diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected index c3b0608c33e..682993380af 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected 
@@ -1,12 +1,12 @@ edges -| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | -| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | +| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | +| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | nodes | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | semmle.label | ... + ... | -| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | semmle.label | ... + ... | +| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | semmle.label | ... + ... | +| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | semmle.label | ... + ... | subpaths #select -| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value | -| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) | User-provided value | +| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... 
| $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value | +| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | User-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
index 08baf0a9772..7b8c5a1181c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
@@ -17,17 +17,19 @@ public class JSchOSInjectionTest extends HttpServlet {
 config.put("StrictHostKeyChecking", "no");
 JSch jsch = new JSch();
- Session session = jsch.getSession(user, host, 22);
- session.setPassword(password);
- session.setConfig(config);
- session.connect();
+ try {
+ Session session = jsch.getSession(user, host, 22);
+ session.setPassword(password);
+ session.setConfig(config);
+ session.connect();
- Channel channel = session.openChannel("exec");
- ((ChannelExec) channel).setCommand("ping " + command);
- channel.setInputStream(null);
- ((ChannelExec) channel).setErrStream(System.err);
+ Channel channel = session.openChannel("exec");
+ ((ChannelExec) channel).setCommand("ping " + command);
+ channel.setInputStream(null);
+ ((ChannelExec) channel).setErrStream(System.err);
- channel.connect();
+ channel.connect();
+ } catch (JSchException e) { }
 }
 protected void doPost(HttpServletRequest request, HttpServletResponse response)
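Review bot: The `catch (JSchException e) { }` that closes the new try block in doGet is empty and carries no comment, and the same line is added at the end of doPost in the next hunk. In a fixture whose purpose is to carry the tainted `"ping " + command` into `setCommand` this is presumably deliberate, so the line should say so: `} catch (JSchException e) { /* ignored: fixture is analysed, not run */ }`. I would also mark each `setCommand` line with a trailing `// BAD: request parameter concatenated into the remote command`, since ExecTainted.expected identifies the sinks only by line and column and had to be renumbered by this change. doGet starts above the hunk, so the declaration of `command` is not visible here.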
@@ -41,16 +43,18 @@ public class JSchOSInjectionTest extends HttpServlet {
 config.put("StrictHostKeyChecking", "no");
 JSch jsch = new JSch();
- Session session = jsch.getSession(user, host, 22);
- session.setPassword(password);
- session.setConfig(config);
- session.connect();
+ try {
+ Session session = jsch.getSession(user, host, 22);
+ session.setPassword(password);
+ session.setConfig(config);
+ session.connect();
- ChannelExec channel = (ChannelExec)session.openChannel("exec");
- channel.setCommand("ping " + command);
- channel.setInputStream(null);
- channel.setErrStream(System.err);
+ ChannelExec channel = (ChannelExec)session.openChannel("exec");
+ channel.setCommand("ping " + command);
+ channel.setInputStream(null);
+ channel.setErrStream(System.err);
- channel.connect();
+ channel.connect();
+ } catch (JSchException e) { }
 }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/options b/java/ql/test/experimental/query-tests/security/CWE-078/options
index eb7209ebe1e..27f8028a9d4 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-078/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jsch-0.1.55
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsch-0.1.55