From 65655db77bfcbdccfdaffa4f6f396204f24ef7e7 Mon Sep 17 00:00:00 2001 
From: Philip Ginsbach Date: Wed, 26 Jun 2024 15:27:59 +0100 Subject: [PATCH] java inline expectations prototype with tests --- .../TestUtilities/JavaInlineExpectations.ql | 88 +++++++++++++++++++ .../ProblematicJavaInlineExpectations1.ql | 1 + .../ProblematicJavaInlineExpectations2.ql | 3 + .../ProblematicJavaInlineExpectations3.ql | 3 + .../ProblematicJavaInlineExpectations4.ql | 3 + .../ProblematicJavaInlineExpectations5.ql | 1 + .../ProblematicJavaInlineExpectations6.ql | 1 + .../ProblematicJavaInlineExpectations7.ql | 6 ++ .../failing/OverlyLargeRangeQuery.expected | 0 .../failing/OverlyLargeRangeQuery.qlref | 2 + .../failing/SuspiciousRegexpRange.java | 37 ++++++++ .../passing/OverlyLargeRangeQuery.expected | 0 .../passing/OverlyLargeRangeQuery.qlref | 2 + .../passing/SuspiciousRegexpRange.java | 37 ++++++++ .../OverlyLargeRangeQuery.expected | 2 + .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 37 ++++++++ .../OverlyLargeRangeQuery.expected | 1 + .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 37 ++++++++ .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../OverlyLargeRangeQuery.qlref | 2 + .../SuspiciousRegexpRange.java | 0 .../OverlyLargeRangeQuery.expected | 0 .../unrecognised/OverlyLargeRangeQuery.qlref | 2 + .../unrecognised/SuspiciousRegexpRange.java | 37 
++++++++ 44 files changed, 318 insertions(+) create mode 100644 java/ql/test/TestUtilities/JavaInlineExpectations.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations1.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations2.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations3.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations4.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations5.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations6.ql create mode 100644 java/ql/test/TestUtilities/ProblematicJavaInlineExpectations7.ql create mode 100644 java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/failing/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/passing/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/passingWithDiff/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/SuspiciousRegexpRange.java create mode 100644 
java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug1/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug2/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug3/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug4/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug5/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug6/SuspiciousRegexpRange.java create mode 100644 
java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/postprocessingBug7/SuspiciousRegexpRange.java create mode 100644 java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.expected create mode 100644 java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.qlref create mode 100644 java/ql/test/query-tests/Postprocessing/unrecognised/SuspiciousRegexpRange.java
diff --git a/java/ql/test/TestUtilities/JavaInlineExpectations.ql b/java/ql/test/TestUtilities/JavaInlineExpectations.ql
new file mode 100644
index 00000000000..1528581ddfe
--- /dev/null
+++ b/java/ql/test/TestUtilities/JavaInlineExpectations.ql
@@ -0,0 +1,88 @@ +import java + +external predicate queryResults(string relation, int row, int column, string data); + +string actualLines() { + exists(int i | + queryResults("#select", i, _, _) and + result = + " | " + + concat(int j, string cell | queryResults("#select", i, j, cell) | cell, " | " order by j) + + " | " + ) +} + +predicate parsedExpectedResults(string filename, int line, string content) { + exists(Javadoc doc | + isEolComment(doc) and + filename = doc.getLocation().getFile().getBaseName() and + line = doc.getLocation().getStartLine() and + line = doc.getLocation().getEndLine() and + content = doc.getChild(0).getText().trim() + ) +} + +predicate expectError(string filename, int line) { + exists(string content | + parsedExpectedResults(filename, line, content) and content.indexOf("NOT OK") = 0 + ) +} + +predicate expectPass(string filename, int line) { + exists(string content | + parsedExpectedResults(filename, line, content) and content.indexOf("OK") = 0 + ) +} + +predicate parsedActualResults(string filename, int line, int colStart, int colEnd, string content) { + exists(string s, string posString, string lineString | + s = actualLines() and + posString = s.substring(s.indexOf("|", 0, 0) + 1, s.indexOf("|", 1, 0)).trim() and + filename = posString.substring(0, posString.indexOf(":", 0, 0)) and + lineString = posString.substring(posString.indexOf(":", 0, 0) + 1, posString.indexOf(":", 1, 0)) and + lineString = posString.substring(posString.indexOf(":", 2, 0) + 1, posString.indexOf(":", 3, 0)) and + colStart = + posString.substring(posString.indexOf(":", 1, 0) + 1, posString.indexOf(":", 2, 0)).toInt() and + colEnd = posString.substring(posString.indexOf(":", 3, 0) + 1, posString.length()).toInt() and + line = lineString.toInt() and + content = s.substring(s.indexOf("|", 2, 0) + 1, s.indexOf("|", 3, 0)).trim() + ) +} + +predicate actualExpectedDiff(string type, string position, string error) { + exists(string filename, int line, int colStart, int 
colEnd |
+ parsedActualResults(filename, line, colStart, colEnd, error) and
+ expectPass(filename, line) and
+ type = "unexpected alert" and
+ position = filename + ":" + line + ":" + colStart + ":" + line + ":" + colEnd
+ )
+ or
+ exists(string filename, int line |
+ expectError(filename, line) and
+ not parsedActualResults(filename, line, _, _, _) and
+ type = "expected alert" and
+ position = filename + ":" + line and
+ parsedExpectedResults(filename, line, error)
+ )
+ or
+ exists(string filename, int line, string content |
+ parsedExpectedResults(filename, line, content) and
+ not expectPass(filename, line) and
+ not expectError(filename, line) and
+ type = "invalid inline expectation" and
+ position = filename + ":" + line and
+ error = content
+ )
+}
+
+from int line, string position, int column, string content
+where
+ position = rank[line](string p | actualExpectedDiff(_, p, _) | p) and
+ (
+ column = 0 and content = position
+ or
+ column = 1 and actualExpectedDiff(content, position, _)
+ or
+ column = 2 and actualExpectedDiff(_, position, content)
+ )
+select "#select", line, column, content
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations1.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations1.ql
new file mode 100644
index 00000000000..e6298ada4ea
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations1.ql
@@ -0,0 +1 @@
+query predicate resultRelations(string name) { name = "#select" }
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations2.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations2.ql
new file mode 100644
index 00000000000..8e3f0f4d5a0
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations2.ql
@@ -0,0 +1,3 @@
+query predicate learnEdits(string name) { none() }
+
+select "#select", 1, 1, "foo"
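Review bot: In the first disjunct of actualExpectedDiff an alert is reported as "unexpected alert" only when the line carries an `OK` expectation, so an alert on a line with no inline comment at all, or with an unrecognised one, is silently accepted; replacing `expectPass(filename, line) and` with `not expectError(filename, line) and` makes every alert that is not explicitly expected show up as a diff. parsedActualResults also binds `lineString` to both the start-line and the end-line field of the location, so a result spanning more than one line drops out of parsedActualResults entirely and a `NOT OK` on its first line is then reported as a missing "expected alert". Rebuilding each `#select` row as a `" | "`-joined string in actualLines() and splitting it on `|` again truncates any message that itself contains `|`; reading the cells directly, e.g. `queryResults("#select", i, 0, posString)` and `queryResults("#select", i, 2, content)`, avoids the round trip (this assumes the external predicate's column index is 0-based, as the query's own select output is; worth confirming).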
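Review bot: ProblematicJavaInlineExpectations1.ql carries no comment saying which postprocessing failure it is meant to provoke, and the same holds for its siblings 2 to 7 in the following hunks, whose intent has to be reverse-engineered from the body (the five-column `resultRelations` in 4, the string row index in 5, the set-valued cell in 6, the missing (2,2) cell in 7). A one-line header in each file, e.g. `// Postprocessing query that declares resultRelations but has no select clause` for this one, would make the postprocessingBug* test directories that reference them self-explanatory.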
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations3.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations3.ql
new file mode 100644
index 00000000000..48467f78a16
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations3.ql
@@ -0,0 +1,3 @@
+query predicate extraQuery(string name) { none() }
+
+select "#select", 1, 1, "foo"
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations4.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations4.ql
new file mode 100644
index 00000000000..531b88e2bfe
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations4.ql
@@ -0,0 +1,3 @@
+query predicate resultRelations(string name, int arity) { name = "#select" and arity = 5 }
+
+select "#select", 1, 1, "foo"
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations5.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations5.ql
new file mode 100644
index 00000000000..c12ce4a11bb
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations5.ql
@@ -0,0 +1 @@
+select "#select", "1", 1, "foo"
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations6.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations6.ql
new file mode 100644
index 00000000000..663da98464d
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations6.ql
@@ -0,0 +1 @@
+select "#select", 1, 1, ["foo", "bar"]
diff --git a/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations7.ql b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations7.ql
new file mode 100644
index 00000000000..ea6572630ca
--- /dev/null
+++ b/java/ql/test/TestUtilities/ProblematicJavaInlineExpectations7.ql
@@ -0,0 +1,6 @@
+from int i, int j
+where
+ i in [1, 2] and
+ j in [1, 2] and
+ not (i = 2 and j = 2)
+select "#select", i, j, "foo"
diff --git a/java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..147042ad6d3
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql
diff --git a/java/ql/test/query-tests/Postprocessing/failing/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/failing/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..9214d6fe0d1
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/failing/SuspiciousRegexpRange.java
@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+ void test() {
+ Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+ Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // OK
+
+ Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+ Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // NOT OK
+
+ Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+ Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+ Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+ Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+ Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+ Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+ Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+ Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+ Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+ Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+ Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+ Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+ }
+}
diff --git a/java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..147042ad6d3
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql
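Review bot: The `nested` line's comment reads `// OK, the dash it at the end`; it should be `// OK, the dash is at the end`, and the same typo is carried into the copies of this fixture in the passing, passingWithDiff, passingWithUnrecognised and unrecognised hunks below. This copy is byte-identical to the passingWithDiff one (blob 9214d6fe0d1), and the passingWithUnrecognised and unrecognised copies share blob 3808441dda8, so only the directory name says what each case exercises. A leading comment in each copy, e.g. `// Postprocessing test: the inline expectations deliberately disagree with the query; with an empty .expected the run is meant to fail` here (presumably, given the directory name and the empty .expected), would document that in the file itself.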
diff --git a/java/ql/test/query-tests/Postprocessing/passing/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/passing/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e3fbc077817
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passing/SuspiciousRegexpRange.java
@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+ void test() {
+ Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+ Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+ Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+ Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+ Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+ Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+ Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+ Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+ Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+ Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+ Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+ Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+ Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+ Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+ Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+ Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+ }
+}
diff --git a/java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..ee03d8e133a
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.expected
@@ -0,0 +1,2 @@
+| SuspiciousRegexpRange.java:11 | expected alert | NOT OK |
+| SuspiciousRegexpRange.java:7:49:7:51 | unexpected alert | Suspicious character range that overlaps with A-Z in the same character class, and is equivalent to [A-Z\\[\\\\\\]^_`a-z]. |
diff --git a/java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..147042ad6d3
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql
diff --git a/java/ql/test/query-tests/Postprocessing/passingWithDiff/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/passingWithDiff/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..9214d6fe0d1
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passingWithDiff/SuspiciousRegexpRange.java
@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+ void test() {
+ Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+ Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // OK
+
+ Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+ Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // NOT OK
+
+ Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+ Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+ Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+ Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+ Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+ Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+ Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+ Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+ Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+ Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+ Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+ Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+ }
+}
diff --git a/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..444c36694ce
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.expected
@@ -0,0 +1 @@
+| SuspiciousRegexpRange.java:13 | invalid inline expectation | IS OK - used to select most printable ASCII characters |
diff --git a/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..147042ad6d3
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql
diff --git a/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..3808441dda8
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/SuspiciousRegexpRange.java
@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+ void test() {
+ Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+ Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+ Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+ Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+ Pattern printable = Pattern.compile("[!-~]*"); // IS OK - used to select most printable ASCII characters
+
+ Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+ Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+ Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+ Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+ Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+ Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+ Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+ Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+ Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+ Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+ Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+ }
+}
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..601bf119f00
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations1.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug1/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug1/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..d0355f59b35
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug2/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations2.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug2/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug2/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..36ef536a096
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug3/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations3.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug3/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug3/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..2afef8d6ae3
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug4/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations4.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug4/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug4/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..4ad83bc16d7
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug5/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations5.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug5/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug5/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..faa8221589d
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug6/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations6.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug6/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug6/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..d77525b17cc
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/postprocessingBug7/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations7.ql
diff --git a/java/ql/test/query-tests/Postprocessing/postprocessingBug7/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/postprocessingBug7/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.expected b/java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.qlref
new file mode 100644
index 00000000000..147042ad6d3
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/unrecognised/OverlyLargeRangeQuery.qlref
@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql
diff --git a/java/ql/test/query-tests/Postprocessing/unrecognised/SuspiciousRegexpRange.java b/java/ql/test/query-tests/Postprocessing/unrecognised/SuspiciousRegexpRange.java
new file mode 100644
index 00000000000..3808441dda8
--- /dev/null
+++ b/java/ql/test/query-tests/Postprocessing/unrecognised/SuspiciousRegexpRange.java
@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+ void test() {
+ Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+ Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+ Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+ Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+ Pattern printable = Pattern.compile("[!-~]*"); // IS OK - used to select most printable ASCII characters
+
+ Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+ Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+ Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+ Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+ Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+ Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+ Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+ Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+ Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+ Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+ Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+ }
+}