hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 20:25:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

[TEST] Java: CWE-020/ExternalAPI: new test based on qhelp

Browse Source
This commit is contained in:
Nora Dimitrijević
2025-07-15 11:05:25 +02:00
parent 1485d7072d
commit 5c2cf79785
6 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java Normal file
View File

@@ -0,0 +1,14 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import java.io.IOException;
public class ExternalAPISinkExample extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// BAD: a request parameter is written directly to an error response page
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
}
}

19
java/ql/test/query-tests/security/CWE-020/ExternalAPITaintStepExample.java Normal file
View File

@@ -0,0 +1,19 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import java.io.IOException;
public class ExternalAPITaintStepExample extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
StringBuilder sqlQueryBuilder = new StringBuilder();
sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
// BAD: a request parameter is concatenated directly into a SQL query
sqlQueryBuilder.append(request.getParameter("user_id"));
sqlQueryBuilder.append("'");
// ...
}
}

1
java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.expected Normal file
View File

@@ -0,0 +1 @@
| javax.servlet.http.HttpServletResponse.sendError(int,java.lang.String) [param 1] | 1 | 1 |

1
java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql

11
java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.expected Normal file
View File

@@ -0,0 +1,11 @@
#select
| ExternalAPISinkExample.java:12:5:12:70 | ... + ... | ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | ExternalAPISinkExample.java:12:5:12:70 | ... + ... | Call to javax.servlet.http.HttpServletResponse.sendError with untrusted data from $@. | ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | getParameter(...) : String |
edges
| ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | ExternalAPISinkExample.java:12:5:12:70 | ... + ... | provenance | Src:MaD:2 Sink:MaD:1 |
models
| 1 | Sink: javax.servlet.http; HttpServletResponse; false; sendError; (int,String); ; Argument[1]; information-leak; manual |
| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
nodes
| ExternalAPISinkExample.java:12:5:12:70 | ... + ... | semmle.label | ... + ... |
| ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
subpaths

4
java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql