Merge branch 'main' into promote-jexl-injection

2026-04-29 10:45:15 +02:00 · 2021-06-03 11:10:56 +02:00
parent 607dcd4a27 ffad65be40
commit 56a429a5f9
674 changed files with 32825 additions and 8447 deletions
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.expected
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.expected
@@ -1,2 +1,4 @@
-| CloseReader.java:11:42:11:71 | new FileReader(...) | This FileReader is not always closed on method exit. |
-| CloseReader.java:44:6:44:40 | new FileInputStream(...) | This FileInputStream is not always closed on method exit. |
+| CloseReader.java:18:42:18:71 | new FileReader(...) | This FileReader is not always closed on method exit. |
+| CloseReader.java:23:20:23:50 | new FileInputStream(...) | This FileInputStream is not always closed on method exit. |
+| CloseReader.java:33:6:33:40 | new FileInputStream(...) | This FileInputStream is not always closed on method exit. |
+| CloseReader.java:43:21:43:43 | new ZipFile(...) | This ZipFile is not always closed on method exit. |
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
@@ -1,41 +1,30 @@
 import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.CharArrayReader;
+import java.io.Closeable;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileReader;
-import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.zip.ZipFile;

 class CloseReader {

-	public static void test1() throws IOException {
+	void test1() throws IOException {
 		BufferedReader br = new BufferedReader(new FileReader("C:\\test.txt"));
 		System.out.println(br.readLine());
 	}

-	public static void test2() throws FileNotFoundException, IOException {
-		BufferedReader br = null;
-		try {
-			br = new BufferedReader(new FileReader("C:\\test.txt"));
-			System.out.println(br.readLine());
-		}
-		finally {
-			if(br != null)
-				br.close();  // 'br' is closed
-		}
+	void test2() throws IOException {
+		InputStream in = new FileInputStream("file.bin");
+		in.read();
 	}

-	public static void test3() throws IOException {
-		BufferedReader br = null;
-		try {
-			br = new BufferedReader(new FileReader("C:\\test.txt"));
-			System.out.println(br.readLine());
-		}
-		finally {
-			cleanup(br); // 'br' is closed within a helper method
-		}
-	}
-
-	public static void test4() throws IOException {
+	void test3() throws IOException {
 		InputStreamReader reader = null;
 		try {
 			// InputStreamReader may throw an exception, in which case the ...
@@ -50,7 +39,35 @@ class CloseReader {
 		}
 	}

-	public static void test5() throws IOException {
+	void test4() throws IOException {
+		ZipFile zipFile = new ZipFile("file.zip");
+		System.out.println(zipFile.getComment());
+	}
+
+	void testCorrect1() throws IOException {
+		BufferedReader br = null;
+		try {
+			br = new BufferedReader(new FileReader("C:\\test.txt"));
+			System.out.println(br.readLine());
+		}
+		finally {
+			if(br != null)
+				br.close();  // 'br' is closed
+		}
+	}
+
+	void testCorrect2() throws IOException {
+		BufferedReader br = null;
+		try {
+			br = new BufferedReader(new FileReader("C:\\test.txt"));
+			System.out.println(br.readLine());
+		}
+		finally {
+			cleanup(br); // 'br' is closed within a helper method
+		}
+	}
+
+	void testCorrect3() throws IOException {
 		FileInputStream fis = null;
 		InputStreamReader reader = null;
 		try {
@@ -66,7 +83,7 @@ class CloseReader {
 		}
 	}

-	public static void test6() throws IOException {
+	void testCorrect4() throws IOException {
 		BufferedReader br = null;
 		try {
 			br = new BufferedReader(new FileReader("C:\\test.txt"));
@@ -77,15 +94,15 @@ class CloseReader {
 		}
 	}

-	public static void cleanup(java.io.Closeable... closeables) throws IOException {
-		for (java.io.Closeable c : closeables) {
+	void cleanup(Closeable... closeables) throws IOException {
+		for (Closeable c : closeables) {
 			if (c != null) {
 				c.close();
 			}
 		}
 	}

-	public static class LogFile {
+	static class LogFile {
 		private BufferedReader fileRd;
 		LogFile(String path) {
 			FileReader fr = null;
@@ -100,9 +117,21 @@ class CloseReader {
 		private void init(InputStreamReader reader) {
 			fileRd = new BufferedReader(reader);
 		}
-		public void readStuff() throws java.io.IOException {
+		public void readStuff() throws IOException {
 			System.out.println(fileRd.readLine());
 			fileRd.close();
 		}
 	}
+
+	// Classes which should be ignored
+	void testIgnore() throws IOException {
+		Reader r1 = new CharArrayReader(new char[] {'a'});
+		r1.read();
+
+		Reader r2 = new StringReader("a");
+		r2.read();
+
+		InputStream i1 = new ByteArrayInputStream(new byte[] {1});
+		i1.read();
+	}
 }
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref
@@ -1 +1 @@
-Likely Bugs/Resource Leaks/CloseReader.ql
+Likely Bugs/Resource Leaks/CloseReader.ql
--- a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.expected
+++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.expected
@@ -0,0 +1,3 @@
+| CloseWriter.java:17:42:17:71 | new FileWriter(...) | This FileWriter is not always closed on method exit. |
+| CloseWriter.java:22:22:22:53 | new FileOutputStream(...) | This FileOutputStream is not always closed on method exit. |
+| CloseWriter.java:32:6:32:41 | new FileOutputStream(...) | This FileOutputStream is not always closed on method exit. |
--- a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java
+++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java
@@ -0,0 +1,131 @@
+import java.io.BufferedWriter;
+import java.io.ByteArrayOutputStream;
+import java.io.CharArrayWriter;
+import java.io.Closeable;
+import java.io.FileOutputStream;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.StringWriter;
+import java.io.Writer;
+import java.util.zip.ZipFile;
+
+class CloseWriter {
+
+	void test1() throws IOException {
+		BufferedWriter bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+		bw.write("test");
+	}
+
+	void test2() throws IOException {
+		OutputStream out = new FileOutputStream("test.bin");
+		out.write(1);
+	}
+
+	void test3() throws IOException {
+		OutputStreamWriter writer = null;
+		try {
+			// OutputStreamWriter may throw an exception, in which case the ...
+			writer = new OutputStreamWriter(
+					// ... FileOutputStream is not closed by the finally block
+					new FileOutputStream("C:\\test.txt"), "UTF-8");
+			writer.write("test");
+		}
+		finally {
+			if (writer != null)
+				writer.close();
+		}
+	}
+
+	void testCorrect1() throws IOException {
+		BufferedWriter bw = null;
+		try {
+			bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+			bw.write("test");
+		}
+		finally {
+			if(bw != null)
+				bw.close();  // 'bw' is closed
+		}
+	}
+
+	void testCorrect2() throws IOException {
+		BufferedWriter bw = null;
+		try {
+			bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+			bw.write("test");
+		}
+		finally {
+			cleanup(bw); // 'bw' is closed within a helper method
+		}
+	}
+
+	void testCorrect3() throws IOException {
+		FileOutputStream fos = null;
+		OutputStreamWriter writer = null;
+		try {
+			fos = new FileOutputStream("C:\\test.txt");
+			writer = new OutputStreamWriter(fos);
+			writer.write("test");
+		}
+		finally {
+			if (fos != null)
+				fos.close();  // 'fos' is closed
+			if (writer != null)
+				writer.close();  // 'writer' is closed
+		}
+	}
+
+	void testCorrect4() throws IOException {
+		BufferedWriter bw = null;
+		try {
+			bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+			bw.write("test");
+		}
+		finally {
+			cleanup(null, bw); // 'bw' is closed within a varargs helper method, invoked with multiple args
+		}
+	}
+
+	void cleanup(Closeable... closeables) throws IOException {
+		for (Closeable c : closeables) {
+			if (c != null) {
+				c.close();
+			}
+		}
+	}
+
+	static class LogFile {
+		private BufferedWriter fileWr;
+		LogFile(String path) {
+			FileWriter fw = null;
+			try {
+				fw = new FileWriter(path);
+			} catch (IOException e) {
+				System.out.println("Error: File not readable: " + path);
+				System.exit(1);
+			}
+			init(fw);
+		}
+		private void init(OutputStreamWriter writer) {
+			fileWr = new BufferedWriter(writer);
+		}
+		public void writeStuff() throws IOException {
+			fileWr.write("test");
+			fileWr.close();
+		}
+	}
+
+	// Classes which should be ignored
+	void testIgnore() throws IOException {
+		Writer w1 = new CharArrayWriter();
+		w1.write("test");
+
+		Writer w2 = new StringWriter();
+		w2.write("test");
+
+		OutputStream o1 = new ByteArrayOutputStream();
+		o1.write(1);
+	}
+}
--- a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref
+++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref
@@ -0,0 +1 @@
+Likely Bugs/Resource Leaks/CloseWriter.ql
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
@@ -1,19 +1,15 @@
 edges
 | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... |
-| XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... |
 | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... |
 | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) |
 nodes
 | XSS.java:23:5:23:70 | ... + ... | semmle.label | ... + ... |
 | XSS.java:23:21:23:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| XSS.java:27:5:27:70 | ... + ... | semmle.label | ... + ... |
-| XSS.java:27:21:27:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | XSS.java:38:30:38:87 | ... + ... | semmle.label | ... + ... |
 | XSS.java:38:67:38:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
 | XSS.java:41:36:41:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
 | XSS.java:41:36:41:67 | getBytes(...) | semmle.label | getBytes(...) |
 #select
 | XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value |
-| XSS.java:27:5:27:70 | ... + ... | XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:27:21:27:48 | getParameter(...) | user-provided value |
 | XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value |
 | XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value |
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
@@ -22,7 +22,7 @@ public class XSS extends HttpServlet {
 		response.getWriter().print(
 				"The page \"" + request.getParameter("page") + "\" was not found.");

-		// BAD: a request parameter is written directly to an error response page
+		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + request.getParameter("page") + "\" was not found.");

@@ -30,7 +30,7 @@ public class XSS extends HttpServlet {
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + encodeForHtml(request.getParameter("page")) + "\" was not found.");
 		
-		// FALSE NEGATIVE: passed through function that is not a secure check
+		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
 		
--- a/java/ql/test/query-tests/security/CWE-502/KryoTest.java
+++ b/java/ql/test/query-tests/security/CWE-502/KryoTest.java
@@ -0,0 +1,34 @@
+
+import java.io.*;
+import java.net.Socket;
+import com.esotericsoftware.kryo.Kryo;
+import com.esotericsoftware.kryo.pool.KryoPool;
+import com.esotericsoftware.kryo.io.Input;
+
+public class KryoTest {
+
+    private Kryo getSafeKryo() {
+        Kryo kryo = new Kryo();
+        kryo.setRegistrationRequired(true);
+        // ... kryo.register(A.class) ...
+        return kryo;
+    }
+
+    public void kryoDeserialize(Socket sock) throws java.io.IOException {
+        KryoPool kryoPool = new KryoPool.Builder(this::getSafeKryo).softReferences().build();
+        Input input = new Input(sock.getInputStream());
+        Object o = kryoPool.run(kryo -> kryo.readClassAndObject(input)); // OK
+    }
+
+    public void kryoDeserialize2(Socket sock) throws java.io.IOException {
+        KryoPool kryoPool = new KryoPool.Builder(this::getSafeKryo).softReferences().build();
+        Input input = new Input(sock.getInputStream());
+        Kryo k = kryoPool.borrow();
+        try {
+            Object o = k.readClassAndObject(input); // OK
+        } finally {
+            kryoPool.release(k);
+        }
+    }
+
+}