From 38c0557d90b40bf8f0cb347e66eb08c82adf9e20 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 15 Aug 2022 11:06:06 +0100
Subject: [PATCH] Adjust test to moved and expanded stubs
---
 .../security/CWE-078/ExecTainted.expected | 14 +++----
 .../security/CWE-078/JSchOSInjectionTest.java | 42 ++++++++++---------
 .../query-tests/security/CWE-078/options | 2 +-
 3 files changed, 31 insertions(+), 27 deletions(-)
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
index c3b0608c33e..682993380af 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
@@ -1,12 +1,12 @@
 edges
-| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... |
-| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... |
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... |
 nodes
 | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | semmle.label | ... + ... |
-| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | semmle.label | ... + ... |
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | semmle.label | ... + ... |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
-| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
-| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) | User-provided value |
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | User-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
index 08baf0a9772..7b8c5a1181c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
@@ -17,17 +17,19 @@ public class JSchOSInjectionTest extends HttpServlet {
 config.put("StrictHostKeyChecking", "no");
 JSch jsch = new JSch();
- Session session = jsch.getSession(user, host, 22);
- session.setPassword(password);
- session.setConfig(config);
- session.connect();
+ try {
+ Session session = jsch.getSession(user, host, 22);
+ session.setPassword(password);
+ session.setConfig(config);
+ session.connect();
- Channel channel = session.openChannel("exec");
- ((ChannelExec) channel).setCommand("ping " + command);
- channel.setInputStream(null);
- ((ChannelExec) channel).setErrStream(System.err);
+ Channel channel = session.openChannel("exec");
+ ((ChannelExec) channel).setCommand("ping " + command);
+ channel.setInputStream(null);
+ ((ChannelExec) channel).setErrStream(System.err);
- channel.connect();
+ channel.connect();
+ } catch (JSchException e) { }
 }
 protected void doPost(HttpServletRequest request, HttpServletResponse response)
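Review bot: The empty `catch (JSchException e) { }` added at the end of doGet (and repeated in the doPost hunk) discards every JSch failure without saying why. The commit title suggests the block exists only because the expanded jsch stubs now declare the exception, so a comment inside the braces, e.g. `} catch (JSchException e) { /* ignored: fixture is only compiled against stubs */ }`, would record that the swallow is deliberate and keep the pattern from being copied into code that actually runs. ExecTainted.expected pins the sinks to 27:52 and 53:36, so keep the comment on the existing catch line to avoid shifting any location. For the same reason a trailing `// BAD: request parameter concatenated into the remote command` after each `setCommand("ping " + command)` call would mark the intended finding without moving its columns. doGet's signature and the start of its body are outside the hunk.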
@@ -41,16 +43,18 @@ public class JSchOSInjectionTest extends HttpServlet {
 config.put("StrictHostKeyChecking", "no");
 JSch jsch = new JSch();
- Session session = jsch.getSession(user, host, 22);
- session.setPassword(password);
- session.setConfig(config);
- session.connect();
+ try {
+ Session session = jsch.getSession(user, host, 22);
+ session.setPassword(password);
+ session.setConfig(config);
+ session.connect();
- ChannelExec channel = (ChannelExec)session.openChannel("exec");
- channel.setCommand("ping " + command);
- channel.setInputStream(null);
- channel.setErrStream(System.err);
+ ChannelExec channel = (ChannelExec)session.openChannel("exec");
+ channel.setCommand("ping " + command);
+ channel.setInputStream(null);
+ channel.setErrStream(System.err);
- channel.connect();
+ channel.connect();
+ } catch (JSchException e) { }
 }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/options b/java/ql/test/experimental/query-tests/security/CWE-078/options
index eb7209ebe1e..27f8028a9d4 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-078/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jsch-0.1.55
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsch-0.1.55