hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Java autobuilder integration tests

Browse Source
This commit is contained in:
Chris Smowton
2023-01-05 12:19:25 +00:00
parent 4aa62757a9
commit 52297c0b23
166 changed files with 4562 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
java/ql/integration-tests/all-platforms/java/ant-sample/build.xml Normal file
View File

@@ -0,0 +1,38 @@
<project name="ant-sample" default="dist" basedir=".">
<description>
simple example build file
</description>
<!-- set global properties for this build -->
<property name="src" location="src"/>
<property name="build" location="build"/>
<property name="dist" location="dist"/>
<target name="init">
<!-- Create the time stamp -->
<tstamp/>
<!-- Create the build directory structure used by compile -->
<mkdir dir="${build}"/>
</target>
<target name="compile" depends="init"
description="compile the source">
<!-- Compile the Java code from ${src} into ${build} -->
<javac srcdir="${src}" destdir="${build}"/>
</target>
<target name="dist" depends="compile"
description="generate the distribution">
<!-- Create the distribution directory -->
<mkdir dir="${dist}/lib"/>
<!-- Put everything in ${build} into the ant-sample-${DSTAMP}.jar file -->
<jar jarfile="${dist}/lib/ant-sample-${DSTAMP}.jar" basedir="${build}"/>
</target>
<target name="clean"
description="clean up">
<!-- Delete the ${build} and ${dist} directory trees -->
<delete dir="${build}"/>
<delete dir="${dist}"/>
</target>
</project>

14
java/ql/integration-tests/all-platforms/java/ant-sample/src/main/java/com/example/App.java Normal file
View File

@@ -0,0 +1,14 @@
/*
* This Java source file was generated by the Gradle 'init' task.
*/
package com.example;
public class App {
public String getGreeting() {
return "Hello world.";
}
public static void main(String[] args) {
System.out.println(new App().getGreeting());
}
}

4
java/ql/integration-tests/all-platforms/java/ant-sample/test.expected Normal file
View File

@@ -0,0 +1,4 @@
xmlFiles
| build.xml:0:0:0:0 | build.xml |
#select
| src/main/java/com/example/App.java:0:0:0:0 | App |

5
java/ql/integration-tests/all-platforms/java/ant-sample/test.py Normal file
View File

@@ -0,0 +1,5 @@
import sys
from create_database_utils import *
run_codeql_database_create([], lang="java")

7
java/ql/integration-tests/all-platforms/java/ant-sample/test.ql Normal file
View File

@@ -0,0 +1,7 @@
import java
from File f
where f.isSourceFile()
select f
query predicate xmlFiles(XmlFile x) { any() }

6
java/ql/integration-tests/all-platforms/java/gradle-sample/.gitattributes vendored Normal file
View File

@@ -0,0 +1,6 @@
#
# https://help.github.com/articles/dealing-with-line-endings/
#
# These are explicitly windows files and should use crlf
*.bat text eol=crlf

5
java/ql/integration-tests/all-platforms/java/gradle-sample/.gitignore vendored Normal file
View File

@@ -0,0 +1,5 @@
# Ignore Gradle project-specific cache directory
.gradle
# Ignore Gradle build output directory
build

30
java/ql/integration-tests/all-platforms/java/gradle-sample/build.gradle Normal file
View File

@@ -0,0 +1,30 @@
/*
* This build file was auto generated by running the Gradle 'init' task
* by 'arthur' at '28/11/20 22:29' with Gradle 3.0
*
* This generated file contains a sample Java project to get you started.
* For more details take a look at the Java Quickstart chapter in the Gradle
* user guide available at https://docs.gradle.org/3.0/userguide/tutorial_java_projects.html
*/
// Apply the java plugin to add support for Java
apply plugin: 'java'
// In this section you declare where to find the dependencies of your project
repositories {
// Use 'jcenter' for resolving your dependencies.
// You can declare any Maven/Ivy/file repository here.
jcenter()
}
// In this section you declare the dependencies for your production and test code
dependencies {
// The production code uses the SLF4J logging API at compile time
compile 'org.slf4j:slf4j-api:1.7.21'
// Declare the dependency for your favourite test framework you want to use in your tests.
// TestNG is also supported by the Gradle Test task. Just change the
// testCompile dependency to testCompile 'org.testng:testng:6.8.1' and add
// 'test.useTestNG()' to your build script.
testCompile 'junit:junit:4.12'
}

7
java/ql/integration-tests/all-platforms/java/gradle-sample/gradle/verification-metadata.xml Normal file
View File

@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata>
<configuration>
<verify-metadata>true</verify-metadata>
<verify-signatures>false</verify-signatures>
</configuration>
</verification-metadata>

BIN
java/ql/integration-tests/all-platforms/java/gradle-sample/gradle/wrapper/gradle-wrapper.jar vendored Normal file
View File

Binary file not shown.

5
java/ql/integration-tests/all-platforms/java/gradle-sample/gradle/wrapper/gradle-wrapper.properties vendored Normal file
View File

@@ -0,0 +1,5 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-6.6.1-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists

185
java/ql/integration-tests/all-platforms/java/gradle-sample/gradlew vendored Executable file
View File

@@ -0,0 +1,185 @@
#!/usr/bin/env sh
#
# Copyright 2015 the original author or authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG=`dirname "$PRG"`"/$link"
fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null
APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"
warn () {
echo "$*"
}
die () {
echo
echo "$*"
echo
exit 1
}
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "`uname`" in
CYGWIN* )
cygwin=true
;;
Darwin* )
darwin=true
;;
MINGW* )
msys=true
;;
NONSTOP* )
nonstop=true
;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD="java"
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
MAX_FD_LIMIT=`ulimit -H -n`
if [ $? -eq 0 ] ; then
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
MAX_FD="$MAX_FD_LIMIT"
fi
ulimit -n $MAX_FD
if [ $? -ne 0 ] ; then
warn "Could not set maximum file descriptor limit: $MAX_FD"
fi
else
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
fi
fi
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi
# For Cygwin or MSYS, switch paths to Windows format before running java
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
JAVACMD=`cygpath --unix "$JAVACMD"`
# We build the pattern for arguments to be converted via cygpath
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
SEP=""
for dir in $ROOTDIRSRAW ; do
ROOTDIRS="$ROOTDIRS$SEP$dir"
SEP="|"
done
OURCYGPATTERN="(^($ROOTDIRS))"
# Add a user-defined pattern to the cygpath arguments
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
fi
# Now convert the arguments - kludge to limit ourselves to /bin/sh
i=0
for arg in "$@" ; do
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
else
eval `echo args$i`="\"$arg\""
fi
i=`expr $i + 1`
done
case $i in
0) set -- ;;
1) set -- "$args0" ;;
2) set -- "$args0" "$args1" ;;
3) set -- "$args0" "$args1" "$args2" ;;
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
esac
fi
# Escape application args
save () {
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
echo " "
}
APP_ARGS=`save "$@"`
# Collect all arguments for the java command, following the shell quoting and substitution rules
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
exec "$JAVACMD" "$@"

89
java/ql/integration-tests/all-platforms/java/gradle-sample/gradlew.bat vendored Normal file
View File

@@ -0,0 +1,89 @@
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto execute
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto execute
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega

19
java/ql/integration-tests/all-platforms/java/gradle-sample/settings.gradle Normal file
View File

@@ -0,0 +1,19 @@
/*
* This settings file was auto generated by the Gradle buildInit task
* by 'arthur' at '28/11/20 22:29' with Gradle 3.0
*
* The settings file is used to specify which projects to include in your build.
* In a single project build this file can be empty or even removed.
*
* Detailed information about configuring a multi-project build in Gradle can be found
* in the user guide at https://docs.gradle.org/3.0/userguide/multi_project_builds.html
*/
/*
// To declare projects as part of a multi-project build use the 'include' method
include 'shared'
include 'api'
include 'services:webservice'
*/
rootProject.name = 'gradle-sample'

14
java/ql/integration-tests/all-platforms/java/gradle-sample/src/main/java/com/example/App.java Normal file
View File

@@ -0,0 +1,14 @@
/*
* This Java source file was generated by the Gradle 'init' task.
*/
package com.example;
public class App {
public String getGreeting() {
return "Hello world.";
}
public static void main(String[] args) {
System.out.println(new App().getGreeting());
}
}

14
java/ql/integration-tests/all-platforms/java/gradle-sample/src/test/java/com/example/AppTest.java Normal file
View File

@@ -0,0 +1,14 @@
/*
* This Java source file was generated by the Gradle 'init' task.
*/
package com.example;
import org.junit.Test;
import static org.junit.Assert.*;
public class AppTest {
@Test public void testAppHasAGreeting() {
App classUnderTest = new App();
assertNotNull("app should have a greeting", classUnderTest.getGreeting());
}
}

5
java/ql/integration-tests/all-platforms/java/gradle-sample/test.expected Normal file
View File

@@ -0,0 +1,5 @@
xmlFiles
| gradle/verification-metadata.xml:0:0:0:0 | gradle/verification-metadata.xml |
#select
| src/main/java/com/example/App.java:0:0:0:0 | App |
| src/test/java/com/example/AppTest.java:0:0:0:0 | AppTest |

5
java/ql/integration-tests/all-platforms/java/gradle-sample/test.py Normal file
View File

@@ -0,0 +1,5 @@
import sys
from create_database_utils import *
run_codeql_database_create([], lang="java")

7
java/ql/integration-tests/all-platforms/java/gradle-sample/test.ql Normal file
View File

@@ -0,0 +1,7 @@
import java
from File f
where f.isSourceFile()
select f
query predicate xmlFiles(XmlFile x) { any() }

22
java/ql/integration-tests/all-platforms/java/java-web-jsp/.gitignore vendored Normal file
View File

@@ -0,0 +1,22 @@
#Eclipse
.classpath
.project
test-output
.settings
#IntelliJ
*.iml
*.ipr
*.iws
.idea/
#Gradle
.gradle
#Build directories
bin/
build/
target/
#Maven
*.versionsBackup

1
java/ql/integration-tests/all-platforms/java/java-web-jsp/README.txt Normal file
View File

@@ -0,0 +1 @@
Modified version of https://github.com/find-sec-bugs/find-sec-bugs-demos/tree/84274ed6c47ed4627fd13be6ac099dd9fb66f3c8/java-web-jsp

306
java/ql/integration-tests/all-platforms/java/java-web-jsp/pom.xml Normal file
View File

@@ -0,0 +1,306 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.h3xstream.test</groupId>
<artifactId>vulnerable-jsp-app</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>war</packaging>
<name>Vulnerable JSP Application</name>
<description>
This is a demo application used to display the typical configuration required to precompiled JSP.
This application also contains vulnerable samples. DO NOT used this project's code as example.
</description>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<jetty-version>9.3.3.v20150827</jetty-version>
<spring.version>4.0.2.RELEASE</spring.version>
<!--<sonar.language></sonar.language>-->
</properties>
<dependencies>
<!-- Servlet API -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
<!-- Jetty -->
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-annotations</artifactId>
<version>${jetty-version}</version>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-webapp</artifactId>
<version>${jetty-version}</version>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>apache-jsp</artifactId>
<version>${jetty-version}</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>apache-jstl</artifactId>
<version>${jetty-version}</version>
<type>pom</type>
</dependency>
<!-- Spring Web MVC (Include Tag Lib) -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
<type>jar</type>
</dependency>
<!-- OWASP Java Encoder -->
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder-jsp</artifactId>
<version>1.2</version>
</dependency>
</dependencies>
<profiles>
<!-- Compilation of the JSP with Weblogic 12.1.3.0 -->
<profile>
<id>weblogic1213Jsp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<!-- This is the configuration for the
weblogic-maven-plugin
-->
<groupId>com.oracle.weblogic</groupId>
<artifactId>wls-maven-plugin</artifactId>
<version>12.1.3.0</version>
<configuration>
<middlewareHome>C:/Oracle/Middleware/Oracle_Home</middlewareHome>
</configuration>
<executions>
<!-- Execute the appc goal during the package phase -->
<execution>
<id>wls-appc</id>
<phase>package</phase>
<goals>
<goal>appc</goal>
</goals>
<configuration>
<continueCompilation>true</continueCompilation>
<writeInferredDescriptors>true</writeInferredDescriptors>
<commentary>true</commentary>
<lineNumbers>true</lineNumbers>
<verboseJavac>true</verboseJavac>
<idlVerbose>true</idlVerbose>
<source>${project.build.directory}/${project.artifactId}-${project.version}.${project.packaging}</source>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<!-- Compilation of the JSP with Jetty 9.4.20 -->
<profile>
<id>jetty9420Jsp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jspc-maven-plugin</artifactId>
<version>9.4.20.v20190813</version> <!-- Latest version -->
<executions>
<execution>
<id>jspc</id>
<goals>
<goal>jspc</goal>
</goals>
<configuration>
<jspc>
<smapSuppressed>false</smapSuppressed>
<smapDumped>true</smapDumped>
</jspc>
<keepSources>true</keepSources>
<useProvidedScope>true</useProvidedScope>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<!-- Compilation of the JSP with Jetty 9.3.6 -->
<profile>
<id>jetty936Jsp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jspc-maven-plugin</artifactId>
<version>9.3.6.v20151106</version>
<executions>
<execution>
<id>jspc</id>
<goals>
<goal>jspc</goal>
</goals>
<configuration>
<jspc>
<smapSuppressed>false</smapSuppressed>
<smapDumped>true</smapDumped>
</jspc>
<keepSources>true</keepSources>
<useProvidedScope>true</useProvidedScope>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<!-- Compilation of the JSP with Jetty 9.0.7 -->
<profile>
<id>jetty907Jsp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jspc-maven-plugin</artifactId>
<version>9.0.7.v20131107</version>
<executions>
<execution>
<id>jspc</id>
<goals>
<goal>jspc</goal>
</goals>
<configuration>
<suppressSmap>false</suppressSmap>
<useProvidedScope>true</useProvidedScope>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<!-- Compilation of the JSP with Tomcat -->
<profile>
<id>tomcat8Jsp</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>io.leonard.maven.plugins</groupId>
<artifactId>jspc-maven-plugin</artifactId>
<version>3.2.0</version>
<executions>
<execution>
<goals>
<goal>compile</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
<build>
<plugins>
<!-- Compilation with Java 8 -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.10.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>3.3.2</version>
</plugin>
<!-- SpotBugs Static Analysis -->
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>3.1.12</version>
<configuration>
<effort>Max</effort>
<threshold>Low</threshold>
<failOnError>true</failOnError>
<includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
<excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>1.9.0</version> <!-- Auto-update to the latest stable -->
</plugin>
</plugins>
</configuration>
</plugin>
</plugins>
</build>
</project>

2
java/ql/integration-tests/all-platforms/java/java-web-jsp/spotbugs-security-exclude.xml Normal file
View File

@@ -0,0 +1,2 @@
<FindBugsFilter>
</FindBugsFilter>

5
java/ql/integration-tests/all-platforms/java/java-web-jsp/spotbugs-security-include.xml Normal file
View File

@@ -0,0 +1,5 @@
<FindBugsFilter>
<Match>
<Bug category="SECURITY"/>
</Match>
</FindBugsFilter>

41
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/com/acme/Counter.java Normal file
View File

@@ -0,0 +1,41 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package com.acme;
@SuppressWarnings("serial")
public class Counter implements java.io.Serializable
{
int counter=0;
String last;
public int getCount()
{
counter++;
return counter;
}
public void setLast(String uri) {
last=uri;
}
public String getLast() {
return last;
}
}

53
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/com/acme/Date2Tag.java Normal file
View File

@@ -0,0 +1,53 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package com.acme;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.StringTokenizer;
import javax.servlet.jsp.JspContext;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.JspFragment;
import javax.servlet.jsp.tagext.SimpleTagSupport;
public class Date2Tag extends SimpleTagSupport
{
String format;
public void setFormat(String value) {
this.format = value;
}
public void doTag() throws JspException, IOException {
String formatted =
new SimpleDateFormat("long".equals(format)?"EEE 'the' d:MMM:yyyy":"d:MM:yy")
.format(new Date());
StringTokenizer tok = new StringTokenizer(formatted,":");
JspContext context = getJspContext();
context.setAttribute("day", tok.nextToken() );
context.setAttribute("month", tok.nextToken() );
context.setAttribute("year", tok.nextToken() );
JspFragment fragment = getJspBody();
fragment.invoke(null);
}
}

36
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/com/acme/DateServlet.java Normal file
View File

@@ -0,0 +1,36 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package com.acme;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@SuppressWarnings("serial")
public class DateServlet extends HttpServlet
{
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException
{
req.getRequestDispatcher("/test/tag2.jsp").forward(req,resp);
}
}

71
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/com/acme/DateTag.java Normal file
View File

@@ -0,0 +1,71 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package com.acme;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.JspTagException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.BodyContent;
import javax.servlet.jsp.tagext.BodyTagSupport;
import javax.servlet.jsp.tagext.Tag;
@SuppressWarnings("serial")
public class DateTag extends BodyTagSupport
{
Tag parent;
BodyContent body;
String tz="GMT";
public void setParent(Tag parent) {this.parent=parent;}
public Tag getParent() {return parent;}
public void setBodyContent(BodyContent content) {body=content;}
public void setPageContext(PageContext pageContext) {}
public void setTz(String value) {tz=value;}
public int doStartTag() throws JspException {return EVAL_BODY_BUFFERED;}
public int doEndTag() throws JspException {return EVAL_PAGE;}
public void doInitBody() throws JspException {}
public int doAfterBody() throws JspException {
try
{
SimpleDateFormat format = new SimpleDateFormat(body.getString());
format.setTimeZone(TimeZone.getTimeZone(tz));
body.getEnclosingWriter().write(format.format(new Date()));
return SKIP_BODY;
}
catch (Exception ex) {
ex.printStackTrace();
throw new JspTagException(ex.toString());
}
}
public void release()
{
body=null;
}
}

122
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/com/acme/TagListener.java Normal file
View File

@@ -0,0 +1,122 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package com.acme;
import javax.servlet.ServletContextAttributeEvent;
import javax.servlet.ServletContextAttributeListener;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRequestAttributeEvent;
import javax.servlet.ServletRequestAttributeListener;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
public class TagListener implements HttpSessionListener, HttpSessionAttributeListener, HttpSessionActivationListener, ServletContextListener, ServletContextAttributeListener, ServletRequestListener, ServletRequestAttributeListener
{
public void attributeAdded(HttpSessionBindingEvent se)
{
//System.err.println("tagListener: attributedAdded "+se);
}
public void attributeRemoved(HttpSessionBindingEvent se)
{
//System.err.println("tagListener: attributeRemoved "+se);
}
public void attributeReplaced(HttpSessionBindingEvent se)
{
//System.err.println("tagListener: attributeReplaced "+se);
}
public void sessionWillPassivate(HttpSessionEvent se)
{
//System.err.println("tagListener: sessionWillPassivate "+se);
}
public void sessionDidActivate(HttpSessionEvent se)
{
//System.err.println("tagListener: sessionDidActivate "+se);
}
public void contextInitialized(ServletContextEvent sce)
{
//System.err.println("tagListener: contextInitialized "+sce);
}
public void contextDestroyed(ServletContextEvent sce)
{
//System.err.println("tagListener: contextDestroyed "+sce);
}
public void attributeAdded(ServletContextAttributeEvent scab)
{
//System.err.println("tagListener: attributeAdded "+scab);
}
public void attributeRemoved(ServletContextAttributeEvent scab)
{
//System.err.println("tagListener: attributeRemoved "+scab);
}
public void attributeReplaced(ServletContextAttributeEvent scab)
{
//System.err.println("tagListener: attributeReplaced "+scab);
}
public void requestDestroyed(ServletRequestEvent sre)
{
//System.err.println("tagListener: requestDestroyed "+sre);
}
public void requestInitialized(ServletRequestEvent sre)
{
//System.err.println("tagListener: requestInitialized "+sre);
}
public void attributeAdded(ServletRequestAttributeEvent srae)
{
//System.err.println("tagListener: attributeAdded "+srae);
}
public void attributeRemoved(ServletRequestAttributeEvent srae)
{
//System.err.println("tagListener: attributeRemoved "+srae);
}
public void attributeReplaced(ServletRequestAttributeEvent srae)
{
//System.err.println("tagListener: attributeReplaced "+srae);
}
public void sessionCreated(HttpSessionEvent se)
{
//System.err.println("tagListener: sessionCreated "+se);
}
public void sessionDestroyed(HttpSessionEvent se)
{
//System.err.println("tagListener: sessionDestroyed "+se);
}
}

44
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/org/eclipse/jetty/demo/LoggingUtil.java Normal file
View File

@@ -0,0 +1,44 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.demo;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.util.logging.LogManager;
public final class LoggingUtil
{
public static void config()
{
ClassLoader cl = Thread.currentThread().getContextClassLoader();
URL url = cl.getResource("logging.properties");
if (url != null)
{
try(InputStream in = url.openStream())
{
LogManager.getLogManager().readConfiguration(in);
}
catch (IOException e)
{
e.printStackTrace(System.err);
}
}
}
}

277
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/org/eclipse/jetty/demo/Main.java Normal file
View File

@@ -0,0 +1,277 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.demo;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.eclipse.jetty.jsp.JettyJspServlet;
import org.apache.tomcat.InstanceManager;
import org.apache.tomcat.SimpleInstanceManager;
import org.eclipse.jetty.annotations.ServletContainerInitializersStarter;
import org.eclipse.jetty.apache.jsp.JettyJasperInitializer;
import org.eclipse.jetty.plus.annotation.ContainerInitializer;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.log.JavaUtilLog;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.webapp.WebAppContext;
import com.acme.DateServlet;
/**
* Example of using JSP's with embedded jetty and not requiring
* all of the overhead of a WebAppContext
*/
public class Main
{
// Resource path pointing to where the WEBROOT is
private static final String WEBROOT_INDEX = "/WEB-INF/..";
public static void main(String[] args) throws Exception
{
int port = 9999;
LoggingUtil.config();
Log.setLog(new JavaUtilLog());
Main main = new Main(port);
main.start();
main.waitForInterrupt();
}
private static final Logger LOG = Logger.getLogger(Main.class.getName());
private int port;
private Server server;
private URI serverURI;
public Main(int port)
{
this.port = port;
}
public URI getServerURI()
{
return serverURI;
}
public void start() throws Exception
{
server = new Server();
ServerConnector connector = connector();
server.addConnector(connector);
URI baseUri = getWebRootResourceUri();
// Set JSP to use Standard JavaC always
System.setProperty("org.apache.jasper.compiler.disablejsr199", "false");
WebAppContext webAppContext = getWebAppContext(baseUri, getScratchDir());
server.setHandler(webAppContext);
// Start Server
server.start();
// Show server state
if (LOG.isLoggable(Level.FINE))
{
LOG.fine(server.dump());
}
this.serverURI = getServerUri(connector);
}
private ServerConnector connector()
{
ServerConnector connector = new ServerConnector(server);
connector.setPort(port);
return connector;
}
private URI getWebRootResourceUri() throws FileNotFoundException, URISyntaxException
{
URL indexUri = this.getClass().getResource("/");
if (indexUri == null)
{
throw new FileNotFoundException("Unable to find resource " + WEBROOT_INDEX);
}
// Points to wherever /webroot/ (the resource) is
//return indexUri.toURI();
return new URI(indexUri.getPath()+"../../src/main/webapp");
}
/**
* Establish Scratch directory for the servlet context (used by JSP compilation)
*/
private File getScratchDir() throws IOException
{
File tempDir = new File(System.getProperty("java.io.tmpdir"));
File scratchDir = new File(tempDir.toString(), "embedded-jetty-jsp");
if (!scratchDir.exists())
{
if (!scratchDir.mkdirs())
{
throw new IOException("Unable to create scratch directory: " + scratchDir);
}
}
return scratchDir;
}
/**
* Setup the basic application "context" for this application at "/"
* This is also known as the handler tree (in jetty speak)
*/
private WebAppContext getWebAppContext(URI baseUri, File scratchDir)
{
WebAppContext context = new WebAppContext();
context.setContextPath("/");
context.setAttribute("javax.servlet.context.tempdir", scratchDir);
context.setAttribute("org.eclipse.jetty.server.webapp.ContainerIncludeJarPattern",
".*/[^/]*servlet-api-[^/]*\\.jar$|.*/javax.servlet.jsp.jstl-.*\\.jar$|.*/.*taglibs.*\\.jar$");
context.setResourceBase(baseUri.toASCIIString());
context.setAttribute("org.eclipse.jetty.containerInitializers", jspInitializers());
context.setAttribute(InstanceManager.class.getName(), new SimpleInstanceManager());
context.addBean(new ServletContainerInitializersStarter(context), true);
context.setClassLoader(getUrlClassLoader());
context.addServlet(jspServletHolder(), "*.jsp");
// Add Application Servlets
context.addServlet(DateServlet.class, "/date/");
context.addServlet(exampleJspFileMappedServletHolder(), "/test/foo/");
context.addServlet(defaultServletHolder(baseUri), "/");
return context;
}
/**
* Ensure the jsp engine is initialized correctly
*/
private List<ContainerInitializer> jspInitializers()
{
JettyJasperInitializer sci = new JettyJasperInitializer();
ContainerInitializer initializer = new ContainerInitializer(sci, null);
List<ContainerInitializer> initializers = new ArrayList<ContainerInitializer>();
initializers.add(initializer);
return initializers;
}
/**
* Set Classloader of Context to be sane (needed for JSTL)
* JSP requires a non-System classloader, this simply wraps the
* embedded System classloader in a way that makes it suitable
* for JSP to use
*/
private ClassLoader getUrlClassLoader()
{
ClassLoader jspClassLoader = new URLClassLoader(new URL[0], this.getClass().getClassLoader());
return jspClassLoader;
}
/**
* Create JSP Servlet (must be named "jsp")
*/
private ServletHolder jspServletHolder()
{
ServletHolder holderJsp = new ServletHolder("jsp", JettyJspServlet.class);
holderJsp.setInitOrder(0);
holderJsp.setInitParameter("logVerbosityLevel", "DEBUG");
holderJsp.setInitParameter("fork", "false");
holderJsp.setInitParameter("xpoweredBy", "false");
holderJsp.setInitParameter("compilerTargetVM", "1.7");
holderJsp.setInitParameter("compilerSourceVM", "1.7");
holderJsp.setInitParameter("keepgenerated", "true");
return holderJsp;
}
/**
* Create Example of mapping jsp to path spec
*/
private ServletHolder exampleJspFileMappedServletHolder()
{
ServletHolder holderAltMapping = new ServletHolder();
holderAltMapping.setName("foo.jsp");
holderAltMapping.setForcedPath("/test/foo/foo.jsp");
return holderAltMapping;
}
/**
* Create Default Servlet (must be named "default")
*/
private ServletHolder defaultServletHolder(URI baseUri)
{
ServletHolder holderDefault = new ServletHolder("default", DefaultServlet.class);
LOG.info("Base URI: " + baseUri);
holderDefault.setInitParameter("resourceBase", baseUri.toASCIIString());
holderDefault.setInitParameter("dirAllowed", "true");
return holderDefault;
}
/**
* Establish the Server URI
*/
private URI getServerUri(ServerConnector connector) throws URISyntaxException
{
String scheme = "http";
for (ConnectionFactory connectFactory : connector.getConnectionFactories())
{
if (connectFactory.getProtocol().equals("SSL-http"))
{
scheme = "https";
}
}
String host = connector.getHost();
if (host == null)
{
host = "localhost";
}
int port = connector.getLocalPort();
serverURI = new URI(String.format("%s://%s:%d/", scheme, host, port));
LOG.info("Server URI: " + serverURI);
return serverURI;
}
public void stop() throws Exception
{
server.stop();
}
/**
* Cause server to keep running until it receives a Interrupt.
* <p>
* Interrupt Signal, or SIGINT (Unix Signal), is typically seen as a result of a kill -TERM {pid} or Ctrl+C
* @throws InterruptedException if interrupted
*/
public void waitForInterrupt() throws InterruptedException
{
server.join();
}
}

57
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/java/org/eclipse/jetty/demo/SystemOutHandler.java Normal file
View File

@@ -0,0 +1,57 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.demo;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
public class SystemOutHandler extends Handler
{
@Override
public void publish(LogRecord record)
{
StringBuilder buf = new StringBuilder();
buf.append("[").append(record.getLevel().getName()).append("] ");
String logname = record.getLoggerName();
int idx = logname.lastIndexOf('.');
if (idx > 0)
{
logname = logname.substring(idx + 1);
}
buf.append(logname);
buf.append(": ");
buf.append(record.getMessage());
System.out.println(buf.toString());
if (record.getThrown() != null)
{
record.getThrown().printStackTrace(System.out);
}
}
@Override
public void flush()
{
}
@Override
public void close() throws SecurityException
{
}
}

1
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/resources/jetty-logging.properties Normal file
View File

@@ -0,0 +1 @@
org.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.JavaUtilLog

4
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/resources/logging.properties Normal file
View File

@@ -0,0 +1,4 @@
handlers = org.eclipse.jetty.demo.SystemOutHandler
.level = INFO
#org.eclipse.jetty.level = FINE
#org.apache.level = FINEST

28
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/acme-taglib.tld Normal file
View File

@@ -0,0 +1,28 @@
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE taglib
PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN"
"http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
<taglib>
<tlib-version>1.0</tlib-version>
<jsp-version>1.2</jsp-version>
<short-name>acme</short-name>
<uri>http://www.acme.com/taglib</uri>
<description>taglib example</description>
<listener>
<listener-class>com.acme.TagListener</listener-class>
</listener>
<tag>
<name>date</name>
<tag-class>com.acme.DateTag</tag-class>
<body-content>TAGDEPENDENT</body-content>
<description>Display Date</description>
<attribute>
<name>tz</name>
<required>false</required>
</attribute>
</tag>
</taglib>

35
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/acme-taglib2.tld Normal file
View File

@@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8" ?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee web-jsptaglibrary_2_0.xsd"
version="2.0">
<description>Acme JSP2 tags</description>
<tlib-version>1.0</tlib-version>
<short-name>acme2</short-name>
<uri>http://www.acme.com/taglib2</uri>
<tag>
<description>Simple Date formatting</description>
<name>date2</name>
<tag-class>com.acme.Date2Tag</tag-class>
<body-content>scriptless</body-content>
<variable>
<description>Day of the Month</description>
<name-given>day</name-given>
</variable>
<variable>
<description>Month of the Year</description>
<name-given>month</name-given>
</variable>
<variable>
<description>Year</description>
<name-given>year</name-given>
</variable>
<attribute>
<name>format</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
</taglib>

9
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/applicationContext.xml Normal file
View File

@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
</beans>

1
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/secret.jsp Normal file
View File

@@ -0,0 +1 @@
This page should be private.

475
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/spring.tld Normal file
View File

@@ -0,0 +1,475 @@
<?xml version="1.0" encoding="UTF-8"?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
version="2.0">
<description>Spring Framework JSP Tag Library</description>
<tlib-version>4.0</tlib-version>
<short-name>spring</short-name>
<uri>http://www.springframework.org/tags</uri>
<tag>
<description>
Sets default HTML escape value for the current page.
Overrides a "defaultHtmlEscape" context-param in web.xml, if any.
</description>
<name>htmlEscape</name>
<tag-class>org.springframework.web.servlet.tags.HtmlEscapeTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>Set the default value for HTML escaping, to be put
into the current PageContext.</description>
<name>defaultHtmlEscape</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>
Escapes its enclosed body content, applying HTML escaping and/or JavaScript escaping.
The HTML escaping flag participates in a page-wide or application-wide setting
(i.e. by HtmlEscapeTag or a "defaultHtmlEscape" context-param in web.xml).
</description>
<name>escapeBody</name>
<tag-class>org.springframework.web.servlet.tags.EscapeBodyTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>Set HTML escaping for this tag, as boolean value. Overrides the
default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set JavaScript escaping for this tag, as boolean value.
Default is false.</description>
<name>javaScriptEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>
Retrieves the message with the given code, or text if code isn't resolvable.
The HTML escaping flag participates in a page-wide or application-wide setting
(i.e. by HtmlEscapeTag or a "defaultHtmlEscape" context-param in web.xml).
</description>
<name>message</name>
<tag-class>org.springframework.web.servlet.tags.MessageTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>A MessageSourceResolvable argument (direct or through JSP EL).
Fits nicely when used in conjunction with Spring's own validation error
classes which all implement the MessageSourceResolvable interface. For
example, this allows you to iterate over all of the errors in a form,
passing each error (using a runtime expression) as the value of this
'message' attribute, thus effecting the easy display of such error
messages.</description>
<name>message</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The code (key) to use when looking up the message.
If code is not provided, the text attribute will be used.</description>
<name>code</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set optional message arguments for this tag, as a
(comma-)delimited String (each String argument can contain JSP EL),
an Object array (used as argument array), or a single Object (used
as single argument). You can additionally use nested spring:argument
tags.</description>
<name>arguments</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The separator character to be used for splitting the
arguments string value; defaults to a 'comma' (',').</description>
<name>argumentSeparator</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Default text to output when a message for the given code
could not be found. If both text and code are not set, the tag will
output null.</description>
<name>text</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The string to use when binding the result to the page,
request, session or application scope. If not specified, the result
gets outputted to the writer (i.e. typically directly to the JSP).</description>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The scope to use when exporting the result to a variable.
This attribute is only used when var is also set. Possible values are
page, request, session and application.</description>
<name>scope</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as boolean value.
Overrides the default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set JavaScript escaping for this tag, as boolean value. Default is false.</description>
<name>javaScriptEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>
Retrieves the theme message with the given code, or text if code isn't resolvable.
The HTML escaping flag participates in a page-wide or application-wide setting
(i.e. by HtmlEscapeTag or a "defaultHtmlEscape" context-param in web.xml).
</description>
<name>theme</name>
<tag-class>org.springframework.web.servlet.tags.ThemeTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>A MessageSourceResolvable argument (direct or through JSP EL).</description>
<name>message</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The code (key) to use when looking up the message.
If code is not provided, the text attribute will be used.</description>
<name>code</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set optional message arguments for this tag, as a
(comma-)delimited String (each String argument can contain JSP EL),
an Object array (used as argument array), or a single Object (used
as single argument). You can additionally use nested spring:argument
tags.</description>
<name>arguments</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The separator character to be used for splitting the
arguments string value; defaults to a 'comma' (',').</description>
<name>argumentSeparator</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Default text to output when a message for the given code
could not be found. If both text and code are not set, the tag will
output null.</description>
<name>text</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The string to use when binding the result to the page,
request, session or application scope. If not specified, the result
gets outputted to the writer (i.e. typically directly to the JSP).</description>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The scope to use when exporting the result to a variable.
This attribute is only used when var is also set. Possible values are
page, request, session and application.</description>
<name>scope</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as boolean value.
Overrides the default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set JavaScript escaping for this tag, as boolean value. Default is false.</description>
<name>javaScriptEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>Argument tag based on the JSTL fmt:param tag. The purpose is to
support arguments inside the spring:message and spring:theme
tags.</description>
<name>argument</name>
<tag-class>org.springframework.web.servlet.tags.ArgumentTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>The value of the argument.</description>
<name>value</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
<type>java.lang.Object</type>
</attribute>
</tag>
<tag>
<description>
Provides Errors instance in case of bind errors.
The HTML escaping flag participates in a page-wide or application-wide setting
(i.e. by HtmlEscapeTag or a "defaultHtmlEscape" context-param in web.xml).
</description>
<name>hasBindErrors</name>
<tag-class>org.springframework.web.servlet.tags.BindErrorsTag</tag-class>
<body-content>JSP</body-content>
<variable>
<name-given>errors</name-given>
<variable-class>org.springframework.validation.Errors</variable-class>
</variable>
<attribute>
<description>The name of the bean in the request, that needs to be
inspected for errors. If errors are available for this bean, they
will be bound under the 'errors' key.</description>
<name>name</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as boolean value.
Overrides the default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>
Sets a nested path to be used by the bind tag's path.
</description>
<name>nestedPath</name>
<tag-class>org.springframework.web.servlet.tags.NestedPathTag</tag-class>
<body-content>JSP</body-content>
<variable>
<name-given>nestedPath</name-given>
<variable-class>java.lang.String</variable-class>
</variable>
<attribute>
<description>Set the path that this tag should apply. E.g. 'customer'
to allow bind paths like 'address.street' rather than
'customer.address.street'.</description>
<name>path</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>
Provides BindStatus object for the given bind path.
The HTML escaping flag participates in a page-wide or application-wide setting
(i.e. by HtmlEscapeTag or a "defaultHtmlEscape" context-param in web.xml).
</description>
<name>bind</name>
<tag-class>org.springframework.web.servlet.tags.BindTag</tag-class>
<body-content>JSP</body-content>
<variable>
<name-given>status</name-given>
<variable-class>org.springframework.web.servlet.support.BindStatus</variable-class>
</variable>
<attribute>
<description>The path to the bean or bean property to bind status
information for. For instance account.name, company.address.zipCode
or just employee. The status object will exported to the page scope,
specifically for this bean or bean property</description>
<name>path</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set whether to ignore a nested path, if any. Default is to not ignore.</description>
<name>ignoreNestedPath</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as boolean value. Overrides
the default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>
Provides transformation of variables to Strings, using an appropriate
custom PropertyEditor from BindTag (can only be used inside BindTag).
The HTML escaping flag participates in a page-wide or application-wide setting
(i.e. by HtmlEscapeTag or a 'defaultHtmlEscape' context-param in web.xml).
</description>
<name>transform</name>
<tag-class>org.springframework.web.servlet.tags.TransformTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>The value to transform. This is the actual object you want
to have transformed (for instance a Date). Using the PropertyEditor that
is currently in use by the 'spring:bind' tag.</description>
<name>value</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The string to use when binding the result to the page,
request, session or application scope. If not specified, the result gets
outputted to the writer (i.e. typically directly to the JSP).</description>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The scope to use when exported the result to a variable.
This attribute is only used when var is also set. Possible values are
page, request, session and application.</description>
<name>scope</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as boolean value. Overrides
the default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>URL tag based on the JSTL c:url tag. This variant is fully
backwards compatible with the standard tag. Enhancements include support
for URL template parameters.</description>
<name>url</name>
<tag-class>org.springframework.web.servlet.tags.UrlTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>The URL to build. This value can include template place holders
that are replaced with the URL encoded value of the named parameter. Parameters
must be defined using the param tag inside the body of this tag.</description>
<name>value</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Specifies a remote application context path. The default is the
current application context path.</description>
<name>context</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The name of the variable to export the URL value to.</description>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The scope for the var. 'application', 'session', 'request' and
'page' scopes are supported. Defaults to page scope. This attribute has no
effect unless the var attribute is also defined.</description>
<name>scope</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as a boolean value. Overrides the
default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set JavaScript escaping for this tag, as a boolean value.
Default is false.</description>
<name>javaScriptEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>Parameter tag based on the JSTL c:param tag. The sole purpose is to
support params inside the spring:url tag.</description>
<name>param</name>
<tag-class>org.springframework.web.servlet.tags.ParamTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>The name of the parameter.</description>
<name>name</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The value of the parameter.</description>
<name>value</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
<tag>
<description>Evaluates a Spring expression (SpEL) and either prints the result or assigns it to a variable.</description>
<name>eval</name>
<tag-class>org.springframework.web.servlet.tags.EvalTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<description>The expression to evaluate.</description>
<name>expression</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The name of the variable to export the evaluation result to.</description>
<name>var</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>The scope for the var. 'application', 'session', 'request' and
'page' scopes are supported. Defaults to page scope. This attribute has no
effect unless the var attribute is also defined.</description>
<name>scope</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set HTML escaping for this tag, as a boolean value. Overrides the
default HTML escaping setting for the current page.</description>
<name>htmlEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
<attribute>
<description>Set JavaScript escaping for this tag, as a boolean value. Default is false.</description>
<name>javaScriptEscape</name>
<required>false</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
</taglib>

17
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/tags/panel.tag Normal file
View File

@@ -0,0 +1,17 @@
<%--
- Copyright (c) 2002 The Apache Software Foundation. All rights
- reserved.
--%>
<%@ attribute name="color" %>
<%@ attribute name="bgcolor" %>
<%@ attribute name="title" %>
<table border="1" bgcolor="${color}">
<tr>
<td><b>${title}</b></td>
</tr>
<tr>
<td bgcolor="${bgcolor}">
<jsp:doBody/>
</td>
</tr>
</table>

9
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/web.xml Normal file
View File

@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>Vulnerable JSP Application</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>

14
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/WEB-INF/weblogic.xml Normal file
View File

@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 8.1//EN" "http://www.bea.com/servers/wls810/dtd/weblogic810-web-jar.dtd" >
<weblogic-web-app>
<jsp-descriptor>
<jsp-param>
<param-name>compileFlags</param-name>
<param-value>-g</param-value>
</jsp-param>
<jsp-param>
<param-name>keepgenerated</param-name>
<param-value>true</param-value>
</jsp-param>
</jsp-descriptor>
</weblogic-web-app>

1
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/include/${param.secret_param}.jsp Normal file
View File

@@ -0,0 +1 @@
Dummy

5
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/include/jsp_include_1.jsp Normal file
View File

@@ -0,0 +1,5 @@
<i>Psst <a href="?secret_param=../WEB-INF/secret.jsp">click me</a> or <a href="?secret_param=../WEB-INF/web.xml">click me</a>!</i>
<br/><br/>
<jsp:include page="safe$afe.jsp" />
<jsp:include page="${param.secret_param}" /><%-- This line doesn't compile in weblogic --%>

6
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/include/jsp_include_2_safe.jsp Normal file
View File

@@ -0,0 +1,6 @@
<i>Psst <a href="?secret_param=../WEB-INF/secret.jsp">click me</a> or <a href="?secret_param=../WEB-INF/web.xml">click me</a>!</i>
<br/><br/>
<%@include file="${param.secret_param}.jsp"%> <!-- Safe will be evaluate as literal -->
<%-- This line doesn't compile in weblogic --%>

9
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/include/jsp_include_3.jsp Normal file
View File

@@ -0,0 +1,9 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<i>Psst <a href="?secret_param=../WEB-INF/secret.jsp">click me</a> or <a href="?secret_param=../WEB-INF/web.xml">click me</a>!</i>
<br/><br/>
<c:if test="${param.secret_param != null}">
<c:import url="${param.secret_param}" />
</c:if>

45
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/index.jsp Normal file
View File

@@ -0,0 +1,45 @@
<html>
<head>
<title>Embedded Jetty: JSP Examples</title>
</head>
<body>
<h1>Vulnerable JSP pages</h1>
<h2>XSS</h2>
<ul>
<li><a href="/xss/xss0.jsp">XSS 0</a></li>
<li><a href="/xss/xss1.jsp">XSS 1</a></li>
<li><a href="/xss/xss2.jsp">XSS 2</a></li>
<li><a href="/xss/xss3.jsp">XSS 3</a></li>
<li><a href="/xss/xss4.jsp">XSS 4</a></li>
<li><a href="/xss/xss5.jsp">XSS 5</a></li>
</ul>
<h2>XML parsing</h2>
<ul>
<li><a href="/xml/xml1.jsp?xml=<stock><symbol>TKM%3C%2Fsymbol>%3C%2Fstock>">XML 1</a></li>
<li><a href="/xml/xml2.jsp">XML 2</a></li>
</ul>
<h2>XSLT</h2>
<ul>
<li><a href='/xsl/xsl1.jsp?xml=<stock><symbol>TKM%3C%2Fsymbol>%3C%2Fstock>&xslt=%3Cxsl%3Astylesheet%20version%3D"1.0"%0A%20xmlns%3Axsl%3D"http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform"%20%20%20%20%20%20%20%20%20%0A%20xmlns%3Art%3D"http%3A%2F%2Fxml.apache.org%2Fxalan%2Fjava%2Fjava.lang.Runtime"%0A%20exclude-result-prefixes%3D"date">%0A%20%20%20%20%20%20%20%20%3Cxsl%3Aoutput%20method%3D"text"%2F>%0A%20%20%20%20%20%20%20%20%3Cxsl%3Atemplate%20match%3D"%2F">%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cxsl%3Atext>Quote%20requested%20for%3A%20%3C%2Fxsl%3Atext>%3Cblink>%3Cxsl%3Avalue-of%20select%3D"stock%2Fsymbol"%2F>%3C%2Fblink>%0A%20%20%20%20%20%20%20%20%3C%2Fxsl%3Atemplate>%0A%3C%2Fxsl%3Astylesheet>'>XSL 1</a></li>
<li><a href='/xsl/xsl2.jsp?xslt=%3Cxsl%3Astylesheet%20version%3D"1.0"%0A%20xmlns%3Axsl%3D"http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform"%20%20%20%20%20%20%20%20%20%0A%20xmlns%3Art%3D"http%3A%2F%2Fxml.apache.org%2Fxalan%2Fjava%2Fjava.lang.Runtime"%0A%20exclude-result-prefixes%3D"date">%0A%20%20%20%20%20%20%20%20%3Cxsl%3Aoutput%20method%3D"text"%2F>%0A%20%20%20%20%20%20%20%20%3Cxsl%3Atemplate%20match%3D"%2F">%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cxsl%3Atext>Quote%20requested%20for%3A%20%3C%2Fxsl%3Atext>%3Cblink>%3Cxsl%3Avalue-of%20select%3D"stock%2Fsymbol"%2F>%3C%2Fblink>%0A%20%20%20%20%20%20%20%20%3C%2Fxsl%3Atemplate>%0A%3C%2Fxsl%3Astylesheet>'>XSL 2</a></li>
<li><a href='/xsl/xsl3.jsp?xml=<stock><symbol>TKM%3C%2Fsymbol>%3C%2Fstock>'>XSL 3</a></li>
<li><a href='/xsl/xsl4.jsp'>XSL 4</a></li>
</ul>
<h2>Various JSP samples </h2>
<ul>
<li><a href="test/dump.jsp">JSP 1.2 embedded java</a></li>
<li><a href="test/bean1.jsp">JSP 1.2 Bean demo</a></li>
<li><a href="test/tag.jsp">JSP 1.2 BodyTag demo</a></li>
<li><a href="test/tag2.jsp">JSP 2.0 SimpleTag demo</a></li>
<li><a href="test/tagfile.jsp">JSP 2.0 Tag File demo</a></li>
<li><a href="test/expr.jsp?A=1">JSP 2.0 Tag Expression</a></li>
<li><a href="test/jstl.jsp">JSTL Expression</a></li>
<li><a href="test/foo/">Mapping to &lt;jsp-file&gt;</a></li>
<li><a href="date/">Servlet Forwarding to JSP demo</a></li>
</ul>
</body>
</html>

3
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/jstl/jstl_escape_1.jsp Normal file
View File

@@ -0,0 +1,3 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${param.test_param}"/>

3
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/jstl/jstl_escape_2.jsp Normal file
View File

@@ -0,0 +1,3 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${param.test_param}" escapeXml="true"/>

3
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/jstl/jstl_escape_3.jsp Normal file
View File

@@ -0,0 +1,3 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${param.test_param}" escapeXml="false"/>

6
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/random.jsp Normal file
View File

@@ -0,0 +1,6 @@
<%@ page import="java.util.Random" %>
<%
Random random = new Random();
%>
<%= random.nextInt() %>

20
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/spring/spring_eval_1.jsp Normal file
View File

@@ -0,0 +1,20 @@
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<form method="get" action="">
<input type="text" name="expression" value="1+1"> <input type="submit" value="test">
</form>
<c:set var="expression" value="${param.expression}" scope="request" />
Evaluating ("&#36;{expression}") : <c:out value="${expression}" /><br/>
<br/>
<c:if test="${expression != null}">
Output:
<pre style="background-color:#CCC">
<spring:eval expression="${expression}" var="results" />
<c:out value="${results}" />
</pre>
</c:if>

20
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/spring/spring_eval_2.jsp Normal file
View File

@@ -0,0 +1,20 @@
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
Change the language:
<form method="get" action="">
<input type="text" name="lang" value="1+1"> <input type="submit" value="test">
</form>
Evaluating ("&#36;{param.lang}") : <c:out value="${param.lang}" /><br/>
<br/>
<c:if test="${param.lang != null}">
Output:
<pre style="background-color:#CCC">
<spring:eval expression="${param.lang}" var="results" />
<c:out value="${results}" />
</pre>
</c:if>

20
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/spring/spring_eval_3.jsp Normal file
View File

@@ -0,0 +1,20 @@
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
Value is YOLO ?:
<form method="get" action="">
<input type="text" name="value" value="1+1"> <input type="submit" value="test">
</form>
Evaluating ("'&#36;{param.value}'=='YOLO'") : <c:out value="${param.value}" /><br/>
<br/>
<c:if test="${param.value != null}">
Output:
<pre style="background-color:#CCC">
<spring:eval expression="'${param.value}'=='YOLO'" var="results" />
<c:out value="${results}" />
</pre>
</c:if>

20
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/spring/spring_eval_4_safe.jsp Normal file
View File

@@ -0,0 +1,20 @@
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
Set some value :
<form method="get" action="">
<input type="text" name="value" value="1+1"> <input type="submit" value="test">
</form>
Evaluating ("param.value") : <c:out value="${param.value}" /><br/>
<br/>
<c:if test="${param.value != null}">
Output:
<pre style="background-color:#CCC">
<spring:eval expression="param.value" var="results" />
<c:out value="${results}" />
</pre>
</c:if>

15
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/bean1.jsp Normal file
View File

@@ -0,0 +1,15 @@
<html>
<%@ page session="true"%>
<body>
<jsp:useBean id='counter' scope='session' class='com.acme.Counter' type="com.acme.Counter" />
<h1>JSP1.2 Beans: 1</h1>
Counter accessed <jsp:getProperty name="counter" property="count"/> times.<br/>
Counter last accessed by <jsp:getProperty name="counter" property="last"/><br/>
<jsp:setProperty name="counter" property="last" value="<%= request.getRequestURI()%>"/>
<a href="bean2.jsp">Goto bean2.jsp</a>
</body>
</html>

15
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/bean2.jsp Normal file
View File

@@ -0,0 +1,15 @@
<html>
<%@ page session="true"%>
<body>
<jsp:useBean id='counter' scope='session' class='com.acme.Counter' type="com.acme.Counter" />
<h1>JSP1.2 Beans: 2</h1>
Counter accessed <jsp:getProperty name="counter" property="count"/> times.<br/>
Counter last accessed by <jsp:getProperty name="counter" property="last"/><br/>
<jsp:setProperty name="counter" property="last" value="<%= request.getRequestURI()%>"/>
<a href="bean1.jsp">Goto bean1.jsp</a>
</body>
</html>

23
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/dump.jsp Normal file
View File

@@ -0,0 +1,23 @@
<html><head>
<%@ page import="java.util.Enumeration" %>
</head><body>
<h1>JSP Dump</h1>
<table border="1">
<tr><th>Request URI:</th><td><%= request.getRequestURI() %></td></tr>
<tr><th>ServletPath:</th><td><%= request.getServletPath() %></td></tr>
<tr><th>PathInfo:</th><td><%= request.getPathInfo() %></td></tr>
<%
Enumeration e =request.getParameterNames();
while(e.hasMoreElements())
{
String name = (String)e.nextElement();
%>
<tr>
<th>getParameter("<%= name %>")</th>
<td><%= request.getParameter(name) %></td></tr>
<% } %>
</table>
</body></html>

23
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/expr.jsp Normal file
View File

@@ -0,0 +1,23 @@
<html>
<h1>JSP2.0 Expressions</h1>
<table border="1">
<tr><th>Expression</th><th>Result</th></tr>
<tr>
<td>\${param["A"]}</td>
<td>${param["A"]}&nbsp;</td>
</tr><tr>
<td>\${header["host"]}</td>
<td>${header["host"]}</td>
</tr><tr>
<td>\${header["user-agent"]}</td>
<td>${header["user-agent"]}</td>
</tr><tr>
<td>\${1+1}</td>
<td>${1+1}</td>
</tr><tr>
<td>\${param["A"] * 2}</td>
<td>${param["A"] * 2}&nbsp;</td>
</tr>
</table>
</html>

15
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/foo/foo.jsp Normal file
View File

@@ -0,0 +1,15 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head>
</head>
<body>
<h1>FOO Example</h1>
<hr>
<p>A trivial FOO example
<hr>
<c:forEach var="i" begin="1" end="10" step="1">
<c:out value="${i}" />
<br />
</c:forEach>
</body>
</html>

15
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/jstl.jsp Normal file
View File

@@ -0,0 +1,15 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head>
</head>
<body>
<h1>JSTL Example</h1>
<hr>
<p>A trivial jstl example
<hr>
<c:forEach var="i" begin="1" end="10" step="1">
<c:out value="${i}" />
<br />
</c:forEach>
</body>
</html>

16
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/tag.jsp Normal file
View File

@@ -0,0 +1,16 @@
<html>
<body>
<%@ taglib uri="http://www.acme.com/taglib" prefix="acme" %>
<small>&lt;acme:date tz="GMT"&gt;EEE, dd/MMM/yyyy HH:mm:ss ZZZ&lt;/acme:date&gt;
==&gt;</small>
<acme:date tz="GMT">EEE, dd/MMM/yyyy HH:mm:ss ZZZ</acme:date>
<br/>
<small>&lt;acme:date tz="EST"&gt;EEE, dd-MMM-yyyy HH:mm:ss ZZZ&lt;/acme:date&gt;
==&gt;</small>
<acme:date tz="EST">EEE, dd-MMM-yyyy HH:mm:ss ZZZ</acme:date>
<br/>
</body>
</html>

19
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/tag2.jsp Normal file
View File

@@ -0,0 +1,19 @@
<html>
<body>
<%@ taglib uri="http://www.acme.com/taglib2" prefix="acme" %>
<acme:date2 format="long">
On ${day} of ${month} in the year ${year}
</acme:date2>
<br/>
<acme:date2 format="short">
${day} - ${month} - ${year}
</acme:date2>
<br/>
</body>
</html>

37
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/test/tagfile.jsp Normal file
View File

@@ -0,0 +1,37 @@
<%@ taglib prefix="acme" tagdir="/WEB-INF/tags" %>
<html>
<head>
</head>
<body>
<h1>JSP 2.0 Tag File Example</h1>
<hr>
<p>Panel tag created from JSP fragment file in WEB-INF/tags
<hr>
<table border="0">
<tr valign="top">
<td>
<acme:panel color="#ff8080" bgcolor="#ffc0c0" title="Panel 1">
First panel.<br/>
</acme:panel>
</td>
<td>
<acme:panel color="#80ff80" bgcolor="#c0ffc0" title="Panel 2">
Second panel.<br/>
Second panel.<br/>
Second panel.<br/>
Second panel.<br/>
</acme:panel>
</td>
<td>
<acme:panel color="#8080ff" bgcolor="#c0c0ff" title="Panel 3">
Third panel.<br/>
<acme:panel color="#ff80ff" bgcolor="#ffc0ff" title="Inner">
A panel in a panel.
</acme:panel>
Third panel.<br/>
</acme:panel>
</td>
</tr>
</table>
</body>
</html>

21
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/various.jsp Normal file
View File

@@ -0,0 +1,21 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
JSTL
<c:out value="${param.test_param1}"/>
<c:out value="${param.test_param2}" escapeXml="true"/>
<c:out value="${param.test_param3}" escapeXml="false"/>
JSP include
<%@include file="index.jsp"%>
<c:import url="${param.secret_param}" />
Spring eval
<spring:eval expression="${param.lang}" var="results" />
<c:out value="${results}" />

3
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xml/xml1.jsp Normal file
View File

@@ -0,0 +1,3 @@
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>
<x:parse var="doc" xml="${param.xml}" />
You requested a quote for: <x:out select="$doc/stock/symbol" />

3
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xml/xml2.jsp Normal file
View File

@@ -0,0 +1,3 @@
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>
<x:parse var="doc" xml="<stock><symbol>TKM</symbol></stock>" />
You requested a quote for: <x:out select="$doc/stock/symbol" />

2
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xsl/xsl1.jsp Normal file
View File

@@ -0,0 +1,2 @@
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>
<x:transform xml="${param.xml}" xslt="${param.xslt}" />

2
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xsl/xsl2.jsp Normal file
View File

@@ -0,0 +1,2 @@
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>
<x:transform xml="<stock><symbol>TKM</symbol></stock>" xslt="${param.xslt}" />

2
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xsl/xsl3.jsp Normal file
View File

@@ -0,0 +1,2 @@
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>
<x:transform xml="${param.xml}" xslt='<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" exclude-result-prefixes="date"></xsl:stylesheet>' />

2
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xsl/xsl4.jsp Normal file
View File

@@ -0,0 +1,2 @@
<%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %>
<x:transform xml="<static>SAFE</static>" xslt='<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" exclude-result-prefixes="date"></xsl:stylesheet>' />

6
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xss/xss0.jsp Normal file
View File

@@ -0,0 +1,6 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<p>
Client message:<br/>
<c:out value="${param.test}" escapeXml="false"/>
</p>

4
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xss/xss1.jsp Normal file
View File

@@ -0,0 +1,4 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<script>
var test = ${param.test};
</script>

4
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xss/xss2.jsp Normal file
View File

@@ -0,0 +1,4 @@
Contact form:<br/>
<textarea>${param.message}</textarea>

3
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xss/xss3.jsp Normal file
View File

@@ -0,0 +1,3 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
Hello <c:out value="${param.test}"/>!

7
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xss/xss4.jsp Normal file
View File

@@ -0,0 +1,7 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<script>
function hello(param1,param2) {
console.info(param1+" "+param2);
}
var test = hello('<c:out value="${param.test1}"/>','<c:out value="${param.test2}"/>');
</script>

11
java/ql/integration-tests/all-platforms/java/java-web-jsp/src/main/webapp/xss/xss5.jsp Normal file
View File

@@ -0,0 +1,11 @@
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<h1>${e:forHtml(param.test1)}</h1>
<script>
function hello(param1,param2) {
console.info(param1+" "+param2);
}
var test = hello('${e:forJavaScript(param.test1)}','${e:forJavaScript(param.test2)}');
</script>

58
java/ql/integration-tests/all-platforms/java/java-web-jsp/test.expected Normal file
View File

@@ -0,0 +1,58 @@
xmlFiles
| pom.xml:0:0:0:0 | pom.xml |
| spotbugs-security-exclude.xml:0:0:0:0 | spotbugs-security-exclude.xml |
| spotbugs-security-include.xml:0:0:0:0 | spotbugs-security-include.xml |
| src/main/webapp/WEB-INF/applicationContext.xml:0:0:0:0 | src/main/webapp/WEB-INF/applicationContext.xml |
| src/main/webapp/WEB-INF/web.xml:0:0:0:0 | src/main/webapp/WEB-INF/web.xml |
| src/main/webapp/WEB-INF/weblogic.xml:0:0:0:0 | src/main/webapp/WEB-INF/weblogic.xml |
| target/vulnerable-jsp-app-1.0.0-SNAPSHOT/WEB-INF/applicationContext.xml:0:0:0:0 | target/vulnerable-jsp-app-1.0.0-SNAPSHOT/WEB-INF/applicationContext.xml |
| target/vulnerable-jsp-app-1.0.0-SNAPSHOT/WEB-INF/web.xml:0:0:0:0 | target/vulnerable-jsp-app-1.0.0-SNAPSHOT/WEB-INF/web.xml |
| target/vulnerable-jsp-app-1.0.0-SNAPSHOT/WEB-INF/weblogic.xml:0:0:0:0 | target/vulnerable-jsp-app-1.0.0-SNAPSHOT/WEB-INF/weblogic.xml |
| target/web.xml:0:0:0:0 | target/web.xml |
| target/webfrag.xml:0:0:0:0 | target/webfrag.xml |
#select
| src/main/java/com/acme/Counter.java:0:0:0:0 | Counter |
| src/main/java/com/acme/Date2Tag.java:0:0:0:0 | Date2Tag |
| src/main/java/com/acme/DateServlet.java:0:0:0:0 | DateServlet |
| src/main/java/com/acme/DateTag.java:0:0:0:0 | DateTag |
| src/main/java/com/acme/TagListener.java:0:0:0:0 | TagListener |
| src/main/java/org/eclipse/jetty/demo/LoggingUtil.java:0:0:0:0 | LoggingUtil |
| src/main/java/org/eclipse/jetty/demo/Main.java:0:0:0:0 | Main |
| src/main/java/org/eclipse/jetty/demo/SystemOutHandler.java:0:0:0:0 | SystemOutHandler |
| target/classes/jsp/WEB_002dINF/secret_jsp.java:0:0:0:0 | secret_jsp |
| target/classes/jsp/include/$_007bparam_secret_005fparam_007d_jsp.java:0:0:0:0 | $_007bparam_secret_005fparam_007d_jsp |
| target/classes/jsp/include/jsp_005finclude_005f1_jsp.java:0:0:0:0 | jsp_005finclude_005f1_jsp |
| target/classes/jsp/include/jsp_005finclude_005f2_005fsafe_jsp.java:0:0:0:0 | jsp_005finclude_005f2_005fsafe_jsp |
| target/classes/jsp/include/jsp_005finclude_005f3_jsp.java:0:0:0:0 | jsp_005finclude_005f3_jsp |
| target/classes/jsp/index_jsp.java:0:0:0:0 | index_jsp |
| target/classes/jsp/jstl/jstl_005fescape_005f1_jsp.java:0:0:0:0 | jstl_005fescape_005f1_jsp |
| target/classes/jsp/jstl/jstl_005fescape_005f2_jsp.java:0:0:0:0 | jstl_005fescape_005f2_jsp |
| target/classes/jsp/jstl/jstl_005fescape_005f3_jsp.java:0:0:0:0 | jstl_005fescape_005f3_jsp |
| target/classes/jsp/random_jsp.java:0:0:0:0 | random_jsp |
| target/classes/jsp/spring/spring_005feval_005f1_jsp.java:0:0:0:0 | spring_005feval_005f1_jsp |
| target/classes/jsp/spring/spring_005feval_005f2_jsp.java:0:0:0:0 | spring_005feval_005f2_jsp |
| target/classes/jsp/spring/spring_005feval_005f3_jsp.java:0:0:0:0 | spring_005feval_005f3_jsp |
| target/classes/jsp/spring/spring_005feval_005f4_005fsafe_jsp.java:0:0:0:0 | spring_005feval_005f4_005fsafe_jsp |
| target/classes/jsp/test/bean1_jsp.java:0:0:0:0 | bean1_jsp |
| target/classes/jsp/test/bean2_jsp.java:0:0:0:0 | bean2_jsp |
| target/classes/jsp/test/dump_jsp.java:0:0:0:0 | dump_jsp |
| target/classes/jsp/test/expr_jsp.java:0:0:0:0 | expr_jsp |
| target/classes/jsp/test/foo/foo_jsp.java:0:0:0:0 | foo_jsp |
| target/classes/jsp/test/jstl_jsp.java:0:0:0:0 | jstl_jsp |
| target/classes/jsp/test/tag2_jsp.java:0:0:0:0 | tag2_jsp |
| target/classes/jsp/test/tag_jsp.java:0:0:0:0 | tag_jsp |
| target/classes/jsp/test/tagfile_jsp.java:0:0:0:0 | tagfile_jsp |
| target/classes/jsp/various_jsp.java:0:0:0:0 | various_jsp |
| target/classes/jsp/xml/xml1_jsp.java:0:0:0:0 | xml1_jsp |
| target/classes/jsp/xml/xml2_jsp.java:0:0:0:0 | xml2_jsp |
| target/classes/jsp/xsl/xsl1_jsp.java:0:0:0:0 | xsl1_jsp |
| target/classes/jsp/xsl/xsl2_jsp.java:0:0:0:0 | xsl2_jsp |
| target/classes/jsp/xsl/xsl3_jsp.java:0:0:0:0 | xsl3_jsp |
| target/classes/jsp/xsl/xsl4_jsp.java:0:0:0:0 | xsl4_jsp |
| target/classes/jsp/xss/xss0_jsp.java:0:0:0:0 | xss0_jsp |
| target/classes/jsp/xss/xss1_jsp.java:0:0:0:0 | xss1_jsp |
| target/classes/jsp/xss/xss2_jsp.java:0:0:0:0 | xss2_jsp |
| target/classes/jsp/xss/xss3_jsp.java:0:0:0:0 | xss3_jsp |
| target/classes/jsp/xss/xss4_jsp.java:0:0:0:0 | xss4_jsp |
| target/classes/jsp/xss/xss5_jsp.java:0:0:0:0 | xss5_jsp |
| target/classes/org/apache/jsp/tag/web/panel_tag.java:0:0:0:0 | panel_tag |

5
java/ql/integration-tests/all-platforms/java/java-web-jsp/test.py Normal file
View File

@@ -0,0 +1,5 @@
import sys
from create_database_utils import *
run_codeql_database_create(["mvn clean package -P tomcat8Jsp"], lang="java", extra_env = {"CODEQL_EXTRACTOR_JAVA_JSP": "true"})

7
java/ql/integration-tests/all-platforms/java/java-web-jsp/test.ql Normal file
View File

@@ -0,0 +1,7 @@
import java
from File f
where f.isSourceFile()
select f
query predicate xmlFiles(XmlFile x) { any() }

114
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/pom.xml Normal file
View File

@@ -0,0 +1,114 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>maven-sample</artifactId>
<version>1.0-SNAPSHOT</version>
<name>maven-sample</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<version>1.1.1</version>
<executions>
<execution>
<id>check-maven-version</id>
<phase>package</phase>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.example.App</mainClass>
</configuration>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>2.19.1</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
<phase>compile</phase>
</execution>
</executions>
<configuration>
<java>
<licenseHeader>
<content>/* FAIL ME */</content>
</licenseHeader>
</java>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
<plugin>
<artifactId>maven-site-plugin</artifactId>
<version>3.7.1</version>
</plugin>
<plugin>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.0.0</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>

30
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/src/main/java/com/example/App.java Normal file
View File

@@ -0,0 +1,30 @@
package com.example;
import java.util.regex.Pattern;
import java.nio.file.Path;
import java.nio.file.Paths;
/**
* Hello world!
*
*/
public class App
{
public static void main( String[] args )
{
System.out.println( "Hello World!" );
String expectedVersion = System.getenv("EXPECT_MAVEN");
Path mavenHome = Paths.get(System.getProperty("maven.home")).normalize();
String observedVersion = mavenHome.getFileName().toString();
if (expectedVersion != null && !expectedVersion.equals(observedVersion)) {
System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "'" + mavenHome);
System.exit(1);
}
String commandMatcher = System.getenv("EXPECT_COMMAND_REGEX");
String command = System.getProperty("sun.java.command");
if (commandMatcher != null && !Pattern.matches(commandMatcher, command)) {
System.err.println("Wrong command line, '" + command + "' does not match '" + commandMatcher + "'");
System.exit(1);
}
}
}

1
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/src/main/resources/my-app.properties Normal file
View File

@@ -0,0 +1 @@
version=1.0

8
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/src/main/resources/page.xml Normal file
View File

@@ -0,0 +1,8 @@
<html>
<head>
<title>A sample</title>
</head>
<body>
<p>Hello world!</p>
</body>
</html>

4
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/src/main/resources/struts.xml Normal file
View File

@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<struts>
This is a sample file
</struts>

20
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/src/test/java/com/example/AppTest.java Normal file
View File

@@ -0,0 +1,20 @@
package com.example;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
/**
* Unit test for simple App.
*/
public class AppTest
{
/**
* Rigorous Test :-)
*/
@Test
public void shouldAnswerWithTrue()
{
assertTrue( true );
}
}

15
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/test.expected Normal file
View File

@@ -0,0 +1,15 @@
xmlFiles
| pom.xml:0:0:0:0 | pom.xml |
| src/main/resources/page.xml:0:0:0:0 | src/main/resources/page.xml |
| src/main/resources/struts.xml:0:0:0:0 | src/main/resources/struts.xml |
| target/classes/page.xml:0:0:0:0 | target/classes/page.xml |
| target/classes/struts.xml:0:0:0:0 | target/classes/struts.xml |
propertiesFiles
| src/main/resources/my-app.properties:0:0:0:0 | src/main/resources/my-app.properties |
| target/classes/my-app.properties:0:0:0:0 | target/classes/my-app.properties |
| target/maven-archiver/pom.properties:0:0:0:0 | target/maven-archiver/pom.properties |
| test-db/log/ext/javac-1.properties:0:0:0:0 | test-db/log/ext/javac-1.properties |
| test-db/log/ext/javac.properties:0:0:0:0 | test-db/log/ext/javac.properties |
#select
| src/main/java/com/example/App.java:0:0:0:0 | App |
| src/test/java/com/example/AppTest.java:0:0:0:0 | AppTest |

5
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/test.py Normal file
View File

@@ -0,0 +1,5 @@
import sys
from create_database_utils import *
run_codeql_database_create([], lang="java", extra_env = {"LGTM_INDEX_PROPERTIES_FILES": "true"})

9
java/ql/integration-tests/all-platforms/java/maven-sample-extract-properties/test.ql Normal file
View File

@@ -0,0 +1,9 @@
import java
from File f
where f.isSourceFile()
select f
query predicate xmlFiles(XmlFile x) { any() }
query predicate propertiesFiles(File f) { f.getExtension() = "properties" }

114
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/pom.xml Normal file
View File

@@ -0,0 +1,114 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>maven-sample</artifactId>
<version>1.0-SNAPSHOT</version>
<name>maven-sample</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<version>1.1.1</version>
<executions>
<execution>
<id>check-maven-version</id>
<phase>package</phase>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.example.App</mainClass>
</configuration>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>2.19.1</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
<phase>compile</phase>
</execution>
</executions>
<configuration>
<java>
<licenseHeader>
<content>/* FAIL ME */</content>
</licenseHeader>
</java>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
<plugin>
<artifactId>maven-site-plugin</artifactId>
<version>3.7.1</version>
</plugin>
<plugin>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.0.0</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>

30
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/src/main/java/com/example/App.java Normal file
View File

@@ -0,0 +1,30 @@
package com.example;
import java.util.regex.Pattern;
import java.nio.file.Path;
import java.nio.file.Paths;
/**
* Hello world!
*
*/
public class App
{
public static void main( String[] args )
{
System.out.println( "Hello World!" );
String expectedVersion = System.getenv("EXPECT_MAVEN");
Path mavenHome = Paths.get(System.getProperty("maven.home")).normalize();
String observedVersion = mavenHome.getFileName().toString();
if (expectedVersion != null && !expectedVersion.equals(observedVersion)) {
System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "'" + mavenHome);
System.exit(1);
}
String commandMatcher = System.getenv("EXPECT_COMMAND_REGEX");
String command = System.getProperty("sun.java.command");
if (commandMatcher != null && !Pattern.matches(commandMatcher, command)) {
System.err.println("Wrong command line, '" + command + "' does not match '" + commandMatcher + "'");
System.exit(1);
}
}
}

1
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/src/main/resources/my-app.properties Normal file
View File

@@ -0,0 +1 @@
version=1.0

8
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/src/main/resources/page.xml Normal file
View File

@@ -0,0 +1,8 @@
<html>
<head>
<title>A sample</title>
</head>
<body>
<p>Hello world!</p>
</body>
</html>

4
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/src/main/resources/struts.xml Normal file
View File

@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<struts>
This is a sample file
</struts>

20
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/src/test/java/com/example/AppTest.java Normal file
View File

@@ -0,0 +1,20 @@
package com.example;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
/**
* Unit test for simple App.
*/
public class AppTest
{
/**
* Rigorous Test :-)
*/
@Test
public void shouldAnswerWithTrue()
{
assertTrue( true );
}
}

7
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/test.expected Normal file
View File

@@ -0,0 +1,7 @@
xmlFiles
| pom.xml:0:0:0:0 | pom.xml |
| src/main/resources/struts.xml:0:0:0:0 | src/main/resources/struts.xml |
| target/classes/struts.xml:0:0:0:0 | target/classes/struts.xml |
#select
| src/main/java/com/example/App.java:0:0:0:0 | App |
| src/test/java/com/example/AppTest.java:0:0:0:0 | AppTest |

10
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/test.py Normal file
View File

@@ -0,0 +1,10 @@
import sys
from create_database_utils import *
# Test that a build with 60 ~1MB XML docs extracts does not extract them, but we fall back to by-name mode instead:
for i in range(60):
with open("generated-%d.xml" % i, "w") as f:
f.write("<xml>" + ("a" * 1000000) + "</xml>")
run_codeql_database_create([], lang="java")

7
java/ql/integration-tests/all-platforms/java/maven-sample-large-xml-files/test.ql Normal file
View File

@@ -0,0 +1,7 @@
import java
from File f
where f.isSourceFile()
select f
query predicate xmlFiles(XmlFile x) { any() }

114
java/ql/integration-tests/all-platforms/java/maven-sample-small-xml-files/pom.xml Normal file
View File

@@ -0,0 +1,114 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>maven-sample</artifactId>
<version>1.0-SNAPSHOT</version>
<name>maven-sample</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<version>1.1.1</version>
<executions>
<execution>
<id>check-maven-version</id>
<phase>package</phase>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.example.App</mainClass>
</configuration>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>2.19.1</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
<phase>compile</phase>
</execution>
</executions>
<configuration>
<java>
<licenseHeader>
<content>/* FAIL ME */</content>
</licenseHeader>
</java>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
<plugin>
<artifactId>maven-site-plugin</artifactId>
<version>3.7.1</version>
</plugin>
<plugin>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.0.0</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>

30
java/ql/integration-tests/all-platforms/java/maven-sample-small-xml-files/src/main/java/com/example/App.java Normal file
View File

@@ -0,0 +1,30 @@
package com.example;
import java.util.regex.Pattern;
import java.nio.file.Path;
import java.nio.file.Paths;
/**
* Hello world!
*
*/
public class App
{
public static void main( String[] args )
{
System.out.println( "Hello World!" );
String expectedVersion = System.getenv("EXPECT_MAVEN");
Path mavenHome = Paths.get(System.getProperty("maven.home")).normalize();
String observedVersion = mavenHome.getFileName().toString();
if (expectedVersion != null && !expectedVersion.equals(observedVersion)) {
System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "'" + mavenHome);
System.exit(1);
}
String commandMatcher = System.getenv("EXPECT_COMMAND_REGEX");
String command = System.getProperty("sun.java.command");
if (commandMatcher != null && !Pattern.matches(commandMatcher, command)) {
System.err.println("Wrong command line, '" + command + "' does not match '" + commandMatcher + "'");
System.exit(1);
}
}
}

Some files were not shown because too many files have changed in this diff Show More