hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-13 08:51:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Second pass

Browse Source
This commit is contained in:
Owen Mansel-Chan
2026-06-10 09:14:47 +02:00
parent 1c1d26453d
commit 3693185b6b
41 changed files with 416 additions and 420 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref
View File

@@ -1,2 +1 @@
query: DeadCode/DeadClass.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
DeadCode/DeadClass.ql

3
java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref
View File

@@ -1,2 +1 @@
query: DeadCode/DeadMethod.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
DeadCode/DeadMethod.ql

4
java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java
View File

@@ -1,10 +1,10 @@
package com.semmle.camel;
/** Dead because it is not referenced in the {@code config.xml} file, or in the Java DSL. */
public class DeadTarget { // $ Alert[java/dead-class]
public class DeadTarget {
public Foo getFoo(Foo foo1) {
return new Foo();
}
public static class Foo {} // $ Alert[java/dead-class]
public static class Foo {}
}

2
java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java
View File

@@ -5,7 +5,7 @@ import org.apache.camel.impl.DefaultCamelContext;
public class CustomRouteBuilder extends RouteBuilder {
@Override
public void configure() throws Exception { // $ Alert[java/dead-function]
public void configure() throws Exception {
from("direct:test")
.to("bean:dslToTarget")
.bean(DSLBeanTarget.class)

4
java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java
View File

@@ -6,14 +6,14 @@ class ImpossibleJavadocThrows {
/**
*
* @throws InterruptedException // $ Alert
* @throws InterruptedException
*/
public void bad1() {
}
/**
*
* @exception Exception // $ Alert
* @exception Exception
*/
public void bad2() {
}

3
java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref
View File

@@ -1,2 +1 @@
query: Advisory/Documentation/ImpossibleJavadocThrows.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
Advisory/Documentation/ImpossibleJavadocThrows.ql

14
java/ql/test/query-tests/MissingSpaceTypo/A.java
View File

@@ -1,19 +1,19 @@
public class A {
public void missing() {
String s;
s = "this text" + // $
s = "this text" +
"is missing a space"; // $ Alert
s = "the class java.util.ArrayList" + // $
s = "the class java.util.ArrayList" +
"without a space"; // $ Alert
s = "This isn't" + // $
s = "This isn't" +
"right."; // $ Alert
s = "There's 1" + // $
s = "There's 1" +
"thing wrong"; // $ Alert
s = "There's A/B" + // $
s = "There's A/B" +
"and no space"; // $ Alert
s = "Wait for it...." + // $
s = "Wait for it...." +
"No space!"; // $ Alert
s = "Is there a space?" + // $
s = "Is there a space?" +
"No!"; // $ Alert
}

34
java/ql/test/query-tests/SpuriousJavadocParam/Test.java
View File

@@ -54,83 +54,83 @@ public class Test<V> {
protected void ok9(int...param){ }
/**
* @param prameter typo // $ Alert
* @param prameter typo
*/
public void problem1(int parameter){ }
/**
* @param Parameter capitalization // $ Alert
* @param Parameter capitalization
*/
public void problem2(int parameter){ }
/**
* @param parameter unmatched // $ Alert
* @param parameter unmatched
*/
public void problem3(){ }
/**
* @param someOtherParameter matched
* @param parameter unmatched // $ Alert
* @param parameter unmatched
*/
public void problem4(int someOtherParameter){ }
/**
* @param <V> unmatched type parameter // $ Alert
* @param <V> unmatched type parameter
*/
private <T> T problem5(){ return null; }
/**
* @param <V> matched type parameter
* @param <P> unmatched type parameter // $ Alert
* @param n unmatched normal parameter // $ Alert
* @param <P> unmatched type parameter
* @param n unmatched normal parameter
*/
private <T,V> T problem6(V p){ return null; }
/**
* param with immediate newline
* @param // $ Alert
* @param
*/
protected void problem7(){ }
/**
* param without a value (followed by blanks)
* @param // $ Alert
* @param
*/
protected void problem8(){ }
class SomeClass {
/**
* @param i exists
* @param k does not // $ Alert
* @param k does not
*/
SomeClass(int i, int j) {}
}
/**
* @param <T> exists
* @param T wrong syntax // $ Alert
* @param <X> does not exist // $ Alert
* @param T wrong syntax
* @param <X> does not exist
*/
class GenericClass<T> {}
/**
* @param <T> exists
* @param T wrong syntax // $ Alert
* @param <X> does not exist // $ Alert
* @param T wrong syntax
* @param <X> does not exist
*/
interface GenericInterface<T> {}
/**
* @param i exists
* @param k does not // $ Alert
* @param k does not
*/
static record SomeRecord(int i, int j) {}
/**
* @param <T> exists
* @param <U> does not // $ Alert
* @param <U> does not
* @param i exists
* @param k does not // $ Alert
* @param k does not
*/
static record GenericRecord<T>(int i, int j) {}
}

3
java/ql/test/query-tests/SpuriousJavadocParam/test.qlref
View File

@@ -1,2 +1 @@
query: Advisory/Documentation/SpuriousJavadocParam.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
Advisory/Documentation/SpuriousJavadocParam.ql

2
java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java
View File

@@ -9,6 +9,6 @@ public class ExternalAPISinkExample extends HttpServlet {
throws ServletException, IOException {
// BAD: a request parameter is written directly to an error response page
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
"The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert[java/untrusted-data-to-external-api]
}
}

4
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
View File

@@ -10,10 +10,10 @@ import java.nio.file.Paths;
public class TaintedPath {
public void sendUserFile(Socket sock, String user) throws IOException {
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source[java/path-injection]
String filename = filenameReader.readLine();
// BAD: read from a file without checking its path
BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert
BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert[java/path-injection]
String fileLine = fileReader.readLine();
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());

154
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -29,143 +29,143 @@ public class Test {
private HttpServletRequest request;
public Object source() {
return request.getParameter("source"); // $ Source
return request.getParameter("source"); // $ Source[java/path-injection]
}
void test() throws IOException {
// "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
getClass().getModule().getResourceAsStream((String) source()); // $ Alert
getClass().getModule().getResourceAsStream((String) source()); // $ Alert[java/path-injection]
// "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
getClass().getResource((String) source()); // $ Alert
getClass().getResource((String) source()); // $ Alert[java/path-injection]
// "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert
ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert[java/path-injection]
// "java.io;File;True;canExecute;();;Argument[this];path-injection;manual"
((File) source()).canExecute(); // $ Alert
((File) source()).canExecute(); // $ Alert[java/path-injection]
// "java.io;File;True;canRead;();;Argument[this];path-injection;manual"
((File) source()).canRead(); // $ Alert
((File) source()).canRead(); // $ Alert[java/path-injection]
// "java.io;File;True;canWrite;();;Argument[this];path-injection;manual"
((File) source()).canWrite(); // $ Alert
((File) source()).canWrite(); // $ Alert[java/path-injection]
// "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual"
((File) source()).createNewFile(); // $ Alert
((File) source()).createNewFile(); // $ Alert[java/path-injection]
// "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
File.createTempFile(";", ";", (File) source()); // $ Alert
File.createTempFile(";", ";", (File) source()); // $ Alert[java/path-injection]
// "java.io;File;True;delete;();;Argument[this];path-injection;manual"
((File) source()).delete(); // $ Alert
((File) source()).delete(); // $ Alert[java/path-injection]
// "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual"
((File) source()).deleteOnExit(); // $ Alert
((File) source()).deleteOnExit(); // $ Alert[java/path-injection]
// "java.io;File;True;exists;();;Argument[this];path-injection;manual"
((File) source()).exists(); // $ Alert
((File) source()).exists(); // $ Alert[java/path-injection]
// "java.io:File;True;isDirectory;();;Argument[this];path-injection;manual"
((File) source()).isDirectory(); // $ Alert
((File) source()).isDirectory(); // $ Alert[java/path-injection]
// "java.io:File;True;isFile;();;Argument[this];path-injection;manual"
((File) source()).isFile(); // $ Alert
((File) source()).isFile(); // $ Alert[java/path-injection]
// "java.io:File;True;isHidden;();;Argument[this];path-injection;manual"
((File) source()).isHidden(); // $ Alert
((File) source()).isHidden(); // $ Alert[java/path-injection]
// "java.io;File;True;mkdir;();;Argument[this];path-injection;manual"
((File) source()).mkdir(); // $ Alert
((File) source()).mkdir(); // $ Alert[java/path-injection]
// "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual"
((File) source()).mkdirs(); // $ Alert
((File) source()).mkdirs(); // $ Alert[java/path-injection]
// "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual"
new File("").renameTo((File) source()); // $ Alert
new File("").renameTo((File) source()); // $ Alert[java/path-injection]
// "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual"
((File) source()).renameTo(null); // $ Alert
((File) source()).renameTo(null); // $ Alert[java/path-injection]
// "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual"
((File) source()).setExecutable(true); // $ Alert
((File) source()).setExecutable(true); // $ Alert[java/path-injection]
// "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual"
((File) source()).setLastModified(0); // $ Alert
((File) source()).setLastModified(0); // $ Alert[java/path-injection]
// "java.io;File;True;setReadable;;;Argument[this];path-injection;manual"
((File) source()).setReadable(true); // $ Alert
((File) source()).setReadable(true); // $ Alert[java/path-injection]
// "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual"
((File) source()).setReadOnly(); // $ Alert
((File) source()).setReadOnly(); // $ Alert[java/path-injection]
// "java.io;File;True;setWritable;;;Argument[this];path-injection;manual"
((File) source()).setWritable(true); // $ Alert
((File) source()).setWritable(true); // $ Alert[java/path-injection]
// "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
new File("").renameTo((File) source()); // $ Alert
new File("").renameTo((File) source()); // $ Alert[java/path-injection]
// "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
new FileInputStream((File) source()); // $ Alert
new FileInputStream((File) source()); // $ Alert[java/path-injection]
// "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual"
new FileInputStream((FileDescriptor) source()); // $ Alert
new FileInputStream((FileDescriptor) source()); // $ Alert[java/path-injection]
// "java.io;FileInputStream;true;FileInputStream;(String);;Argument[0];read-file;manual"
new FileInputStream((String) source()); // $ Alert
new FileInputStream((String) source()); // $ Alert[java/path-injection]
// "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
new FileReader((File) source()); // $ Alert
new FileReader((File) source()); // $ Alert[java/path-injection]
// "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual"
new FileReader((FileDescriptor) source()); // $ Alert
new FileReader((FileDescriptor) source()); // $ Alert[java/path-injection]
// "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual"
new FileReader((File) source(), null); // $ Alert
new FileReader((File) source(), null); // $ Alert[java/path-injection]
// "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
new FileReader((String) source()); // $ Alert
new FileReader((String) source()); // $ Alert[java/path-injection]
// "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual"
new FileReader((String) source(), null); // $ Alert
new FileReader((String) source(), null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual"
Files.copy((Path) source(), (Path) null); // $ Alert
Files.copy((Path) source(), (OutputStream) null); // $ Alert
Files.copy((Path) source(), (Path) null); // $ Alert[java/path-injection]
Files.copy((Path) source(), (OutputStream) null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual"
Files.copy((Path) null, (Path) source()); // $ Alert
Files.copy((InputStream) null, (Path) source()); // $ Alert
Files.copy((Path) null, (Path) source()); // $ Alert[java/path-injection]
Files.copy((InputStream) null, (Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual"
Files.createDirectories((Path) source()); // $ Alert
Files.createDirectories((Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual"
Files.createDirectory((Path) source()); // $ Alert
Files.createDirectory((Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual"
Files.createFile((Path) source()); // $ Alert
Files.createFile((Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual"
Files.createLink((Path) source(), null); // $ Alert
Files.createLink((Path) source(), null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual"
Files.createSymbolicLink((Path) source(), null); // $ Alert
Files.createSymbolicLink((Path) source(), null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempDirectory((Path) source(), null); // $ Alert
Files.createTempDirectory((Path) source(), null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempFile((Path) source(), null, null); // $ Alert
Files.createTempFile((Path) source(), null, null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated"
Files.delete((Path) source()); // $ Alert
Files.delete((Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated"
Files.deleteIfExists((Path) source()); // $ Alert
Files.deleteIfExists((Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.lines((Path) source(), null); // $ Alert
Files.lines((Path) source(), null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;move;;;Argument[1];create-file;manual"
Files.move(null, (Path) source()); // $ Alert
Files.move(null, (Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.newBufferedReader((Path) source(), null); // $ Alert
Files.newBufferedReader((Path) source(), null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual"
Files.newBufferedWriter((Path) source()); // $ Alert
Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert
Files.newBufferedWriter((Path) source()); // $ Alert[java/path-injection]
Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual"
Files.newOutputStream((Path) source()); // $ Alert
Files.newOutputStream((Path) source()); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;write;;;Argument[0];create-file;manual"
Files.write((Path) source(), (byte[]) null); // $ Alert
Files.write((Path) source(), (Iterable<CharSequence>) null); // $ Alert
Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ Alert
Files.write((Path) source(), (byte[]) null); // $ Alert[java/path-injection]
Files.write((Path) source(), (Iterable<CharSequence>) null); // $ Alert[java/path-injection]
Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ Alert[java/path-injection]
// "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual"
Files.writeString((Path) source(), (CharSequence) null); // $ Alert
Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert
Files.writeString((Path) source(), (CharSequence) null); // $ Alert[java/path-injection]
Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert[java/path-injection]
// "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated"
new StreamResult((File) source()); // $ Alert
new StreamResult((File) source()); // $ Alert[java/path-injection]
// "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated"
FileUtils.openInputStream((File) source()); // $ Alert
FileUtils.openInputStream((File) source()); // $ Alert[java/path-injection]
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert
new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert[java/path-injection]
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert
new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert[java/path-injection]
// "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual"
FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert
FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert[java/path-injection]
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual"
FileCopyUtils.copy((File) source(), null); // $ Alert
FileCopyUtils.copy((File) source(), null); // $ Alert[java/path-injection]
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual"
FileCopyUtils.copy((File) null, (File) source()); // $ Alert
FileCopyUtils.copy((File) null, (File) source()); // $ Alert[java/path-injection]
}
void test(AntClassLoader acl) {
// "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated"
acl.addPathComponent((File) source()); // $ Alert
acl.addPathComponent((File) source()); // $ Alert[java/path-injection]
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated"
new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert
new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert[java/path-injection]
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert[java/path-injection]
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert[java/path-injection]
// "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated"
new LargeText((File) source(), null, false, false); // $ Alert
new LargeText((File) source(), null, false, false); // $ Alert[java/path-injection]
}
void doGet6(String root, HttpServletRequest request) throws IOException {
@@ -178,29 +178,29 @@ public class Test {
void test(DirectoryScanner ds) {
// "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated"
ds.setBasedir((File) source()); // $ Alert
ds.setBasedir((File) source()); // $ Alert[java/path-injection]
}
void test(Copy cp) {
// "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated"
cp.addFileset((FileSet) source()); // $ Alert
cp.addFileset((FileSet) source()); // $ Alert[java/path-injection]
// "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated"
cp.setFile((File) source()); // $ Alert
cp.setFile((File) source()); // $ Alert[java/path-injection]
// "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated"
cp.setTodir((File) source()); // $ Alert
cp.setTodir((File) source()); // $ Alert[java/path-injection]
// "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated"
cp.setTofile((File) source()); // $ Alert
cp.setTofile((File) source()); // $ Alert[java/path-injection]
}
void test(Expand ex) {
// "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated"
ex.setDest((File) source()); // $ Alert
ex.setDest((File) source()); // $ Alert[java/path-injection]
// "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated"
ex.setSrc((File) source()); // $ Alert
ex.setSrc((File) source()); // $ Alert[java/path-injection]
}
void test(ChainedOptionsBuilder cob) {
// "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated"
cob.result((String) source()); // $ Alert
cob.result((String) source()); // $ Alert[java/path-injection]
}
}

74
java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
View File

@@ -12,25 +12,25 @@ import java.util.Locale;
public class JaxXSS {
@GET
public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source
public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source[java/xss]
Response.ResponseBuilder builder = Response.ok();
if(!safeContentType) {
if(chainDirectly) {
if(contentTypeFirst)
return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss]
else
return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert
return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert[java/xss]
}
else {
if(contentTypeFirst) {
Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
return builder2.entity(userControlled).build(); // $ Alert
return builder2.entity(userControlled).build(); // $ Alert[java/xss]
}
else {
Response.ResponseBuilder builder2 = builder.entity(userControlled);
return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert
return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert[java/xss]
}
}
}
@@ -56,7 +56,7 @@ public class JaxXSS {
}
@GET
public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source
public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source[java/xss]
// Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above:
@@ -105,39 +105,39 @@ public class JaxXSS {
else {
if(route == 0) {
// via ok, as a string literal:
return Response.ok("text/html").entity(userControlled).build(); // $ Alert
return Response.ok("text/html").entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 1) {
// via ok, as a string constant:
return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 2) {
// via ok, as a MediaType constant:
return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert
return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 3) {
// via ok, as a Variant, via constructor:
return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 4) {
// via ok, as a Variant, via static method:
return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 5) {
// via ok, as a Variant, via instance method:
return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 6) {
// via builder variant, before entity:
return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert[java/xss]
}
else if(route == 7) {
// via builder variant, after entity:
return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert
return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert[java/xss]
}
else if(route == 8) {
// provide entity via ok, then content-type via builder:
return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert
return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert[java/xss]
}
}
@@ -161,28 +161,28 @@ public class JaxXSS {
}
@GET @Produces(MediaType.TEXT_HTML)
public static Response methodContentTypeUnsafe(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public static Response methodContentTypeUnsafe(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@POST @Produces(MediaType.TEXT_HTML)
public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@GET @Produces("text/html")
public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@GET @Produces(MediaType.APPLICATION_JSON)
public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source[java/xss]
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss]
}
@GET @Produces(MediaType.TEXT_HTML)
@@ -204,13 +204,13 @@ public class JaxXSS {
}
@GET @Produces({"text/html"})
public Response overridesWithUnsafe(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public Response overridesWithUnsafe(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@GET
public Response overridesWithUnsafe2(String userControlled) { // $ Source
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
public Response overridesWithUnsafe2(String userControlled) { // $ Source[java/xss]
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss]
}
}
@@ -218,13 +218,13 @@ public class JaxXSS {
@Produces({"text/html"})
public static class ClassContentTypeUnsafe {
@GET
public Response test(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public Response test(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@GET
public String testDirectReturn(String userControlled) { // $ Source
return userControlled; // $ Alert
public String testDirectReturn(String userControlled) { // $ Source[java/xss]
return userControlled; // $ Alert[java/xss]
}
@GET @Produces({"application/json"})
@@ -239,13 +239,13 @@ public class JaxXSS {
}
@GET
public static Response entityWithNoMediaType(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
public static Response entityWithNoMediaType(String userControlled) { // $ Source[java/xss]
return Response.ok(userControlled).build(); // $ Alert[java/xss]
}
@GET
public static String stringWithNoMediaType(String userControlled) { // $ Source
return userControlled; // $ Alert
public static String stringWithNoMediaType(String userControlled) { // $ Source[java/xss]
return userControlled; // $ Alert[java/xss]
}
}

20
java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
View File

@@ -18,7 +18,7 @@ public class JsfXSS extends Renderer
{
super.encodeBegin(facesContext, component);
Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source
Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source[java/xss]
String windowId = requestParameters.get("window_id");
ResponseWriter writer = facesContext.getResponseWriter();
@@ -26,7 +26,7 @@ public class JsfXSS extends Renderer
writer.write("(function(){");
writer.write("dswh.init('" + windowId + "','"
+ "......" + "',"
+ -1 + ",{"); // $ Alert
+ -1 + ",{"); // $ Alert[java/xss]
writer.write("});");
writer.write("})();");
writer.write("</script>");
@@ -57,13 +57,13 @@ public class JsfXSS extends Renderer
{
ExternalContext ec = facesContext.getExternalContext();
ResponseWriter writer = facesContext.getResponseWriter();
writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert
writer.write(ec.getRequestParameterNames().next()); // $ Alert
writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert
writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert
writer.write(ec.getRequestPathInfo()); // $ Alert
writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert
writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert
writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert
writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert[java/xss]
writer.write(ec.getRequestParameterNames().next()); // $ Alert[java/xss]
writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert[java/xss]
writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert[java/xss]
writer.write(ec.getRequestPathInfo()); // $ Alert[java/xss]
writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert[java/xss]
writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert[java/xss]
writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert[java/xss]
}
}

56
java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
View File

@@ -13,17 +13,17 @@ import java.util.Optional;
public class SpringXSS {
@GetMapping
public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source
public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source[java/xss]
ResponseEntity.BodyBuilder builder = ResponseEntity.ok();
if(!safeContentType) {
if(chainDirectly) {
return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss]
}
else {
ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
return builder2.body(userControlled); // $ Alert
return builder2.body(userControlled); // $ Alert[java/xss]
}
}
else {
@@ -59,23 +59,23 @@ public class SpringXSS {
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/xyz", produces = "text/html")
public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -84,17 +84,17 @@ public class SpringXSS {
}
@GetMapping(value = "/xyz", produces = {"text/html", "application/json"})
public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source
public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source[java/xss]
// Also try out some alternative constructors for the ResponseEntity:
switch(constructionMethod) {
case 0:
return ResponseEntity.ok(userControlled); // $ Alert
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
case 1:
return ResponseEntity.of(Optional.of(userControlled)); // $ Alert
return ResponseEntity.of(Optional.of(userControlled)); // $ Alert[java/xss]
case 2:
return ResponseEntity.ok().body(userControlled); // $ Alert
return ResponseEntity.ok().body(userControlled); // $ Alert[java/xss]
case 3:
return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ Alert
return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ Alert[java/xss]
default:
return null;
}
@@ -114,13 +114,13 @@ public class SpringXSS {
}
@GetMapping(value = "/xyz", produces = {"text/html"})
public ResponseEntity<String> overridesWithUnsafe(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
public ResponseEntity<String> overridesWithUnsafe(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/abc")
public ResponseEntity<String> overridesWithUnsafe2(String userControlled) { // $ Source
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
public ResponseEntity<String> overridesWithUnsafe2(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss]
}
}
@@ -128,13 +128,13 @@ public class SpringXSS {
@RequestMapping(produces = {"text/html"})
private static class ClassContentTypeUnsafe {
@GetMapping(value = "/abc")
public ResponseEntity<String> test(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
public ResponseEntity<String> test(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/abc")
public String testDirectReturn(String userControlled) { // $ Source
return userControlled; // $ Alert
public String testDirectReturn(String userControlled) { // $ Source[java/xss]
return userControlled; // $ Alert[java/xss]
}
@GetMapping(value = "/xyz", produces = {"application/json"})
@@ -149,13 +149,13 @@ public class SpringXSS {
}
@GetMapping(value = "/abc")
public static ResponseEntity<String> entityWithNoMediaType(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
public static ResponseEntity<String> entityWithNoMediaType(String userControlled) { // $ Source[java/xss]
return ResponseEntity.ok(userControlled); // $ Alert[java/xss]
}
@GetMapping(value = "/abc")
public static String stringWithNoMediaType(String userControlled) { // $ Source
return userControlled; // $ Alert
public static String stringWithNoMediaType(String userControlled) { // $ Source[java/xss]
return userControlled; // $ Alert[java/xss]
}
@GetMapping(value = "/abc")

18
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
View File

@@ -16,7 +16,7 @@ public class XSS extends HttpServlet {
throws ServletException, IOException {
// BAD: a request parameter is written directly to the Servlet response stream
response.getWriter()
.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert[java/xss]
// GOOD: servlet API encodes the error message HTML for the HTML context
response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -31,10 +31,10 @@ public class XSS extends HttpServlet {
"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
// BAD: outputting the path of the resource
response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert
response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert[java/xss]
// BAD: typical XSS, this time written to an OutputStream instead of a Writer
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss]
// GOOD: sanitizer
response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe
@@ -80,34 +80,34 @@ public class XSS extends HttpServlet {
if(setContentMethod == 0) {
// BAD: set content-type to something that is not safe
response.setContentType("text/html");
response.getWriter().print(request.getPathInfo()); // $ Alert
response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss]
}
else if(setContentMethod == 1) {
// BAD: set content-type to something that is not safe
response.setHeader("Content-Type", "text/html");
response.getWriter().print(request.getPathInfo()); // $ Alert
response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss]
}
else {
// BAD: set content-type to something that is not safe
response.addHeader("Content-Type", "text/html");
response.getWriter().print(request.getPathInfo()); // $ Alert
response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss]
}
}
else {
if(setContentMethod == 0) {
// BAD: set content-type to something that is not safe
response.setContentType("text/html");
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss]
}
else if(setContentMethod == 1) {
// BAD: set content-type to something that is not safe
response.setHeader("Content-Type", "text/html");
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss]
}
else {
// BAD: set content-type to something that is not safe
response.addHeader("Content-Type", "text/html");
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss]
}
}
}

12
java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java
View File

@@ -11,7 +11,7 @@ public class ApkInstallation extends Activity {
public void installAPK(String path) {
// BAD: the path is not checked
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert
intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert[java/android/arbitrary-apk-installation]
startActivity(intent);
}
@@ -19,7 +19,7 @@ public class ApkInstallation extends Activity {
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setType(APK_MIMETYPE);
// BAD: the path is not checked
intent.setData(Uri.fromFile(new File(path))); // $ Alert
intent.setData(Uri.fromFile(new File(path))); // $ Alert[java/android/arbitrary-apk-installation]
startActivity(intent);
}
@@ -27,7 +27,7 @@ public class ApkInstallation extends Activity {
// BAD: file is from external storage
File file = new File(Environment.getExternalStorageDirectory(), path);
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert
intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert[java/android/arbitrary-apk-installation]
startActivity(intent);
}
@@ -35,14 +35,14 @@ public class ApkInstallation extends Activity {
// BAD: file is from external storage
File file = new File(Environment.getExternalStorageDirectory(), path);
Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
intent.setData(Uri.fromFile(file)); // $ Alert
intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation]
startActivity(intent);
}
public void installAPKInstallPackageLiteral(String path) {
File file = new File(Environment.getExternalStorageDirectory(), path);
Intent intent = new Intent("android.intent.action.INSTALL_PACKAGE");
intent.setData(Uri.fromFile(file)); // $ Alert
intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation]
startActivity(intent);
}
@@ -50,7 +50,7 @@ public class ApkInstallation extends Activity {
Intent intent = new Intent(this, OtherActivity.class);
intent.setAction(Intent.ACTION_VIEW);
// BAD: the file is from unknown source
intent.setData(Uri.fromFile(file)); // $ Alert
intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation]
}
}

24
java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
View File

@@ -14,41 +14,41 @@ public class GroovyClassLoaderTest extends HttpServlet {
throws ServletException, IOException {
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs); // $ Alert
classLoader.parseClass(gcs); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs, true); // $ Alert
classLoader.parseClass(gcs, true); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert
classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new StringReader(script), "test"); // $ Alert
classLoader.parseClass(new StringReader(script), "test"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script); // $ Alert
classLoader.parseClass(script); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script, "test"); // $ Alert
classLoader.parseClass(script, "test"); // $ Alert[java/groovy-injection]
}
}
}

36
java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java
View File

@@ -18,8 +18,8 @@ public class GroovyCompilationUnitTest extends HttpServlet {
// "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual"
{
CompilationUnit cu = new CompilationUnit();
cu.addSource("test", request.getParameter("source")); // $ Source
cu.compile(); // $ Alert
cu.addSource("test", request.getParameter("source")); // $ Source[java/groovy-injection]
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
@@ -29,20 +29,20 @@ public class GroovyCompilationUnitTest extends HttpServlet {
{
CompilationUnit cu = new CompilationUnit();
cu.addSource("test",
new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source
cu.compile(); // $ Alert
new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source[java/groovy-injection]
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
cu.addSource(new URL(request.getParameter("source"))); // $ Source
cu.compile(); // $ Alert
cu.addSource(new URL(request.getParameter("source"))); // $ Source[java/groovy-injection]
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su =
new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source
new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source[java/groovy-injection]
cu.addSource(su);
cu.compile(); // $ Alert
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
@@ -53,29 +53,29 @@ public class GroovyCompilationUnitTest extends HttpServlet {
}
{
CompilationUnit cu = new CompilationUnit();
StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source
StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source[java/groovy-injection]
SourceUnit su = new SourceUnit("test", rs, null, null, null);
cu.addSource(su);
cu.compile(); // $ Alert
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su =
new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source
new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source[java/groovy-injection]
cu.addSource(su);
cu.compile(); // $ Alert
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source
SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source[java/groovy-injection]
cu.addSource(su);
cu.compile(); // $ Alert
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source
SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source[java/groovy-injection]
cu.addSource(su);
cu.compile(); // $ Alert
cu.compile(); // $ Alert[java/groovy-injection]
}
{
CompilationUnit cu = new CompilationUnit();
@@ -85,8 +85,8 @@ public class GroovyCompilationUnitTest extends HttpServlet {
}
{
JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit();
cu.addSource("test", request.getParameter("source")); // $ Source
cu.compile(); // $ Alert
cu.addSource("test", request.getParameter("source")); // $ Source[java/groovy-injection]
cu.compile(); // $ Alert[java/groovy-injection]
}
{
JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null);

20
java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java
View File

@@ -11,29 +11,29 @@ public class GroovyEvalTest extends HttpServlet {
throws ServletException, IOException {
// "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
Eval.me(script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Eval.me(script); // $ Alert[java/groovy-injection]
}
// "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
Eval.me("test", "result", script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Eval.me("test", "result", script); // $ Alert[java/groovy-injection]
}
// "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
Eval.x("result2", script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Eval.x("result2", script); // $ Alert[java/groovy-injection]
}
// "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
Eval.xy("result3", "result4", script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Eval.xy("result3", "result4", script); // $ Alert[java/groovy-injection]
}
// "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual",
{
String script = request.getParameter("script"); // $ Source
Eval.xyz("result3", "result4", "aaa", script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Eval.xyz("result3", "result4", "aaa", script); // $ Alert[java/groovy-injection]
}
}
}

80
java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java
View File

@@ -19,134 +19,134 @@ public class GroovyShellTest extends HttpServlet {
// "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.evaluate(gcs); // $ Alert
shell.evaluate(gcs); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Reader reader = new StringReader(script);
shell.evaluate(reader); // $ Alert
shell.evaluate(reader); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Reader reader = new StringReader(script);
shell.evaluate(reader, "_"); // $ Alert
shell.evaluate(reader, "_"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.evaluate(script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.evaluate(script); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.evaluate(script, "test"); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.evaluate(script, "test"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.evaluate(script, "test", "test2"); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.evaluate(script, "test", "test2"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy;manual",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.parse(new URI(script)); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.parse(new URI(script)); // $ Alert[java/groovy-injection]
} catch (URISyntaxException e) {
}
// "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Reader reader = new StringReader(script);
shell.parse(reader); // $ Alert
shell.parse(reader); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Reader reader = new StringReader(script);
shell.parse(reader, "_"); // $ Alert
shell.parse(reader, "_"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.parse(script); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.parse(script); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.parse(script, "_"); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.parse(script, "_"); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy;manual",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.parse(new URI(script)); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.parse(new URI(script)); // $ Alert[java/groovy-injection]
} catch (URISyntaxException e) {
}
// "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.run(gcs, new String[] {}); // $ Alert
shell.run(gcs, new String[] {}); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.run(gcs, new ArrayList<String>()); // $ Alert
shell.run(gcs, new ArrayList<String>()); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Reader reader = new StringReader(script);
shell.run(reader, "test", new String[] {}); // $ Alert
shell.run(reader, "test", new String[] {}); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
Reader reader = new StringReader(script);
shell.run(reader, "test", new ArrayList<String>()); // $ Alert
shell.run(reader, "test", new ArrayList<String>()); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.run(script, "_", new String[] {}); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.run(script, "_", new String[] {}); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy;manual",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.run(script, "_", new ArrayList<String>()); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.run(script, "_", new ArrayList<String>()); // $ Alert[java/groovy-injection]
}
// "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy;manual",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.run(new URI(script), new String[] {}); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.run(new URI(script), new String[] {}); // $ Alert[java/groovy-injection]
} catch (URISyntaxException e) {
}
// "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy;manual",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script"); // $ Source
shell.run(new URI(script), new ArrayList<String>()); // $ Alert
String script = request.getParameter("script"); // $ Source[java/groovy-injection]
shell.run(new URI(script), new ArrayList<String>()); // $ Alert[java/groovy-injection]
} catch (URISyntaxException e) {
}
}

10
java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java
View File

@@ -11,7 +11,7 @@ import groovy.text.TemplateEngine;
public class TemplateEngineTest extends HttpServlet {
private Object source(HttpServletRequest request) {
return request.getParameter("script"); // $ Source
return request.getParameter("script"); // $ Source[java/groovy-injection]
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
@@ -19,10 +19,10 @@ public class TemplateEngineTest extends HttpServlet {
try {
Object script = source(request);
TemplateEngine engine = null;
engine.createTemplate(request.getParameter("script")); // $ Alert
engine.createTemplate((File) script); // $ Alert
engine.createTemplate((Reader) script); // $ Alert
engine.createTemplate((URL) script); // $ Alert
engine.createTemplate(request.getParameter("script")); // $ Alert[java/groovy-injection]
engine.createTemplate((File) script); // $ Alert[java/groovy-injection]
engine.createTemplate((Reader) script); // $ Alert[java/groovy-injection]
engine.createTemplate((URL) script); // $ Alert[java/groovy-injection]
} catch (Exception e) {
}

4
java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java
View File

@@ -4,11 +4,11 @@ import javax.validation.ConstraintValidatorContext;
public class InsecureBeanValidation implements ConstraintValidator<Override, String> {
@Override
public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source
public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source[java/insecure-bean-validation]
String value = object + " is invalid";
// Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`
constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert
constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert[java/insecure-bean-validation]
// Good: Using message parameters
constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation();

20
java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java
View File

@@ -11,21 +11,21 @@ public class Jexl2Injection {
JexlEngine jexl = new JexlEngine();
Expression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // $ Alert
e.evaluate(jc); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0));
JexlContext jc = new MapContext();
e.evaluate(jc); // $ Alert
e.evaluate(jc); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlScript(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Script script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
script.execute(jc); // $ Alert
script.execute(jc); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -34,7 +34,7 @@ public class Jexl2Injection {
JexlContext jc = new MapContext();
try {
script.callable(jc).call(); // $ Alert
script.callable(jc).call(); // $ Alert[java/jexl-expression-injection]
} catch (Exception e) {
throw new RuntimeException(e);
}
@@ -42,37 +42,37 @@ public class Jexl2Injection {
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
jexl.getProperty(new Object(), jexlExpr); // $ Alert
jexl.getProperty(new Object(), jexlExpr); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert
jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert
unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert
unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert[java/jexl-expression-injection]
}
private static void testWithSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes); // $ Source
int n = socket.getInputStream().read(bytes); // $ Source[java/jexl-expression-injection]
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}

28
java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java
View File

@@ -18,21 +18,21 @@ public class Jexl3Injection {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // $ Alert
e.evaluate(jc); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // $ Alert
e.evaluate(jc); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlScript(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlScript script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
script.execute(jc); // $ Alert
script.execute(jc); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -41,7 +41,7 @@ public class Jexl3Injection {
JexlContext jc = new MapContext();
try {
script.callable(jc).call(); // $ Alert
script.callable(jc).call(); // $ Alert[java/jexl-expression-injection]
} catch (Exception e) {
throw new RuntimeException(e);
}
@@ -49,30 +49,30 @@ public class Jexl3Injection {
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
jexl.getProperty(new Object(), jexlExpr); // $ Alert
jexl.getProperty(new Object(), jexlExpr); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert
jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert
jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert
jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert
jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert[java/jexl-expression-injection]
}
private static void runJexlExpressionViaCallable(String jexlExpr) {
@@ -81,7 +81,7 @@ public class Jexl3Injection {
JexlContext jc = new MapContext();
try {
e.callable(jc).call(); // $ Alert
e.callable(jc).call(); // $ Alert[java/jexl-expression-injection]
} catch (Exception ex) {
throw new RuntimeException(ex);
}
@@ -91,7 +91,7 @@ public class Jexl3Injection {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes); // $ Source
int n = socket.getInputStream().read(bytes); // $ Source[java/jexl-expression-injection]
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
@@ -141,14 +141,14 @@ public class Jexl3Injection {
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source[java/jexl-expression-injection]
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source[java/jexl-expression-injection]
String expr = data.getExpr();
runJexlExpression(expr);
@@ -158,7 +158,7 @@ public class Jexl3Injection {
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects(
@RequestBody CustomRequest customRequest) { // $ Source
@RequestBody CustomRequest customRequest) { // $ Source[java/jexl-expression-injection]
String expr = customRequest.getData().getExpr();
runJexlExpression(expr);

28
java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java
View File

@@ -21,31 +21,31 @@ import org.mvel2.templates.TemplateRuntime;
public class MvelInjectionTest {
public static void testWithMvelEval(Socket socket) throws IOException {
MVEL.eval(read(socket)); // $ Alert
MVEL.eval(read(socket)); // $ Alert[java/mvel-expression-injection]
}
public static void testWithMvelCompileAndExecute(Socket socket) throws IOException {
Serializable expression = MVEL.compileExpression(read(socket));
MVEL.executeExpression(expression); // $ Alert
MVEL.executeExpression(expression); // $ Alert[java/mvel-expression-injection]
}
public static void testWithExpressionCompiler(Socket socket) throws IOException {
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
ExecutableStatement statement = compiler.compile();
statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert
statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert
statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection]
statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection]
}
public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException {
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
CompiledExpression expression = compiler.compile();
expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert
expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection]
}
public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException {
CompiledAccExpression expression =
new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext());
expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert
expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection]
}
public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception {
@@ -53,10 +53,10 @@ public class MvelInjectionTest {
MvelScriptEngine engine = new MvelScriptEngine();
CompiledScript compiledScript = engine.compile(input);
compiledScript.eval(); // $ Alert
compiledScript.eval(); // $ Alert[java/mvel-expression-injection]
Serializable script = engine.compiledScript(input);
engine.evaluate(script, new SimpleScriptContext()); // $ Alert
engine.evaluate(script, new SimpleScriptContext()); // $ Alert[java/mvel-expression-injection]
}
public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception {
@@ -64,30 +64,30 @@ public class MvelInjectionTest {
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
ExecutableStatement statement = compiler.compile();
MvelCompiledScript script = new MvelCompiledScript(engine, statement);
script.eval(new SimpleScriptContext()); // $ Alert
script.eval(new SimpleScriptContext()); // $ Alert[java/mvel-expression-injection]
}
public static void testTemplateRuntimeEval(Socket socket) throws Exception {
TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert
TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert[java/mvel-expression-injection]
}
public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception {
TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert
TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert[java/mvel-expression-injection]
}
public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception {
TemplateCompiler compiler = new TemplateCompiler(read(socket));
TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert
TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert[java/mvel-expression-injection]
}
public static void testMvelRuntimeExecute(Socket socket) throws Exception {
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
CompiledExpression expression = compiler.compile();
MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert
MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection]
}
public static String read(Socket socket) throws IOException {
try (InputStream is = socket.getInputStream()) { // $ Source
try (InputStream is = socket.getInputStream()) { // $ Source[java/mvel-expression-injection]
byte[] bytes = new byte[1024];
int n = is.read(bytes);
return new String(bytes, 0, n);

28
java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java
View File

@@ -13,7 +13,7 @@ public class SpelInjectionTest {
private static final ExpressionParser PARSER = new SpelExpressionParser();
public void testGetValue(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
@@ -21,33 +21,33 @@ public class SpelInjectionTest {
ExpressionParser parser = new SpelExpressionParser();
Expression expression = parser.parseExpression(input);
expression.getValue(); // $ Alert
expression.getValue(); // $ Alert[java/spel-expression-injection]
}
public void testGetValueWithParseRaw(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
String input = new String(bytes, 0, n);
SpelExpressionParser parser = new SpelExpressionParser();
SpelExpression expression = parser.parseRaw(input);
expression.getValue(); // $ Alert
expression.getValue(); // $ Alert[java/spel-expression-injection]
}
public void testGetValueWithChainedCalls(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
String input = new String(bytes, 0, n);
Expression expression = new SpelExpressionParser().parseExpression(input);
expression.getValue(); // $ Alert
expression.getValue(); // $ Alert[java/spel-expression-injection]
}
public void testSetValueWithRootObject(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
@@ -57,33 +57,33 @@ public class SpelInjectionTest {
Object root = new Object();
Object value = new Object();
expression.setValue(root, value); // $ Alert
expression.setValue(root, value); // $ Alert[java/spel-expression-injection]
}
public void testGetValueWithStaticParser(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
String input = new String(bytes, 0, n);
Expression expression = PARSER.parseExpression(input);
expression.getValue(); // $ Alert
expression.getValue(); // $ Alert[java/spel-expression-injection]
}
public void testGetValueType(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
String input = new String(bytes, 0, n);
Expression expression = PARSER.parseExpression(input);
expression.getValueType(); // $ Alert
expression.getValueType(); // $ Alert[java/spel-expression-injection]
}
public void testWithStandardEvaluationContext(Socket socket) throws IOException {
InputStream in = socket.getInputStream(); // $ Source
InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection]
byte[] bytes = new byte[1024];
int n = in.read(bytes);
@@ -92,7 +92,7 @@ public class SpelInjectionTest {
Expression expression = PARSER.parseExpression(input);
StandardEvaluationContext context = new StandardEvaluationContext();
expression.getValue(context); // $ Alert
expression.getValue(context); // $ Alert[java/spel-expression-injection]
}
public void testWithSimpleEvaluationContext(Socket socket) throws IOException {

36
java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
View File

@@ -20,88 +20,88 @@ public class FreemarkerSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
Reader reader = new StringReader(code);
Template t = new Template(name, reader); // $ Alert
Template t = new Template(name, reader); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
Reader reader = new StringReader(code);
Configuration cfg = new Configuration();
Template t = new Template(name, reader, cfg); // $ Alert
Template t = new Template(name, reader, cfg); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
Reader reader = new StringReader(code);
Configuration cfg = new Configuration();
Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert
Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad4")
public void bad4(HttpServletRequest request) {
String name = "ttemplate";
String sourceCode = request.getParameter("sourceCode"); // $ Source
String sourceCode = request.getParameter("sourceCode"); // $ Source[java/server-side-template-injection]
Configuration cfg = new Configuration();
Template t = new Template(name, sourceCode, cfg); // $ Alert
Template t = new Template(name, sourceCode, cfg); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad5")
public void bad5(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
Configuration cfg = new Configuration();
Reader reader = new StringReader(code);
Template t = new Template(name, sourceName, reader, cfg); // $ Alert
Template t = new Template(name, sourceName, reader, cfg); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad6")
public void bad6(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
Configuration cfg = new Configuration();
ParserConfiguration customParserConfiguration = new Configuration();
Reader reader = new StringReader(code);
Template t =
new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert
new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad7")
public void bad7(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
Configuration cfg = new Configuration();
ParserConfiguration customParserConfiguration = new Configuration();
Reader reader = new StringReader(code);
Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert
Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad8")
public void bad8(HttpServletRequest request) {
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
StringTemplateLoader stringLoader = new StringTemplateLoader();
stringLoader.putTemplate("myTemplate", code); // $ Alert
stringLoader.putTemplate("myTemplate", code); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad9")
public void bad9(HttpServletRequest request) {
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
StringTemplateLoader stringLoader = new StringTemplateLoader();
stringLoader.putTemplate("myTemplate", code, 0); // $ Alert
stringLoader.putTemplate("myTemplate", code, 0); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "good1")

12
java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java
View File

@@ -18,27 +18,27 @@ public class JinJavaSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String template = request.getParameter("template"); // $ Source
String template = request.getParameter("template"); // $ Source[java/server-side-template-injection]
Jinjava jinjava = new Jinjava();
Map<String, Object> context = new HashMap<>();
String renderedTemplate = jinjava.render(template, context); // $ Alert
String renderedTemplate = jinjava.render(template, context); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String template = request.getParameter("template"); // $ Source
String template = request.getParameter("template"); // $ Source[java/server-side-template-injection]
Jinjava jinjava = new Jinjava();
Map<String, Object> bindings = new HashMap<>();
RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert
RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String template = request.getParameter("template"); // $ Source
String template = request.getParameter("template"); // $ Source[java/server-side-template-injection]
Jinjava jinjava = new Jinjava();
Map<String, Object> bindings = new HashMap<>();
JinjavaConfig renderConfig = new JinjavaConfig();
RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert
RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert[java/server-side-template-injection]
}
}

8
java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java
View File

@@ -15,15 +15,15 @@ public class PebbleSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String templateName = request.getParameter("templateName"); // $ Source
String templateName = request.getParameter("templateName"); // $ Source[java/server-side-template-injection]
PebbleEngine engine = new PebbleEngine.Builder().build();
PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert
PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String templateName = request.getParameter("templateName"); // $ Source
String templateName = request.getParameter("templateName"); // $ Source[java/server-side-template-injection]
PebbleEngine engine = new PebbleEngine.Builder().build();
PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert
PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert[java/server-side-template-injection]
}
}

20
java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java
View File

@@ -18,20 +18,20 @@ import org.thymeleaf.context.Context;
public class ThymeleafSSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
try {
TemplateEngine templateEngine = new TemplateEngine();
templateEngine.process(code, (Set<String>) null, (Context) null); // $ Alert
templateEngine.process(code, (Set<String>) null, (Context) null, (Writer) null); // $ Alert
templateEngine.process(code, (Context) null); // $ Alert
templateEngine.process(code, (Context) null, (Writer) null); // $ Alert
templateEngine.processThrottled(code, (Set<String>) null, (Context) null); // $ Alert
templateEngine.processThrottled(code, (Context) null); // $ Alert
templateEngine.process(code, (Set<String>) null, (Context) null); // $ Alert[java/server-side-template-injection]
templateEngine.process(code, (Set<String>) null, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection]
templateEngine.process(code, (Context) null); // $ Alert[java/server-side-template-injection]
templateEngine.process(code, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection]
templateEngine.processThrottled(code, (Set<String>) null, (Context) null); // $ Alert[java/server-side-template-injection]
templateEngine.processThrottled(code, (Context) null); // $ Alert[java/server-side-template-injection]
TemplateSpec spec = new TemplateSpec(code, "");
templateEngine.process(spec, (Context) null); // $ Alert
templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert
templateEngine.processThrottled(spec, (Context) null); // $ Alert
templateEngine.process(spec, (Context) null); // $ Alert[java/server-side-template-injection]
templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection]
templateEngine.processThrottled(spec, (Context) null); // $ Alert[java/server-side-template-injection]
} catch (Exception e) {
}
}

22
java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java
View File

@@ -28,19 +28,19 @@ public class VelocitySSTI {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
VelocityContext context = null;
String s = "We are using $project $name to render this.";
StringWriter w = new StringWriter();
Velocity.evaluate(context, w, "mystring", code); // $ Alert
Velocity.evaluate(context, w, "mystring", code); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
VelocityContext context = null;
@@ -48,17 +48,17 @@ public class VelocitySSTI {
StringWriter w = new StringWriter();
StringReader reader = new StringReader(code);
Velocity.evaluate(context, w, "mystring", reader); // $ Alert
Velocity.evaluate(context, w, "mystring", reader); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
RuntimeServices runtimeServices = null;
StringReader reader = new StringReader(code);
runtimeServices.parse(reader, new Template()); // $ Alert
runtimeServices.parse(reader, new Template()); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "good1")
@@ -78,7 +78,7 @@ public class VelocitySSTI {
@GetMapping(value = "bad5")
public void bad5(HttpServletRequest request) {
String name = "ttemplate";
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
VelocityContext context = new VelocityContext();
context.put("code", code);
@@ -90,8 +90,8 @@ public class VelocitySSTI {
ctx.put("key", code);
engine.evaluate(ctx, null, null, (String) null); // Safe
engine.evaluate(ctx, null, null, (Reader) null); // Safe
engine.evaluate(null, null, null, code); // $ Alert
engine.evaluate(null, null, null, new StringReader(code)); // $ Alert
engine.evaluate(null, null, null, code); // $ Alert[java/server-side-template-injection]
engine.evaluate(null, null, null, new StringReader(code)); // $ Alert[java/server-side-template-injection]
}
@GetMapping(value = "good2")
@@ -111,10 +111,10 @@ public class VelocitySSTI {
@GetMapping(value = "bad6")
public void bad6(HttpServletRequest request) {
String code = request.getParameter("code"); // $ Source
String code = request.getParameter("code"); // $ Source[java/server-side-template-injection]
StringResourceRepository repo = new StringResourceRepositoryImpl();
repo.putStringResource("woogie2", code); // $ Alert
repo.putStringResource("woogie2", code); // $ Alert[java/server-side-template-injection]
}
}

26
java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
View File

@@ -16,18 +16,18 @@ class ConditionalBypassTest {
String user = request.getParameter("user");
String password = request.getParameter("password");
String isAdmin = request.getParameter("isAdmin"); // $ Source
String isAdmin = request.getParameter("isAdmin"); // $ Source[java/user-controlled-bypass]
// BAD: login is only executed if isAdmin is false, but isAdmin
// is controlled by the user
if (isAdmin == "false") // $ Sink
login(user, password); // $ Alert
if (isAdmin == "false") // $ Sink[java/user-controlled-bypass]
login(user, password); // $ Alert[java/user-controlled-bypass]
Cookie adminCookie = getCookies()[0];
// BAD: login is only executed if the cookie value is false, but the cookie
// is controlled by the user
if (adminCookie.getValue().equals("false")) // $ Source Sink
login(user, password); // $ Alert
if (adminCookie.getValue().equals("false")) // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
login(user, password); // $ Alert[java/user-controlled-bypass]
// GOOD: both methods are conditionally executed, but they probably
// both perform the security-critical action
@@ -73,8 +73,8 @@ class ConditionalBypassTest {
public static void test2(String user, String password) {
Cookie adminCookie = getCookies()[0];
// BAD: login may happen once or twice
if (adminCookie.getValue() == "false") // $ Source Sink
login(user, password); // $ Alert
if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
login(user, password); // $ Alert[java/user-controlled-bypass]
else {
// do something else
doIt();
@@ -85,8 +85,8 @@ class ConditionalBypassTest {
public static void test3(String user, String password) {
Cookie adminCookie = getCookies()[0];
// BAD: login may not happen
if (adminCookie.getValue() == "false") // $ Source Sink
login(user, password); // $ Alert
if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
login(user, password); // $ Alert[java/user-controlled-bypass]
else {
// do something else
doIt();
@@ -130,8 +130,8 @@ class ConditionalBypassTest {
public static void test7(String user, String password) {
Cookie adminCookie = getCookies()[0];
// BAD: login is bypasseable
if (adminCookie.getValue() == "false") { // $ Source Sink
login(user, password); // $ Alert
if (adminCookie.getValue() == "false") { // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
login(user, password); // $ Alert[java/user-controlled-bypass]
return;
} else {
doIt();
@@ -142,8 +142,8 @@ class ConditionalBypassTest {
Cookie adminCookie = getCookies()[0];
{
// BAD: login may not happen
if (adminCookie.getValue() == "false") // $ Source Sink
authorize(user, password); // $ Alert
if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass]
authorize(user, password); // $ Alert[java/user-controlled-bypass]
else {
// do something else
doIt();

8
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java generated
View File

@@ -38,7 +38,7 @@ public @interface Consume {
/**
* The uri to consume from
*/
String value() default ""; // $ Alert[java/dead-function]
String value() default "";
/**
* The uri to consume from
@@ -46,12 +46,12 @@ public @interface Consume {
* @deprecated use value instead
*/
@Deprecated
String uri() default ""; // $ Alert[java/dead-function]
String uri() default "";
/**
* Use the field or getter on the bean to provide the uri to consume from
*/
String property() default ""; // $ Alert[java/dead-function]
String property() default "";
/**
* Optional predicate (using simple language) to only consume if the predicate matches . This can be used to filter
@@ -60,5 +60,5 @@ public @interface Consume {
* Notice that only the first method that matches the predicate will be used. And if no predicate matches then the
* message is dropped.
*/
String predicate() default ""; // $ Alert[java/dead-function]
String predicate() default "";
}

2
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java generated
View File

@@ -20,6 +20,6 @@ package org.apache.camel.builder;
* Represents an expression clause within the DSL which when the expression is complete the clause continues to another
* part of the DSL
*/
public class ExpressionClause<T> { // $ Alert[java/dead-class]
public class ExpressionClause<T> {
public T method(String ref) { return null; }
}

4
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java generated
View File

@@ -31,9 +31,9 @@ public abstract class RouteBuilder implements RoutesBuilder {
* @param uri the from uri
* @return the builder
*/
public RouteDefinition from(String uri) { // $ Alert[java/dead-function]
public RouteDefinition from(String uri) {
return null;
}
public abstract void configure() throws Exception; // $ Alert[java/dead-function]
public abstract void configure() throws Exception;
}

2
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java generated
View File

@@ -21,7 +21,7 @@ import org.apache.camel.RoutesBuilder;
public class DefaultCamelContext implements ModelCamelContext {
public void configure() throws Exception {} // $ Alert[java/dead-function]
public void configure() throws Exception {}
public void addRoutes(RoutesBuilder arg0) {}

2
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java generated
View File

@@ -16,4 +16,4 @@
*/
package org.apache.camel.model;
public class FilterDefinition { } // $ Alert[java/dead-class]
public class FilterDefinition { }

2
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java generated
View File

@@ -19,5 +19,5 @@ package org.apache.camel.model;
/**
* A useful base class for output types
*/
public class OutputDefinition<Type extends ProcessorDefinition<Type>> extends ProcessorDefinition<Type> { // $ Alert[java/dead-class]
public class OutputDefinition<Type extends ProcessorDefinition<Type>> extends ProcessorDefinition<Type> {
}

2
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java generated
View File

@@ -18,7 +18,7 @@ package org.apache.camel.model;
import org.apache.camel.builder.ExpressionClause;
public abstract class ProcessorDefinition<Type extends ProcessorDefinition<Type>> { // $ Alert[java/dead-class]
public abstract class ProcessorDefinition<Type extends ProcessorDefinition<Type>> {
public Type to(String uri) { return null; }
public Type bean(Object bean) { return null; }

2
java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java generated
View File

@@ -16,7 +16,7 @@
*/
package org.apache.camel.model;
public class RouteDefinition extends OutputDefinition<RouteDefinition> { // $ Alert[java/dead-class]
public class RouteDefinition extends OutputDefinition<RouteDefinition> {
}