ package org.apache.camel.model;
 import org.apache.camel.builder.ExpressionClause;
-public abstract class ProcessorDefinition> { // $ Alert[java/dead-class]
+public abstract class ProcessorDefinition> {
 public Type to(String uri) { return null; }
 public Type bean(Object bean) { return null; }
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java
index 2052e6a0cdd..2ab31d2126a 100644
--- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java
@@ -16,7 +16,7 @@
 */
 package org.apache.camel.model;
-public class RouteDefinition extends OutputDefinition { // $ Alert[java/dead-class]
+public class RouteDefinition extends OutputDefinition {
 }