Merge pull request #5102 from luchua-bc/java/main-method-in-servlet

Java: CWE-489 Query to detect main() method in servlets
2026-04-27 17:55:19 +02:00 · 2021-02-25 16:05:06 +01:00
parent 81b29316e1 e34a203731
commit 505d04b13e
36 changed files with 2538 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.expected
@@ -0,0 +1 @@
+| ServiceBean.java:55:24:55:27 | main | Java EE application has a main method. |
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java
@@ -0,0 +1,59 @@
+import javax.ejb.SessionBean;
+import javax.ejb.EJBException;
+import java.rmi.RemoteException;
+import javax.ejb.SessionContext;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+public class ServiceBean implements SessionBean {
+
+    protected SessionContext ctx;
+
+    private String _serviceName;
+
+    /**
+     * Create the session bean (empty implementation)
+     */
+    public void ejbCreate() throws javax.ejb.CreateException {
+        System.out.println("ServiceBean:ejbCreate()");
+    }
+
+    public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    /**
+     * Get service name
+     * @return service name
+     */
+    public String getServiceName() {
+        return _serviceName;
+    }
+
+    /**
+     * Set service name
+     * @param serviceName the service name
+     */
+    public void setServiceName(String serviceName) {
+        _serviceName = serviceName;
+    }
+
+    /** Do service (no implementation) */
+    public String doService() {
+        return null;
+    }
+
+    /** Local unit testing code */
+    public static void main(String[] args) throws Exception {
+        ServiceBean b = new ServiceBean();
+        b.doService();
+    }
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-489/EJBMain.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java
@@ -0,0 +1,25 @@
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import java.net.URL;
+
+public class ServletContextListenerMain implements ServletContextListener {
+	@Override
+	public void contextInitialized(ServletContextEvent sce) {
+		System.out.println("listener starts to work!");
+	}
+
+	@Override
+	public void contextDestroyed(ServletContextEvent sce) {
+		System.out.println("listener stopped!");
+	}
+
+	// BAD - Implement a main method in servlet listener.
+	public static void main(String[] args) {
+		try {
+			URL url = new URL("https://www.example.com");
+			url.openConnection();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.expected
@@ -0,0 +1,2 @@
+| ServletContextListenerMain.java:17:21:17:24 | main | Web application has a main method. |
+| ServletMain.java:28:21:28:24 | main | Web application has a main method. |
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java
@@ -0,0 +1,33 @@
+import javax.servlet.Servlet;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.ServletException;
+import javax.servlet.ServletConfig;
+import java.io.IOException;
+import java.net.URL;
+
+public class ServletMain implements Servlet {
+	public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
+	}
+
+	public void init(ServletConfig servletConfig) throws ServletException {
+	}
+
+	public ServletConfig getServletConfig() {
+		return null;
+	}
+
+	public String getServletInfo() {
+		return null;
+	}
+
+	public void destroy() {
+	}
+
+	// BAD - Implement a main method in servlet.
+	public static void main(String[] args) throws Exception {
+		// Connect to my server
+		URL url = new URL("https://www.example.com");
+		url.openConnection();
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-489/WebComponentMain.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-489/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/ejb-3.2
				`@@ -0,0 +1 @@`
				`\| ServiceBean.java:55:24:55:27 \| main \| Java EE application has a main method. \|`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-489/EJBMain.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-489/WebComponentMain.ql`
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/ejb-3.2`