Merge branch 'main' into operation_step_refactor

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -323,6 +323,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
+  }
 }
 
 module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -47,18 +47,6 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
     node instanceof SimpleTypeSanitizer or
     node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |
-      regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()
-    |
-      result = sink.getLocation()
-      or
-      result = regexp.getLocation()
-    )
-  }
 }
 
 module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected

@@ -0,0 +1,474 @@
+#select
+| TaintedPath.java:16:71:16:78 | filename | TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | TaintedPath.java:16:71:16:78 | filename | This path depends on a $@. | TaintedPath.java:13:58:13:78 | getInputStream(...) | user-provided value |
+| Test.java:37:52:37:68 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:37:52:37:68 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:39:32:39:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:39:32:39:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:41:47:41:63 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:41:47:41:63 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:43:10:43:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:43:10:43:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:45:10:45:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:45:10:45:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:47:10:47:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:47:10:47:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:49:10:49:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:49:10:49:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:51:39:51:53 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:51:39:51:53 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:53:10:53:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:53:10:53:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:55:10:55:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:55:10:55:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:57:10:57:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:57:10:57:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:59:10:59:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:59:10:59:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:61:10:61:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:61:10:61:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:63:10:63:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:63:10:63:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:65:10:65:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:65:10:65:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:67:10:67:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:67:10:67:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:69:31:69:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:69:31:69:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:71:10:71:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:71:10:71:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:73:10:73:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:73:10:73:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:75:10:75:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:75:10:75:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:77:10:77:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:77:10:77:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:79:10:79:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:79:10:79:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:81:10:81:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:81:10:81:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:83:31:83:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:83:31:83:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:85:29:85:43 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:85:29:85:43 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:87:29:87:53 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:87:29:87:53 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:89:29:89:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:89:29:89:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:91:24:91:38 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:91:24:91:38 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:93:24:93:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:93:24:93:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:95:24:95:38 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:95:24:95:38 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:97:24:97:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:97:24:97:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:99:24:99:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:99:24:99:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:101:20:101:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:101:20:101:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:102:20:102:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:102:20:102:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:104:33:104:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:104:33:104:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:105:40:105:54 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:105:40:105:54 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:107:33:107:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:107:33:107:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:109:31:109:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:109:31:109:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:111:26:111:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:111:26:111:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:113:26:113:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:113:26:113:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:115:34:115:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:115:34:115:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:117:35:117:49 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:117:35:117:49 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:119:30:119:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:119:30:119:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:121:22:121:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:121:22:121:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:123:30:123:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:123:30:123:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:125:21:125:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:125:21:125:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:127:26:127:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:127:26:127:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:129:33:129:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:129:33:129:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:131:33:131:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:131:33:131:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:132:33:132:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:132:33:132:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:134:31:134:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:134:31:134:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:136:21:136:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:136:21:136:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:137:21:137:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:137:21:137:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:138:21:138:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:138:21:138:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:140:27:140:41 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:140:27:140:41 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:141:27:141:41 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:141:27:141:41 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:143:26:143:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:143:26:143:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:145:35:145:49 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:145:35:145:49 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:147:41:147:57 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:147:41:147:57 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:149:45:149:61 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:149:45:149:61 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:151:43:151:57 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:151:43:151:57 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:153:28:153:42 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:153:28:153:42 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:155:41:155:55 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:155:41:155:55 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:160:30:160:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:160:30:160:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:162:40:162:81 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:162:40:162:81 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:164:34:164:75 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:164:34:164:75 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:166:34:166:75 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:166:34:166:75 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:168:23:168:37 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:168:23:168:37 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:181:23:181:37 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:181:23:181:37 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:186:23:186:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:186:23:186:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:188:20:188:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:188:20:188:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:190:21:190:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:190:21:190:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:192:22:192:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:192:22:192:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:197:20:197:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:197:20:197:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:199:19:199:33 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:199:19:199:33 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+| Test.java:204:20:204:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:204:20:204:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
+edges
+| TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | provenance |  |
+| TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | provenance | MaD:74 |
+| TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:72 MaD:76 |
+| TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | TaintedPath.java:14:27:14:51 | readLine(...) : String | provenance | MaD:75 |
+| TaintedPath.java:14:27:14:51 | readLine(...) : String | TaintedPath.java:16:71:16:78 | filename | provenance | Sink:MaD:27 |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:37:61:37:68 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:39:41:39:48 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:41:56:41:63 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:43:17:43:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:45:17:45:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:47:17:47:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:49:17:49:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:51:46:51:53 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:53:17:53:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:55:17:55:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:57:17:57:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:59:17:59:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:61:17:61:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:63:17:63:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:65:17:65:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:67:17:67:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:69:38:69:45 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:71:17:71:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:73:17:73:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:75:17:75:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:77:17:77:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:79:17:79:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:81:17:81:24 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:83:38:83:45 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:85:36:85:43 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:87:46:87:53 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:89:38:89:45 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:91:31:91:38 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:93:41:93:48 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:95:31:95:38 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:97:33:97:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:99:33:99:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:101:27:101:34 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:102:27:102:34 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:104:40:104:47 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:105:47:105:54 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:107:40:107:47 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:109:38:109:45 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:111:33:111:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:113:33:113:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:115:41:115:48 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:117:42:117:49 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:119:37:119:44 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:121:29:121:36 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:123:37:123:44 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:125:28:125:35 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:127:33:127:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:129:40:129:47 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:131:40:131:47 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:132:40:132:47 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:134:38:134:45 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:136:28:136:35 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:137:28:137:35 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:138:28:138:35 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:140:34:140:41 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:141:34:141:41 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:143:33:143:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:145:42:145:49 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:147:50:147:57 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:149:54:149:61 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:151:50:151:57 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:153:35:153:42 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:155:48:155:55 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:160:37:160:44 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:162:74:162:81 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:164:68:164:75 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:166:68:166:75 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:168:30:168:37 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:181:30:181:37 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:186:33:186:40 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:188:27:188:34 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:190:28:190:35 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:192:29:192:36 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:197:27:197:34 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:199:26:199:33 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:204:29:204:36 | source(...) : String | provenance | Src:MaD:73  |
+| Test.java:37:61:37:68 | source(...) : String | Test.java:37:52:37:68 | (...)... | provenance | Sink:MaD:31 |
+| Test.java:39:41:39:48 | source(...) : String | Test.java:39:32:39:48 | (...)... | provenance | Sink:MaD:29 |
+| Test.java:41:56:41:63 | source(...) : String | Test.java:41:47:41:63 | (...)... | provenance | Sink:MaD:30 |
+| Test.java:43:17:43:24 | source(...) : String | Test.java:43:10:43:24 | (...)... | provenance | Sink:MaD:1 |
+| Test.java:45:17:45:24 | source(...) : String | Test.java:45:10:45:24 | (...)... | provenance | Sink:MaD:2 |
+| Test.java:47:17:47:24 | source(...) : String | Test.java:47:10:47:24 | (...)... | provenance | Sink:MaD:3 |
+| Test.java:49:17:49:24 | source(...) : String | Test.java:49:10:49:24 | (...)... | provenance | Sink:MaD:4 |
+| Test.java:51:46:51:53 | source(...) : String | Test.java:51:39:51:53 | (...)... | provenance | Sink:MaD:5 |
+| Test.java:53:17:53:24 | source(...) : String | Test.java:53:10:53:24 | (...)... | provenance | Sink:MaD:6 |
+| Test.java:55:17:55:24 | source(...) : String | Test.java:55:10:55:24 | (...)... | provenance | Sink:MaD:7 |
+| Test.java:57:17:57:24 | source(...) : String | Test.java:57:10:57:24 | (...)... | provenance | Sink:MaD:8 |
+| Test.java:59:17:59:24 | source(...) : String | Test.java:59:10:59:24 | (...)... | provenance | Sink:MaD:9 |
+| Test.java:61:17:61:24 | source(...) : String | Test.java:61:10:61:24 | (...)... | provenance | Sink:MaD:10 |
+| Test.java:63:17:63:24 | source(...) : String | Test.java:63:10:63:24 | (...)... | provenance | Sink:MaD:11 |
+| Test.java:65:17:65:24 | source(...) : String | Test.java:65:10:65:24 | (...)... | provenance | Sink:MaD:12 |
+| Test.java:67:17:67:24 | source(...) : String | Test.java:67:10:67:24 | (...)... | provenance | Sink:MaD:13 |
+| Test.java:69:38:69:45 | source(...) : String | Test.java:69:31:69:45 | (...)... | provenance | Sink:MaD:14 |
+| Test.java:71:17:71:24 | source(...) : String | Test.java:71:10:71:24 | (...)... | provenance | Sink:MaD:15 |
+| Test.java:73:17:73:24 | source(...) : String | Test.java:73:10:73:24 | (...)... | provenance | Sink:MaD:16 |
+| Test.java:75:17:75:24 | source(...) : String | Test.java:75:10:75:24 | (...)... | provenance | Sink:MaD:17 |
+| Test.java:77:17:77:24 | source(...) : String | Test.java:77:10:77:24 | (...)... | provenance | Sink:MaD:19 |
+| Test.java:79:17:79:24 | source(...) : String | Test.java:79:10:79:24 | (...)... | provenance | Sink:MaD:18 |
+| Test.java:81:17:81:24 | source(...) : String | Test.java:81:10:81:24 | (...)... | provenance | Sink:MaD:20 |
+| Test.java:83:38:83:45 | source(...) : String | Test.java:83:31:83:45 | (...)... | provenance | Sink:MaD:14 |
+| Test.java:85:36:85:43 | source(...) : String | Test.java:85:29:85:43 | (...)... | provenance | Sink:MaD:21 |
+| Test.java:87:46:87:53 | source(...) : String | Test.java:87:29:87:53 | (...)... | provenance | Sink:MaD:22 |
+| Test.java:89:38:89:45 | source(...) : String | Test.java:89:29:89:45 | (...)... | provenance | Sink:MaD:23 |
+| Test.java:91:31:91:38 | source(...) : String | Test.java:91:24:91:38 | (...)... | provenance | Sink:MaD:24 |
+| Test.java:93:41:93:48 | source(...) : String | Test.java:93:24:93:48 | (...)... | provenance | Sink:MaD:26 |
+| Test.java:95:31:95:38 | source(...) : String | Test.java:95:24:95:38 | (...)... | provenance | Sink:MaD:25 |
+| Test.java:97:33:97:40 | source(...) : String | Test.java:97:24:97:40 | (...)... | provenance | Sink:MaD:27 |
+| Test.java:99:33:99:40 | source(...) : String | Test.java:99:24:99:40 | (...)... | provenance | Sink:MaD:28 |
+| Test.java:101:27:101:34 | source(...) : String | Test.java:101:20:101:34 | (...)... | provenance | Sink:MaD:34 |
+| Test.java:102:27:102:34 | source(...) : String | Test.java:102:20:102:34 | (...)... | provenance | Sink:MaD:33 |
+| Test.java:104:40:104:47 | source(...) : String | Test.java:104:33:104:47 | (...)... | provenance | Sink:MaD:35 |
+| Test.java:105:47:105:54 | source(...) : String | Test.java:105:40:105:54 | (...)... | provenance | Sink:MaD:32 |
+| Test.java:107:40:107:47 | source(...) : String | Test.java:107:33:107:47 | (...)... | provenance | Sink:MaD:36 |
+| Test.java:109:38:109:45 | source(...) : String | Test.java:109:31:109:45 | (...)... | provenance | Sink:MaD:37 |
+| Test.java:111:33:111:40 | source(...) : String | Test.java:111:26:111:40 | (...)... | provenance | Sink:MaD:38 |
+| Test.java:113:33:113:40 | source(...) : String | Test.java:113:26:113:40 | (...)... | provenance | Sink:MaD:39 |
+| Test.java:115:41:115:48 | source(...) : String | Test.java:115:34:115:48 | (...)... | provenance | Sink:MaD:40 |
+| Test.java:117:42:117:49 | source(...) : String | Test.java:117:35:117:49 | (...)... | provenance | Sink:MaD:41 |
+| Test.java:119:37:119:44 | source(...) : String | Test.java:119:30:119:44 | (...)... | provenance | Sink:MaD:42 |
+| Test.java:121:29:121:36 | source(...) : String | Test.java:121:22:121:36 | (...)... | provenance | Sink:MaD:43 |
+| Test.java:123:37:123:44 | source(...) : String | Test.java:123:30:123:44 | (...)... | provenance | Sink:MaD:44 |
+| Test.java:125:28:125:35 | source(...) : String | Test.java:125:21:125:35 | (...)... | provenance | Sink:MaD:45 |
+| Test.java:127:33:127:40 | source(...) : String | Test.java:127:26:127:40 | (...)... | provenance | Sink:MaD:46 |
+| Test.java:129:40:129:47 | source(...) : String | Test.java:129:33:129:47 | (...)... | provenance | Sink:MaD:47 |
+| Test.java:131:40:131:47 | source(...) : String | Test.java:131:33:131:47 | (...)... | provenance | Sink:MaD:48 |
+| Test.java:132:40:132:47 | source(...) : String | Test.java:132:33:132:47 | (...)... | provenance | Sink:MaD:48 |
+| Test.java:134:38:134:45 | source(...) : String | Test.java:134:31:134:45 | (...)... | provenance | Sink:MaD:49 |
+| Test.java:136:28:136:35 | source(...) : String | Test.java:136:21:136:35 | (...)... | provenance | Sink:MaD:50 |
+| Test.java:137:28:137:35 | source(...) : String | Test.java:137:21:137:35 | (...)... | provenance | Sink:MaD:50 |
+| Test.java:138:28:138:35 | source(...) : String | Test.java:138:21:138:35 | (...)... | provenance | Sink:MaD:50 |
+| Test.java:140:34:140:41 | source(...) : String | Test.java:140:27:140:41 | (...)... | provenance | Sink:MaD:51 |
+| Test.java:141:34:141:41 | source(...) : String | Test.java:141:27:141:41 | (...)... | provenance | Sink:MaD:51 |
+| Test.java:143:33:143:40 | source(...) : String | Test.java:143:26:143:40 | (...)... | provenance | Sink:MaD:52 |
+| Test.java:145:42:145:49 | source(...) : String | Test.java:145:35:145:49 | (...)... | provenance | Sink:MaD:53 |
+| Test.java:147:50:147:57 | source(...) : String | Test.java:147:41:147:57 | (...)... | provenance | Sink:MaD:65 |
+| Test.java:149:54:149:61 | source(...) : String | Test.java:149:45:149:61 | (...)... | provenance | Sink:MaD:66 |
+| Test.java:151:50:151:57 | source(...) : String | Test.java:151:43:151:57 | (...)... | provenance | Sink:MaD:71 |
+| Test.java:153:35:153:42 | source(...) : String | Test.java:153:28:153:42 | (...)... | provenance | Sink:MaD:69 |
+| Test.java:155:48:155:55 | source(...) : String | Test.java:155:41:155:55 | (...)... | provenance | Sink:MaD:70 |
+| Test.java:160:37:160:44 | source(...) : String | Test.java:160:30:160:44 | (...)... | provenance | Sink:MaD:63 |
+| Test.java:162:74:162:81 | source(...) : String | Test.java:162:40:162:81 | (...)... | provenance | Sink:MaD:60 |
+| Test.java:164:68:164:75 | source(...) : String | Test.java:164:34:164:75 | (...)... | provenance | Sink:MaD:62 |
+| Test.java:166:68:166:75 | source(...) : String | Test.java:166:34:166:75 | (...)... | provenance | Sink:MaD:61 |
+| Test.java:168:30:168:37 | source(...) : String | Test.java:168:23:168:37 | (...)... | provenance | Sink:MaD:67 |
+| Test.java:181:30:181:37 | source(...) : String | Test.java:181:23:181:37 | (...)... | provenance | Sink:MaD:64 |
+| Test.java:186:33:186:40 | source(...) : String | Test.java:186:23:186:40 | (...)... | provenance | Sink:MaD:54 |
+| Test.java:188:27:188:34 | source(...) : String | Test.java:188:20:188:34 | (...)... | provenance | Sink:MaD:55 |
+| Test.java:190:28:190:35 | source(...) : String | Test.java:190:21:190:35 | (...)... | provenance | Sink:MaD:56 |
+| Test.java:192:29:192:36 | source(...) : String | Test.java:192:22:192:36 | (...)... | provenance | Sink:MaD:57 |
+| Test.java:197:27:197:34 | source(...) : String | Test.java:197:20:197:34 | (...)... | provenance | Sink:MaD:58 |
+| Test.java:199:26:199:33 | source(...) : String | Test.java:199:19:199:33 | (...)... | provenance | Sink:MaD:59 |
+| Test.java:204:29:204:36 | source(...) : String | Test.java:204:20:204:36 | (...)... | provenance | Sink:MaD:68 |
+models
+| 1 | Sink: java.io; File; true; canExecute; (); ; Argument[this]; path-injection; manual |
+| 2 | Sink: java.io; File; true; canRead; (); ; Argument[this]; path-injection; manual |
+| 3 | Sink: java.io; File; true; canWrite; (); ; Argument[this]; path-injection; manual |
+| 4 | Sink: java.io; File; true; createNewFile; (); ; Argument[this]; path-injection; ai-manual |
+| 5 | Sink: java.io; File; true; createTempFile; (String,String,File); ; Argument[2]; path-injection; ai-manual |
+| 6 | Sink: java.io; File; true; delete; (); ; Argument[this]; path-injection; manual |
+| 7 | Sink: java.io; File; true; deleteOnExit; (); ; Argument[this]; path-injection; manual |
+| 8 | Sink: java.io; File; true; exists; (); ; Argument[this]; path-injection; manual |
+| 9 | Sink: java.io; File; true; isDirectory; (); ; Argument[this]; path-injection; manual |
+| 10 | Sink: java.io; File; true; isFile; (); ; Argument[this]; path-injection; manual |
+| 11 | Sink: java.io; File; true; isHidden; (); ; Argument[this]; path-injection; manual |
+| 12 | Sink: java.io; File; true; mkdir; (); ; Argument[this]; path-injection; manual |
+| 13 | Sink: java.io; File; true; mkdirs; (); ; Argument[this]; path-injection; manual |
+| 14 | Sink: java.io; File; true; renameTo; (File); ; Argument[0]; path-injection; ai-manual |
+| 15 | Sink: java.io; File; true; renameTo; (File); ; Argument[this]; path-injection; ai-manual |
+| 16 | Sink: java.io; File; true; setExecutable; ; ; Argument[this]; path-injection; manual |
+| 17 | Sink: java.io; File; true; setLastModified; ; ; Argument[this]; path-injection; manual |
+| 18 | Sink: java.io; File; true; setReadOnly; ; ; Argument[this]; path-injection; manual |
+| 19 | Sink: java.io; File; true; setReadable; ; ; Argument[this]; path-injection; manual |
+| 20 | Sink: java.io; File; true; setWritable; ; ; Argument[this]; path-injection; manual |
+| 21 | Sink: java.io; FileInputStream; true; FileInputStream; (File); ; Argument[0]; path-injection; ai-manual |
+| 22 | Sink: java.io; FileInputStream; true; FileInputStream; (FileDescriptor); ; Argument[0]; path-injection; manual |
+| 23 | Sink: java.io; FileInputStream; true; FileInputStream; (String); ; Argument[0]; path-injection; ai-manual |
+| 24 | Sink: java.io; FileReader; true; FileReader; (File); ; Argument[0]; path-injection; ai-manual |
+| 25 | Sink: java.io; FileReader; true; FileReader; (File,Charset); ; Argument[0]; path-injection; manual |
+| 26 | Sink: java.io; FileReader; true; FileReader; (FileDescriptor); ; Argument[0]; path-injection; manual |
+| 27 | Sink: java.io; FileReader; true; FileReader; (String); ; Argument[0]; path-injection; ai-manual |
+| 28 | Sink: java.io; FileReader; true; FileReader; (String,Charset); ; Argument[0]; path-injection; manual |
+| 29 | Sink: java.lang; Class; false; getResource; (String); ; Argument[0]; path-injection; ai-manual |
+| 30 | Sink: java.lang; ClassLoader; true; getSystemResourceAsStream; (String); ; Argument[0]; path-injection; ai-manual |
+| 31 | Sink: java.lang; Module; true; getResourceAsStream; (String); ; Argument[0]; path-injection; ai-manual |
+| 32 | Sink: java.nio.file; Files; false; copy; (InputStream,Path,CopyOption[]); ; Argument[1]; path-injection; manual |
+| 33 | Sink: java.nio.file; Files; false; copy; (Path,OutputStream); ; Argument[0]; path-injection; manual |
+| 34 | Sink: java.nio.file; Files; false; copy; (Path,Path,CopyOption[]); ; Argument[0]; path-injection; manual |
+| 35 | Sink: java.nio.file; Files; false; copy; (Path,Path,CopyOption[]); ; Argument[1]; path-injection; manual |
+| 36 | Sink: java.nio.file; Files; false; createDirectories; ; ; Argument[0]; path-injection; manual |
+| 37 | Sink: java.nio.file; Files; false; createDirectory; ; ; Argument[0]; path-injection; manual |
+| 38 | Sink: java.nio.file; Files; false; createFile; ; ; Argument[0]; path-injection; manual |
+| 39 | Sink: java.nio.file; Files; false; createLink; ; ; Argument[0]; path-injection; manual |
+| 40 | Sink: java.nio.file; Files; false; createSymbolicLink; ; ; Argument[0]; path-injection; manual |
+| 41 | Sink: java.nio.file; Files; false; createTempDirectory; (Path,String,FileAttribute[]); ; Argument[0]; path-injection; manual |
+| 42 | Sink: java.nio.file; Files; false; createTempFile; (Path,String,String,FileAttribute[]); ; Argument[0]; path-injection; manual |
+| 43 | Sink: java.nio.file; Files; false; delete; (Path); ; Argument[0]; path-injection; ai-manual |
+| 44 | Sink: java.nio.file; Files; false; deleteIfExists; (Path); ; Argument[0]; path-injection; ai-manual |
+| 45 | Sink: java.nio.file; Files; false; lines; (Path,Charset); ; Argument[0]; path-injection; ai-manual |
+| 46 | Sink: java.nio.file; Files; false; move; ; ; Argument[1]; path-injection; manual |
+| 47 | Sink: java.nio.file; Files; false; newBufferedReader; (Path,Charset); ; Argument[0]; path-injection; ai-manual |
+| 48 | Sink: java.nio.file; Files; false; newBufferedWriter; ; ; Argument[0]; path-injection; manual |
+| 49 | Sink: java.nio.file; Files; false; newOutputStream; ; ; Argument[0]; path-injection; manual |
+| 50 | Sink: java.nio.file; Files; false; write; ; ; Argument[0]; path-injection; manual |
+| 51 | Sink: java.nio.file; Files; false; writeString; ; ; Argument[0]; path-injection; manual |
+| 52 | Sink: javax.xml.transform.stream; StreamResult; true; StreamResult; (File); ; Argument[0]; path-injection; ai-manual |
+| 53 | Sink: org.apache.commons.io; FileUtils; true; openInputStream; (File); ; Argument[0]; path-injection; ai-manual |
+| 54 | Sink: org.apache.tools.ant.taskdefs; Copy; true; addFileset; (FileSet); ; Argument[0]; path-injection; ai-manual |
+| 55 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setFile; (File); ; Argument[0]; path-injection; ai-manual |
+| 56 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setTodir; (File); ; Argument[0]; path-injection; ai-manual |
+| 57 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setTofile; (File); ; Argument[0]; path-injection; ai-manual |
+| 58 | Sink: org.apache.tools.ant.taskdefs; Expand; true; setDest; (File); ; Argument[0]; path-injection; ai-manual |
+| 59 | Sink: org.apache.tools.ant.taskdefs; Expand; true; setSrc; (File); ; Argument[0]; path-injection; ai-manual |
+| 60 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (ClassLoader,Project,Path,boolean); ; Argument[2]; path-injection; ai-manual |
+| 61 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (Project,Path); ; Argument[1]; path-injection; ai-manual |
+| 62 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (Project,Path,boolean); ; Argument[1]; path-injection; ai-manual |
+| 63 | Sink: org.apache.tools.ant; AntClassLoader; true; addPathComponent; (File); ; Argument[0]; path-injection; ai-manual |
+| 64 | Sink: org.apache.tools.ant; DirectoryScanner; true; setBasedir; (File); ; Argument[0]; path-injection; ai-manual |
+| 65 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[1]; path-injection; ai-manual |
+| 66 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[2]; path-injection; ai-manual |
+| 67 | Sink: org.kohsuke.stapler.framework.io; LargeText; true; LargeText; (File,Charset,boolean,boolean); ; Argument[0]; path-injection; ai-manual |
+| 68 | Sink: org.openjdk.jmh.runner.options; ChainedOptionsBuilder; true; result; (String); ; Argument[0]; path-injection; ai-manual |
+| 69 | Sink: org.springframework.util; FileCopyUtils; false; copy; (File,File); ; Argument[0]; path-injection; manual |
+| 70 | Sink: org.springframework.util; FileCopyUtils; false; copy; (File,File); ; Argument[1]; path-injection; manual |
+| 71 | Sink: org.springframework.util; FileCopyUtils; false; copy; (byte[],File); ; Argument[1]; path-injection; manual |
+| 72 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 73 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+| 74 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 75 | Summary: java.io; BufferedReader; true; readLine; ; ; Argument[this]; ReturnValue; taint; manual |
+| 76 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
+| TaintedPath.java:14:27:14:51 | readLine(...) : String | semmle.label | readLine(...) : String |
+| TaintedPath.java:16:71:16:78 | filename | semmle.label | filename |
+| Test.java:32:16:32:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| Test.java:37:52:37:68 | (...)... | semmle.label | (...)... |
+| Test.java:37:61:37:68 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:39:32:39:48 | (...)... | semmle.label | (...)... |
+| Test.java:39:41:39:48 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:41:47:41:63 | (...)... | semmle.label | (...)... |
+| Test.java:41:56:41:63 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:43:10:43:24 | (...)... | semmle.label | (...)... |
+| Test.java:43:17:43:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:45:10:45:24 | (...)... | semmle.label | (...)... |
+| Test.java:45:17:45:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:47:10:47:24 | (...)... | semmle.label | (...)... |
+| Test.java:47:17:47:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:49:10:49:24 | (...)... | semmle.label | (...)... |
+| Test.java:49:17:49:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:51:39:51:53 | (...)... | semmle.label | (...)... |
+| Test.java:51:46:51:53 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:53:10:53:24 | (...)... | semmle.label | (...)... |
+| Test.java:53:17:53:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:55:10:55:24 | (...)... | semmle.label | (...)... |
+| Test.java:55:17:55:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:57:10:57:24 | (...)... | semmle.label | (...)... |
+| Test.java:57:17:57:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:59:10:59:24 | (...)... | semmle.label | (...)... |
+| Test.java:59:17:59:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:61:10:61:24 | (...)... | semmle.label | (...)... |
+| Test.java:61:17:61:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:63:10:63:24 | (...)... | semmle.label | (...)... |
+| Test.java:63:17:63:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:65:10:65:24 | (...)... | semmle.label | (...)... |
+| Test.java:65:17:65:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:67:10:67:24 | (...)... | semmle.label | (...)... |
+| Test.java:67:17:67:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:69:31:69:45 | (...)... | semmle.label | (...)... |
+| Test.java:69:38:69:45 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:71:10:71:24 | (...)... | semmle.label | (...)... |
+| Test.java:71:17:71:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:73:10:73:24 | (...)... | semmle.label | (...)... |
+| Test.java:73:17:73:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:75:10:75:24 | (...)... | semmle.label | (...)... |
+| Test.java:75:17:75:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:77:10:77:24 | (...)... | semmle.label | (...)... |
+| Test.java:77:17:77:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:79:10:79:24 | (...)... | semmle.label | (...)... |
+| Test.java:79:17:79:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:81:10:81:24 | (...)... | semmle.label | (...)... |
+| Test.java:81:17:81:24 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:83:31:83:45 | (...)... | semmle.label | (...)... |
+| Test.java:83:38:83:45 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:85:29:85:43 | (...)... | semmle.label | (...)... |
+| Test.java:85:36:85:43 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:87:29:87:53 | (...)... | semmle.label | (...)... |
+| Test.java:87:46:87:53 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:89:29:89:45 | (...)... | semmle.label | (...)... |
+| Test.java:89:38:89:45 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:91:24:91:38 | (...)... | semmle.label | (...)... |
+| Test.java:91:31:91:38 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:93:24:93:48 | (...)... | semmle.label | (...)... |
+| Test.java:93:41:93:48 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:95:24:95:38 | (...)... | semmle.label | (...)... |
+| Test.java:95:31:95:38 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:97:24:97:40 | (...)... | semmle.label | (...)... |
+| Test.java:97:33:97:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:99:24:99:40 | (...)... | semmle.label | (...)... |
+| Test.java:99:33:99:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:101:20:101:34 | (...)... | semmle.label | (...)... |
+| Test.java:101:27:101:34 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:102:20:102:34 | (...)... | semmle.label | (...)... |
+| Test.java:102:27:102:34 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:104:33:104:47 | (...)... | semmle.label | (...)... |
+| Test.java:104:40:104:47 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:105:40:105:54 | (...)... | semmle.label | (...)... |
+| Test.java:105:47:105:54 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:107:33:107:47 | (...)... | semmle.label | (...)... |
+| Test.java:107:40:107:47 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:109:31:109:45 | (...)... | semmle.label | (...)... |
+| Test.java:109:38:109:45 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:111:26:111:40 | (...)... | semmle.label | (...)... |
+| Test.java:111:33:111:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:113:26:113:40 | (...)... | semmle.label | (...)... |
+| Test.java:113:33:113:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:115:34:115:48 | (...)... | semmle.label | (...)... |
+| Test.java:115:41:115:48 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:117:35:117:49 | (...)... | semmle.label | (...)... |
+| Test.java:117:42:117:49 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:119:30:119:44 | (...)... | semmle.label | (...)... |
+| Test.java:119:37:119:44 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:121:22:121:36 | (...)... | semmle.label | (...)... |
+| Test.java:121:29:121:36 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:123:30:123:44 | (...)... | semmle.label | (...)... |
+| Test.java:123:37:123:44 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:125:21:125:35 | (...)... | semmle.label | (...)... |
+| Test.java:125:28:125:35 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:127:26:127:40 | (...)... | semmle.label | (...)... |
+| Test.java:127:33:127:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:129:33:129:47 | (...)... | semmle.label | (...)... |
+| Test.java:129:40:129:47 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:131:33:131:47 | (...)... | semmle.label | (...)... |
+| Test.java:131:40:131:47 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:132:33:132:47 | (...)... | semmle.label | (...)... |
+| Test.java:132:40:132:47 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:134:31:134:45 | (...)... | semmle.label | (...)... |
+| Test.java:134:38:134:45 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:136:21:136:35 | (...)... | semmle.label | (...)... |
+| Test.java:136:28:136:35 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:137:21:137:35 | (...)... | semmle.label | (...)... |
+| Test.java:137:28:137:35 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:138:21:138:35 | (...)... | semmle.label | (...)... |
+| Test.java:138:28:138:35 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:140:27:140:41 | (...)... | semmle.label | (...)... |
+| Test.java:140:34:140:41 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:141:27:141:41 | (...)... | semmle.label | (...)... |
+| Test.java:141:34:141:41 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:143:26:143:40 | (...)... | semmle.label | (...)... |
+| Test.java:143:33:143:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:145:35:145:49 | (...)... | semmle.label | (...)... |
+| Test.java:145:42:145:49 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:147:41:147:57 | (...)... | semmle.label | (...)... |
+| Test.java:147:50:147:57 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:149:45:149:61 | (...)... | semmle.label | (...)... |
+| Test.java:149:54:149:61 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:151:43:151:57 | (...)... | semmle.label | (...)... |
+| Test.java:151:50:151:57 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:153:28:153:42 | (...)... | semmle.label | (...)... |
+| Test.java:153:35:153:42 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:155:41:155:55 | (...)... | semmle.label | (...)... |
+| Test.java:155:48:155:55 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:160:30:160:44 | (...)... | semmle.label | (...)... |
+| Test.java:160:37:160:44 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:162:40:162:81 | (...)... | semmle.label | (...)... |
+| Test.java:162:74:162:81 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:164:34:164:75 | (...)... | semmle.label | (...)... |
+| Test.java:164:68:164:75 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:166:34:166:75 | (...)... | semmle.label | (...)... |
+| Test.java:166:68:166:75 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:168:23:168:37 | (...)... | semmle.label | (...)... |
+| Test.java:168:30:168:37 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:181:23:181:37 | (...)... | semmle.label | (...)... |
+| Test.java:181:30:181:37 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:186:23:186:40 | (...)... | semmle.label | (...)... |
+| Test.java:186:33:186:40 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:188:20:188:34 | (...)... | semmle.label | (...)... |
+| Test.java:188:27:188:34 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:190:21:190:35 | (...)... | semmle.label | (...)... |
+| Test.java:190:28:190:35 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:192:22:192:36 | (...)... | semmle.label | (...)... |
+| Test.java:192:29:192:36 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:197:20:197:34 | (...)... | semmle.label | (...)... |
+| Test.java:197:27:197:34 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:199:19:199:33 | (...)... | semmle.label | (...)... |
+| Test.java:199:26:199:33 | source(...) : String | semmle.label | source(...) : String |
+| Test.java:204:20:204:36 | (...)... | semmle.label | (...)... |
+| Test.java:204:29:204:36 | source(...) : String | semmle.label | source(...) : String |
+subpaths

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java

@@ -10,10 +10,10 @@ import java.nio.file.Paths;
 public class TaintedPath {
     public void sendUserFile(Socket sock, String user) throws IOException {
         BufferedReader filenameReader =
-                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source
         String filename = filenameReader.readLine();
         // BAD: read from a file without checking its path
-        BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ hasTaintFlow
+        BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert
         String fileLine = fileReader.readLine();
         while (fileLine != null) {
             sock.getOutputStream().write(fileLine.getBytes());

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.ql

@@ -1,4 +0,0 @@
-import java
-import utils.test.InlineFlowTest
-import semmle.code.java.security.TaintedPathQuery
-import TaintFlowTest<TaintedPathConfig>

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-022/TaintedPath.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java

@@ -29,143 +29,143 @@ public class Test {
     private HttpServletRequest request;
 
     public Object source() {
-        return request.getParameter("source");
+        return request.getParameter("source"); // $ Source
     }
 
     void test() throws IOException {
         // "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
-        getClass().getModule().getResourceAsStream((String) source()); // $ hasTaintFlow
+        getClass().getModule().getResourceAsStream((String) source()); // $ Alert
         // "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
-        getClass().getResource((String) source()); // $ hasTaintFlow
+        getClass().getResource((String) source()); // $ Alert
         // "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
-        ClassLoader.getSystemResourceAsStream((String) source()); // $ hasTaintFlow
+        ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert
         // "java.io;File;True;canExecute;();;Argument[this];path-injection;manual"
-        ((File) source()).canExecute(); // $ hasTaintFlow
+        ((File) source()).canExecute(); // $ Alert
         // "java.io;File;True;canRead;();;Argument[this];path-injection;manual"
-        ((File) source()).canRead(); // $ hasTaintFlow
+        ((File) source()).canRead(); // $ Alert
         // "java.io;File;True;canWrite;();;Argument[this];path-injection;manual"
-        ((File) source()).canWrite(); // $ hasTaintFlow
+        ((File) source()).canWrite(); // $ Alert
         // "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual"
-        ((File) source()).createNewFile(); // $ hasTaintFlow
+        ((File) source()).createNewFile(); // $ Alert
         // "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
-        File.createTempFile(";", ";", (File) source()); // $ hasTaintFlow
+        File.createTempFile(";", ";", (File) source()); // $ Alert
         // "java.io;File;True;delete;();;Argument[this];path-injection;manual"
-        ((File) source()).delete(); // $ hasTaintFlow
+        ((File) source()).delete(); // $ Alert
         // "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual"
-        ((File) source()).deleteOnExit(); // $ hasTaintFlow
+        ((File) source()).deleteOnExit(); // $ Alert
         // "java.io;File;True;exists;();;Argument[this];path-injection;manual"
-        ((File) source()).exists(); // $ hasTaintFlow
+        ((File) source()).exists(); // $ Alert
         // "java.io:File;True;isDirectory;();;Argument[this];path-injection;manual"
-        ((File) source()).isDirectory(); // $ hasTaintFlow
+        ((File) source()).isDirectory(); // $ Alert
         // "java.io:File;True;isFile;();;Argument[this];path-injection;manual"
-        ((File) source()).isFile(); // $ hasTaintFlow
+        ((File) source()).isFile(); // $ Alert
         // "java.io:File;True;isHidden;();;Argument[this];path-injection;manual"
-        ((File) source()).isHidden(); // $ hasTaintFlow
+        ((File) source()).isHidden(); // $ Alert
         // "java.io;File;True;mkdir;();;Argument[this];path-injection;manual"
-        ((File) source()).mkdir(); // $ hasTaintFlow
+        ((File) source()).mkdir(); // $ Alert
         // "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual"
-        ((File) source()).mkdirs(); // $ hasTaintFlow
+        ((File) source()).mkdirs(); // $ Alert
         // "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual"
-        new File("").renameTo((File) source()); // $ hasTaintFlow
+        new File("").renameTo((File) source()); // $ Alert
         // "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual"
-        ((File) source()).renameTo(null); // $ hasTaintFlow
+        ((File) source()).renameTo(null); // $ Alert
         // "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual"
-        ((File) source()).setExecutable(true); // $ hasTaintFlow
+        ((File) source()).setExecutable(true); // $ Alert
         // "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual"
-        ((File) source()).setLastModified(0); // $ hasTaintFlow
+        ((File) source()).setLastModified(0); // $ Alert
         // "java.io;File;True;setReadable;;;Argument[this];path-injection;manual"
-        ((File) source()).setReadable(true); // $ hasTaintFlow
+        ((File) source()).setReadable(true); // $ Alert
         // "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual"
-        ((File) source()).setReadOnly(); // $ hasTaintFlow
+        ((File) source()).setReadOnly(); // $ Alert
         // "java.io;File;True;setWritable;;;Argument[this];path-injection;manual"
-        ((File) source()).setWritable(true); // $ hasTaintFlow
+        ((File) source()).setWritable(true); // $ Alert
         // "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
-        new File("").renameTo((File) source()); // $ hasTaintFlow
+        new File("").renameTo((File) source()); // $ Alert
         // "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
-        new FileInputStream((File) source()); // $ hasTaintFlow
+        new FileInputStream((File) source()); // $ Alert
         // "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual"
-        new FileInputStream((FileDescriptor) source()); // $ hasTaintFlow
-        // "java.io;FileInputStream;true;FileInputStream;(Strrirng);;Argument[0];read-file;manual"
-        new FileInputStream((String) source()); // $ hasTaintFlow
+        new FileInputStream((FileDescriptor) source()); // $ Alert
+        // "java.io;FileInputStream;true;FileInputStream;(String);;Argument[0];read-file;manual"
+        new FileInputStream((String) source()); // $ Alert
         // "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
-        new FileReader((File) source()); // $ hasTaintFlow
+        new FileReader((File) source()); // $ Alert
         // "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual"
-        new FileReader((FileDescriptor) source()); // $ hasTaintFlow
+        new FileReader((FileDescriptor) source()); // $ Alert
         // "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual"
-        new FileReader((File) source(), null); // $ hasTaintFlow
+        new FileReader((File) source(), null); // $ Alert
         // "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
-        new FileReader((String) source()); // $ hasTaintFlow
+        new FileReader((String) source()); // $ Alert
         // "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual"
-        new FileReader((String) source(), null); // $ hasTaintFlow
+        new FileReader((String) source(), null); // $ Alert
         // "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual"
-        Files.copy((Path) source(), (Path) null); // $ hasTaintFlow
-        Files.copy((Path) source(), (OutputStream) null); // $ hasTaintFlow
+        Files.copy((Path) source(), (Path) null); // $ Alert
+        Files.copy((Path) source(), (OutputStream) null); // $ Alert
         // "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual"
-        Files.copy((Path) null, (Path) source()); // $ hasTaintFlow
-        Files.copy((InputStream) null, (Path) source()); // $ hasTaintFlow
+        Files.copy((Path) null, (Path) source()); // $ Alert
+        Files.copy((InputStream) null, (Path) source()); // $ Alert
         // "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual"
-        Files.createDirectories((Path) source()); // $ hasTaintFlow
+        Files.createDirectories((Path) source()); // $ Alert
         // "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual"
-        Files.createDirectory((Path) source()); // $ hasTaintFlow
+        Files.createDirectory((Path) source()); // $ Alert
         // "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual"
-        Files.createFile((Path) source()); // $ hasTaintFlow
+        Files.createFile((Path) source()); // $ Alert
         // "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual"
-        Files.createLink((Path) source(), null); // $ hasTaintFlow
+        Files.createLink((Path) source(), null); // $ Alert
         // "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual"
-        Files.createSymbolicLink((Path) source(), null); // $ hasTaintFlow
+        Files.createSymbolicLink((Path) source(), null); // $ Alert
         // "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual"
-        Files.createTempDirectory((Path) source(), null); // $ hasTaintFlow
+        Files.createTempDirectory((Path) source(), null); // $ Alert
         // "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual"
-        Files.createTempFile((Path) source(), null, null); // $ hasTaintFlow
+        Files.createTempFile((Path) source(), null, null); // $ Alert
         // "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated"
-        Files.delete((Path) source()); // $ hasTaintFlow
+        Files.delete((Path) source()); // $ Alert
         // "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated"
-        Files.deleteIfExists((Path) source()); // $ hasTaintFlow
+        Files.deleteIfExists((Path) source()); // $ Alert
         // "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated"
-        Files.lines((Path) source(), null); // $ hasTaintFlow
+        Files.lines((Path) source(), null); // $ Alert
         // "java.nio.file;Files;false;move;;;Argument[1];create-file;manual"
-        Files.move(null, (Path) source()); // $ hasTaintFlow
+        Files.move(null, (Path) source()); // $ Alert
         // "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated"
-        Files.newBufferedReader((Path) source(), null); // $ hasTaintFlow
+        Files.newBufferedReader((Path) source(), null); // $ Alert
         // "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual"
-        Files.newBufferedWriter((Path) source()); // $ hasTaintFlow
-        Files.newBufferedWriter((Path) source(), (Charset) null); // $ hasTaintFlow
+        Files.newBufferedWriter((Path) source()); // $ Alert
+        Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert
         // "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual"
-        Files.newOutputStream((Path) source()); // $ hasTaintFlow
+        Files.newOutputStream((Path) source()); // $ Alert
         // "java.nio.file;Files;false;write;;;Argument[0];create-file;manual"
-        Files.write((Path) source(), (byte[]) null); // $ hasTaintFlow
-        Files.write((Path) source(), (Iterable<CharSequence>) null); // $ hasTaintFlow
-        Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ hasTaintFlow
+        Files.write((Path) source(), (byte[]) null); // $ Alert
+        Files.write((Path) source(), (Iterable<CharSequence>) null); // $ Alert
+        Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ Alert
         // "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual"
-        Files.writeString((Path) source(), (CharSequence) null); // $ hasTaintFlow
-        Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ hasTaintFlow
+        Files.writeString((Path) source(), (CharSequence) null); // $ Alert
+        Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert
         // "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated"
-        new StreamResult((File) source()); // $ hasTaintFlow
+        new StreamResult((File) source()); // $ Alert
         // "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated"
-        FileUtils.openInputStream((File) source()); // $ hasTaintFlow
+        FileUtils.openInputStream((File) source()); // $ Alert
         // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
-        new ZipURLInstaller((URL) null, (String) source(), ""); // $ hasTaintFlow
+        new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert
         // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
-        new ZipURLInstaller((URL) null, "", (String) source()); // $ hasTaintFlow
+        new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert
         // "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual"
-        FileCopyUtils.copy((byte[]) null, (File) source()); // $ hasTaintFlow
+        FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert
         // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual"
-        FileCopyUtils.copy((File) source(), null); // $ hasTaintFlow
+        FileCopyUtils.copy((File) source(), null); // $ Alert
         // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual"
-        FileCopyUtils.copy((File) null, (File) source()); // $ hasTaintFlow
+        FileCopyUtils.copy((File) null, (File) source()); // $ Alert
     }
 
     void test(AntClassLoader acl) {
         // "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated"
-        acl.addPathComponent((File) source()); // $ hasTaintFlow
+        acl.addPathComponent((File) source()); // $ Alert
         // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated"
-        new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow
+        new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert
         // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated"
-        new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow
+        new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert
         // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated"
-        new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ hasTaintFlow
+        new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert
         // "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated"
-        new LargeText((File) source(), null, false, false); // $ hasTaintFlow
+        new LargeText((File) source(), null, false, false); // $ Alert
     }
 
     void doGet6(String root, HttpServletRequest request) throws IOException {
@@ -178,29 +178,29 @@ public class Test {
 
     void test(DirectoryScanner ds) {
         // "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated"
-        ds.setBasedir((File) source()); // $ hasTaintFlow
+        ds.setBasedir((File) source()); // $ Alert
     }
 
     void test(Copy cp) {
         // "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated"
-        cp.addFileset((FileSet) source()); // $ hasTaintFlow
+        cp.addFileset((FileSet) source()); // $ Alert
         // "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated"
-        cp.setFile((File) source()); // $ hasTaintFlow
+        cp.setFile((File) source()); // $ Alert
         // "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated"
-        cp.setTodir((File) source()); // $ hasTaintFlow
+        cp.setTodir((File) source()); // $ Alert
         // "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated"
-        cp.setTofile((File) source()); // $ hasTaintFlow
+        cp.setTofile((File) source()); // $ Alert
     }
 
     void test(Expand ex) {
         // "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated"
-        ex.setDest((File) source()); // $ hasTaintFlow
+        ex.setDest((File) source()); // $ Alert
         // "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated"
-        ex.setSrc((File) source()); // $ hasTaintFlow
+        ex.setSrc((File) source()); // $ Alert
     }
 
     void test(ChainedOptionsBuilder cob) {
         // "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated"
-        cob.result((String) source()); // $ hasTaintFlow
+        cob.result((String) source()); // $ Alert
     }
 }

java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected

@@ -1,16 +1,16 @@
-| PartialPathTraversalTest.java:10:14:10:73 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:17:9:17:72 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:29:14:29:58 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:35:14:35:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:42:14:42:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:49:14:49:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:53:14:53:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:61:14:61:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:64:14:64:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:75:14:75:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:94:14:94:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:102:14:102:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:105:14:105:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:173:14:173:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:191:18:191:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:209:14:209:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:13:14:13:75 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:20:9:20:74 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:32:14:32:60 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:38:14:38:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:45:14:45:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:52:14:52:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:56:14:56:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:64:14:64:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:67:14:67:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:78:14:78:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:97:14:97:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:105:14:105:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:108:14:108:66 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:176:14:176:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:194:18:194:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
+| PartialPathTraversalTest.java:212:14:212:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |

java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected

@@ -0,0 +1,135 @@
+#select
+| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+edges
+| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | provenance | MaD:6 |
+| PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | provenance |  |
+| PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | provenance | MaD:6 |
+| PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | provenance |  |
+| PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | provenance | MaD:6 |
+| PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | provenance |  |
+| PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | provenance | MaD:6 |
+| PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | provenance |  |
+| PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | provenance | MaD:6 |
+| PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | provenance |  |
+| PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | PartialPathTraversalTest.java:188:23:188:23 | p : String | provenance |  |
+| PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | provenance |  |
+| PartialPathTraversalTest.java:188:23:188:23 | p : String | PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | provenance | MaD:8 |
+| PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | provenance | MaD:9 |
+| PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | PartialPathTraversalTest.java:192:37:192:44 | filePath : String | provenance |  |
+| PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | provenance |  |
+| PartialPathTraversalTest.java:192:37:192:44 | filePath : String | PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | provenance | MaD:4 |
+| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | provenance | MaD:6 |
+| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | provenance | MaD:6 |
+| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | provenance |  |
+| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | provenance |  |
+| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 |
+| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 |
+| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | provenance | MaD:3 |
+| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | PartialPathTraversalTest.java:254:29:254:36 | filename : String | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:254:29:254:36 | filename : String | PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | provenance | MaD:4 |
+| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | provenance | MaD:5 |
+| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | provenance | MaD:10 |
+| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance |  |
+models
+| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 2 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 3 | Summary: java.io; BufferedReader; true; readLine; ; ; Argument[this]; ReturnValue; taint; manual |
+| 4 | Summary: java.io; File; false; File; ; ; Argument[0]; Argument[this]; taint; manual |
+| 5 | Summary: java.io; File; true; getAbsolutePath; ; ; Argument[this]; ReturnValue; taint; manual |
+| 6 | Summary: java.io; File; true; getCanonicalPath; ; ; Argument[this]; ReturnValue; taint; manual |
+| 7 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 8 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual |
+| 9 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual |
+| 10 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual |
+nodes
+| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
+| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | semmle.label | canonicalPath |
+| PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
+| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | semmle.label | canonicalPath |
+| PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
+| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | semmle.label | canonicalPath2 |
+| PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
+| PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
+| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | semmle.label | canonicalPath |
+| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | semmle.label | canonicalPath2 |
+| PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | semmle.label | path(...) : String[] |
+| PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | semmle.label | sb [post update] : StringBuilder |
+| PartialPathTraversalTest.java:188:23:188:23 | p : String | semmle.label | p : String |
+| PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | semmle.label | sb : StringBuilder |
+| PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | semmle.label | toString(...) : String |
+| PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | semmle.label | new File(...) : File |
+| PartialPathTraversalTest.java:192:37:192:44 | filePath : String | semmle.label | filePath : String |
+| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | semmle.label | encodedFile : File |
+| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
+| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
+| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | semmle.label | canonicalPath |
+| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
+| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | semmle.label | readLine(...) : String |
+| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | semmle.label | new File(...) : File |
+| PartialPathTraversalTest.java:254:29:254:36 | filename : String | semmle.label | filename : String |
+| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String |
+| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | semmle.label | split(...) : String[] |
+subpaths

java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql

@@ -1,24 +0,0 @@
-import java
-import utils.test.InlineExpectationsTest
-import semmle.code.java.security.PartialPathTraversalQuery
-
-class TestRemoteSource extends RemoteFlowSource {
-  TestRemoteSource() { this.asParameter().hasName(["dir", "path"]) }
-
-  override string getSourceType() { result = "TestSource" }
-}
-
-module Test implements TestSig {
-  string getARelevantTag() { result = "hasTaintFlow" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasTaintFlow" and
-    exists(DataFlow::Node sink | PartialPathTraversalFromRemoteFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<Test>

java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java

@@ -1,68 +1,71 @@
 import java.io.IOException;
 import java.io.File;
 import java.io.InputStream;
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
 import static java.io.File.separatorChar;
 import java.nio.file.Files;
+import java.net.Socket;
 
 
 public class PartialPathTraversalTest {
-    public void esapiExample(File dir, File parent) throws IOException {
-        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    public void esapiExample(File parent) throws IOException {
+        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     @SuppressWarnings("ResultOfMethodCallIgnored")
-    void foo1(File dir, File parent) throws IOException {
-        (dir.getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $hasTaintFlow
+    void foo1(File parent) throws IOException {
+        (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert
     }
 
-    void foo2(File dir, File parent) throws IOException {
-        dir.getCanonicalPath();
+    void foo2(File parent) throws IOException {
+        dir().getCanonicalPath();
         if ("potato".startsWith(parent.getCanonicalPath())) {
             System.out.println("Hello!");
         }
     }
 
-    void foo3(File dir, File parent) throws IOException {
+    void foo3(File parent) throws IOException {
         String parentPath = parent.getCanonicalPath();
-        if (!dir.getCanonicalPath().startsWith(parentPath)) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo4(File dir) throws IOException {
-        if (!dir.getCanonicalPath().startsWith("/usr" + "/dir")) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    void foo4() throws IOException {
+        if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo5(File dir, File parent) throws IOException {
-        String canonicalPath = dir.getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    void foo5(File parent) throws IOException {
+        String canonicalPath = dir().getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo6(File dir, File parent) throws IOException {
-        String canonicalPath = dir.getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    void foo6(File parent) throws IOException {
+        String canonicalPath = dir().getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
-        String canonicalPath2 = dir.getCanonicalPath();
-        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        String canonicalPath2 = dir().getCanonicalPath();
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo7(File dir, File parent) throws IOException {
-        String canonicalPath = dir.getCanonicalPath();
-        String canonicalPath2 = dir.getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        String canonicalPath = dir().getCanonicalPath();
+        String canonicalPath2 = dir().getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
-        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
@@ -72,70 +75,70 @@ public class PartialPathTraversalTest {
 
     void foo8(File parent) throws IOException {
         String canonicalPath = getChild().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { 
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
             throw new IOException("Invalid directory: " + getChild().getCanonicalPath());
         }
     }
 
-    void foo9(File dir, File parent) throws IOException {
-        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    void foo9(File parent) throws IOException {
+        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo10(File dir, File parent) throws IOException {
-        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    void foo10(File parent) throws IOException {
+        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo11(File dir, File parent) throws IOException {
+    void foo11(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo12(File dir, File parent) throws IOException {
+    void foo12(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
         String parentCanonical2 = parent.getCanonicalPath();
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
-        if (!dir.getCanonicalPath().startsWith(parentCanonical2)) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo13(File dir, File parent) throws IOException {
+    void foo13(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath() + File.separatorChar;
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo14(File dir, File parent) throws IOException {
+    void foo14(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath() + separatorChar;
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) { 
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo15(File dir, File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath() + File.separatorChar;
         String parentCanonical2 = parent.getCanonicalPath() + File.separatorChar;
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
-        if (!dir.getCanonicalPath().startsWith(parentCanonical2)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical2)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo16(File dir, File parent) throws IOException {
+    void foo16(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath() + File.separator;
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
@@ -145,7 +148,7 @@ public class PartialPathTraversalTest {
             "UnusedAssignment",
             "ResultOfMethodCallIgnored"
     })
-    void foo17(File dir, File parent, boolean branch) throws IOException {
+    void foo17(File parent, boolean branch) throws IOException {
         String parentCanonical = null;
         "test ".startsWith("somethingElse");
         if (branch) {
@@ -153,8 +156,8 @@ public class PartialPathTraversalTest {
         } else {
             parentCanonical = parent.getCanonicalPath() + File.separatorChar;
         }
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
@@ -163,24 +166,24 @@ public class PartialPathTraversalTest {
         if (branch) {
             parentCanonical = parent.getCanonicalPath() + File.separatorChar;
         }
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo19(File dir, File parent) throws IOException {
+    void foo19(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath() + "/potato";
-        if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     private File cacheDir;
 
-    InputStream foo20(String... path) {
+    InputStream foo20() {
         StringBuilder sb = new StringBuilder();
         sb.append(cacheDir.getAbsolutePath());
-        for (String p : path) {
+        for (String p : path()) {
             sb.append(File.separatorChar);
             sb.append(p);
         }
@@ -188,7 +191,7 @@ public class PartialPathTraversalTest {
         String filePath = sb.toString();
         File encodedFile = new File(filePath);
         try {
-            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $hasTaintFlow 
+            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert
                 return null;
             }
             return Files.newInputStream(encodedFile.toPath());
@@ -197,37 +200,37 @@ public class PartialPathTraversalTest {
         }
     }
 
-    void foo21(File dir, File parent) throws IOException {
+    void foo21(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
-        if (!dir.getCanonicalPath().startsWith(parentCanonical + File.separator)) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical + File.separator)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo22(File dir, File dir2, File parent, boolean conditional) throws IOException {
-        String canonicalPath = conditional ? dir.getCanonicalPath() : dir2.getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+    void foo22(File dir2, File parent, boolean conditional) throws IOException {
+        String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath();
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo23(File dir, File parent) throws IOException {
+    void foo23(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
-        if (!dir.getCanonicalPath().startsWith(parentCanonical + "/")) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical + "/")) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    void foo24(File dir, File parent) throws IOException {
+    void foo24(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
-        if (!dir.getCanonicalPath().startsWith(parentCanonical + '/')) {
-            throw new IOException("Invalid directory: " + dir.getCanonicalPath());
+        if (!dir().getCanonicalPath().startsWith(parentCanonical + '/')) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
-    public void doesNotFlagOptimalSafeVersion(File dir, File parent) throws IOException {
-        if (!dir.toPath().normalize().startsWith(parent.toPath())) { // Safe
-            throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
+    public void doesNotFlagOptimalSafeVersion(File parent) throws IOException {
+        if (!dir().toPath().normalize().startsWith(parent.toPath())) { // Safe
+            throw new IOException("Path traversal attempt: " + dir().getCanonicalPath());
         }
     }
 
@@ -242,4 +245,19 @@ public class PartialPathTraversalTest {
         }
     }
 
-}
+    Socket sock;
+
+    File dir() {
+        try {
+            BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source
+            String filename = filenameReader.readLine();
+            return new File(filename);
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to read from socket", e);
+        }
+    }
+
+    String[] path() {
+        return dir().getAbsolutePath().split(File.separator);
+    }
+}

java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.expected

@@ -0,0 +1,308 @@
+#select
+| JndiInjectionTest.java:36:16:36:22 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:36:16:36:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:37:20:37:26 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:37:20:37:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:38:29:38:35 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:38:29:38:35 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:39:16:39:22 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:39:16:39:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:40:14:40:20 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:40:14:40:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:41:22:41:28 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:41:22:41:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:43:16:43:19 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:43:16:43:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:44:20:44:23 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:44:20:44:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:45:29:45:32 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:45:29:45:32 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:46:16:46:19 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:46:16:46:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:47:14:47:17 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:47:14:47:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:48:22:48:25 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:48:22:48:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
+| JndiInjectionTest.java:56:16:56:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:56:16:56:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:57:20:57:26 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:57:20:57:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:58:16:58:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:58:16:58:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:59:14:59:20 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:59:14:59:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:60:22:60:28 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:60:22:60:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:62:16:62:19 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:62:16:62:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:63:20:63:23 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:63:20:63:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:64:16:64:19 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:64:16:64:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:65:14:65:17 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:65:14:65:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:66:22:66:25 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:66:22:66:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:70:16:70:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:70:16:70:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:71:16:71:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:71:16:71:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:74:16:74:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:74:16:74:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:75:16:75:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:75:16:75:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
+| JndiInjectionTest.java:87:16:87:22 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:87:16:87:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:88:20:88:26 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:88:20:88:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:89:16:89:22 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:89:16:89:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:90:14:90:20 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:90:14:90:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:91:22:91:28 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:91:22:91:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:93:16:93:19 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:93:16:93:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:94:20:94:23 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:94:20:94:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:95:16:95:19 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:95:16:95:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:96:14:96:17 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:96:14:96:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:97:22:97:25 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:97:22:97:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
+| JndiInjectionTest.java:104:16:104:22 | nameStr | JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:104:16:104:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:101:42:101:69 | nameStr | this user input |
+| JndiInjectionTest.java:105:16:105:22 | nameStr | JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:105:16:105:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:101:42:101:69 | nameStr | this user input |
+| JndiInjectionTest.java:113:16:113:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:113:16:113:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:115:16:115:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:115:16:115:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:117:16:117:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:117:16:117:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:118:16:118:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:118:16:118:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:120:16:120:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:120:16:120:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:122:16:122:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:122:16:122:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:123:23:123:26 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:123:23:123:26 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:124:23:124:29 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:124:23:124:29 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:125:18:125:21 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:125:18:125:21 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:126:16:126:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:126:16:126:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:127:14:127:17 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:127:14:127:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:128:22:128:25 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:128:22:128:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:129:16:129:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:129:16:129:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:131:16:131:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:131:16:131:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:132:16:132:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:133:16:133:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:134:16:134:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:138:16:138:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:138:16:138:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:139:16:139:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:139:16:139:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:141:16:141:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:141:16:141:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:142:16:142:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:142:16:142:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:144:16:144:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:144:16:144:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:145:16:145:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:145:16:145:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:149:16:149:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:149:16:149:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:150:16:150:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:150:16:150:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:152:16:152:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:152:16:152:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:153:16:153:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:153:16:153:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:155:16:155:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:155:16:155:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:156:16:156:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:156:16:156:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:170:25:170:31 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
+| JndiInjectionTest.java:177:16:177:22 | nameStr | JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:177:16:177:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:174:41:174:68 | nameStr | this user input |
+| JndiInjectionTest.java:178:16:178:22 | nameStr | JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:178:16:178:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:174:41:174:68 | nameStr | this user input |
+| JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | JNDI lookup might include name from $@. | JndiInjectionTest.java:182:37:182:63 | urlStr | this user input |
+| JndiInjectionTest.java:187:5:187:13 | connector | JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:187:5:187:13 | connector | JNDI lookup might include name from $@. | JndiInjectionTest.java:182:37:182:63 | urlStr | this user input |
+| JndiInjectionTest.java:194:35:194:40 | urlStr | JndiInjectionTest.java:191:27:191:53 | urlStr : String | JndiInjectionTest.java:194:35:194:40 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:191:27:191:53 | urlStr | this user input |
+| JndiInjectionTest.java:202:41:202:46 | urlStr | JndiInjectionTest.java:199:27:199:53 | urlStr : String | JndiInjectionTest.java:202:41:202:46 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:199:27:199:53 | urlStr | this user input |
+| JndiInjectionTest.java:211:37:211:42 | urlStr | JndiInjectionTest.java:207:52:207:78 | urlStr : String | JndiInjectionTest.java:211:37:211:42 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:207:52:207:78 | urlStr | this user input |
+| JndiInjectionTest.java:221:51:221:56 | urlStr | JndiInjectionTest.java:216:52:216:78 | urlStr : String | JndiInjectionTest.java:221:51:221:56 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:216:52:216:78 | urlStr | this user input |
+| JndiInjectionTest.java:231:51:231:56 | urlStr | JndiInjectionTest.java:226:52:226:78 | urlStr : String | JndiInjectionTest.java:231:51:231:56 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:226:52:226:78 | urlStr | this user input |
+edges
+| JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:33:35:33:41 | nameStr : String | provenance |  |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:43:16:43:19 | name | provenance | Sink:MaD:6 |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:44:20:44:23 | name | provenance | Sink:MaD:7 |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:45:29:45:32 | name | provenance | Sink:MaD:9 |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:46:16:46:19 | name | provenance | Sink:MaD:8 |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:47:14:47:17 | name | provenance | Sink:MaD:4 |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:48:22:48:25 | name | provenance | Sink:MaD:5 |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | provenance | Config |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:36:16:36:22 | nameStr | provenance | Sink:MaD:6 |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:37:20:37:26 | nameStr | provenance | Sink:MaD:7 |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:38:29:38:35 | nameStr | provenance | Sink:MaD:9 |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:39:16:39:22 | nameStr | provenance | Sink:MaD:8 |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:40:14:40:20 | nameStr | provenance | Sink:MaD:4 |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:41:22:41:28 | nameStr | provenance | Sink:MaD:5 |
+| JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:53:34:53:40 | nameStr : String | provenance |  |
+| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:62:16:62:19 | name | provenance | Sink:MaD:6 |
+| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:63:20:63:23 | name | provenance | Sink:MaD:7 |
+| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:64:16:64:19 | name | provenance | Sink:MaD:8 |
+| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:65:14:65:17 | name | provenance | Sink:MaD:4 |
+| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:66:22:66:25 | name | provenance | Sink:MaD:5 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | provenance | Config |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:56:16:56:22 | nameStr | provenance | Sink:MaD:6 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:57:20:57:26 | nameStr | provenance | Sink:MaD:7 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:58:16:58:22 | nameStr | provenance | Sink:MaD:8 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:59:14:59:20 | nameStr | provenance | Sink:MaD:4 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:60:22:60:28 | nameStr | provenance | Sink:MaD:5 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:70:16:70:22 | nameStr | provenance | Sink:MaD:3 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:71:16:71:22 | nameStr | provenance | Sink:MaD:3 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:74:16:74:22 | nameStr | provenance | Sink:MaD:3 |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:75:16:75:22 | nameStr | provenance | Sink:MaD:3 |
+| JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:84:35:84:41 | nameStr : String | provenance |  |
+| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:93:16:93:19 | name | provenance | Sink:MaD:6 |
+| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:94:20:94:23 | name | provenance | Sink:MaD:7 |
+| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:95:16:95:19 | name | provenance | Sink:MaD:8 |
+| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:96:14:96:17 | name | provenance | Sink:MaD:4 |
+| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:97:22:97:25 | name | provenance | Sink:MaD:5 |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | provenance | Config |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:87:16:87:22 | nameStr | provenance | Sink:MaD:6 |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:88:20:88:26 | nameStr | provenance | Sink:MaD:7 |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:89:16:89:22 | nameStr | provenance | Sink:MaD:8 |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:90:14:90:20 | nameStr | provenance | Sink:MaD:4 |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:91:22:91:28 | nameStr | provenance | Sink:MaD:5 |
+| JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:104:16:104:22 | nameStr | provenance | Sink:MaD:11 |
+| JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:105:16:105:22 | nameStr | provenance | Sink:MaD:11 |
+| JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:111:41:111:47 | nameStr : String | provenance |  |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:113:16:113:19 | name | provenance | Sink:MaD:15 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:115:16:115:19 | name | provenance | Sink:MaD:16 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:117:16:117:19 | name | provenance | Sink:MaD:17 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:123:23:123:26 | name | provenance | Sink:MaD:21 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:125:18:125:21 | name | provenance | Sink:MaD:12 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:126:16:126:19 | name | provenance | Sink:MaD:22 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:127:14:127:17 | name | provenance | Sink:MaD:13 |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:128:22:128:25 | name | provenance | Sink:MaD:14 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:111:17:111:48 | add(...) : Name | provenance | Config |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:118:16:118:22 | nameStr | provenance | Sink:MaD:18 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:120:16:120:22 | nameStr | provenance | Sink:MaD:19 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:122:16:122:22 | nameStr | provenance | Sink:MaD:20 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:124:23:124:29 | nameStr | provenance | Sink:MaD:21 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:129:16:129:22 | nameStr | provenance |  |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:131:16:131:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | provenance | Sink:MaD:25 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | provenance | Sink:MaD:24 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | provenance | Sink:MaD:23 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:138:16:138:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:139:16:139:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:141:16:141:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:142:16:142:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:144:16:144:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:145:16:145:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:149:16:149:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:150:16:150:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:152:16:152:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:153:16:153:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:155:16:155:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:156:16:156:22 | nameStr | provenance | Sink:MaD:27 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | provenance | Sink:MaD:26 |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | provenance | Sink:MaD:28 |
+| JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:177:16:177:22 | nameStr | provenance | Sink:MaD:10 |
+| JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:178:16:178:22 | nameStr | provenance | Sink:MaD:10 |
+| JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:183:51:183:56 | urlStr : String | provenance |  |
+| JndiInjectionTest.java:183:51:183:56 | urlStr : String | JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | provenance | Config Sink:MaD:2 |
+| JndiInjectionTest.java:183:51:183:56 | urlStr : String | JndiInjectionTest.java:185:43:185:48 | urlStr : String | provenance |  |
+| JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | provenance |  |
+| JndiInjectionTest.java:185:43:185:48 | urlStr : String | JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | provenance | Config |
+| JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | JndiInjectionTest.java:187:5:187:13 | connector | provenance | Sink:MaD:1 |
+| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | provenance | Config |
+| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | provenance | MaD:29 |
+| JndiInjectionTest.java:191:27:191:53 | urlStr : String | JndiInjectionTest.java:194:35:194:40 | urlStr | provenance |  |
+| JndiInjectionTest.java:199:27:199:53 | urlStr : String | JndiInjectionTest.java:202:41:202:46 | urlStr | provenance |  |
+| JndiInjectionTest.java:207:52:207:78 | urlStr : String | JndiInjectionTest.java:211:37:211:42 | urlStr | provenance |  |
+| JndiInjectionTest.java:216:52:216:78 | urlStr : String | JndiInjectionTest.java:221:51:221:56 | urlStr | provenance |  |
+| JndiInjectionTest.java:226:52:226:78 | urlStr : String | JndiInjectionTest.java:231:51:231:56 | urlStr | provenance |  |
+models
+| 1 | Sink: javax.management.remote; JMXConnector; true; connect; ; ; Argument[this]; jndi-injection; manual |
+| 2 | Sink: javax.management.remote; JMXConnectorFactory; false; connect; ; ; Argument[0]; jndi-injection; manual |
+| 3 | Sink: javax.naming.directory; DirContext; true; search; ; ; Argument[0..1]; ldap-injection; manual |
+| 4 | Sink: javax.naming; Context; true; list; ; ; Argument[0]; jndi-injection; manual |
+| 5 | Sink: javax.naming; Context; true; listBindings; ; ; Argument[0]; jndi-injection; manual |
+| 6 | Sink: javax.naming; Context; true; lookup; ; ; Argument[0]; jndi-injection; manual |
+| 7 | Sink: javax.naming; Context; true; lookupLink; ; ; Argument[0]; jndi-injection; manual |
+| 8 | Sink: javax.naming; Context; true; rename; ; ; Argument[0]; jndi-injection; manual |
+| 9 | Sink: javax.naming; InitialContext; true; doLookup; ; ; Argument[0]; jndi-injection; manual |
+| 10 | Sink: org.apache.shiro.jndi; JndiTemplate; false; lookup; ; ; Argument[0]; jndi-injection; manual |
+| 11 | Sink: org.springframework.jndi; JndiTemplate; false; lookup; ; ; Argument[0]; jndi-injection; manual |
+| 12 | Sink: org.springframework.ldap.core; LdapOperations; true; findByDn; ; ; Argument[0]; jndi-injection; manual |
+| 13 | Sink: org.springframework.ldap.core; LdapOperations; true; list; ; ; Argument[0]; jndi-injection; manual |
+| 14 | Sink: org.springframework.ldap.core; LdapOperations; true; listBindings; ; ; Argument[0]; jndi-injection; manual |
+| 15 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name); ; Argument[0]; jndi-injection; manual |
+| 16 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name,ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 17 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name,String[],ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 18 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String); ; Argument[0]; jndi-injection; manual |
+| 19 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String,ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 20 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String,String[],ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 21 | Sink: org.springframework.ldap.core; LdapOperations; true; lookupContext; ; ; Argument[0]; jndi-injection; manual |
+| 22 | Sink: org.springframework.ldap.core; LdapOperations; true; rename; ; ; Argument[0]; jndi-injection; manual |
+| 23 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 24 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,int,ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 25 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,int,String[],ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 26 | Sink: org.springframework.ldap.core; LdapOperations; true; searchForObject; (String,String,ContextMapper); ; Argument[0]; jndi-injection; manual |
+| 27 | Sink: org.springframework.ldap.core; LdapTemplate; false; search; ; ; Argument[0..1]; ldap-injection; manual |
+| 28 | Sink: org.springframework.ldap.core; LdapTemplate; false; searchForObject; ; ; Argument[0..1]; ldap-injection; manual |
+| 29 | Summary: javax.management.remote; JMXConnectorFactory; true; newJMXConnector; (JMXServiceURL,Map); ; Argument[0]; ReturnValue; taint; df-generated |
+nodes
+| JndiInjectionTest.java:32:38:32:65 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | semmle.label | new CompositeName(...) : CompositeName |
+| JndiInjectionTest.java:33:35:33:41 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:36:16:36:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:37:20:37:26 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:38:29:38:35 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:39:16:39:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:40:14:40:20 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:41:22:41:28 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:43:16:43:19 | name | semmle.label | name |
+| JndiInjectionTest.java:44:20:44:23 | name | semmle.label | name |
+| JndiInjectionTest.java:45:29:45:32 | name | semmle.label | name |
+| JndiInjectionTest.java:46:16:46:19 | name | semmle.label | name |
+| JndiInjectionTest.java:47:14:47:17 | name | semmle.label | name |
+| JndiInjectionTest.java:48:22:48:25 | name | semmle.label | name |
+| JndiInjectionTest.java:52:34:52:61 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | semmle.label | new CompoundName(...) : CompoundName |
+| JndiInjectionTest.java:53:34:53:40 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:56:16:56:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:57:20:57:26 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:58:16:58:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:59:14:59:20 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:60:22:60:28 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:62:16:62:19 | name | semmle.label | name |
+| JndiInjectionTest.java:63:20:63:23 | name | semmle.label | name |
+| JndiInjectionTest.java:64:16:64:19 | name | semmle.label | name |
+| JndiInjectionTest.java:65:14:65:17 | name | semmle.label | name |
+| JndiInjectionTest.java:66:22:66:25 | name | semmle.label | name |
+| JndiInjectionTest.java:70:16:70:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:71:16:71:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:74:16:74:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:75:16:75:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:83:42:83:69 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | semmle.label | new CompositeName(...) : CompositeName |
+| JndiInjectionTest.java:84:35:84:41 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:87:16:87:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:88:20:88:26 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:89:16:89:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:90:14:90:20 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:91:22:91:28 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:93:16:93:19 | name | semmle.label | name |
+| JndiInjectionTest.java:94:20:94:23 | name | semmle.label | name |
+| JndiInjectionTest.java:95:16:95:19 | name | semmle.label | name |
+| JndiInjectionTest.java:96:14:96:17 | name | semmle.label | name |
+| JndiInjectionTest.java:97:22:97:25 | name | semmle.label | name |
+| JndiInjectionTest.java:101:42:101:69 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:104:16:104:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:105:16:105:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:109:42:109:69 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | semmle.label | add(...) : Name |
+| JndiInjectionTest.java:111:41:111:47 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:113:16:113:19 | name | semmle.label | name |
+| JndiInjectionTest.java:115:16:115:19 | name | semmle.label | name |
+| JndiInjectionTest.java:117:16:117:19 | name | semmle.label | name |
+| JndiInjectionTest.java:118:16:118:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:120:16:120:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:122:16:122:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:123:23:123:26 | name | semmle.label | name |
+| JndiInjectionTest.java:124:23:124:29 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:125:18:125:21 | name | semmle.label | name |
+| JndiInjectionTest.java:126:16:126:19 | name | semmle.label | name |
+| JndiInjectionTest.java:127:14:127:17 | name | semmle.label | name |
+| JndiInjectionTest.java:128:22:128:25 | name | semmle.label | name |
+| JndiInjectionTest.java:129:16:129:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:131:16:131:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:132:16:132:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:133:16:133:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:134:16:134:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:138:16:138:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:139:16:139:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:141:16:141:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:142:16:142:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:144:16:144:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:145:16:145:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:149:16:149:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:150:16:150:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:152:16:152:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:153:16:153:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:155:16:155:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:156:16:156:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:170:25:170:31 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:174:41:174:68 | nameStr : String | semmle.label | nameStr : String |
+| JndiInjectionTest.java:177:16:177:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:178:16:178:22 | nameStr | semmle.label | nameStr |
+| JndiInjectionTest.java:182:37:182:63 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | semmle.label | new JMXServiceURL(...) |
+| JndiInjectionTest.java:183:51:183:56 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | semmle.label | new JMXServiceURL(...) : JMXServiceURL |
+| JndiInjectionTest.java:185:43:185:48 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | semmle.label | newJMXConnector(...) : JMXConnector |
+| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | semmle.label | url : JMXServiceURL |
+| JndiInjectionTest.java:187:5:187:13 | connector | semmle.label | connector |
+| JndiInjectionTest.java:191:27:191:53 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:194:35:194:40 | urlStr | semmle.label | urlStr |
+| JndiInjectionTest.java:199:27:199:53 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:202:41:202:46 | urlStr | semmle.label | urlStr |
+| JndiInjectionTest.java:207:52:207:78 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:211:37:211:42 | urlStr | semmle.label | urlStr |
+| JndiInjectionTest.java:216:52:216:78 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:221:51:221:56 | urlStr | semmle.label | urlStr |
+| JndiInjectionTest.java:226:52:226:78 | urlStr : String | semmle.label | urlStr : String |
+| JndiInjectionTest.java:231:51:231:56 | urlStr | semmle.label | urlStr |
+subpaths

java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.java

@@ -29,50 +29,50 @@ import org.springframework.web.bind.annotation.RequestMapping;
 @Controller
 public class JndiInjectionTest {
   @RequestMapping
-  public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException {
+  public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source
     Name name = new CompositeName(nameStr);
     InitialContext ctx = new InitialContext();
 
-    ctx.lookup(nameStr); // $hasJndiInjection
-    ctx.lookupLink(nameStr); // $hasJndiInjection
-    InitialContext.doLookup(nameStr); // $hasJndiInjection
-    ctx.rename(nameStr, ""); // $hasJndiInjection
-    ctx.list(nameStr); // $hasJndiInjection
-    ctx.listBindings(nameStr); // $hasJndiInjection
+    ctx.lookup(nameStr); // $ Alert
+    ctx.lookupLink(nameStr); // $ Alert
+    InitialContext.doLookup(nameStr); // $ Alert
+    ctx.rename(nameStr, ""); // $ Alert
+    ctx.list(nameStr); // $ Alert
+    ctx.listBindings(nameStr); // $ Alert
 
-    ctx.lookup(name); // $hasJndiInjection
-    ctx.lookupLink(name); // $hasJndiInjection
-    InitialContext.doLookup(name); // $hasJndiInjection
-    ctx.rename(name, null); // $hasJndiInjection
-    ctx.list(name); // $hasJndiInjection
-    ctx.listBindings(name); // $hasJndiInjection
+    ctx.lookup(name); // $ Alert
+    ctx.lookupLink(name); // $ Alert
+    InitialContext.doLookup(name); // $ Alert
+    ctx.rename(name, null); // $ Alert
+    ctx.list(name); // $ Alert
+    ctx.listBindings(name); // $ Alert
   }
 
   @RequestMapping
-  public void testDirContextBad1(@RequestParam String nameStr) throws NamingException {
+  public void testDirContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source
     Name name = new CompoundName(nameStr, new Properties());
     DirContext ctx = new InitialDirContext();
 
-    ctx.lookup(nameStr); // $hasJndiInjection
-    ctx.lookupLink(nameStr); // $hasJndiInjection
-    ctx.rename(nameStr, ""); // $hasJndiInjection
-    ctx.list(nameStr); // $hasJndiInjection
-    ctx.listBindings(nameStr); // $hasJndiInjection
+    ctx.lookup(nameStr); // $ Alert
+    ctx.lookupLink(nameStr); // $ Alert
+    ctx.rename(nameStr, ""); // $ Alert
+    ctx.list(nameStr); // $ Alert
+    ctx.listBindings(nameStr); // $ Alert
 
-    ctx.lookup(name); // $hasJndiInjection
-    ctx.lookupLink(name); // $hasJndiInjection
-    ctx.rename(name, null); // $hasJndiInjection
-    ctx.list(name); // $hasJndiInjection
-    ctx.listBindings(name); // $hasJndiInjection
+    ctx.lookup(name); // $ Alert
+    ctx.lookupLink(name); // $ Alert
+    ctx.rename(name, null); // $ Alert
+    ctx.list(name); // $ Alert
+    ctx.listBindings(name); // $ Alert
 
     SearchControls searchControls = new SearchControls();
     searchControls.setReturningObjFlag(true);
-    ctx.search(nameStr, "", searchControls); // $hasJndiInjection
-    ctx.search(nameStr, "", new Object[] {}, searchControls); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls); // $ Alert
+    ctx.search(nameStr, "", new Object[] {}, searchControls); // $ Alert
 
     SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
-    ctx.search(nameStr, "", searchControls2); // $hasJndiInjection
-    ctx.search(nameStr, "", new Object[] {}, searchControls2); // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2); // $ Alert
+    ctx.search(nameStr, "", new Object[] {}, searchControls2); // $ Alert
 
     SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
     ctx.search(nameStr, "", searchControls3); // Safe
@@ -80,80 +80,80 @@ public class JndiInjectionTest {
   }
 
   @RequestMapping
-  public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException {
+  public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source
     Name name = new CompositeName(nameStr);
     InitialLdapContext ctx = new InitialLdapContext();
 
-    ctx.lookup(nameStr); // $hasJndiInjection
-    ctx.lookupLink(nameStr); // $hasJndiInjection
-    ctx.rename(nameStr, ""); // $hasJndiInjection
-    ctx.list(nameStr); // $hasJndiInjection
-    ctx.listBindings(nameStr); // $hasJndiInjection
+    ctx.lookup(nameStr); // $ Alert
+    ctx.lookupLink(nameStr); // $ Alert
+    ctx.rename(nameStr, ""); // $ Alert
+    ctx.list(nameStr); // $ Alert
+    ctx.listBindings(nameStr); // $ Alert
 
-    ctx.lookup(name); // $hasJndiInjection
-    ctx.lookupLink(name); // $hasJndiInjection
-    ctx.rename(name, null); // $hasJndiInjection
-    ctx.list(name); // $hasJndiInjection
-    ctx.listBindings(name); // $hasJndiInjection
+    ctx.lookup(name); // $ Alert
+    ctx.lookupLink(name); // $ Alert
+    ctx.rename(name, null); // $ Alert
+    ctx.list(name); // $ Alert
+    ctx.listBindings(name); // $ Alert
   }
 
   @RequestMapping
-  public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
+  public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source
     JndiTemplate ctx = new JndiTemplate();
 
-    ctx.lookup(nameStr); // $hasJndiInjection
-    ctx.lookup(nameStr, null); // $hasJndiInjection
+    ctx.lookup(nameStr); // $ Alert
+    ctx.lookup(nameStr, null); // $ Alert
   }
 
   @RequestMapping
-  public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException {
+  public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source
     LdapTemplate ctx = new LdapTemplate();
     Name name = new CompositeName().add(nameStr);
 
-    ctx.lookup(name); // $hasJndiInjection
+    ctx.lookup(name); // $ Alert
     ctx.lookup(name, (AttributesMapper) null); // Safe
-    ctx.lookup(name, (ContextMapper) null); // $hasJndiInjection
+    ctx.lookup(name, (ContextMapper) null); // $ Alert
     ctx.lookup(name, new String[] {}, (AttributesMapper) null); // Safe
-    ctx.lookup(name, new String[] {}, (ContextMapper) null); // $hasJndiInjection
-    ctx.lookup(nameStr); // $hasJndiInjection
+    ctx.lookup(name, new String[] {}, (ContextMapper) null); // $ Alert
+    ctx.lookup(nameStr); // $ Alert
     ctx.lookup(nameStr, (AttributesMapper) null); // Safe
-    ctx.lookup(nameStr, (ContextMapper) null); // $hasJndiInjection
+    ctx.lookup(nameStr, (ContextMapper) null); // $ Alert
     ctx.lookup(nameStr, new String[] {}, (AttributesMapper) null); // Safe
-    ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $hasJndiInjection
-    ctx.lookupContext(name); // $hasJndiInjection
-    ctx.lookupContext(nameStr); // $hasJndiInjection
-    ctx.findByDn(name, null); // $hasJndiInjection
-    ctx.rename(name, null); // $hasJndiInjection
-    ctx.list(name); // $hasJndiInjection
-    ctx.listBindings(name); // $hasJndiInjection
-    ctx.unbind(nameStr, true); // $hasJndiInjection
+    ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $ Alert
+    ctx.lookupContext(name); // $ Alert
+    ctx.lookupContext(nameStr); // $ Alert
+    ctx.findByDn(name, null); // $ Alert
+    ctx.rename(name, null); // $ Alert
+    ctx.list(name); // $ Alert
+    ctx.listBindings(name); // $ Alert
+    ctx.unbind(nameStr, true); // $ Alert
 
-    ctx.search(nameStr, "", 0, true, null); // $hasJndiInjection
-    ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) null); // $hasJndiInjection
-    ctx.search(nameStr, "", 0, (ContextMapper<Object>) null); // $hasJndiInjection
-    ctx.search(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
+    ctx.search(nameStr, "", 0, true, null); // $ Alert
+    ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) null); // $ Alert
+    ctx.search(nameStr, "", 0, (ContextMapper<Object>) null); // $ Alert
+    ctx.search(nameStr, "", (ContextMapper<Object>) null); // $ Alert
 
     SearchControls searchControls = new SearchControls();
     searchControls.setReturningObjFlag(true);
-    ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null); // $hasJndiInjection
-    ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null, // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null); // $ Alert
+    ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null, // $ Alert
         (DirContextProcessor) null);
-    ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null); // $hasJndiInjection
-    ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null, // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null); // $ Alert
+    ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null, // $ Alert
         (DirContextProcessor) null);
-    ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $hasJndiInjection
-    ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $ Alert
+    ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $ Alert
         (DirContextProcessor) null);
 
     SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
-    ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null); // $hasJndiInjection
-    ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null, // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null); // $ Alert
+    ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null, // $ Alert
         (DirContextProcessor) null);
-    ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null); // $hasJndiInjection
-    ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null, // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null); // $ Alert
+    ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null, // $ Alert
         (DirContextProcessor) null);
-    ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $hasJndiInjection
-    ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $hasJndiInjection
+    ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $ Alert
+    ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $ Alert
         (DirContextProcessor) null);
 
     SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
@@ -167,68 +167,68 @@ public class JndiInjectionTest {
     ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null, // Safe
         (DirContextProcessor) null);
 
-    ctx.searchForObject(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
+    ctx.searchForObject(nameStr, "", (ContextMapper<Object>) null); // $ Alert
   }
 
   @RequestMapping
-  public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
+  public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source
     org.apache.shiro.jndi.JndiTemplate ctx = new org.apache.shiro.jndi.JndiTemplate();
 
-    ctx.lookup(nameStr); // $hasJndiInjection
-    ctx.lookup(nameStr, null); // $hasJndiInjection
+    ctx.lookup(nameStr); // $ Alert
+    ctx.lookup(nameStr, null); // $ Alert
   }
 
   @RequestMapping
-  public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException {
-    JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $hasJndiInjection
+  public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException { // $ Source
+    JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $ Alert
 
     JMXServiceURL url = new JMXServiceURL(urlStr);
     JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null);
-    connector.connect(); // $hasJndiInjection
+    connector.connect(); // $ Alert
   }
 
   @RequestMapping
-  public void testEnvBad1(@RequestParam String urlStr) throws NamingException {
+  public void testEnvBad1(@RequestParam String urlStr) throws NamingException { // $ Source
     Hashtable<String, String> env = new Hashtable<String, String>();
     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
-    env.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection
+    env.put(Context.PROVIDER_URL, urlStr); // $ Alert
     new InitialContext(env);
   }
 
   @RequestMapping
-  public void testEnvBad2(@RequestParam String urlStr) throws NamingException {
+  public void testEnvBad2(@RequestParam String urlStr) throws NamingException { // $ Source
     Hashtable<String, String> env = new Hashtable<String, String>();
     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
-    env.put("java.naming.provider.url", urlStr); // $hasJndiInjection
+    env.put("java.naming.provider.url", urlStr); // $ Alert
     new InitialDirContext(env);
   }
 
   @RequestMapping
-  public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr)
+  public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr) // $ Source
       throws NamingException {
     Properties props = new Properties();
     props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
-    props.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection
+    props.put(Context.PROVIDER_URL, urlStr); // $ Alert
     new JndiTemplate(props);
   }
 
   @RequestMapping
-  public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr)
+  public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr) // $ Source
       throws NamingException {
     Properties props = new Properties();
     props.setProperty(Context.INITIAL_CONTEXT_FACTORY,
         "com.sun.jndi.rmi.registry.RegistryContextFactory");
-    props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection
+    props.setProperty("java.naming.provider.url", urlStr); // $ Alert
     new JndiTemplate(props);
   }
 
   @RequestMapping
-  public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr)
+  public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr) // $ Source
       throws NamingException {
     Properties props = new Properties();
     props.setProperty(Context.INITIAL_CONTEXT_FACTORY,
         "com.sun.jndi.rmi.registry.RegistryContextFactory");
-    props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection
+    props.setProperty("java.naming.provider.url", urlStr); // $ Alert
     JndiTemplate template = new JndiTemplate();
     template.setEnvironment(props);
   }

java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-074/JndiInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-074/JndiInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2:${testdir}/../../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../../stubs/apache-commons-logging-1.2

java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql

@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.security.JndiInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module HasJndiInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasJndiInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasJndiInjection" and
-    exists(DataFlow::Node sink | JndiInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<HasJndiInjectionTest>

java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.expected

@@ -0,0 +1,245 @@
+#select
+| XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:30:44:30:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:35:66:35:88 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | XsltInjectionTest.java:40:45:40:70 | param : String | XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:40:45:40:70 | param | this user input |
+| XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:47:54:47:76 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:53:67:53:89 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:59:75:59:97 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:65:31:65:53 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:71:73:71:95 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:76:44:76:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:84:44:84:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:94:5:94:35 | load(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:94:5:94:35 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:95:5:95:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:95:5:95:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:96:5:96:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:96:5:96:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:97:5:97:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:97:5:97:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:98:5:98:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:98:5:98:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:99:5:99:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:99:5:99:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:100:5:100:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:100:5:100:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:101:5:101:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:101:5:101:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:102:5:102:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:102:5:102:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:103:5:103:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:103:5:103:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:112:5:112:46 | load(...) | XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:112:5:112:46 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:36:107:61 | param | this user input |
+| XsltInjectionTest.java:113:5:113:49 | load(...) | XsltInjectionTest.java:107:64:107:76 | socket : Socket | XsltInjectionTest.java:113:5:113:49 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:64:107:76 | socket | this user input |
+| XsltInjectionTest.java:113:5:113:49 | load(...) | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:113:5:113:49 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) | this user input |
+| XsltInjectionTest.java:114:5:114:50 | load(...) | XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:114:5:114:50 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:36:107:61 | param | this user input |
+edges
+| XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:31:53:31:58 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
+| XsltInjectionTest.java:31:53:31:58 | source : StreamSource | XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:36:51:36:56 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | provenance | MaD:14 |
+| XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 |
+| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 |
+| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | provenance | Config |
+| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | provenance | MaD:16 |
+| XsltInjectionTest.java:40:45:40:70 | param : String | XsltInjectionTest.java:42:61:42:64 | xslt : String | provenance |  |
+| XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:43:53:43:58 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | provenance | MaD:14 |
+| XsltInjectionTest.java:42:61:42:64 | xslt : String | XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | provenance | MaD:9 |
+| XsltInjectionTest.java:43:53:43:58 | source : StreamSource | XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | XsltInjectionTest.java:48:51:48:56 | source : SAXSource | provenance |  |
+| XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | provenance | MaD:12 |
+| XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | provenance | Src:MaD:7 MaD:17 |
+| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 |
+| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | provenance | Config |
+| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | provenance | MaD:16 |
+| XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | XsltInjectionTest.java:54:53:54:58 | source : SAXSource | provenance |  |
+| XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | provenance | MaD:13 |
+| XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | provenance | MaD:17 |
+| XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 |
+| XsltInjectionTest.java:54:53:54:58 | source : SAXSource | XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | XsltInjectionTest.java:60:53:60:58 | source : StAXSource | provenance |  |
+| XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | provenance | Config |
+| XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | provenance | Src:MaD:7 Config |
+| XsltInjectionTest.java:60:53:60:58 | source : StAXSource | XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | XsltInjectionTest.java:66:51:66:56 | source : StAXSource | provenance |  |
+| XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | provenance | Config |
+| XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | provenance | Config |
+| XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 |
+| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 |
+| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | provenance | Config |
+| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | provenance | MaD:16 |
+| XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | XsltInjectionTest.java:72:53:72:58 | source : DOMSource | provenance |  |
+| XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | provenance | Config |
+| XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | provenance | Src:MaD:7 Config |
+| XsltInjectionTest.java:72:53:72:58 | source : DOMSource | XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:80:28:80:33 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
+| XsltInjectionTest.java:80:28:80:33 | source : StreamSource | XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:87:28:87:33 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
+| XsltInjectionTest.java:87:28:87:33 | source : StreamSource | XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | provenance | Config Sink:MaD:1 |
+| XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:94:22:94:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
+| XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:94:5:94:35 | load(...) | provenance | Config Sink:MaD:6 |
+| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | XsltInjectionTest.java:95:22:95:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:95:5:95:37 | load30(...) | provenance | Config Sink:MaD:5 |
+| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | XsltInjectionTest.java:96:22:96:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:96:5:96:37 | load30(...) | provenance | Config Sink:MaD:2 |
+| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | XsltInjectionTest.java:97:22:97:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:97:5:97:37 | load30(...) | provenance | Config Sink:MaD:2 |
+| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | XsltInjectionTest.java:98:22:98:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:98:5:98:37 | load30(...) | provenance | Config Sink:MaD:2 |
+| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | XsltInjectionTest.java:99:22:99:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:99:5:99:37 | load30(...) | provenance | Config Sink:MaD:2 |
+| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | XsltInjectionTest.java:100:22:100:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:100:5:100:37 | load30(...) | provenance | Config Sink:MaD:3 |
+| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | XsltInjectionTest.java:101:22:101:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:101:5:101:37 | load30(...) | provenance | Config Sink:MaD:3 |
+| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | XsltInjectionTest.java:102:22:102:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:102:5:102:37 | load30(...) | provenance | Config Sink:MaD:4 |
+| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | XsltInjectionTest.java:103:22:103:27 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:103:5:103:37 | load30(...) | provenance | Config Sink:MaD:4 |
+| XsltInjectionTest.java:103:22:103:27 | source : StreamSource | XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:108:23:108:27 | param : String | provenance |  |
+| XsltInjectionTest.java:107:64:107:76 | socket : Socket | XsltInjectionTest.java:109:44:109:49 | socket : Socket | provenance |  |
+| XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | XsltInjectionTest.java:112:36:112:38 | uri : URI | provenance |  |
+| XsltInjectionTest.java:108:23:108:27 | param : String | XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | provenance | MaD:11 |
+| XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:113:29:113:34 | source : StreamSource | provenance |  |
+| XsltInjectionTest.java:109:44:109:49 | socket : Socket | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | provenance | MaD:10 |
+| XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
+| XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | XsltInjectionTest.java:112:5:112:46 | load(...) | provenance | Config Sink:MaD:6 |
+| XsltInjectionTest.java:112:36:112:38 | uri : URI | XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:112:36:112:38 | uri : URI | XsltInjectionTest.java:114:33:114:35 | uri : URI | provenance |  |
+| XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | XsltInjectionTest.java:113:5:113:49 | load(...) | provenance | Config Sink:MaD:6 |
+| XsltInjectionTest.java:113:29:113:34 | source : StreamSource | XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | provenance | Config |
+| XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | provenance | Config |
+| XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | XsltInjectionTest.java:114:5:114:50 | load(...) | provenance | Config Sink:MaD:6 |
+| XsltInjectionTest.java:114:33:114:35 | uri : URI | XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | provenance | Config |
+models
+| 1 | Sink: javax.xml.transform; Transformer; false; transform; ; ; Argument[this]; xslt-injection; manual |
+| 2 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; applyTemplates; ; ; Argument[this]; xslt-injection; manual |
+| 3 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; callFunction; ; ; Argument[this]; xslt-injection; manual |
+| 4 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; callTemplate; ; ; Argument[this]; xslt-injection; manual |
+| 5 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; transform; ; ; Argument[this]; xslt-injection; manual |
+| 6 | Sink: net.sf.saxon.s9api; XsltTransformer; false; transform; ; ; Argument[this]; xslt-injection; manual |
+| 7 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 8 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 9 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 10 | Summary: java.net; Socket; true; getInputStream; (); ; Argument[this]; ReturnValue; taint; df-generated |
+| 11 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual |
+| 12 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (InputSource); ; Argument[0]; Argument[this]; taint; manual |
+| 13 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (XMLReader,InputSource); ; Argument[1]; Argument[this]; taint; manual |
+| 14 | Summary: javax.xml.transform.stream; StreamSource; false; StreamSource; ; ; Argument[0]; Argument[this]; taint; manual |
+| 15 | Summary: javax.xml.transform; Templates; true; newTransformer; (); ; Argument[this]; ReturnValue; taint; df-generated |
+| 16 | Summary: javax.xml.transform; TransformerFactory; true; newTemplates; (Source); ; Argument[0]; ReturnValue; taint; df-generated |
+| 17 | Summary: org.xml.sax; InputSource; false; InputSource; ; ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:31:53:31:58 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates |
+| XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:40:45:40:70 | param : String | semmle.label | param : String |
+| XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| XsltInjectionTest.java:42:61:42:64 | xslt : String | semmle.label | xslt : String |
+| XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:43:53:43:58 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
+| XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
+| XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates |
+| XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | semmle.label | source : SAXSource |
+| XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
+| XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
+| XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:54:53:54:58 | source : SAXSource | semmle.label | source : SAXSource |
+| XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | semmle.label | new StAXSource(...) : StAXSource |
+| XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | semmle.label | createXMLEventReader(...) : XMLEventReader |
+| XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:60:53:60:58 | source : StAXSource | semmle.label | source : StAXSource |
+| XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | semmle.label | new StAXSource(...) : StAXSource |
+| XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | semmle.label | createXMLStreamReader(...) : XMLStreamReader |
+| XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates |
+| XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | semmle.label | source : StAXSource |
+| XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | semmle.label | new DOMSource(...) : DOMSource |
+| XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | semmle.label | parse(...) : Document |
+| XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:72:53:72:58 | source : DOMSource | semmle.label | source : DOMSource |
+| XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:80:28:80:33 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjectionTest.java:87:28:87:33 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:94:5:94:35 | load(...) | semmle.label | load(...) |
+| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:95:5:95:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:96:5:96:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:97:5:97:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:98:5:98:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:99:5:99:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:100:5:100:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:101:5:101:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:102:5:102:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
+| XsltInjectionTest.java:103:5:103:37 | load30(...) | semmle.label | load30(...) |
+| XsltInjectionTest.java:103:22:103:27 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:107:36:107:61 | param : String | semmle.label | param : String |
+| XsltInjectionTest.java:107:64:107:76 | socket : Socket | semmle.label | socket : Socket |
+| XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| XsltInjectionTest.java:108:23:108:27 | param : String | semmle.label | param : String |
+| XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjectionTest.java:109:44:109:49 | socket : Socket | semmle.label | socket : Socket |
+| XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | semmle.label | loadExecutablePackage(...) : XsltExecutable |
+| XsltInjectionTest.java:112:5:112:46 | load(...) | semmle.label | load(...) |
+| XsltInjectionTest.java:112:36:112:38 | uri : URI | semmle.label | uri : URI |
+| XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | semmle.label | compilePackage(...) : XsltPackage |
+| XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | semmle.label | link(...) : XsltExecutable |
+| XsltInjectionTest.java:113:5:113:49 | load(...) | semmle.label | load(...) |
+| XsltInjectionTest.java:113:29:113:34 | source : StreamSource | semmle.label | source : StreamSource |
+| XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | semmle.label | loadLibraryPackage(...) : XsltPackage |
+| XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | semmle.label | link(...) : XsltExecutable |
+| XsltInjectionTest.java:114:5:114:50 | load(...) | semmle.label | load(...) |
+| XsltInjectionTest.java:114:33:114:35 | uri : URI | semmle.label | uri : URI |
+subpaths

java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.java

@@ -27,91 +27,91 @@ import net.sf.saxon.s9api.XsltCompiler;
 @Controller
 public class XsltInjectionTest {
   public void testStreamSourceInputStream(Socket socket) throws Exception {
-    StreamSource source = new StreamSource(socket.getInputStream());
-    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
+    StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
+    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testStreamSourceReader(Socket socket) throws Exception {
-    StreamSource source = new StreamSource(new InputStreamReader(socket.getInputStream()));
-    TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection
+    StreamSource source = new StreamSource(new InputStreamReader(socket.getInputStream())); // $ Source
+    TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert
   }
 
   @RequestMapping
-  public void testStreamSourceInjectedParam(@RequestParam String param) throws Exception {
+  public void testStreamSourceInjectedParam(@RequestParam String param) throws Exception { // $ Source
     String xslt = "<xsl:stylesheet [...]" + param + "</xsl:stylesheet>";
     StreamSource source = new StreamSource(new StringReader(xslt));
-    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
+    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testSAXSourceInputStream(Socket socket) throws Exception {
-    SAXSource source = new SAXSource(new InputSource(socket.getInputStream()));
-    TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection
+    SAXSource source = new SAXSource(new InputSource(socket.getInputStream())); // $ Source
+    TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert
   }
 
   public void testSAXSourceReader(Socket socket) throws Exception {
     SAXSource source =
-        new SAXSource(null, new InputSource(new InputStreamReader(socket.getInputStream())));
-    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
+        new SAXSource(null, new InputSource(new InputStreamReader(socket.getInputStream()))); // $ Source
+    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testStAXSourceEventReader(Socket socket) throws Exception {
     StAXSource source =
-        new StAXSource(XMLInputFactory.newInstance().createXMLEventReader(socket.getInputStream()));
-    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
+        new StAXSource(XMLInputFactory.newInstance().createXMLEventReader(socket.getInputStream())); // $ Source
+    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testStAXSourceEventStream(Socket socket) throws Exception {
     StAXSource source = new StAXSource(XMLInputFactory.newInstance().createXMLStreamReader(null,
-        new InputStreamReader(socket.getInputStream())));
-    TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection
+        new InputStreamReader(socket.getInputStream()))); // $ Source
+    TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert
   }
 
   public void testDOMSource(Socket socket) throws Exception {
     DOMSource source = new DOMSource(
-        DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(socket.getInputStream()));
-    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
+        DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(socket.getInputStream())); // $ Source
+    TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testDisabledXXE(Socket socket) throws Exception {
-    StreamSource source = new StreamSource(socket.getInputStream());
+    StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
     TransformerFactory factory = TransformerFactory.newInstance();
     factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
     factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-    factory.newTransformer(source).transform(null, null); // $hasXsltInjection
+    factory.newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testFeatureSecureProcessingDisabled(Socket socket) throws Exception {
-    StreamSource source = new StreamSource(socket.getInputStream());
+    StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
     TransformerFactory factory = TransformerFactory.newInstance();
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
-    factory.newTransformer(source).transform(null, null); // $hasXsltInjection
+    factory.newTransformer(source).transform(null, null); // $ Alert
   }
 
   public void testSaxon(Socket socket) throws Exception {
-    StreamSource source = new StreamSource(socket.getInputStream());
+    StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
     XsltCompiler compiler = new Processor(true).newXsltCompiler();
 
-    compiler.compile(source).load().transform(); // $hasXsltInjection
-    compiler.compile(source).load30().transform(null, null); // $hasXsltInjection
-    compiler.compile(source).load30().applyTemplates((Source) null); // $hasXsltInjection
-    compiler.compile(source).load30().applyTemplates((Source) null, null); // $hasXsltInjection
-    compiler.compile(source).load30().applyTemplates((XdmValue) null); // $hasXsltInjection
-    compiler.compile(source).load30().applyTemplates((XdmValue) null, null); // $hasXsltInjection
-    compiler.compile(source).load30().callFunction(null, null); // $hasXsltInjection
-    compiler.compile(source).load30().callFunction(null, null, null); // $hasXsltInjection
-    compiler.compile(source).load30().callTemplate(null); // $hasXsltInjection
-    compiler.compile(source).load30().callTemplate(null, null); // $hasXsltInjection
+    compiler.compile(source).load().transform(); // $ Alert
+    compiler.compile(source).load30().transform(null, null); // $ Alert
+    compiler.compile(source).load30().applyTemplates((Source) null); // $ Alert
+    compiler.compile(source).load30().applyTemplates((Source) null, null); // $ Alert
+    compiler.compile(source).load30().applyTemplates((XdmValue) null); // $ Alert
+    compiler.compile(source).load30().applyTemplates((XdmValue) null, null); // $ Alert
+    compiler.compile(source).load30().callFunction(null, null); // $ Alert
+    compiler.compile(source).load30().callFunction(null, null, null); // $ Alert
+    compiler.compile(source).load30().callTemplate(null); // $ Alert
+    compiler.compile(source).load30().callTemplate(null, null); // $ Alert
   }
 
   @RequestMapping
-  public void testSaxonXsltPackage(@RequestParam String param, Socket socket) throws Exception {
+  public void testSaxonXsltPackage(@RequestParam String param, Socket socket) throws Exception { // $ Source
     URI uri = new URI(param);
-    StreamSource source = new StreamSource(socket.getInputStream());
+    StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
     XsltCompiler compiler = new Processor(true).newXsltCompiler();
 
-    compiler.loadExecutablePackage(uri).load().transform(); // $hasXsltInjection
-    compiler.compilePackage(source).link().load().transform(); // $hasXsltInjection
-    compiler.loadLibraryPackage(uri).link().load().transform(); // $hasXsltInjection
+    compiler.loadExecutablePackage(uri).load().transform(); // $ Alert
+    compiler.compilePackage(source).link().load().transform(); // $ Alert
+    compiler.loadLibraryPackage(uri).link().load().transform(); // $ Alert
   }
 
   public void testOkFeatureSecureProcessing(Socket socket) throws Exception {

java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-074/XsltInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-074/XsltInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2:${testdir}/../../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../../stubs/apache-commons-logging-1.2

java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql

@@ -1,20 +0,0 @@
-import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XsltInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module HasXsltInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasXsltInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasXsltInjection" and
-    exists(DataFlow::Node sink | XsltInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<HasXsltInjectionTest>

java/ql/test/query-tests/security/CWE-074/options

@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../stubs/apache-commons-logging-1.2

java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java

@@ -12,25 +12,25 @@ import java.util.Locale;
 public class JaxXSS {
 
   @GET
-  public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) {
+  public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source
 
     Response.ResponseBuilder builder = Response.ok();
 
     if(!safeContentType) {
       if(chainDirectly) {
         if(contentTypeFirst)
-          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
         else
-          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss
+          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert
       }
       else {
         if(contentTypeFirst) {
           Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
-          return builder2.entity(userControlled).build(); // $ xss
+          return builder2.entity(userControlled).build(); // $ Alert
         }
         else {
           Response.ResponseBuilder builder2 = builder.entity(userControlled);
-          return builder2.type(MediaType.TEXT_HTML).build(); // $ xss
+          return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert
         }
       }
     }
@@ -56,7 +56,7 @@ public class JaxXSS {
   }
 
   @GET
-  public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) {
+  public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source
 
     // Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above:
 
@@ -105,39 +105,39 @@ public class JaxXSS {
     else {
       if(route == 0) {
         // via ok, as a string literal:
-        return Response.ok("text/html").entity(userControlled).build(); // $ xss
+        return Response.ok("text/html").entity(userControlled).build(); // $ Alert
       }
       else if(route == 1) {
         // via ok, as a string constant:
-        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
       }
       else if(route == 2) {
         // via ok, as a MediaType constant:
-        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss
+        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert
       }
       else if(route == 3) {
         // via ok, as a Variant, via constructor:
-        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
+        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
       }
       else if(route == 4) {
         // via ok, as a Variant, via static method:
-        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
+        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
       }
       else if(route == 5) {
         // via ok, as a Variant, via instance method:
-        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
+        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
       }
       else if(route == 6) {
         // via builder variant, before entity:
-        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
+        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
       }
       else if(route == 7) {
         // via builder variant, after entity:
-        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss
+        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert
       }
       else if(route == 8) {
         // provide entity via ok, then content-type via builder:
-        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss
+        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert
       }
     }
 
@@ -161,28 +161,28 @@ public class JaxXSS {
   }
 
   @GET @Produces(MediaType.TEXT_HTML)
-  public static Response methodContentTypeUnsafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeUnsafe(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @POST @Produces(MediaType.TEXT_HTML)
-  public static Response methodContentTypeUnsafePost(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET @Produces("text/html")
-  public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
-  public static Response methodContentTypeMaybeSafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET @Produces(MediaType.APPLICATION_JSON)
-  public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+  public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
+    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
   }
 
   @GET @Produces(MediaType.TEXT_HTML)
@@ -204,13 +204,13 @@ public class JaxXSS {
     }
 
     @GET @Produces({"text/html"})
-    public Response overridesWithUnsafe(String userControlled) {
-      return Response.ok(userControlled).build(); // $ xss
+    public Response overridesWithUnsafe(String userControlled) { // $ Source
+      return Response.ok(userControlled).build(); // $ Alert
     }
 
     @GET
-    public Response overridesWithUnsafe2(String userControlled) {
-      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+    public Response overridesWithUnsafe2(String userControlled) { // $ Source
+      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
     }
   }
 
@@ -218,13 +218,13 @@ public class JaxXSS {
   @Produces({"text/html"})
   public static class ClassContentTypeUnsafe {
     @GET
-    public Response test(String userControlled) {
-      return Response.ok(userControlled).build(); // $ xss
+    public Response test(String userControlled) { // $ Source
+      return Response.ok(userControlled).build(); // $ Alert
     }
 
     @GET
-    public String testDirectReturn(String userControlled) {
-      return userControlled; // $ xss
+    public String testDirectReturn(String userControlled) { // $ Source
+      return userControlled; // $ Alert
     }
 
     @GET @Produces({"application/json"})
@@ -239,13 +239,13 @@ public class JaxXSS {
   }
 
   @GET
-  public static Response entityWithNoMediaType(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response entityWithNoMediaType(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET
-  public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $ xss
+  public static String stringWithNoMediaType(String userControlled) { // $ Source
+    return userControlled; // $ Alert
   }
 
 }

java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java

@@ -18,7 +18,7 @@ public class JsfXSS extends Renderer
     {
         super.encodeBegin(facesContext, component);
 
-        Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap();
+         Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source
         String windowId = requestParameters.get("window_id");
 
         ResponseWriter writer = facesContext.getResponseWriter();
@@ -26,7 +26,7 @@ public class JsfXSS extends Renderer
         writer.write("(function(){");
         writer.write("dswh.init('" + windowId + "','"
                 + "......" + "',"
-                + -1 + ",{"); // $ xss
+                + -1 + ",{"); // $ Alert
         writer.write("});");
         writer.write("})();");
         writer.write("</script>");
@@ -57,13 +57,13 @@ public class JsfXSS extends Renderer
     {
         ExternalContext ec = facesContext.getExternalContext();
         ResponseWriter writer = facesContext.getResponseWriter();
-        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ xss
-        writer.write(ec.getRequestParameterNames().next()); // $ xss
-        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ xss
-        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ xss
-        writer.write(ec.getRequestPathInfo()); // $ xss
-        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ xss
-        writer.write(ec.getRequestHeaderMap().get("someKey")); // $ xss
-        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ xss
+        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert
+        writer.write(ec.getRequestParameterNames().next()); // $ Alert
+        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert
+        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert
+        writer.write(ec.getRequestPathInfo()); // $ Alert
+        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert
+        writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert
+        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert
     }
 }

java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java

@@ -13,17 +13,17 @@ import java.util.Optional;
 public class SpringXSS {
 
   @GetMapping
-  public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) {
+  public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source
 
     ResponseEntity.BodyBuilder builder = ResponseEntity.ok();
 
     if(!safeContentType) {
       if(chainDirectly) {
-        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
+        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
       }
       else {
         ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
-        return builder2.body(userControlled); // $ xss
+        return builder2.body(userControlled); // $ Alert
       }
     }
     else {
@@ -59,23 +59,23 @@ public class SpringXSS {
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
-  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = "text/html")
-  public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
-  public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
-  public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
+    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -84,17 +84,17 @@ public class SpringXSS {
   }
 
   @GetMapping(value = "/xyz", produces = {"text/html", "application/json"})
-  public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) {
+  public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source
     // Also try out some alternative constructors for the ResponseEntity:
     switch(constructionMethod) {
       case 0:
-      return ResponseEntity.ok(userControlled); // $ xss
+      return ResponseEntity.ok(userControlled); // $ Alert
       case 1:
-      return ResponseEntity.of(Optional.of(userControlled)); // $ xss
+      return ResponseEntity.of(Optional.of(userControlled)); // $ Alert
       case 2:
-      return ResponseEntity.ok().body(userControlled); // $ xss
+      return ResponseEntity.ok().body(userControlled); // $ Alert
       case 3:
-      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ xss
+      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ Alert
       default:
       return null;
     }
@@ -114,13 +114,13 @@ public class SpringXSS {
     }
 
     @GetMapping(value = "/xyz", produces = {"text/html"})
-    public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $ xss
+    public ResponseEntity<String> overridesWithUnsafe(String userControlled) { // $ Source
+      return ResponseEntity.ok(userControlled); // $ Alert
     }
 
     @GetMapping(value = "/abc")
-    public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
-      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
+    public ResponseEntity<String> overridesWithUnsafe2(String userControlled) { // $ Source
+      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
     }
   }
 
@@ -128,13 +128,13 @@ public class SpringXSS {
   @RequestMapping(produces = {"text/html"})
   private static class ClassContentTypeUnsafe {
     @GetMapping(value = "/abc")
-    public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $ xss
+    public ResponseEntity<String> test(String userControlled) { // $ Source
+      return ResponseEntity.ok(userControlled); // $ Alert
     }
 
     @GetMapping(value = "/abc")
-    public String testDirectReturn(String userControlled) {
-      return userControlled; // $ xss
+    public String testDirectReturn(String userControlled) { // $ Source
+      return userControlled; // $ Alert
     }
 
     @GetMapping(value = "/xyz", produces = {"application/json"})
@@ -149,13 +149,13 @@ public class SpringXSS {
   }
 
   @GetMapping(value = "/abc")
-  public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> entityWithNoMediaType(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/abc")
-  public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $ xss
+  public static String stringWithNoMediaType(String userControlled) { // $ Source
+    return userControlled; // $ Alert
   }
 
   @GetMapping(value = "/abc")

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected

@@ -0,0 +1,336 @@
+#select
+| JaxXSS.java:22:59:22:72 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:22:59:22:72 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
+| JaxXSS.java:24:33:24:46 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:24:33:24:46 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
+| JaxXSS.java:29:34:29:47 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:29:34:29:47 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
+| JaxXSS.java:33:18:33:59 | build(...) | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:33:18:33:59 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
+| JaxXSS.java:108:16:108:70 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:108:16:108:70 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:112:16:112:78 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:112:16:112:78 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:116:16:116:83 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:116:16:116:83 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:120:98:120:111 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:120:98:120:111 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:124:89:124:102 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:124:89:124:102 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:128:110:128:123 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:128:110:128:123 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:132:108:132:121 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:132:108:132:121 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:136:37:136:50 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:136:37:136:50 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:140:16:140:81 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:140:16:140:81 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
+| JaxXSS.java:165:12:165:46 | build(...) | JaxXSS.java:164:50:164:70 | userControlled : String | JaxXSS.java:165:12:165:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:164:50:164:70 | userControlled | user-provided value |
+| JaxXSS.java:170:12:170:46 | build(...) | JaxXSS.java:169:54:169:74 | userControlled : String | JaxXSS.java:170:12:170:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:169:54:169:74 | userControlled | user-provided value |
+| JaxXSS.java:175:12:175:46 | build(...) | JaxXSS.java:174:63:174:83 | userControlled : String | JaxXSS.java:175:12:175:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:174:63:174:83 | userControlled | user-provided value |
+| JaxXSS.java:180:12:180:46 | build(...) | JaxXSS.java:179:53:179:73 | userControlled : String | JaxXSS.java:180:12:180:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:179:53:179:73 | userControlled | user-provided value |
+| JaxXSS.java:185:59:185:72 | userControlled | JaxXSS.java:184:68:184:88 | userControlled : String | JaxXSS.java:185:59:185:72 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:184:68:184:88 | userControlled | user-provided value |
+| JaxXSS.java:208:14:208:48 | build(...) | JaxXSS.java:207:41:207:61 | userControlled : String | JaxXSS.java:208:14:208:48 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:207:41:207:61 | userControlled | user-provided value |
+| JaxXSS.java:213:61:213:74 | userControlled | JaxXSS.java:212:42:212:62 | userControlled : String | JaxXSS.java:213:61:213:74 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:212:42:212:62 | userControlled | user-provided value |
+| JaxXSS.java:222:14:222:48 | build(...) | JaxXSS.java:221:26:221:46 | userControlled : String | JaxXSS.java:222:14:222:48 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:221:26:221:46 | userControlled | user-provided value |
+| JaxXSS.java:227:14:227:27 | userControlled | JaxXSS.java:226:36:226:56 | userControlled : String | JaxXSS.java:227:14:227:27 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:226:36:226:56 | userControlled | user-provided value |
+| JaxXSS.java:243:12:243:46 | build(...) | JaxXSS.java:242:48:242:68 | userControlled : String | JaxXSS.java:243:12:243:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:242:48:242:68 | userControlled | user-provided value |
+| JaxXSS.java:248:12:248:25 | userControlled | JaxXSS.java:247:46:247:66 | userControlled : String | JaxXSS.java:248:12:248:25 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:247:46:247:66 | userControlled | user-provided value |
+| JsfXSS.java:27:22:29:27 | ... + ... | JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | JsfXSS.java:27:22:29:27 | ... + ... | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) | user-provided value |
+| JsfXSS.java:60:22:60:75 | next(...) | JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | JsfXSS.java:60:22:60:75 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) | user-provided value |
+| JsfXSS.java:61:22:61:57 | next(...) | JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | JsfXSS.java:61:22:61:57 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) | user-provided value |
+| JsfXSS.java:62:22:62:72 | ...[...] | JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:62:22:62:72 | ...[...] | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) | user-provided value |
+| JsfXSS.java:63:22:63:81 | next(...) | JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:63:22:63:81 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) | user-provided value |
+| JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | user-provided value |
+| JsfXSS.java:65:22:65:80 | getName(...) | JsfXSS.java:65:22:65:80 | getName(...) | JsfXSS.java:65:22:65:80 | getName(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:65:22:65:80 | getName(...) | user-provided value |
+| JsfXSS.java:66:22:66:60 | get(...) | JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | JsfXSS.java:66:22:66:60 | get(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) | user-provided value |
+| JsfXSS.java:67:22:67:69 | ...[...] | JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | JsfXSS.java:67:22:67:69 | ...[...] | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) | user-provided value |
+| SpringXSS.java:22:62:22:75 | userControlled | SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:22:62:22:75 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:16:108:16:128 | userControlled | user-provided value |
+| SpringXSS.java:26:30:26:43 | userControlled | SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:26:30:26:43 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:16:108:16:128 | userControlled | user-provided value |
+| SpringXSS.java:63:12:63:44 | ok(...) | SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:62:64:62:84 | userControlled | user-provided value |
+| SpringXSS.java:68:12:68:44 | ok(...) | SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:67:77:67:97 | userControlled | user-provided value |
+| SpringXSS.java:73:12:73:44 | ok(...) | SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:72:67:72:87 | userControlled | user-provided value |
+| SpringXSS.java:78:70:78:83 | userControlled | SpringXSS.java:77:82:77:102 | userControlled : String | SpringXSS.java:78:70:78:83 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:77:82:77:102 | userControlled | user-provided value |
+| SpringXSS.java:91:14:91:46 | ok(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
+| SpringXSS.java:93:14:93:59 | of(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:93:14:93:59 | of(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
+| SpringXSS.java:95:14:95:53 | body(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
+| SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
+| SpringXSS.java:118:14:118:46 | ok(...) | SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:117:55:117:75 | userControlled | user-provided value |
+| SpringXSS.java:123:72:123:85 | userControlled | SpringXSS.java:122:56:122:76 | userControlled : String | SpringXSS.java:123:72:123:85 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:122:56:122:76 | userControlled | user-provided value |
+| SpringXSS.java:132:14:132:46 | ok(...) | SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:131:40:131:60 | userControlled | user-provided value |
+| SpringXSS.java:137:14:137:27 | userControlled | SpringXSS.java:136:36:136:56 | userControlled : String | SpringXSS.java:137:14:137:27 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:136:36:136:56 | userControlled | user-provided value |
+| SpringXSS.java:153:12:153:44 | ok(...) | SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:152:62:152:82 | userControlled | user-provided value |
+| SpringXSS.java:158:12:158:25 | userControlled | SpringXSS.java:157:46:157:66 | userControlled : String | SpringXSS.java:158:12:158:25 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:157:46:157:66 | userControlled | user-provided value |
+| XSS.java:19:12:19:77 | ... + ... | XSS.java:19:28:19:55 | getParameter(...) : String | XSS.java:19:12:19:77 | ... + ... | Cross-site scripting vulnerability due to a $@. | XSS.java:19:28:19:55 | getParameter(...) | user-provided value |
+| XSS.java:34:30:34:87 | ... + ... | XSS.java:34:67:34:87 | getPathInfo(...) : String | XSS.java:34:30:34:87 | ... + ... | Cross-site scripting vulnerability due to a $@. | XSS.java:34:67:34:87 | getPathInfo(...) | user-provided value |
+| XSS.java:37:36:37:67 | getBytes(...) | XSS.java:37:36:37:56 | getPathInfo(...) : String | XSS.java:37:36:37:67 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:37:36:37:56 | getPathInfo(...) | user-provided value |
+| XSS.java:83:33:83:53 | getPathInfo(...) | XSS.java:83:33:83:53 | getPathInfo(...) | XSS.java:83:33:83:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:83:33:83:53 | getPathInfo(...) | user-provided value |
+| XSS.java:88:33:88:53 | getPathInfo(...) | XSS.java:88:33:88:53 | getPathInfo(...) | XSS.java:88:33:88:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:88:33:88:53 | getPathInfo(...) | user-provided value |
+| XSS.java:93:33:93:53 | getPathInfo(...) | XSS.java:93:33:93:53 | getPathInfo(...) | XSS.java:93:33:93:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:93:33:93:53 | getPathInfo(...) | user-provided value |
+| XSS.java:100:39:100:70 | getBytes(...) | XSS.java:100:39:100:59 | getPathInfo(...) : String | XSS.java:100:39:100:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:100:39:100:59 | getPathInfo(...) | user-provided value |
+| XSS.java:105:39:105:70 | getBytes(...) | XSS.java:105:39:105:59 | getPathInfo(...) : String | XSS.java:105:39:105:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:105:39:105:59 | getPathInfo(...) | user-provided value |
+| XSS.java:110:39:110:70 | getBytes(...) | XSS.java:110:39:110:59 | getPathInfo(...) : String | XSS.java:110:39:110:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:110:39:110:59 | getPathInfo(...) | user-provided value |
+edges
+| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:22:59:22:72 | userControlled | provenance |  |
+| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:24:33:24:46 | userControlled | provenance |  |
+| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:29:34:29:47 | userControlled | provenance |  |
+| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:32:62:32:75 | userControlled : String | provenance |  |
+| JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | provenance |  |
+| JaxXSS.java:32:62:32:75 | userControlled : String | JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
+| JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | provenance | MaD:19 |
+| JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | JaxXSS.java:33:18:33:59 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:108:48:108:61 | userControlled : String | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:112:56:112:69 | userControlled : String | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:116:61:116:74 | userControlled : String | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:120:98:120:111 | userControlled | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:124:89:124:102 | userControlled | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:128:110:128:123 | userControlled | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:132:108:132:121 | userControlled | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:136:37:136:50 | userControlled | provenance |  |
+| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:140:28:140:41 | userControlled : String | provenance |  |
+| JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | JaxXSS.java:108:16:108:70 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:108:48:108:61 | userControlled : String | JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
+| JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | JaxXSS.java:112:16:112:78 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:112:56:112:69 | userControlled : String | JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
+| JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | JaxXSS.java:116:16:116:83 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:116:61:116:74 | userControlled : String | JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
+| JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | provenance | MaD:19 |
+| JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | JaxXSS.java:140:16:140:81 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:140:28:140:41 | userControlled : String | JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:164:50:164:70 | userControlled : String | JaxXSS.java:165:24:165:37 | userControlled : String | provenance |  |
+| JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | JaxXSS.java:165:12:165:46 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:165:24:165:37 | userControlled : String | JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:169:54:169:74 | userControlled : String | JaxXSS.java:170:24:170:37 | userControlled : String | provenance |  |
+| JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | JaxXSS.java:170:12:170:46 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:170:24:170:37 | userControlled : String | JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:174:63:174:83 | userControlled : String | JaxXSS.java:175:24:175:37 | userControlled : String | provenance |  |
+| JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | JaxXSS.java:175:12:175:46 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:175:24:175:37 | userControlled : String | JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:179:53:179:73 | userControlled : String | JaxXSS.java:180:24:180:37 | userControlled : String | provenance |  |
+| JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | JaxXSS.java:180:12:180:46 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:180:24:180:37 | userControlled : String | JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:184:68:184:88 | userControlled : String | JaxXSS.java:185:59:185:72 | userControlled | provenance |  |
+| JaxXSS.java:207:41:207:61 | userControlled : String | JaxXSS.java:208:26:208:39 | userControlled : String | provenance |  |
+| JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | JaxXSS.java:208:14:208:48 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:208:26:208:39 | userControlled : String | JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:212:42:212:62 | userControlled : String | JaxXSS.java:213:61:213:74 | userControlled | provenance |  |
+| JaxXSS.java:221:26:221:46 | userControlled : String | JaxXSS.java:222:26:222:39 | userControlled : String | provenance |  |
+| JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | JaxXSS.java:222:14:222:48 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:222:26:222:39 | userControlled : String | JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:226:36:226:56 | userControlled : String | JaxXSS.java:227:14:227:27 | userControlled | provenance |  |
+| JaxXSS.java:242:48:242:68 | userControlled : String | JaxXSS.java:243:24:243:37 | userControlled : String | provenance |  |
+| JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | JaxXSS.java:243:12:243:46 | build(...) | provenance | MaD:16 |
+| JaxXSS.java:243:24:243:37 | userControlled : String | JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
+| JaxXSS.java:247:46:247:66 | userControlled : String | JaxXSS.java:248:12:248:25 | userControlled | provenance |  |
+| JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | JsfXSS.java:22:27:22:43 | requestParameters : Map | provenance | Src:MaD:5  |
+| JsfXSS.java:22:27:22:43 | requestParameters : Map | JsfXSS.java:22:27:22:60 | get(...) : String | provenance | MaD:13 |
+| JsfXSS.java:22:27:22:60 | get(...) : String | JsfXSS.java:27:22:29:27 | ... + ... | provenance | Sink:MaD:2 |
+| JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | JsfXSS.java:60:22:60:57 | keySet(...) : Set [<element>] : Object | provenance | Src:MaD:5 MaD:14 |
+| JsfXSS.java:60:22:60:57 | keySet(...) : Set [<element>] : Object | JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [<element>] : Object | provenance | MaD:10 |
+| JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [<element>] : Object | JsfXSS.java:60:22:60:75 | next(...) | provenance | MaD:12 Sink:MaD:2 |
+| JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | JsfXSS.java:61:22:61:57 | next(...) | provenance | Src:MaD:6 MaD:12 Sink:MaD:2 |
+| JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:62:22:62:69 | get(...) : String[] | provenance | Src:MaD:7 MaD:13 |
+| JsfXSS.java:62:22:62:69 | get(...) : String[] | JsfXSS.java:62:22:62:72 | ...[...] | provenance | Sink:MaD:2 |
+| JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:63:22:63:63 | keySet(...) : Set [<element>] : Object | provenance | Src:MaD:7 MaD:14 |
+| JsfXSS.java:63:22:63:63 | keySet(...) : Set [<element>] : Object | JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [<element>] : Object | provenance | MaD:10 |
+| JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [<element>] : Object | JsfXSS.java:63:22:63:81 | next(...) | provenance | MaD:12 Sink:MaD:2 |
+| JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | JsfXSS.java:66:22:66:60 | get(...) | provenance | Src:MaD:3 MaD:13 Sink:MaD:2 |
+| JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | JsfXSS.java:67:22:67:66 | get(...) : String[] | provenance | Src:MaD:4 MaD:13 |
+| JsfXSS.java:67:22:67:66 | get(...) : String[] | JsfXSS.java:67:22:67:69 | ...[...] | provenance | Sink:MaD:2 |
+| SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:22:62:22:75 | userControlled | provenance |  |
+| SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:26:30:26:43 | userControlled | provenance |  |
+| SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:30:63:43 | userControlled : String | provenance |  |
+| SpringXSS.java:63:30:63:43 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:30:68:43 | userControlled : String | provenance |  |
+| SpringXSS.java:68:30:68:43 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:30:73:43 | userControlled : String | provenance |  |
+| SpringXSS.java:73:30:73:43 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:77:82:77:102 | userControlled : String | SpringXSS.java:78:70:78:83 | userControlled | provenance |  |
+| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:32:91:45 | userControlled : String | provenance |  |
+| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:93:44:93:57 | userControlled : String | provenance |  |
+| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | provenance | SpringResponseEntityBodyBuilder |
+| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:39:95:52 | userControlled : String | provenance |  |
+| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:97:41:97:54 | userControlled : String | provenance |  |
+| SpringXSS.java:91:32:91:45 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:93:32:93:58 | of(...) : Optional [<element>] : String | SpringXSS.java:93:14:93:59 | of(...) | provenance | MaD:23 |
+| SpringXSS.java:93:44:93:57 | userControlled : String | SpringXSS.java:93:32:93:58 | of(...) : Optional [<element>] : String | provenance | MaD:15 |
+| SpringXSS.java:95:39:95:52 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | provenance | MaD:21 |
+| SpringXSS.java:97:41:97:54 | userControlled : String | SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | provenance | MaD:22 |
+| SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:32:118:45 | userControlled : String | provenance |  |
+| SpringXSS.java:118:32:118:45 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:122:56:122:76 | userControlled : String | SpringXSS.java:123:72:123:85 | userControlled | provenance |  |
+| SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:32:132:45 | userControlled : String | provenance |  |
+| SpringXSS.java:132:32:132:45 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:136:36:136:56 | userControlled : String | SpringXSS.java:137:14:137:27 | userControlled | provenance |  |
+| SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | provenance | SpringResponseEntity |
+| SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:30:153:43 | userControlled : String | provenance |  |
+| SpringXSS.java:153:30:153:43 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | provenance | MaD:24 |
+| SpringXSS.java:157:46:157:66 | userControlled : String | SpringXSS.java:158:12:158:25 | userControlled | provenance |  |
+| XSS.java:19:28:19:55 | getParameter(...) : String | XSS.java:19:12:19:77 | ... + ... | provenance | Src:MaD:9 Sink:MaD:1 |
+| XSS.java:34:67:34:87 | getPathInfo(...) : String | XSS.java:34:30:34:87 | ... + ... | provenance | Src:MaD:8 Sink:MaD:1 |
+| XSS.java:37:36:37:56 | getPathInfo(...) : String | XSS.java:37:36:37:67 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
+| XSS.java:100:39:100:59 | getPathInfo(...) : String | XSS.java:100:39:100:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
+| XSS.java:105:39:105:59 | getPathInfo(...) : String | XSS.java:105:39:105:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
+| XSS.java:110:39:110:59 | getPathInfo(...) : String | XSS.java:110:39:110:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
+models
+| 1 | Sink: java.io; PrintWriter; false; print; ; ; Argument[0]; file-content-store; manual |
+| 2 | Sink: java.io; Writer; true; write; ; ; Argument[0]; file-content-store; manual |
+| 3 | Source: javax.faces.context; ExternalContext; true; getRequestHeaderMap; (); ; ReturnValue; remote; manual |
+| 4 | Source: javax.faces.context; ExternalContext; true; getRequestHeaderValuesMap; (); ; ReturnValue; remote; manual |
+| 5 | Source: javax.faces.context; ExternalContext; true; getRequestParameterMap; (); ; ReturnValue; remote; manual |
+| 6 | Source: javax.faces.context; ExternalContext; true; getRequestParameterNames; (); ; ReturnValue; remote; manual |
+| 7 | Source: javax.faces.context; ExternalContext; true; getRequestParameterValuesMap; (); ; ReturnValue; remote; manual |
+| 8 | Source: javax.servlet.http; HttpServletRequest; false; getPathInfo; (); ; ReturnValue; remote; manual |
+| 9 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+| 10 | Summary: java.lang; Iterable; true; iterator; (); ; Argument[this].Element; ReturnValue.Element; value; manual |
+| 11 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
+| 12 | Summary: java.util; Iterator; true; next; ; ; Argument[this].Element; ReturnValue; value; manual |
+| 13 | Summary: java.util; Map; true; get; ; ; Argument[this].MapValue; ReturnValue; value; manual |
+| 14 | Summary: java.util; Map; true; keySet; (); ; Argument[this].MapKey; ReturnValue.Element; value; manual |
+| 15 | Summary: java.util; Optional; false; of; ; ; Argument[0]; ReturnValue.Element; value; manual |
+| 16 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; build; ; ; Argument[this]; ReturnValue; taint; manual |
+| 17 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; entity; ; ; Argument[0]; Argument[this]; taint; manual |
+| 18 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; entity; ; ; Argument[this]; ReturnValue; value; manual |
+| 19 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; type; ; ; Argument[this]; ReturnValue; value; manual |
+| 20 | Summary: javax.ws.rs.core; Response; false; ok; ; ; Argument[0]; ReturnValue; taint; manual |
+| 21 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[0]; ReturnValue; taint; manual |
+| 22 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,HttpStatus); ; Argument[0]; Argument[this]; taint; manual |
+| 23 | Summary: org.springframework.http; ResponseEntity; true; of; (Optional); ; Argument[0].Element; ReturnValue; taint; manual |
+| 24 | Summary: org.springframework.http; ResponseEntity; true; ok; (Object); ; Argument[0]; ReturnValue; taint; manual |
+nodes
+| JaxXSS.java:15:120:15:140 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:22:59:22:72 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:24:33:24:46 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:29:34:29:47 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
+| JaxXSS.java:32:62:32:75 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | semmle.label | builder2 : ResponseBuilder |
+| JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | semmle.label | type(...) : ResponseBuilder |
+| JaxXSS.java:33:18:33:59 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:59:95:59:115 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
+| JaxXSS.java:108:16:108:70 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:108:48:108:61 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
+| JaxXSS.java:112:16:112:78 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:112:56:112:69 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
+| JaxXSS.java:116:16:116:83 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:116:61:116:74 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:120:98:120:111 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:124:89:124:102 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:128:110:128:123 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:132:108:132:121 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:136:37:136:50 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | semmle.label | type(...) : ResponseBuilder |
+| JaxXSS.java:140:16:140:81 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:140:28:140:41 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:164:50:164:70 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:165:12:165:46 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:165:24:165:37 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:169:54:169:74 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:170:12:170:46 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:170:24:170:37 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:174:63:174:83 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:175:12:175:46 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:175:24:175:37 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:179:53:179:73 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:180:12:180:46 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:180:24:180:37 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:184:68:184:88 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:185:59:185:72 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:207:41:207:61 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:208:14:208:48 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:208:26:208:39 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:212:42:212:62 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:213:61:213:74 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:221:26:221:46 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:222:14:222:48 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:222:26:222:39 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:226:36:226:56 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:227:14:227:27 | userControlled | semmle.label | userControlled |
+| JaxXSS.java:242:48:242:68 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
+| JaxXSS.java:243:12:243:46 | build(...) | semmle.label | build(...) |
+| JaxXSS.java:243:24:243:37 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:247:46:247:66 | userControlled : String | semmle.label | userControlled : String |
+| JaxXSS.java:248:12:248:25 | userControlled | semmle.label | userControlled |
+| JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
+| JsfXSS.java:22:27:22:43 | requestParameters : Map | semmle.label | requestParameters : Map |
+| JsfXSS.java:22:27:22:60 | get(...) : String | semmle.label | get(...) : String |
+| JsfXSS.java:27:22:29:27 | ... + ... | semmle.label | ... + ... |
+| JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
+| JsfXSS.java:60:22:60:57 | keySet(...) : Set [<element>] : Object | semmle.label | keySet(...) : Set [<element>] : Object |
+| JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [<element>] : Object | semmle.label | iterator(...) : Iterator [<element>] : Object |
+| JsfXSS.java:60:22:60:75 | next(...) | semmle.label | next(...) |
+| JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | semmle.label | getRequestParameterNames(...) : Iterator |
+| JsfXSS.java:61:22:61:57 | next(...) | semmle.label | next(...) |
+| JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | semmle.label | getRequestParameterValuesMap(...) : Map |
+| JsfXSS.java:62:22:62:69 | get(...) : String[] | semmle.label | get(...) : String[] |
+| JsfXSS.java:62:22:62:72 | ...[...] | semmle.label | ...[...] |
+| JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | semmle.label | getRequestParameterValuesMap(...) : Map |
+| JsfXSS.java:63:22:63:63 | keySet(...) : Set [<element>] : Object | semmle.label | keySet(...) : Set [<element>] : Object |
+| JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [<element>] : Object | semmle.label | iterator(...) : Iterator [<element>] : Object |
+| JsfXSS.java:63:22:63:81 | next(...) | semmle.label | next(...) |
+| JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | semmle.label | getRequestPathInfo(...) |
+| JsfXSS.java:65:22:65:80 | getName(...) | semmle.label | getName(...) |
+| JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | semmle.label | getRequestHeaderMap(...) : Map |
+| JsfXSS.java:66:22:66:60 | get(...) | semmle.label | get(...) |
+| JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | semmle.label | getRequestHeaderValuesMap(...) : Map |
+| JsfXSS.java:67:22:67:66 | get(...) : String[] | semmle.label | get(...) : String[] |
+| JsfXSS.java:67:22:67:69 | ...[...] | semmle.label | ...[...] |
+| SpringXSS.java:16:108:16:128 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:22:62:22:75 | userControlled | semmle.label | userControlled |
+| SpringXSS.java:26:30:26:43 | userControlled | semmle.label | userControlled |
+| SpringXSS.java:62:64:62:84 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:63:12:63:44 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:63:30:63:43 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:67:77:67:97 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:68:12:68:44 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:68:30:68:43 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:72:67:72:87 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:73:12:73:44 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:73:30:73:43 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:77:82:77:102 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:78:70:78:83 | userControlled | semmle.label | userControlled |
+| SpringXSS.java:87:81:87:101 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:91:14:91:46 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:91:32:91:45 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:93:14:93:59 | of(...) | semmle.label | of(...) |
+| SpringXSS.java:93:32:93:58 | of(...) : Optional [<element>] : String | semmle.label | of(...) : Optional [<element>] : String |
+| SpringXSS.java:93:44:93:57 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:95:14:95:53 | body(...) | semmle.label | body(...) |
+| SpringXSS.java:95:39:95:52 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | semmle.label | new ResponseEntity<String>(...) |
+| SpringXSS.java:97:41:97:54 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:117:55:117:75 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:118:14:118:46 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:118:32:118:45 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:122:56:122:76 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:123:72:123:85 | userControlled | semmle.label | userControlled |
+| SpringXSS.java:131:40:131:60 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:132:14:132:46 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:132:32:132:45 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:136:36:136:56 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:137:14:137:27 | userControlled | semmle.label | userControlled |
+| SpringXSS.java:152:62:152:82 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:153:12:153:44 | ok(...) | semmle.label | ok(...) |
+| SpringXSS.java:153:30:153:43 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:157:46:157:66 | userControlled : String | semmle.label | userControlled : String |
+| SpringXSS.java:158:12:158:25 | userControlled | semmle.label | userControlled |
+| XSS.java:19:12:19:77 | ... + ... | semmle.label | ... + ... |
+| XSS.java:19:28:19:55 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| XSS.java:34:30:34:87 | ... + ... | semmle.label | ... + ... |
+| XSS.java:34:67:34:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
+| XSS.java:37:36:37:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
+| XSS.java:37:36:37:67 | getBytes(...) | semmle.label | getBytes(...) |
+| XSS.java:83:33:83:53 | getPathInfo(...) | semmle.label | getPathInfo(...) |
+| XSS.java:88:33:88:53 | getPathInfo(...) | semmle.label | getPathInfo(...) |
+| XSS.java:93:33:93:53 | getPathInfo(...) | semmle.label | getPathInfo(...) |
+| XSS.java:100:39:100:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
+| XSS.java:100:39:100:70 | getBytes(...) | semmle.label | getBytes(...) |
+| XSS.java:105:39:105:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
+| XSS.java:105:39:105:70 | getBytes(...) | semmle.label | getBytes(...) |
+| XSS.java:110:39:110:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
+| XSS.java:110:39:110:70 | getBytes(...) | semmle.label | getBytes(...) |
+subpaths

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java

@@ -16,7 +16,7 @@ public class XSS extends HttpServlet {
 			throws ServletException, IOException {
 		// BAD: a request parameter is written directly to the Servlet response stream
 		response.getWriter()
-				.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ xss
+				.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
 
 		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -31,10 +31,10 @@ public class XSS extends HttpServlet {
 				"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
 
 		// BAD: outputting the path of the resource
-		response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ xss
+		response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert
 
 		// BAD: typical XSS, this time written to an OutputStream instead of a Writer
-		response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
+		response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
 
 		// GOOD: sanitizer
 		response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe
@@ -80,34 +80,34 @@ public class XSS extends HttpServlet {
 				if(setContentMethod == 0) {
 					// BAD: set content-type to something that is not safe
 					response.setContentType("text/html");
-					response.getWriter().print(request.getPathInfo()); // $ xss
+					response.getWriter().print(request.getPathInfo()); // $ Alert
 				}
 				else if(setContentMethod == 1) {
 					// BAD: set content-type to something that is not safe
 					response.setHeader("Content-Type", "text/html");
-					response.getWriter().print(request.getPathInfo()); // $ xss
+					response.getWriter().print(request.getPathInfo()); // $ Alert
 				}
 				else {
 					// BAD: set content-type to something that is not safe
 					response.addHeader("Content-Type", "text/html");
-					response.getWriter().print(request.getPathInfo()); // $ xss
+					response.getWriter().print(request.getPathInfo()); // $ Alert
 				}
 			}
 			else {
 				if(setContentMethod == 0) {
 					// BAD: set content-type to something that is not safe
 					response.setContentType("text/html");
-					response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
+					response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
 				}
 				else if(setContentMethod == 1) {
 					// BAD: set content-type to something that is not safe
 					response.setHeader("Content-Type", "text/html");
-					response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
+					response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
 				}
 				else {
 					// BAD: set content-type to something that is not safe
 					response.addHeader("Content-Type", "text/html");
-					response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
+					response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
 				}
 			}
 		}

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql

@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.security.XssQuery
-import utils.test.InlineExpectationsTest
-
-module XssTest implements TestSig {
-  string getARelevantTag() { result = "xss" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "xss" and
-    exists(DataFlow::Node sink | XssFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<XssTest>

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-079/XSS.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java

@@ -14,42 +14,41 @@ public class GroovyClassLoaderTest extends HttpServlet {
             throws ServletException, IOException {
         // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            classLoader.parseClass(gcs); // $hasGroovyInjection
+            classLoader.parseClass(gcs); // $ Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            classLoader.parseClass(gcs, true); // $hasGroovyInjection
+            classLoader.parseClass(gcs, true); // $ Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection
+            classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection
+            classLoader.parseClass(new StringReader(script), "test"); // $ Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(script); // $hasGroovyInjection
+            classLoader.parseClass(script); // $ Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(script, "test"); // $hasGroovyInjection
+            classLoader.parseClass(script, "test"); // $ Alert
         }
     }
 }
-

java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java

@@ -18,8 +18,8 @@ public class GroovyCompilationUnitTest extends HttpServlet {
         // "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual"
         {
             CompilationUnit cu = new CompilationUnit();
-            cu.addSource("test", request.getParameter("source"));
-            cu.compile(); // $hasGroovyInjection
+            cu.addSource("test", request.getParameter("source")); // $ Source
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
@@ -29,20 +29,20 @@ public class GroovyCompilationUnitTest extends HttpServlet {
         {
             CompilationUnit cu = new CompilationUnit();
             cu.addSource("test",
-                    new ByteArrayInputStream(request.getParameter("source").getBytes()));
-            cu.compile(); // $hasGroovyInjection
+                    new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            cu.addSource(new URL(request.getParameter("source")));
-            cu.compile(); // $hasGroovyInjection
+            cu.addSource(new URL(request.getParameter("source"))); // $ Source
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
             SourceUnit su =
-                    new SourceUnit("test", request.getParameter("source"), null, null, null);
+                    new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
@@ -53,29 +53,29 @@ public class GroovyCompilationUnitTest extends HttpServlet {
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null);
+            StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source
             SourceUnit su = new SourceUnit("test", rs, null, null, null);
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
             SourceUnit su =
-                    new SourceUnit(new URL(request.getParameter("source")), null, null, null);
+                    new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            SourceUnit su = SourceUnit.create("test", request.getParameter("source"));
+            SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0);
+            SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $ Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
@@ -85,8 +85,8 @@ public class GroovyCompilationUnitTest extends HttpServlet {
         }
         {
             JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit();
-            cu.addSource("test", request.getParameter("source"));
-            cu.compile(); // $hasGroovyInjection
+            cu.addSource("test", request.getParameter("source")); // $ Source
+            cu.compile(); // $ Alert
         }
         {
             JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null);

java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java

@@ -11,30 +11,29 @@ public class GroovyEvalTest extends HttpServlet {
             throws ServletException, IOException {
         // "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.me(script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            Eval.me(script); // $ Alert
         }
         // "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.me("test", "result", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            Eval.me("test", "result", script); // $ Alert
         }
         // "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.x("result2", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            Eval.x("result2", script); // $ Alert
 
         }
         // "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.xy("result3", "result4", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            Eval.xy("result3", "result4", script); // $ Alert
         }
         // "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            Eval.xyz("result3", "result4", "aaa", script); // $ Alert
         }
     }
 }
-

java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.expected

@@ -0,0 +1,327 @@
+#select
+| GroovyClassLoaderTest.java:20:36:20:38 | gcs | GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) : String | GroovyClassLoaderTest.java:20:36:20:38 | gcs | Groovy script depends on a $@. | GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) | user-provided value |
+| GroovyClassLoaderTest.java:27:36:27:38 | gcs | GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) : String | GroovyClassLoaderTest.java:27:36:27:38 | gcs | Groovy script depends on a $@. | GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) | user-provided value |
+| GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) : String | GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | Groovy script depends on a $@. | GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) | user-provided value |
+| GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) : String | GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | Groovy script depends on a $@. | GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) | user-provided value |
+| GroovyClassLoaderTest.java:45:36:45:41 | script | GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) : String | GroovyClassLoaderTest.java:45:36:45:41 | script | Groovy script depends on a $@. | GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) | user-provided value |
+| GroovyClassLoaderTest.java:51:36:51:41 | script | GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) : String | GroovyClassLoaderTest.java:51:36:51:41 | script | Groovy script depends on a $@. | GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:22:13:22:14 | cu | GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:22:13:22:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:33:13:33:14 | cu | GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) : String | GroovyCompilationUnitTest.java:33:13:33:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:38:13:38:14 | cu | GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:38:13:38:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:45:13:45:14 | cu | GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:45:13:45:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:59:13:59:14 | cu | GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) : String | GroovyCompilationUnitTest.java:59:13:59:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:66:13:66:14 | cu | GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:66:13:66:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:72:13:72:14 | cu | GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:72:13:72:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:78:13:78:14 | cu | GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:78:13:78:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) | user-provided value |
+| GroovyCompilationUnitTest.java:89:13:89:14 | cu | GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:89:13:89:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) | user-provided value |
+| GroovyEvalTest.java:15:21:15:26 | script | GroovyEvalTest.java:14:29:14:58 | getParameter(...) : String | GroovyEvalTest.java:15:21:15:26 | script | Groovy script depends on a $@. | GroovyEvalTest.java:14:29:14:58 | getParameter(...) | user-provided value |
+| GroovyEvalTest.java:20:39:20:44 | script | GroovyEvalTest.java:19:29:19:58 | getParameter(...) : String | GroovyEvalTest.java:20:39:20:44 | script | Groovy script depends on a $@. | GroovyEvalTest.java:19:29:19:58 | getParameter(...) | user-provided value |
+| GroovyEvalTest.java:25:31:25:36 | script | GroovyEvalTest.java:24:29:24:58 | getParameter(...) : String | GroovyEvalTest.java:25:31:25:36 | script | Groovy script depends on a $@. | GroovyEvalTest.java:24:29:24:58 | getParameter(...) | user-provided value |
+| GroovyEvalTest.java:31:43:31:48 | script | GroovyEvalTest.java:30:29:30:58 | getParameter(...) : String | GroovyEvalTest.java:31:43:31:48 | script | Groovy script depends on a $@. | GroovyEvalTest.java:30:29:30:58 | getParameter(...) | user-provided value |
+| GroovyEvalTest.java:36:51:36:56 | script | GroovyEvalTest.java:35:29:35:58 | getParameter(...) : String | GroovyEvalTest.java:36:51:36:56 | script | Groovy script depends on a $@. | GroovyEvalTest.java:35:29:35:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:24:28:24:30 | gcs | GroovyShellTest.java:22:29:22:58 | getParameter(...) : String | GroovyShellTest.java:24:28:24:30 | gcs | Groovy script depends on a $@. | GroovyShellTest.java:22:29:22:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:31:28:31:33 | reader | GroovyShellTest.java:29:29:29:58 | getParameter(...) : String | GroovyShellTest.java:31:28:31:33 | reader | Groovy script depends on a $@. | GroovyShellTest.java:29:29:29:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:38:28:38:33 | reader | GroovyShellTest.java:36:29:36:58 | getParameter(...) : String | GroovyShellTest.java:38:28:38:33 | reader | Groovy script depends on a $@. | GroovyShellTest.java:36:29:36:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:44:28:44:33 | script | GroovyShellTest.java:43:29:43:58 | getParameter(...) : String | GroovyShellTest.java:44:28:44:33 | script | Groovy script depends on a $@. | GroovyShellTest.java:43:29:43:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:50:28:50:33 | script | GroovyShellTest.java:49:29:49:58 | getParameter(...) : String | GroovyShellTest.java:50:28:50:33 | script | Groovy script depends on a $@. | GroovyShellTest.java:49:29:49:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:56:28:56:33 | script | GroovyShellTest.java:55:29:55:58 | getParameter(...) : String | GroovyShellTest.java:56:28:56:33 | script | Groovy script depends on a $@. | GroovyShellTest.java:55:29:55:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:62:25:62:39 | new URI(...) | GroovyShellTest.java:61:29:61:58 | getParameter(...) : String | GroovyShellTest.java:62:25:62:39 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:61:29:61:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:70:25:70:30 | reader | GroovyShellTest.java:68:29:68:58 | getParameter(...) : String | GroovyShellTest.java:70:25:70:30 | reader | Groovy script depends on a $@. | GroovyShellTest.java:68:29:68:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:77:25:77:30 | reader | GroovyShellTest.java:75:29:75:58 | getParameter(...) : String | GroovyShellTest.java:77:25:77:30 | reader | Groovy script depends on a $@. | GroovyShellTest.java:75:29:75:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:83:25:83:30 | script | GroovyShellTest.java:82:29:82:58 | getParameter(...) : String | GroovyShellTest.java:83:25:83:30 | script | Groovy script depends on a $@. | GroovyShellTest.java:82:29:82:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:89:25:89:30 | script | GroovyShellTest.java:88:29:88:58 | getParameter(...) : String | GroovyShellTest.java:89:25:89:30 | script | Groovy script depends on a $@. | GroovyShellTest.java:88:29:88:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:95:25:95:39 | new URI(...) | GroovyShellTest.java:94:29:94:58 | getParameter(...) : String | GroovyShellTest.java:95:25:95:39 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:94:29:94:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:103:23:103:25 | gcs | GroovyShellTest.java:101:29:101:58 | getParameter(...) : String | GroovyShellTest.java:103:23:103:25 | gcs | Groovy script depends on a $@. | GroovyShellTest.java:101:29:101:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:110:23:110:25 | gcs | GroovyShellTest.java:108:29:108:58 | getParameter(...) : String | GroovyShellTest.java:110:23:110:25 | gcs | Groovy script depends on a $@. | GroovyShellTest.java:108:29:108:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:117:23:117:28 | reader | GroovyShellTest.java:115:29:115:58 | getParameter(...) : String | GroovyShellTest.java:117:23:117:28 | reader | Groovy script depends on a $@. | GroovyShellTest.java:115:29:115:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:124:23:124:28 | reader | GroovyShellTest.java:122:29:122:58 | getParameter(...) : String | GroovyShellTest.java:124:23:124:28 | reader | Groovy script depends on a $@. | GroovyShellTest.java:122:29:122:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:130:23:130:28 | script | GroovyShellTest.java:129:29:129:58 | getParameter(...) : String | GroovyShellTest.java:130:23:130:28 | script | Groovy script depends on a $@. | GroovyShellTest.java:129:29:129:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:136:23:136:28 | script | GroovyShellTest.java:135:29:135:58 | getParameter(...) : String | GroovyShellTest.java:136:23:136:28 | script | Groovy script depends on a $@. | GroovyShellTest.java:135:29:135:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:142:23:142:37 | new URI(...) | GroovyShellTest.java:141:29:141:58 | getParameter(...) : String | GroovyShellTest.java:142:23:142:37 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:141:29:141:58 | getParameter(...) | user-provided value |
+| GroovyShellTest.java:149:23:149:37 | new URI(...) | GroovyShellTest.java:148:29:148:58 | getParameter(...) : String | GroovyShellTest.java:149:23:149:37 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:148:29:148:58 | getParameter(...) | user-provided value |
+| TemplateEngineTest.java:22:35:22:64 | getParameter(...) | TemplateEngineTest.java:22:35:22:64 | getParameter(...) | TemplateEngineTest.java:22:35:22:64 | getParameter(...) | Groovy script depends on a $@. | TemplateEngineTest.java:22:35:22:64 | getParameter(...) | user-provided value |
+| TemplateEngineTest.java:23:35:23:47 | (...)... | TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:23:35:23:47 | (...)... | Groovy script depends on a $@. | TemplateEngineTest.java:14:16:14:45 | getParameter(...) | user-provided value |
+| TemplateEngineTest.java:24:35:24:49 | (...)... | TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:24:35:24:49 | (...)... | Groovy script depends on a $@. | TemplateEngineTest.java:14:16:14:45 | getParameter(...) | user-provided value |
+| TemplateEngineTest.java:25:35:25:46 | (...)... | TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:25:35:25:46 | (...)... | Groovy script depends on a $@. | TemplateEngineTest.java:14:16:14:45 | getParameter(...) | user-provided value |
+edges
+| GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) : String | GroovyClassLoaderTest.java:19:57:19:62 | script : String | provenance | Src:MaD:33  |
+| GroovyClassLoaderTest.java:19:36:19:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyClassLoaderTest.java:20:36:20:38 | gcs | provenance | Sink:MaD:1 |
+| GroovyClassLoaderTest.java:19:57:19:62 | script : String | GroovyClassLoaderTest.java:19:36:19:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config |
+| GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) : String | GroovyClassLoaderTest.java:26:57:26:62 | script : String | provenance | Src:MaD:33  |
+| GroovyClassLoaderTest.java:26:36:26:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyClassLoaderTest.java:27:36:27:38 | gcs | provenance | Sink:MaD:2 |
+| GroovyClassLoaderTest.java:26:57:26:62 | script : String | GroovyClassLoaderTest.java:26:36:26:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config |
+| GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) : String | GroovyClassLoaderTest.java:33:61:33:66 | script : String | provenance | Src:MaD:33  |
+| GroovyClassLoaderTest.java:33:61:33:66 | script : String | GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | provenance | MaD:36 |
+| GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | provenance | MaD:34 Sink:MaD:3 |
+| GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | provenance | inputStreamWrapper Sink:MaD:3 |
+| GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) : String | GroovyClassLoaderTest.java:39:53:39:58 | script : String | provenance | Src:MaD:33  |
+| GroovyClassLoaderTest.java:39:53:39:58 | script : String | GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | provenance | MaD:35 Sink:MaD:4 |
+| GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) : String | GroovyClassLoaderTest.java:45:36:45:41 | script | provenance | Src:MaD:33 Sink:MaD:5 |
+| GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) : String | GroovyClassLoaderTest.java:51:36:51:41 | script | provenance | Src:MaD:33 Sink:MaD:6 |
+| GroovyCompilationUnitTest.java:21:13:21:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:22:13:22:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:21:13:21:14 | cu [post update] : CompilationUnit | provenance | Src:MaD:33 Config |
+| GroovyCompilationUnitTest.java:31:13:31:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:33:13:33:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | GroovyCompilationUnitTest.java:31:13:31:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) : String | GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | provenance | Src:MaD:33 MaD:36 |
+| GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:34 |
+| GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | inputStreamWrapper |
+| GroovyCompilationUnitTest.java:37:13:37:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:38:13:38:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:37:26:37:64 | new URL(...) : URL | GroovyCompilationUnitTest.java:37:13:37:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:37:26:37:64 | new URL(...) : URL | provenance | Src:MaD:33 MaD:38 |
+| GroovyCompilationUnitTest.java:43:21:43:92 | new SourceUnit(...) : SourceUnit | GroovyCompilationUnitTest.java:44:26:44:27 | su : SourceUnit | provenance |  |
+| GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:43:21:43:92 | new SourceUnit(...) : SourceUnit | provenance | Src:MaD:33 Config |
+| GroovyCompilationUnitTest.java:44:13:44:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:45:13:45:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:44:26:44:27 | su : SourceUnit | GroovyCompilationUnitTest.java:44:13:44:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:56:37:56:96 | new StringReaderSource(...) : StringReaderSource | GroovyCompilationUnitTest.java:57:52:57:53 | rs : StringReaderSource | provenance |  |
+| GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) : String | GroovyCompilationUnitTest.java:56:37:56:96 | new StringReaderSource(...) : StringReaderSource | provenance | Src:MaD:33 Config |
+| GroovyCompilationUnitTest.java:57:29:57:72 | new SourceUnit(...) : SourceUnit | GroovyCompilationUnitTest.java:58:26:58:27 | su : SourceUnit | provenance |  |
+| GroovyCompilationUnitTest.java:57:52:57:53 | rs : StringReaderSource | GroovyCompilationUnitTest.java:57:29:57:72 | new SourceUnit(...) : SourceUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:58:13:58:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:59:13:59:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:58:26:58:27 | su : SourceUnit | GroovyCompilationUnitTest.java:58:13:58:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:64:21:64:93 | new SourceUnit(...) : SourceUnit | GroovyCompilationUnitTest.java:65:26:65:27 | su : SourceUnit | provenance |  |
+| GroovyCompilationUnitTest.java:64:36:64:74 | new URL(...) : URL | GroovyCompilationUnitTest.java:64:21:64:93 | new SourceUnit(...) : SourceUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:64:36:64:74 | new URL(...) : URL | provenance | Src:MaD:33 MaD:38 |
+| GroovyCompilationUnitTest.java:65:13:65:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:66:13:66:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:65:26:65:27 | su : SourceUnit | GroovyCompilationUnitTest.java:65:13:65:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:70:29:70:85 | create(...) : SourceUnit | GroovyCompilationUnitTest.java:71:26:71:27 | su : SourceUnit | provenance |  |
+| GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:70:29:70:85 | create(...) : SourceUnit | provenance | Src:MaD:33 Config |
+| GroovyCompilationUnitTest.java:71:13:71:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:72:13:72:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:71:26:71:27 | su : SourceUnit | GroovyCompilationUnitTest.java:71:13:71:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:76:29:76:88 | create(...) : SourceUnit | GroovyCompilationUnitTest.java:77:26:77:27 | su : SourceUnit | provenance |  |
+| GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:76:29:76:88 | create(...) : SourceUnit | provenance | Src:MaD:33 Config |
+| GroovyCompilationUnitTest.java:77:13:77:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:78:13:78:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:77:26:77:27 | su : SourceUnit | GroovyCompilationUnitTest.java:77:13:77:14 | cu [post update] : CompilationUnit | provenance | Config |
+| GroovyCompilationUnitTest.java:88:13:88:14 | cu [post update] : JavaAwareCompilationUnit | GroovyCompilationUnitTest.java:89:13:89:14 | cu | provenance | Sink:MaD:32 |
+| GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:88:13:88:14 | cu [post update] : JavaAwareCompilationUnit | provenance | Src:MaD:33 Config |
+| GroovyEvalTest.java:14:29:14:58 | getParameter(...) : String | GroovyEvalTest.java:15:21:15:26 | script | provenance | Src:MaD:33 Sink:MaD:27 |
+| GroovyEvalTest.java:19:29:19:58 | getParameter(...) : String | GroovyEvalTest.java:20:39:20:44 | script | provenance | Src:MaD:33 Sink:MaD:28 |
+| GroovyEvalTest.java:24:29:24:58 | getParameter(...) : String | GroovyEvalTest.java:25:31:25:36 | script | provenance | Src:MaD:33 Sink:MaD:29 |
+| GroovyEvalTest.java:30:29:30:58 | getParameter(...) : String | GroovyEvalTest.java:31:43:31:48 | script | provenance | Src:MaD:33 Sink:MaD:30 |
+| GroovyEvalTest.java:35:29:35:58 | getParameter(...) : String | GroovyEvalTest.java:36:51:36:56 | script | provenance | Src:MaD:33 Sink:MaD:31 |
+| GroovyShellTest.java:22:29:22:58 | getParameter(...) : String | GroovyShellTest.java:23:57:23:62 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:23:36:23:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyShellTest.java:24:28:24:30 | gcs | provenance | Sink:MaD:7 |
+| GroovyShellTest.java:23:57:23:62 | script : String | GroovyShellTest.java:23:36:23:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config |
+| GroovyShellTest.java:29:29:29:58 | getParameter(...) : String | GroovyShellTest.java:30:46:30:51 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:30:29:30:52 | new StringReader(...) : StringReader | GroovyShellTest.java:31:28:31:33 | reader | provenance | Sink:MaD:8 |
+| GroovyShellTest.java:30:46:30:51 | script : String | GroovyShellTest.java:30:29:30:52 | new StringReader(...) : StringReader | provenance | MaD:35 |
+| GroovyShellTest.java:36:29:36:58 | getParameter(...) : String | GroovyShellTest.java:37:46:37:51 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:37:29:37:52 | new StringReader(...) : StringReader | GroovyShellTest.java:38:28:38:33 | reader | provenance | Sink:MaD:9 |
+| GroovyShellTest.java:37:46:37:51 | script : String | GroovyShellTest.java:37:29:37:52 | new StringReader(...) : StringReader | provenance | MaD:35 |
+| GroovyShellTest.java:43:29:43:58 | getParameter(...) : String | GroovyShellTest.java:44:28:44:33 | script | provenance | Src:MaD:33 Sink:MaD:10 |
+| GroovyShellTest.java:49:29:49:58 | getParameter(...) : String | GroovyShellTest.java:50:28:50:33 | script | provenance | Src:MaD:33 Sink:MaD:11 |
+| GroovyShellTest.java:55:29:55:58 | getParameter(...) : String | GroovyShellTest.java:56:28:56:33 | script | provenance | Src:MaD:33 Sink:MaD:12 |
+| GroovyShellTest.java:61:29:61:58 | getParameter(...) : String | GroovyShellTest.java:62:33:62:38 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:62:33:62:38 | script : String | GroovyShellTest.java:62:25:62:39 | new URI(...) | provenance | MaD:37 Sink:MaD:17 |
+| GroovyShellTest.java:68:29:68:58 | getParameter(...) : String | GroovyShellTest.java:69:46:69:51 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:69:29:69:52 | new StringReader(...) : StringReader | GroovyShellTest.java:70:25:70:30 | reader | provenance | Sink:MaD:13 |
+| GroovyShellTest.java:69:46:69:51 | script : String | GroovyShellTest.java:69:29:69:52 | new StringReader(...) : StringReader | provenance | MaD:35 |
+| GroovyShellTest.java:75:29:75:58 | getParameter(...) : String | GroovyShellTest.java:76:46:76:51 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:76:29:76:52 | new StringReader(...) : StringReader | GroovyShellTest.java:77:25:77:30 | reader | provenance | Sink:MaD:14 |
+| GroovyShellTest.java:76:46:76:51 | script : String | GroovyShellTest.java:76:29:76:52 | new StringReader(...) : StringReader | provenance | MaD:35 |
+| GroovyShellTest.java:82:29:82:58 | getParameter(...) : String | GroovyShellTest.java:83:25:83:30 | script | provenance | Src:MaD:33 Sink:MaD:15 |
+| GroovyShellTest.java:88:29:88:58 | getParameter(...) : String | GroovyShellTest.java:89:25:89:30 | script | provenance | Src:MaD:33 Sink:MaD:16 |
+| GroovyShellTest.java:94:29:94:58 | getParameter(...) : String | GroovyShellTest.java:95:33:95:38 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:95:33:95:38 | script : String | GroovyShellTest.java:95:25:95:39 | new URI(...) | provenance | MaD:37 Sink:MaD:17 |
+| GroovyShellTest.java:101:29:101:58 | getParameter(...) : String | GroovyShellTest.java:102:57:102:62 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:102:36:102:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyShellTest.java:103:23:103:25 | gcs | provenance | Sink:MaD:19 |
+| GroovyShellTest.java:102:57:102:62 | script : String | GroovyShellTest.java:102:36:102:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config |
+| GroovyShellTest.java:108:29:108:58 | getParameter(...) : String | GroovyShellTest.java:109:57:109:62 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:109:36:109:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyShellTest.java:110:23:110:25 | gcs | provenance | Sink:MaD:18 |
+| GroovyShellTest.java:109:57:109:62 | script : String | GroovyShellTest.java:109:36:109:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config |
+| GroovyShellTest.java:115:29:115:58 | getParameter(...) : String | GroovyShellTest.java:116:46:116:51 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:116:29:116:52 | new StringReader(...) : StringReader | GroovyShellTest.java:117:23:117:28 | reader | provenance | Sink:MaD:21 |
+| GroovyShellTest.java:116:46:116:51 | script : String | GroovyShellTest.java:116:29:116:52 | new StringReader(...) : StringReader | provenance | MaD:35 |
+| GroovyShellTest.java:122:29:122:58 | getParameter(...) : String | GroovyShellTest.java:123:46:123:51 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:123:29:123:52 | new StringReader(...) : StringReader | GroovyShellTest.java:124:23:124:28 | reader | provenance | Sink:MaD:20 |
+| GroovyShellTest.java:123:46:123:51 | script : String | GroovyShellTest.java:123:29:123:52 | new StringReader(...) : StringReader | provenance | MaD:35 |
+| GroovyShellTest.java:129:29:129:58 | getParameter(...) : String | GroovyShellTest.java:130:23:130:28 | script | provenance | Src:MaD:33 Sink:MaD:23 |
+| GroovyShellTest.java:135:29:135:58 | getParameter(...) : String | GroovyShellTest.java:136:23:136:28 | script | provenance | Src:MaD:33 Sink:MaD:22 |
+| GroovyShellTest.java:141:29:141:58 | getParameter(...) : String | GroovyShellTest.java:142:31:142:36 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:142:31:142:36 | script : String | GroovyShellTest.java:142:23:142:37 | new URI(...) | provenance | MaD:37 Sink:MaD:25 |
+| GroovyShellTest.java:148:29:148:58 | getParameter(...) : String | GroovyShellTest.java:149:31:149:36 | script : String | provenance | Src:MaD:33  |
+| GroovyShellTest.java:149:31:149:36 | script : String | GroovyShellTest.java:149:23:149:37 | new URI(...) | provenance | MaD:37 Sink:MaD:24 |
+| TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:20:29:20:43 | source(...) : String | provenance | Src:MaD:33  |
+| TemplateEngineTest.java:20:29:20:43 | source(...) : String | TemplateEngineTest.java:23:35:23:47 | (...)... | provenance | Sink:MaD:26 |
+| TemplateEngineTest.java:20:29:20:43 | source(...) : String | TemplateEngineTest.java:24:35:24:49 | (...)... | provenance | Sink:MaD:26 |
+| TemplateEngineTest.java:20:29:20:43 | source(...) : String | TemplateEngineTest.java:25:35:25:46 | (...)... | provenance | Sink:MaD:26 |
+models
+| 1 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (GroovyCodeSource); ; Argument[0]; groovy-injection; manual |
+| 2 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (GroovyCodeSource,boolean); ; Argument[0]; groovy-injection; manual |
+| 3 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (InputStream,String); ; Argument[0]; groovy-injection; manual |
+| 4 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (Reader,String); ; Argument[0]; groovy-injection; manual |
+| 5 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (String); ; Argument[0]; groovy-injection; manual |
+| 6 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (String,String); ; Argument[0]; groovy-injection; manual |
+| 7 | Sink: groovy.lang; GroovyShell; false; evaluate; (GroovyCodeSource); ; Argument[0]; groovy-injection; manual |
+| 8 | Sink: groovy.lang; GroovyShell; false; evaluate; (Reader); ; Argument[0]; groovy-injection; manual |
+| 9 | Sink: groovy.lang; GroovyShell; false; evaluate; (Reader,String); ; Argument[0]; groovy-injection; manual |
+| 10 | Sink: groovy.lang; GroovyShell; false; evaluate; (String); ; Argument[0]; groovy-injection; manual |
+| 11 | Sink: groovy.lang; GroovyShell; false; evaluate; (String,String); ; Argument[0]; groovy-injection; manual |
+| 12 | Sink: groovy.lang; GroovyShell; false; evaluate; (String,String,String); ; Argument[0]; groovy-injection; manual |
+| 13 | Sink: groovy.lang; GroovyShell; false; parse; (Reader); ; Argument[0]; groovy-injection; manual |
+| 14 | Sink: groovy.lang; GroovyShell; false; parse; (Reader,String); ; Argument[0]; groovy-injection; manual |
+| 15 | Sink: groovy.lang; GroovyShell; false; parse; (String); ; Argument[0]; groovy-injection; manual |
+| 16 | Sink: groovy.lang; GroovyShell; false; parse; (String,String); ; Argument[0]; groovy-injection; manual |
+| 17 | Sink: groovy.lang; GroovyShell; false; parse; (URI); ; Argument[0]; groovy-injection; manual |
+| 18 | Sink: groovy.lang; GroovyShell; false; run; (GroovyCodeSource,List); ; Argument[0]; groovy-injection; manual |
+| 19 | Sink: groovy.lang; GroovyShell; false; run; (GroovyCodeSource,String[]); ; Argument[0]; groovy-injection; manual |
+| 20 | Sink: groovy.lang; GroovyShell; false; run; (Reader,String,List); ; Argument[0]; groovy-injection; manual |
+| 21 | Sink: groovy.lang; GroovyShell; false; run; (Reader,String,String[]); ; Argument[0]; groovy-injection; manual |
+| 22 | Sink: groovy.lang; GroovyShell; false; run; (String,String,List); ; Argument[0]; groovy-injection; manual |
+| 23 | Sink: groovy.lang; GroovyShell; false; run; (String,String,String[]); ; Argument[0]; groovy-injection; manual |
+| 24 | Sink: groovy.lang; GroovyShell; false; run; (URI,List); ; Argument[0]; groovy-injection; manual |
+| 25 | Sink: groovy.lang; GroovyShell; false; run; (URI,String[]); ; Argument[0]; groovy-injection; manual |
+| 26 | Sink: groovy.text; TemplateEngine; true; createTemplate; ; ; Argument[0]; groovy-injection; manual |
+| 27 | Sink: groovy.util; Eval; false; me; (String); ; Argument[0]; groovy-injection; manual |
+| 28 | Sink: groovy.util; Eval; false; me; (String,Object,String); ; Argument[2]; groovy-injection; manual |
+| 29 | Sink: groovy.util; Eval; false; x; (Object,String); ; Argument[1]; groovy-injection; manual |
+| 30 | Sink: groovy.util; Eval; false; xy; (Object,Object,String); ; Argument[2]; groovy-injection; manual |
+| 31 | Sink: groovy.util; Eval; false; xyz; (Object,Object,Object,String); ; Argument[3]; groovy-injection; manual |
+| 32 | Sink: org.codehaus.groovy.control; CompilationUnit; false; compile; ; ; Argument[this]; groovy-injection; manual |
+| 33 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+| 34 | Summary: java.io; ByteArrayInputStream; false; ByteArrayInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
+| 35 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 36 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
+| 37 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual |
+| 38 | Summary: java.net; URL; false; URL; (String); ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:19:36:19:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource |
+| GroovyClassLoaderTest.java:19:57:19:62 | script : String | semmle.label | script : String |
+| GroovyClassLoaderTest.java:20:36:20:38 | gcs | semmle.label | gcs |
+| GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:26:36:26:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource |
+| GroovyClassLoaderTest.java:26:57:26:62 | script : String | semmle.label | script : String |
+| GroovyClassLoaderTest.java:27:36:27:38 | gcs | semmle.label | gcs |
+| GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | semmle.label | new ByteArrayInputStream(...) |
+| GroovyClassLoaderTest.java:33:61:33:66 | script : String | semmle.label | script : String |
+| GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] |
+| GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | semmle.label | new StringReader(...) |
+| GroovyClassLoaderTest.java:39:53:39:58 | script : String | semmle.label | script : String |
+| GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:45:36:45:41 | script | semmle.label | script |
+| GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:51:36:51:41 | script | semmle.label | script |
+| GroovyCompilationUnitTest.java:21:13:21:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:22:13:22:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:31:13:31:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] |
+| GroovyCompilationUnitTest.java:33:13:33:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:37:13:37:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:37:26:37:64 | new URL(...) : URL | semmle.label | new URL(...) : URL |
+| GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:38:13:38:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:43:21:43:92 | new SourceUnit(...) : SourceUnit | semmle.label | new SourceUnit(...) : SourceUnit |
+| GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:44:13:44:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:44:26:44:27 | su : SourceUnit | semmle.label | su : SourceUnit |
+| GroovyCompilationUnitTest.java:45:13:45:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:56:37:56:96 | new StringReaderSource(...) : StringReaderSource | semmle.label | new StringReaderSource(...) : StringReaderSource |
+| GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:57:29:57:72 | new SourceUnit(...) : SourceUnit | semmle.label | new SourceUnit(...) : SourceUnit |
+| GroovyCompilationUnitTest.java:57:52:57:53 | rs : StringReaderSource | semmle.label | rs : StringReaderSource |
+| GroovyCompilationUnitTest.java:58:13:58:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:58:26:58:27 | su : SourceUnit | semmle.label | su : SourceUnit |
+| GroovyCompilationUnitTest.java:59:13:59:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:64:21:64:93 | new SourceUnit(...) : SourceUnit | semmle.label | new SourceUnit(...) : SourceUnit |
+| GroovyCompilationUnitTest.java:64:36:64:74 | new URL(...) : URL | semmle.label | new URL(...) : URL |
+| GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:65:13:65:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:65:26:65:27 | su : SourceUnit | semmle.label | su : SourceUnit |
+| GroovyCompilationUnitTest.java:66:13:66:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:70:29:70:85 | create(...) : SourceUnit | semmle.label | create(...) : SourceUnit |
+| GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:71:13:71:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:71:26:71:27 | su : SourceUnit | semmle.label | su : SourceUnit |
+| GroovyCompilationUnitTest.java:72:13:72:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:76:29:76:88 | create(...) : SourceUnit | semmle.label | create(...) : SourceUnit |
+| GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:77:13:77:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit |
+| GroovyCompilationUnitTest.java:77:26:77:27 | su : SourceUnit | semmle.label | su : SourceUnit |
+| GroovyCompilationUnitTest.java:78:13:78:14 | cu | semmle.label | cu |
+| GroovyCompilationUnitTest.java:88:13:88:14 | cu [post update] : JavaAwareCompilationUnit | semmle.label | cu [post update] : JavaAwareCompilationUnit |
+| GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyCompilationUnitTest.java:89:13:89:14 | cu | semmle.label | cu |
+| GroovyEvalTest.java:14:29:14:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:15:21:15:26 | script | semmle.label | script |
+| GroovyEvalTest.java:19:29:19:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:20:39:20:44 | script | semmle.label | script |
+| GroovyEvalTest.java:24:29:24:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:25:31:25:36 | script | semmle.label | script |
+| GroovyEvalTest.java:30:29:30:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:31:43:31:48 | script | semmle.label | script |
+| GroovyEvalTest.java:35:29:35:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:36:51:36:56 | script | semmle.label | script |
+| GroovyShellTest.java:22:29:22:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:23:36:23:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource |
+| GroovyShellTest.java:23:57:23:62 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:24:28:24:30 | gcs | semmle.label | gcs |
+| GroovyShellTest.java:29:29:29:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:30:29:30:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| GroovyShellTest.java:30:46:30:51 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:31:28:31:33 | reader | semmle.label | reader |
+| GroovyShellTest.java:36:29:36:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:37:29:37:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| GroovyShellTest.java:37:46:37:51 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:38:28:38:33 | reader | semmle.label | reader |
+| GroovyShellTest.java:43:29:43:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:44:28:44:33 | script | semmle.label | script |
+| GroovyShellTest.java:49:29:49:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:50:28:50:33 | script | semmle.label | script |
+| GroovyShellTest.java:55:29:55:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:56:28:56:33 | script | semmle.label | script |
+| GroovyShellTest.java:61:29:61:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:62:25:62:39 | new URI(...) | semmle.label | new URI(...) |
+| GroovyShellTest.java:62:33:62:38 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:68:29:68:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:69:29:69:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| GroovyShellTest.java:69:46:69:51 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:70:25:70:30 | reader | semmle.label | reader |
+| GroovyShellTest.java:75:29:75:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:76:29:76:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| GroovyShellTest.java:76:46:76:51 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:77:25:77:30 | reader | semmle.label | reader |
+| GroovyShellTest.java:82:29:82:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:83:25:83:30 | script | semmle.label | script |
+| GroovyShellTest.java:88:29:88:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:89:25:89:30 | script | semmle.label | script |
+| GroovyShellTest.java:94:29:94:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:95:25:95:39 | new URI(...) | semmle.label | new URI(...) |
+| GroovyShellTest.java:95:33:95:38 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:101:29:101:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:102:36:102:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource |
+| GroovyShellTest.java:102:57:102:62 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:103:23:103:25 | gcs | semmle.label | gcs |
+| GroovyShellTest.java:108:29:108:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:109:36:109:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource |
+| GroovyShellTest.java:109:57:109:62 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:110:23:110:25 | gcs | semmle.label | gcs |
+| GroovyShellTest.java:115:29:115:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:116:29:116:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| GroovyShellTest.java:116:46:116:51 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:117:23:117:28 | reader | semmle.label | reader |
+| GroovyShellTest.java:122:29:122:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:123:29:123:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| GroovyShellTest.java:123:46:123:51 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:124:23:124:28 | reader | semmle.label | reader |
+| GroovyShellTest.java:129:29:129:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:130:23:130:28 | script | semmle.label | script |
+| GroovyShellTest.java:135:29:135:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:136:23:136:28 | script | semmle.label | script |
+| GroovyShellTest.java:141:29:141:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:142:23:142:37 | new URI(...) | semmle.label | new URI(...) |
+| GroovyShellTest.java:142:31:142:36 | script : String | semmle.label | script : String |
+| GroovyShellTest.java:148:29:148:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:149:23:149:37 | new URI(...) | semmle.label | new URI(...) |
+| GroovyShellTest.java:149:31:149:36 | script : String | semmle.label | script : String |
+| TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| TemplateEngineTest.java:20:29:20:43 | source(...) : String | semmle.label | source(...) : String |
+| TemplateEngineTest.java:22:35:22:64 | getParameter(...) | semmle.label | getParameter(...) |
+| TemplateEngineTest.java:23:35:23:47 | (...)... | semmle.label | (...)... |
+| TemplateEngineTest.java:24:35:24:49 | (...)... | semmle.label | (...)... |
+| TemplateEngineTest.java:25:35:25:46 | (...)... | semmle.label | (...)... |
+subpaths

java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-094/GroovyInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java

@@ -19,136 +19,135 @@ public class GroovyShellTest extends HttpServlet {
         // "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            shell.evaluate(gcs); // $hasGroovyInjection
+            shell.evaluate(gcs); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             Reader reader = new StringReader(script);
-            shell.evaluate(reader); // $hasGroovyInjection
+            shell.evaluate(reader); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             Reader reader = new StringReader(script);
-            shell.evaluate(reader, "_"); // $hasGroovyInjection
+            shell.evaluate(reader, "_"); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.evaluate(script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.evaluate(script); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.evaluate(script, "test"); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.evaluate(script, "test"); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.evaluate(script, "test", "test2"); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.evaluate(script, "test", "test2"); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy;manual",
         try {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.parse(new URI(script)); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.parse(new URI(script)); // $ Alert
         } catch (URISyntaxException e) {
         }
         // "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             Reader reader = new StringReader(script);
-            shell.parse(reader); // $hasGroovyInjection
+            shell.parse(reader); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             Reader reader = new StringReader(script);
-            shell.parse(reader, "_"); // $hasGroovyInjection
+            shell.parse(reader, "_"); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.parse(script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.parse(script); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.parse(script, "_"); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.parse(script, "_"); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy;manual",
         try {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.parse(new URI(script)); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.parse(new URI(script)); // $ Alert
         } catch (URISyntaxException e) {
         }
         // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            shell.run(gcs, new String[] {}); // $hasGroovyInjection
+            shell.run(gcs, new String[] {}); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            shell.run(gcs, new ArrayList<String>()); // $hasGroovyInjection
+            shell.run(gcs, new ArrayList<String>()); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             Reader reader = new StringReader(script);
-            shell.run(reader, "test", new String[] {}); // $hasGroovyInjection
+            shell.run(reader, "test", new String[] {}); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $ Source
             Reader reader = new StringReader(script);
-            shell.run(reader, "test", new ArrayList<String>()); // $hasGroovyInjection
+            shell.run(reader, "test", new ArrayList<String>()); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.run(script, "_", new String[] {}); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.run(script, "_", new String[] {}); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy;manual",
         {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.run(script, "_", new ArrayList<String>()); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.run(script, "_", new ArrayList<String>()); // $ Alert
         }
         // "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy;manual",
         try {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.run(new URI(script), new String[] {}); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.run(new URI(script), new String[] {}); // $ Alert
         } catch (URISyntaxException e) {
         }
         // "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy;manual",
         try {
             GroovyShell shell = new GroovyShell();
-            String script = request.getParameter("script");
-            shell.run(new URI(script), new ArrayList<String>()); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $ Source
+            shell.run(new URI(script), new ArrayList<String>()); // $ Alert
         } catch (URISyntaxException e) {
         }
     }
 }
-

java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java

@@ -11,7 +11,7 @@ import groovy.text.TemplateEngine;
 public class TemplateEngineTest extends HttpServlet {
 
     private Object source(HttpServletRequest request) {
-        return request.getParameter("script");
+        return request.getParameter("script"); // $ Source
     }
 
     protected void doGet(HttpServletRequest request, HttpServletResponse response)
@@ -19,10 +19,10 @@ public class TemplateEngineTest extends HttpServlet {
         try {
             Object script = source(request);
             TemplateEngine engine = null;
-            engine.createTemplate(request.getParameter("script")); // $ hasGroovyInjection
-            engine.createTemplate((File) script); // $ hasGroovyInjection
-            engine.createTemplate((Reader) script); // $ hasGroovyInjection
-            engine.createTemplate((URL) script); // $ hasGroovyInjection
+            engine.createTemplate(request.getParameter("script")); // $ Alert
+            engine.createTemplate((File) script); // $ Alert
+            engine.createTemplate((Reader) script); // $ Alert
+            engine.createTemplate((URL) script); // $ Alert
         } catch (Exception e) {
         }
 

java/ql/test/query-tests/security/CWE-094/GroovyInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql

@@ -1,20 +0,0 @@
-import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.GroovyInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module HasGroovyInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasGroovyInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasGroovyInjection" and
-    exists(DataFlow::Node sink | GroovyInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<HasGroovyInjectionTest>

java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java

@@ -11,21 +11,21 @@ public class Jexl2Injection {
         JexlEngine jexl = new JexlEngine();
         Expression e = jexl.createExpression(jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc); // $hasJexlInjection
+        e.evaluate(jc); // $ Alert
     }
 
     private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0));
         JexlContext jc = new MapContext();
-        e.evaluate(jc); // $hasJexlInjection
+        e.evaluate(jc); // $ Alert
     }
 
     private static void runJexlScript(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         Script script = jexl.createScript(jexlExpr);
         JexlContext jc = new MapContext();
-        script.execute(jc); // $hasJexlInjection
+        script.execute(jc); // $ Alert
     }
 
     private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -34,7 +34,7 @@ public class Jexl2Injection {
         JexlContext jc = new MapContext();
 
         try {
-            script.callable(jc).call(); // $hasJexlInjection
+            script.callable(jc).call(); // $ Alert
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -42,37 +42,37 @@ public class Jexl2Injection {
 
     private static void runJexlExpressionViaGetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
-        jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
+        jexl.getProperty(new Object(), jexlExpr); // $ Alert
     }
 
     private static void runJexlExpressionViaSetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
-        jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
+        jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert
     }
 
     private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
+        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert
     }
 
     private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
+        unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert
     }
 
     private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
+        unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert
     }
 
     private static void testWithSocket(Consumer<String> action) throws Exception {
         try (ServerSocket serverSocket = new ServerSocket(0)) {
             try (Socket socket = serverSocket.accept()) {
                 byte[] bytes = new byte[1024];
-                int n = socket.getInputStream().read(bytes);
+                int n = socket.getInputStream().read(bytes); // $ Source
                 String jexlExpr = new String(bytes, 0, n);
                 action.accept(jexlExpr);
             }

java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java

@@ -18,21 +18,21 @@ public class Jexl3Injection {
         JexlEngine jexl = new JexlBuilder().create();
         JexlExpression e = jexl.createExpression(jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc); // $hasJexlInjection
+        e.evaluate(jc); // $ Alert
     }
 
     private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc); // $hasJexlInjection
+        e.evaluate(jc); // $ Alert
     }
 
     private static void runJexlScript(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JexlScript script = jexl.createScript(jexlExpr);
         JexlContext jc = new MapContext();
-        script.execute(jc); // $hasJexlInjection
+        script.execute(jc); // $ Alert
     }
 
     private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -41,7 +41,7 @@ public class Jexl3Injection {
         JexlContext jc = new MapContext();
 
         try {
-            script.callable(jc).call(); // $hasJexlInjection
+            script.callable(jc).call(); // $ Alert
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -49,30 +49,30 @@ public class Jexl3Injection {
 
     private static void runJexlExpressionViaGetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
-        jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
+        jexl.getProperty(new Object(), jexlExpr); // $ Alert
     }
 
     private static void runJexlExpressionViaSetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
-        jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
+        jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert
     }
 
     private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
+        jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert
     }
 
     private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
+        jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert
     }
 
     private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
+        jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert
     }
 
     private static void runJexlExpressionViaCallable(String jexlExpr) {
@@ -81,7 +81,7 @@ public class Jexl3Injection {
         JexlContext jc = new MapContext();
 
         try {
-            e.callable(jc).call(); // $hasJexlInjection
+            e.callable(jc).call(); // $ Alert
         } catch (Exception ex) {
             throw new RuntimeException(ex);
         }
@@ -91,7 +91,7 @@ public class Jexl3Injection {
         try (ServerSocket serverSocket = new ServerSocket(0)) {
             try (Socket socket = serverSocket.accept()) {
                 byte[] bytes = new byte[1024];
-                int n = socket.getInputStream().read(bytes);
+                int n = socket.getInputStream().read(bytes); // $ Source
                 String jexlExpr = new String(bytes, 0, n);
                 action.accept(jexlExpr);
             }
@@ -141,14 +141,14 @@ public class Jexl3Injection {
     }
 
     @PostMapping("/request")
-    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) {
+    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source
 
         runJexlExpression(expr);
         return ResponseEntity.ok(HttpStatus.OK);
     }
 
     @PostMapping("/request")
-    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) {
+    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source
 
         String expr = data.getExpr();
         runJexlExpression(expr);
@@ -158,7 +158,7 @@ public class Jexl3Injection {
 
     @PostMapping("/request")
     public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects(
-            @RequestBody CustomRequest customRequest) {
+            @RequestBody CustomRequest customRequest) { // $ Source
 
         String expr = customRequest.getData().getExpr();
         runJexlExpression(expr);

java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.expected

@@ -0,0 +1,303 @@
+#select
+| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:21:9:21:9 | e | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:28:9:28:14 | script | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:28:9:28:14 | script | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:37:13:37:18 | script | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:37:13:37:18 | script | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:45:40:45:47 | jexlExpr | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:45:40:45:47 | jexlExpr | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:50:40:50:47 | jexlExpr | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:50:40:50:47 | jexlExpr | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:56:9:56:35 | parse(...) | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:56:9:56:35 | parse(...) | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:62:9:62:35 | parse(...) | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:62:9:62:35 | parse(...) | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl2Injection.java:68:9:68:44 | createTemplate(...) | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:68:9:68:44 | createTemplate(...) | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:144:85:144:109 | expr : String | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:144:85:144:109 | expr | user-provided value |
+| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:151:84:151:105 | data : Data | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:151:84:151:105 | data | user-provided value |
+| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:161:13:161:52 | customRequest | user-provided value |
+| Jexl3Injection.java:28:9:28:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:35:9:35:14 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:35:9:35:14 | script | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:44:13:44:18 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:44:13:44:18 | script | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:52:40:52:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:52:40:52:47 | jexlExpr | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:57:40:57:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:57:40:57:47 | jexlExpr | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:63:9:63:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:63:9:63:39 | createExpression(...) | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:69:9:69:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:69:9:69:39 | createExpression(...) | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+| Jexl3Injection.java:84:13:84:13 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:84:13:84:13 | e | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value |
+edges
+| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:12:46:12:53 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:12:24:12:54 | createExpression(...) : Expression | Jexl2Injection.java:14:9:14:9 | e | provenance | Sink:MaD:1 |
+| Jexl2Injection.java:12:46:12:53 | jexlExpr : String | Jexl2Injection.java:12:24:12:54 | createExpression(...) : Expression | provenance | Config |
+| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:19:46:19:53 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:19:24:19:86 | createExpression(...) : Expression | Jexl2Injection.java:21:9:21:9 | e | provenance | Sink:MaD:1 |
+| Jexl2Injection.java:19:46:19:53 | jexlExpr : String | Jexl2Injection.java:19:24:19:86 | createExpression(...) : Expression | provenance | Config |
+| Jexl2Injection.java:24:39:24:53 | jexlExpr : String | Jexl2Injection.java:26:43:26:50 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:26:25:26:51 | createScript(...) : Script | Jexl2Injection.java:28:9:28:14 | script | provenance | Sink:MaD:5 |
+| Jexl2Injection.java:26:43:26:50 | jexlExpr : String | Jexl2Injection.java:26:25:26:51 | createScript(...) : Script | provenance | Config |
+| Jexl2Injection.java:31:50:31:64 | jexlExpr : String | Jexl2Injection.java:33:43:33:50 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:33:25:33:51 | createScript(...) : Script | Jexl2Injection.java:37:13:37:18 | script | provenance | Sink:MaD:4 |
+| Jexl2Injection.java:33:43:33:50 | jexlExpr : String | Jexl2Injection.java:33:25:33:51 | createScript(...) : Script | provenance | Config |
+| Jexl2Injection.java:43:57:43:71 | jexlExpr : String | Jexl2Injection.java:45:40:45:47 | jexlExpr | provenance | Sink:MaD:2 |
+| Jexl2Injection.java:48:57:48:71 | jexlExpr : String | Jexl2Injection.java:50:40:50:47 | jexlExpr | provenance | Sink:MaD:3 |
+| Jexl2Injection.java:53:73:53:87 | jexlExpr : String | Jexl2Injection.java:56:27:56:34 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:56:27:56:34 | jexlExpr : String | Jexl2Injection.java:56:9:56:35 | parse(...) | provenance | Config Sink:MaD:6 |
+| Jexl2Injection.java:59:72:59:86 | jexlExpr : String | Jexl2Injection.java:62:27:62:34 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:62:27:62:34 | jexlExpr : String | Jexl2Injection.java:62:9:62:35 | parse(...) | provenance | Config Sink:MaD:7 |
+| Jexl2Injection.java:65:73:65:87 | jexlExpr : String | Jexl2Injection.java:68:36:68:43 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:68:36:68:43 | jexlExpr : String | Jexl2Injection.java:68:9:68:44 | createTemplate(...) | provenance | Config Sink:MaD:8 |
+| Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:75:54:75:58 | bytes [post update] : byte[] | provenance | Src:MaD:18 MaD:19 |
+| Jexl2Injection.java:75:54:75:58 | bytes [post update] : byte[] | Jexl2Injection.java:76:46:76:50 | bytes : byte[] | provenance |  |
+| Jexl2Injection.java:76:35:76:57 | new String(...) : String | Jexl2Injection.java:77:31:77:38 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:76:46:76:50 | bytes : byte[] | Jexl2Injection.java:76:35:76:57 | new String(...) : String | provenance | MaD:20 |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:85:24:85:56 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:89:24:89:68 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:93:24:93:52 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:97:24:97:63 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:101:24:101:70 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:105:24:105:70 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:109:24:109:86 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:113:24:113:85 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:117:24:117:86 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | Jexl2Injection.java:85:24:85:56 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | Jexl2Injection.java:89:24:89:68 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | Jexl2Injection.java:24:39:24:53 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | Jexl2Injection.java:93:24:93:52 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | Jexl2Injection.java:31:50:31:64 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | Jexl2Injection.java:97:24:97:63 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | Jexl2Injection.java:43:57:43:71 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | Jexl2Injection.java:101:24:101:70 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | Jexl2Injection.java:48:57:48:71 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | Jexl2Injection.java:105:24:105:70 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | Jexl2Injection.java:53:73:53:87 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | Jexl2Injection.java:109:24:109:86 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | Jexl2Injection.java:59:72:59:86 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | Jexl2Injection.java:113:24:113:85 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | Jexl2Injection.java:65:73:65:87 | jexlExpr : String | provenance |  |
+| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | Jexl2Injection.java:117:24:117:86 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | Jexl3Injection.java:19:50:19:57 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:19:28:19:58 | createExpression(...) : JexlExpression | Jexl3Injection.java:21:9:21:9 | e | provenance | Sink:MaD:12 |
+| Jexl3Injection.java:19:50:19:57 | jexlExpr : String | Jexl3Injection.java:19:28:19:58 | createExpression(...) : JexlExpression | provenance | Config |
+| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | Jexl3Injection.java:26:81:26:88 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:26:28:26:89 | createExpression(...) : JexlExpression | Jexl3Injection.java:28:9:28:9 | e | provenance | Sink:MaD:12 |
+| Jexl3Injection.java:26:81:26:88 | jexlExpr : String | Jexl3Injection.java:26:28:26:89 | createExpression(...) : JexlExpression | provenance | Config |
+| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | Jexl3Injection.java:33:47:33:54 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:33:29:33:55 | createScript(...) : JexlScript | Jexl3Injection.java:35:9:35:14 | script | provenance | Sink:MaD:14 |
+| Jexl3Injection.java:33:47:33:54 | jexlExpr : String | Jexl3Injection.java:33:29:33:55 | createScript(...) : JexlScript | provenance | Config |
+| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | Jexl3Injection.java:40:47:40:54 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:40:29:40:55 | createScript(...) : JexlScript | Jexl3Injection.java:44:13:44:18 | script | provenance | Sink:MaD:13 |
+| Jexl3Injection.java:40:47:40:54 | jexlExpr : String | Jexl3Injection.java:40:29:40:55 | createScript(...) : JexlScript | provenance | Config |
+| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | Jexl3Injection.java:52:40:52:47 | jexlExpr | provenance | Sink:MaD:9 |
+| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | Jexl3Injection.java:57:40:57:47 | jexlExpr | provenance | Sink:MaD:10 |
+| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | Jexl3Injection.java:63:31:63:38 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:63:31:63:38 | jexlExpr : String | Jexl3Injection.java:63:9:63:39 | createExpression(...) | provenance | Config Sink:MaD:15 |
+| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | Jexl3Injection.java:69:31:69:38 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:69:31:69:38 | jexlExpr : String | Jexl3Injection.java:69:9:69:39 | createExpression(...) | provenance | Config Sink:MaD:16 |
+| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | Jexl3Injection.java:75:29:75:36 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:75:29:75:36 | jexlExpr : String | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | provenance | Config Sink:MaD:17 |
+| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | Jexl3Injection.java:80:50:80:57 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:80:28:80:58 | createExpression(...) : JexlExpression | Jexl3Injection.java:84:13:84:13 | e | provenance | Sink:MaD:11 |
+| Jexl3Injection.java:80:50:80:57 | jexlExpr : String | Jexl3Injection.java:80:28:80:58 | createExpression(...) : JexlExpression | provenance | Config |
+| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | provenance | Src:MaD:18 MaD:19 |
+| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | Jexl3Injection.java:95:46:95:50 | bytes : byte[] | provenance |  |
+| Jexl3Injection.java:95:35:95:57 | new String(...) : String | Jexl3Injection.java:96:31:96:38 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:95:46:95:50 | bytes : byte[] | Jexl3Injection.java:95:35:95:57 | new String(...) : String | provenance | MaD:20 |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:24:55:24:69 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:31:39:31:53 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:38:50:38:64 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:50:57:50:71 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:55:57:55:71 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:60:74:60:88 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:66:73:66:87 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:72:72:72:86 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:78:54:78:68 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:144:85:144:109 | expr : String | Jexl3Injection.java:146:27:146:30 | expr : String | provenance |  |
+| Jexl3Injection.java:146:27:146:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:151:84:151:105 | data : Data | Jexl3Injection.java:153:23:153:26 | data : Data | provenance |  |
+| Jexl3Injection.java:151:84:151:105 | data : Data | Jexl3Injection.java:154:27:154:30 | expr : String | provenance | SpringUntrustedDataType.getter |
+| Jexl3Injection.java:153:23:153:26 | data : Data | Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | provenance | entrypointFieldStep |
+| Jexl3Injection.java:153:23:153:26 | data : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | provenance |  |
+| Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | Jexl3Injection.java:154:27:154:30 | expr : String | provenance |  |
+| Jexl3Injection.java:154:27:154:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | provenance |  |
+| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:163:23:163:45 | getData(...) : Data | provenance | SpringUntrustedDataType.getter |
+| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:164:27:164:30 | expr : String | provenance | SpringUntrustedDataType.getter |
+| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | Jexl3Injection.java:163:23:163:45 | getData(...) : Data | provenance | entrypointFieldStep |
+| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | provenance |  |
+| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | provenance | entrypointFieldStep |
+| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:164:27:164:30 | expr : String | provenance | SpringUntrustedDataType.getter |
+| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | provenance |  |
+| Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | Jexl3Injection.java:164:27:164:30 | expr : String | provenance |  |
+| Jexl3Injection.java:164:27:164:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance |  |
+| Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | Jexl3Injection.java:178:20:178:23 | data : Data | provenance | entrypointFieldStep |
+| Jexl3Injection.java:190:23:190:29 | parameter this : Data | Jexl3Injection.java:191:20:191:23 | expr : String | provenance | entrypointFieldStep |
+models
+| 1 | Sink: org.apache.commons.jexl2; Expression; false; evaluate; ; ; Argument[this]; jexl-injection; manual |
+| 2 | Sink: org.apache.commons.jexl2; JexlEngine; false; getProperty; (Object,String); ; Argument[1]; jexl-injection; manual |
+| 3 | Sink: org.apache.commons.jexl2; JexlEngine; false; setProperty; (Object,String,Object); ; Argument[1]; jexl-injection; manual |
+| 4 | Sink: org.apache.commons.jexl2; Script; false; callable; ; ; Argument[this]; jexl-injection; manual |
+| 5 | Sink: org.apache.commons.jexl2; Script; false; execute; ; ; Argument[this]; jexl-injection; manual |
+| 6 | Sink: org.apache.commons.jexl2; UnifiedJEXL$Expression; false; evaluate; ; ; Argument[this]; jexl-injection; manual |
+| 7 | Sink: org.apache.commons.jexl2; UnifiedJEXL$Expression; false; prepare; ; ; Argument[this]; jexl-injection; manual |
+| 8 | Sink: org.apache.commons.jexl2; UnifiedJEXL$Template; false; evaluate; ; ; Argument[this]; jexl-injection; manual |
+| 9 | Sink: org.apache.commons.jexl3; JexlEngine; false; getProperty; (Object,String); ; Argument[1]; jexl-injection; manual |
+| 10 | Sink: org.apache.commons.jexl3; JexlEngine; false; setProperty; (Object,String,Object); ; Argument[1]; jexl-injection; manual |
+| 11 | Sink: org.apache.commons.jexl3; JexlExpression; false; callable; ; ; Argument[this]; jexl-injection; manual |
+| 12 | Sink: org.apache.commons.jexl3; JexlExpression; false; evaluate; ; ; Argument[this]; jexl-injection; manual |
+| 13 | Sink: org.apache.commons.jexl3; JexlScript; false; callable; ; ; Argument[this]; jexl-injection; manual |
+| 14 | Sink: org.apache.commons.jexl3; JexlScript; false; execute; ; ; Argument[this]; jexl-injection; manual |
+| 15 | Sink: org.apache.commons.jexl3; JxltEngine$Expression; false; evaluate; ; ; Argument[this]; jexl-injection; manual |
+| 16 | Sink: org.apache.commons.jexl3; JxltEngine$Expression; false; prepare; ; ; Argument[this]; jexl-injection; manual |
+| 17 | Sink: org.apache.commons.jexl3; JxltEngine$Template; false; evaluate; ; ; Argument[this]; jexl-injection; manual |
+| 18 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 19 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual |
+| 20 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:12:24:12:54 | createExpression(...) : Expression | semmle.label | createExpression(...) : Expression |
+| Jexl2Injection.java:12:46:12:53 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e |
+| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:19:24:19:86 | createExpression(...) : Expression | semmle.label | createExpression(...) : Expression |
+| Jexl2Injection.java:19:46:19:53 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:21:9:21:9 | e | semmle.label | e |
+| Jexl2Injection.java:24:39:24:53 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:26:25:26:51 | createScript(...) : Script | semmle.label | createScript(...) : Script |
+| Jexl2Injection.java:26:43:26:50 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:28:9:28:14 | script | semmle.label | script |
+| Jexl2Injection.java:31:50:31:64 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:33:25:33:51 | createScript(...) : Script | semmle.label | createScript(...) : Script |
+| Jexl2Injection.java:33:43:33:50 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:37:13:37:18 | script | semmle.label | script |
+| Jexl2Injection.java:43:57:43:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:45:40:45:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl2Injection.java:48:57:48:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:50:40:50:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl2Injection.java:53:73:53:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:56:9:56:35 | parse(...) | semmle.label | parse(...) |
+| Jexl2Injection.java:56:27:56:34 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:59:72:59:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:62:9:62:35 | parse(...) | semmle.label | parse(...) |
+| Jexl2Injection.java:62:27:62:34 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:65:73:65:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:68:9:68:44 | createTemplate(...) | semmle.label | createTemplate(...) |
+| Jexl2Injection.java:68:36:68:43 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Jexl2Injection.java:75:54:75:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| Jexl2Injection.java:76:35:76:57 | new String(...) : String | semmle.label | new String(...) : String |
+| Jexl2Injection.java:76:46:76:50 | bytes : byte[] | semmle.label | bytes : byte[] |
+| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:19:28:19:58 | createExpression(...) : JexlExpression | semmle.label | createExpression(...) : JexlExpression |
+| Jexl3Injection.java:19:50:19:57 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e |
+| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:26:28:26:89 | createExpression(...) : JexlExpression | semmle.label | createExpression(...) : JexlExpression |
+| Jexl3Injection.java:26:81:26:88 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:28:9:28:9 | e | semmle.label | e |
+| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:33:29:33:55 | createScript(...) : JexlScript | semmle.label | createScript(...) : JexlScript |
+| Jexl3Injection.java:33:47:33:54 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:35:9:35:14 | script | semmle.label | script |
+| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:40:29:40:55 | createScript(...) : JexlScript | semmle.label | createScript(...) : JexlScript |
+| Jexl3Injection.java:40:47:40:54 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:44:13:44:18 | script | semmle.label | script |
+| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:52:40:52:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:57:40:57:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:63:9:63:39 | createExpression(...) | semmle.label | createExpression(...) |
+| Jexl3Injection.java:63:31:63:38 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:69:9:69:39 | createExpression(...) | semmle.label | createExpression(...) |
+| Jexl3Injection.java:69:31:69:38 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | semmle.label | createTemplate(...) |
+| Jexl3Injection.java:75:29:75:36 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:80:28:80:58 | createExpression(...) : JexlExpression | semmle.label | createExpression(...) : JexlExpression |
+| Jexl3Injection.java:80:50:80:57 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:84:13:84:13 | e | semmle.label | e |
+| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| Jexl3Injection.java:95:35:95:57 | new String(...) : String | semmle.label | new String(...) : String |
+| Jexl3Injection.java:95:46:95:50 | bytes : byte[] | semmle.label | bytes : byte[] |
+| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:144:85:144:109 | expr : String | semmle.label | expr : String |
+| Jexl3Injection.java:146:27:146:30 | expr : String | semmle.label | expr : String |
+| Jexl3Injection.java:151:84:151:105 | data : Data | semmle.label | data : Data |
+| Jexl3Injection.java:153:23:153:26 | data : Data | semmle.label | data : Data |
+| Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | semmle.label | getExpr(...) : String |
+| Jexl3Injection.java:154:27:154:30 | expr : String | semmle.label | expr : String |
+| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest |
+| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest |
+| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | semmle.label | getData(...) : Data |
+| Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | semmle.label | getExpr(...) : String |
+| Jexl3Injection.java:164:27:164:30 | expr : String | semmle.label | expr : String |
+| Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | semmle.label | parameter this : CustomRequest |
+| Jexl3Injection.java:178:20:178:23 | data : Data | semmle.label | data : Data |
+| Jexl3Injection.java:190:23:190:29 | parameter this : Data | semmle.label | parameter this : Data |
+| Jexl3Injection.java:191:20:191:23 | expr : String | semmle.label | expr : String |
+subpaths
+| Jexl3Injection.java:153:23:153:26 | data : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | Jexl3Injection.java:191:20:191:23 | expr : String | Jexl3Injection.java:153:23:153:36 | getExpr(...) : String |
+| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | Jexl3Injection.java:178:20:178:23 | data : Data | Jexl3Injection.java:163:23:163:45 | getData(...) : Data |
+| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | Jexl3Injection.java:191:20:191:23 | expr : String | Jexl3Injection.java:163:23:163:55 | getExpr(...) : String |

java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-094/JexlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/JexlInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql

@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.security.JexlInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module JexlInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasJexlInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasJexlInjection" and
-    exists(DataFlow::Node sink | JexlInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<JexlInjectionTest>

java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.expected

@@ -0,0 +1,133 @@
+#select
+| MvelInjectionTest.java:24:15:24:26 | read(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:24:15:24:26 | read(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:29:28:29:37 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:29:28:29:37 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:35:5:35:13 | statement | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:35:5:35:13 | statement | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:36:5:36:13 | statement | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:36:5:36:13 | statement | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:42:5:42:14 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:42:5:42:14 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:48:5:48:14 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:48:5:48:14 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:56:5:56:18 | compiledScript | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:56:5:56:18 | compiledScript | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:59:21:59:26 | script | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:59:21:59:26 | script | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:67:5:67:10 | script | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:67:5:67:10 | script | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:71:26:71:37 | read(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:71:26:71:37 | read(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:80:29:80:46 | compile(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:80:29:80:46 | compile(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+| MvelInjectionTest.java:86:32:86:41 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:86:32:86:41 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value |
+edges
+| MvelInjectionTest.java:28:31:28:66 | compileExpression(...) : Serializable | MvelInjectionTest.java:29:28:29:37 | expression | provenance | Sink:MaD:11 |
+| MvelInjectionTest.java:28:54:28:65 | read(...) : String | MvelInjectionTest.java:28:31:28:66 | compileExpression(...) : Serializable | provenance | Config |
+| MvelInjectionTest.java:33:35:33:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:34:37:34:44 | compiler : ExpressionCompiler | provenance |  |
+| MvelInjectionTest.java:33:58:33:69 | read(...) : String | MvelInjectionTest.java:33:35:33:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config |
+| MvelInjectionTest.java:34:37:34:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | provenance | Config |
+| MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:35:5:35:13 | statement | provenance | Sink:MaD:5 |
+| MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:36:5:36:13 | statement | provenance | Sink:MaD:2 |
+| MvelInjectionTest.java:40:35:40:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:41:37:41:44 | compiler : ExpressionCompiler | provenance |  |
+| MvelInjectionTest.java:40:58:40:69 | read(...) : String | MvelInjectionTest.java:40:35:40:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config |
+| MvelInjectionTest.java:41:37:41:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:41:37:41:54 | compile(...) : CompiledExpression | provenance | Config |
+| MvelInjectionTest.java:41:37:41:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:42:5:42:14 | expression | provenance | Sink:MaD:4 |
+| MvelInjectionTest.java:47:9:47:96 | new CompiledAccExpression(...) : CompiledAccExpression | MvelInjectionTest.java:48:5:48:14 | expression | provenance | Sink:MaD:3 |
+| MvelInjectionTest.java:47:35:47:46 | read(...) : String | MvelInjectionTest.java:47:35:47:60 | toCharArray(...) : char[] | provenance | MaD:16 |
+| MvelInjectionTest.java:47:35:47:60 | toCharArray(...) : char[] | MvelInjectionTest.java:47:9:47:96 | new CompiledAccExpression(...) : CompiledAccExpression | provenance | Config |
+| MvelInjectionTest.java:52:20:52:31 | read(...) : String | MvelInjectionTest.java:55:52:55:56 | input : String | provenance |  |
+| MvelInjectionTest.java:55:37:55:57 | compile(...) : CompiledScript | MvelInjectionTest.java:56:5:56:18 | compiledScript | provenance | Sink:MaD:1 |
+| MvelInjectionTest.java:55:52:55:56 | input : String | MvelInjectionTest.java:55:37:55:57 | compile(...) : CompiledScript | provenance | Config |
+| MvelInjectionTest.java:55:52:55:56 | input : String | MvelInjectionTest.java:58:49:58:53 | input : String | provenance |  |
+| MvelInjectionTest.java:58:27:58:54 | compiledScript(...) : Serializable | MvelInjectionTest.java:59:21:59:26 | script | provenance | Sink:MaD:7 |
+| MvelInjectionTest.java:58:49:58:53 | input : String | MvelInjectionTest.java:58:27:58:54 | compiledScript(...) : Serializable | provenance | Config |
+| MvelInjectionTest.java:64:35:64:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:65:37:65:44 | compiler : ExpressionCompiler | provenance |  |
+| MvelInjectionTest.java:64:58:64:69 | read(...) : String | MvelInjectionTest.java:64:35:64:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config |
+| MvelInjectionTest.java:65:37:65:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:65:37:65:54 | compile(...) : CompiledExpression | provenance | Config |
+| MvelInjectionTest.java:65:37:65:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:66:64:66:72 | statement : CompiledExpression | provenance |  |
+| MvelInjectionTest.java:66:33:66:73 | new MvelCompiledScript(...) : MvelCompiledScript | MvelInjectionTest.java:67:5:67:10 | script | provenance | Sink:MaD:6 |
+| MvelInjectionTest.java:66:64:66:72 | statement : CompiledExpression | MvelInjectionTest.java:66:33:66:73 | new MvelCompiledScript(...) : MvelCompiledScript | provenance | Config |
+| MvelInjectionTest.java:75:62:75:73 | read(...) : String | MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | provenance | Config Sink:MaD:9 |
+| MvelInjectionTest.java:79:33:79:66 | new TemplateCompiler(...) : TemplateCompiler | MvelInjectionTest.java:80:29:80:36 | compiler : TemplateCompiler | provenance |  |
+| MvelInjectionTest.java:79:54:79:65 | read(...) : String | MvelInjectionTest.java:79:33:79:66 | new TemplateCompiler(...) : TemplateCompiler | provenance | Config |
+| MvelInjectionTest.java:80:29:80:36 | compiler : TemplateCompiler | MvelInjectionTest.java:80:29:80:46 | compile(...) | provenance | Config Sink:MaD:9 |
+| MvelInjectionTest.java:84:35:84:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:85:37:85:44 | compiler : ExpressionCompiler | provenance |  |
+| MvelInjectionTest.java:84:58:84:69 | read(...) : String | MvelInjectionTest.java:84:35:84:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config |
+| MvelInjectionTest.java:85:37:85:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:85:37:85:54 | compile(...) : CompiledExpression | provenance | Config |
+| MvelInjectionTest.java:85:37:85:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:86:32:86:41 | expression | provenance | Sink:MaD:12 |
+| MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:92:15:92:16 | is : InputStream | provenance | Src:MaD:13  |
+| MvelInjectionTest.java:92:15:92:16 | is : InputStream | MvelInjectionTest.java:92:23:92:27 | bytes [post update] : byte[] | provenance | MaD:14 |
+| MvelInjectionTest.java:92:23:92:27 | bytes [post update] : byte[] | MvelInjectionTest.java:93:25:93:29 | bytes : byte[] | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:24:15:24:26 | read(...) | provenance | Sink:MaD:10 |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:28:54:28:65 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:33:58:33:69 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:40:58:40:69 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:47:35:47:46 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:52:20:52:31 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:64:58:64:69 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:71:26:71:37 | read(...) | provenance | Sink:MaD:8 |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:75:62:75:73 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:79:54:79:65 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:84:58:84:69 | read(...) : String | provenance |  |
+| MvelInjectionTest.java:93:25:93:29 | bytes : byte[] | MvelInjectionTest.java:93:14:93:36 | new String(...) : String | provenance | MaD:15 |
+models
+| 1 | Sink: javax.script; CompiledScript; false; eval; ; ; Argument[this]; mvel-injection; manual |
+| 2 | Sink: org.mvel2.compiler; Accessor; false; getValue; ; ; Argument[this]; mvel-injection; manual |
+| 3 | Sink: org.mvel2.compiler; CompiledAccExpression; false; getValue; ; ; Argument[this]; mvel-injection; manual |
+| 4 | Sink: org.mvel2.compiler; CompiledExpression; false; getDirectValue; ; ; Argument[this]; mvel-injection; manual |
+| 5 | Sink: org.mvel2.compiler; ExecutableStatement; false; getValue; ; ; Argument[this]; mvel-injection; manual |
+| 6 | Sink: org.mvel2.jsr223; MvelCompiledScript; false; eval; ; ; Argument[this]; mvel-injection; manual |
+| 7 | Sink: org.mvel2.jsr223; MvelScriptEngine; false; evaluate; ; ; Argument[0]; mvel-injection; manual |
+| 8 | Sink: org.mvel2.templates; TemplateRuntime; false; eval; ; ; Argument[0]; mvel-injection; manual |
+| 9 | Sink: org.mvel2.templates; TemplateRuntime; false; execute; ; ; Argument[0]; mvel-injection; manual |
+| 10 | Sink: org.mvel2; MVEL; false; eval; ; ; Argument[0]; mvel-injection; manual |
+| 11 | Sink: org.mvel2; MVEL; false; executeExpression; ; ; Argument[0]; mvel-injection; manual |
+| 12 | Sink: org.mvel2; MVELRuntime; false; execute; ; ; Argument[1]; mvel-injection; manual |
+| 13 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 14 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual |
+| 15 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
+| 16 | Summary: java.lang; String; false; toCharArray; ; ; Argument[this]; ReturnValue; taint; manual |
+nodes
+| MvelInjectionTest.java:24:15:24:26 | read(...) | semmle.label | read(...) |
+| MvelInjectionTest.java:28:31:28:66 | compileExpression(...) : Serializable | semmle.label | compileExpression(...) : Serializable |
+| MvelInjectionTest.java:28:54:28:65 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:29:28:29:37 | expression | semmle.label | expression |
+| MvelInjectionTest.java:33:35:33:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler |
+| MvelInjectionTest.java:33:58:33:69 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:34:37:34:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler |
+| MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression |
+| MvelInjectionTest.java:35:5:35:13 | statement | semmle.label | statement |
+| MvelInjectionTest.java:36:5:36:13 | statement | semmle.label | statement |
+| MvelInjectionTest.java:40:35:40:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler |
+| MvelInjectionTest.java:40:58:40:69 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:41:37:41:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler |
+| MvelInjectionTest.java:41:37:41:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression |
+| MvelInjectionTest.java:42:5:42:14 | expression | semmle.label | expression |
+| MvelInjectionTest.java:47:9:47:96 | new CompiledAccExpression(...) : CompiledAccExpression | semmle.label | new CompiledAccExpression(...) : CompiledAccExpression |
+| MvelInjectionTest.java:47:35:47:46 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:47:35:47:60 | toCharArray(...) : char[] | semmle.label | toCharArray(...) : char[] |
+| MvelInjectionTest.java:48:5:48:14 | expression | semmle.label | expression |
+| MvelInjectionTest.java:52:20:52:31 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:55:37:55:57 | compile(...) : CompiledScript | semmle.label | compile(...) : CompiledScript |
+| MvelInjectionTest.java:55:52:55:56 | input : String | semmle.label | input : String |
+| MvelInjectionTest.java:56:5:56:18 | compiledScript | semmle.label | compiledScript |
+| MvelInjectionTest.java:58:27:58:54 | compiledScript(...) : Serializable | semmle.label | compiledScript(...) : Serializable |
+| MvelInjectionTest.java:58:49:58:53 | input : String | semmle.label | input : String |
+| MvelInjectionTest.java:59:21:59:26 | script | semmle.label | script |
+| MvelInjectionTest.java:64:35:64:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler |
+| MvelInjectionTest.java:64:58:64:69 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:65:37:65:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler |
+| MvelInjectionTest.java:65:37:65:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression |
+| MvelInjectionTest.java:66:33:66:73 | new MvelCompiledScript(...) : MvelCompiledScript | semmle.label | new MvelCompiledScript(...) : MvelCompiledScript |
+| MvelInjectionTest.java:66:64:66:72 | statement : CompiledExpression | semmle.label | statement : CompiledExpression |
+| MvelInjectionTest.java:67:5:67:10 | script | semmle.label | script |
+| MvelInjectionTest.java:71:26:71:37 | read(...) | semmle.label | read(...) |
+| MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | semmle.label | compileTemplate(...) |
+| MvelInjectionTest.java:75:62:75:73 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:79:33:79:66 | new TemplateCompiler(...) : TemplateCompiler | semmle.label | new TemplateCompiler(...) : TemplateCompiler |
+| MvelInjectionTest.java:79:54:79:65 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:80:29:80:36 | compiler : TemplateCompiler | semmle.label | compiler : TemplateCompiler |
+| MvelInjectionTest.java:80:29:80:46 | compile(...) | semmle.label | compile(...) |
+| MvelInjectionTest.java:84:35:84:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler |
+| MvelInjectionTest.java:84:58:84:69 | read(...) : String | semmle.label | read(...) : String |
+| MvelInjectionTest.java:85:37:85:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler |
+| MvelInjectionTest.java:85:37:85:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression |
+| MvelInjectionTest.java:86:32:86:41 | expression | semmle.label | expression |
+| MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| MvelInjectionTest.java:92:15:92:16 | is : InputStream | semmle.label | is : InputStream |
+| MvelInjectionTest.java:92:23:92:27 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | semmle.label | new String(...) : String |
+| MvelInjectionTest.java:93:25:93:29 | bytes : byte[] | semmle.label | bytes : byte[] |
+subpaths

java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java

@@ -21,31 +21,31 @@ import org.mvel2.templates.TemplateRuntime;
 public class MvelInjectionTest {
 
   public static void testWithMvelEval(Socket socket) throws IOException {
-    MVEL.eval(read(socket)); // $hasMvelInjection
+    MVEL.eval(read(socket)); // $ Alert
   }
 
   public static void testWithMvelCompileAndExecute(Socket socket) throws IOException {
     Serializable expression = MVEL.compileExpression(read(socket));
-    MVEL.executeExpression(expression); // $hasMvelInjection
+    MVEL.executeExpression(expression); // $ Alert
   }
 
   public static void testWithExpressionCompiler(Socket socket) throws IOException {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     ExecutableStatement statement = compiler.compile();
-    statement.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
-    statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
+    statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert
+    statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert
   }
 
   public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     CompiledExpression expression = compiler.compile();
-    expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
+    expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert
   }
 
   public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException {
     CompiledAccExpression expression =
         new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext());
-    expression.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
+    expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert
   }
 
   public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception {
@@ -53,10 +53,10 @@ public class MvelInjectionTest {
 
     MvelScriptEngine engine = new MvelScriptEngine();
     CompiledScript compiledScript = engine.compile(input);
-    compiledScript.eval(); // $hasMvelInjection
+    compiledScript.eval(); // $ Alert
 
     Serializable script = engine.compiledScript(input);
-    engine.evaluate(script, new SimpleScriptContext()); // $hasMvelInjection
+    engine.evaluate(script, new SimpleScriptContext()); // $ Alert
   }
 
   public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception {
@@ -64,30 +64,30 @@ public class MvelInjectionTest {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     ExecutableStatement statement = compiler.compile();
     MvelCompiledScript script = new MvelCompiledScript(engine, statement);
-    script.eval(new SimpleScriptContext()); // $hasMvelInjection
+    script.eval(new SimpleScriptContext()); // $ Alert
   }
 
   public static void testTemplateRuntimeEval(Socket socket) throws Exception {
-    TemplateRuntime.eval(read(socket), new HashMap()); // $hasMvelInjection
+    TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert
   }
 
   public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception {
-    TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $hasMvelInjection
+    TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert
   }
 
   public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception {
     TemplateCompiler compiler = new TemplateCompiler(read(socket));
-    TemplateRuntime.execute(compiler.compile(), new HashMap()); // $hasMvelInjection
+    TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert
   }
 
   public static void testMvelRuntimeExecute(Socket socket) throws Exception {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     CompiledExpression expression = compiler.compile();
-    MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
+    MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert
   }
 
   public static String read(Socket socket) throws IOException {
-    try (InputStream is = socket.getInputStream()) {
+    try (InputStream is = socket.getInputStream()) { // $ Source
       byte[] bytes = new byte[1024];
       int n = is.read(bytes);
       return new String(bytes, 0, n);

java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-094/MvelInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/MvelInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql

@@ -1,20 +0,0 @@
-import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.MvelInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module HasMvelInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasMvelInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasMvelInjection" and
-    exists(DataFlow::Node sink | MvelInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<HasMvelInjectionTest>

java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.expected

@@ -0,0 +1,120 @@
+#select
+| SpelInjectionTest.java:24:5:24:14 | expression | SpelInjectionTest.java:16:22:16:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:24:5:24:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:16:22:16:44 | getInputStream(...) | user-provided value |
+| SpelInjectionTest.java:35:5:35:14 | expression | SpelInjectionTest.java:28:22:28:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:35:5:35:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:28:22:28:44 | getInputStream(...) | user-provided value |
+| SpelInjectionTest.java:46:5:46:14 | expression | SpelInjectionTest.java:39:22:39:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:46:5:46:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:39:22:39:44 | getInputStream(...) | user-provided value |
+| SpelInjectionTest.java:60:5:60:14 | expression | SpelInjectionTest.java:50:22:50:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:60:5:60:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:50:22:50:44 | getInputStream(...) | user-provided value |
+| SpelInjectionTest.java:71:5:71:14 | expression | SpelInjectionTest.java:64:22:64:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:71:5:71:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:64:22:64:44 | getInputStream(...) | user-provided value |
+| SpelInjectionTest.java:82:5:82:14 | expression | SpelInjectionTest.java:75:22:75:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:82:5:82:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:75:22:75:44 | getInputStream(...) | user-provided value |
+| SpelInjectionTest.java:95:5:95:14 | expression | SpelInjectionTest.java:86:22:86:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:95:5:95:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:86:22:86:44 | getInputStream(...) | user-provided value |
+edges
+| SpelInjectionTest.java:16:22:16:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:19:13:19:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:19:13:19:14 | in : InputStream | SpelInjectionTest.java:19:21:19:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:19:21:19:25 | bytes [post update] : byte[] | SpelInjectionTest.java:20:31:20:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:20:20:20:42 | new String(...) : String | SpelInjectionTest.java:23:52:23:56 | input : String | provenance |  |
+| SpelInjectionTest.java:20:31:20:35 | bytes : byte[] | SpelInjectionTest.java:20:20:20:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:23:29:23:57 | parseExpression(...) : Expression | SpelInjectionTest.java:24:5:24:14 | expression | provenance |  |
+| SpelInjectionTest.java:23:52:23:56 | input : String | SpelInjectionTest.java:23:29:23:57 | parseExpression(...) : Expression | provenance | Config |
+| SpelInjectionTest.java:28:22:28:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:31:13:31:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:31:13:31:14 | in : InputStream | SpelInjectionTest.java:31:21:31:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:31:21:31:25 | bytes [post update] : byte[] | SpelInjectionTest.java:32:31:32:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:32:20:32:42 | new String(...) : String | SpelInjectionTest.java:34:49:34:53 | input : String | provenance |  |
+| SpelInjectionTest.java:32:31:32:35 | bytes : byte[] | SpelInjectionTest.java:32:20:32:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:34:33:34:54 | parseRaw(...) : SpelExpression | SpelInjectionTest.java:35:5:35:14 | expression | provenance |  |
+| SpelInjectionTest.java:34:49:34:53 | input : String | SpelInjectionTest.java:34:33:34:54 | parseRaw(...) : SpelExpression | provenance | Config |
+| SpelInjectionTest.java:39:22:39:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:42:13:42:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:42:13:42:14 | in : InputStream | SpelInjectionTest.java:42:21:42:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:42:21:42:25 | bytes [post update] : byte[] | SpelInjectionTest.java:43:31:43:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:43:20:43:42 | new String(...) : String | SpelInjectionTest.java:45:72:45:76 | input : String | provenance |  |
+| SpelInjectionTest.java:43:31:43:35 | bytes : byte[] | SpelInjectionTest.java:43:20:43:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:45:29:45:77 | parseExpression(...) : Expression | SpelInjectionTest.java:46:5:46:14 | expression | provenance |  |
+| SpelInjectionTest.java:45:72:45:76 | input : String | SpelInjectionTest.java:45:29:45:77 | parseExpression(...) : Expression | provenance | Config |
+| SpelInjectionTest.java:50:22:50:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:53:13:53:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:53:13:53:14 | in : InputStream | SpelInjectionTest.java:53:21:53:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:53:21:53:25 | bytes [post update] : byte[] | SpelInjectionTest.java:54:31:54:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:54:20:54:42 | new String(...) : String | SpelInjectionTest.java:56:72:56:76 | input : String | provenance |  |
+| SpelInjectionTest.java:54:31:54:35 | bytes : byte[] | SpelInjectionTest.java:54:20:54:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:56:29:56:77 | parseExpression(...) : Expression | SpelInjectionTest.java:60:5:60:14 | expression | provenance |  |
+| SpelInjectionTest.java:56:72:56:76 | input : String | SpelInjectionTest.java:56:29:56:77 | parseExpression(...) : Expression | provenance | Config |
+| SpelInjectionTest.java:64:22:64:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:67:13:67:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:67:13:67:14 | in : InputStream | SpelInjectionTest.java:67:21:67:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:67:21:67:25 | bytes [post update] : byte[] | SpelInjectionTest.java:68:31:68:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:68:20:68:42 | new String(...) : String | SpelInjectionTest.java:70:52:70:56 | input : String | provenance |  |
+| SpelInjectionTest.java:68:31:68:35 | bytes : byte[] | SpelInjectionTest.java:68:20:68:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:70:29:70:57 | parseExpression(...) : Expression | SpelInjectionTest.java:71:5:71:14 | expression | provenance |  |
+| SpelInjectionTest.java:70:52:70:56 | input : String | SpelInjectionTest.java:70:29:70:57 | parseExpression(...) : Expression | provenance | Config |
+| SpelInjectionTest.java:75:22:75:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:78:13:78:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:78:13:78:14 | in : InputStream | SpelInjectionTest.java:78:21:78:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:78:21:78:25 | bytes [post update] : byte[] | SpelInjectionTest.java:79:31:79:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:79:20:79:42 | new String(...) : String | SpelInjectionTest.java:81:52:81:56 | input : String | provenance |  |
+| SpelInjectionTest.java:79:31:79:35 | bytes : byte[] | SpelInjectionTest.java:79:20:79:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:81:29:81:57 | parseExpression(...) : Expression | SpelInjectionTest.java:82:5:82:14 | expression | provenance |  |
+| SpelInjectionTest.java:81:52:81:56 | input : String | SpelInjectionTest.java:81:29:81:57 | parseExpression(...) : Expression | provenance | Config |
+| SpelInjectionTest.java:86:22:86:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:89:13:89:14 | in : InputStream | provenance | Src:MaD:1  |
+| SpelInjectionTest.java:89:13:89:14 | in : InputStream | SpelInjectionTest.java:89:21:89:25 | bytes [post update] : byte[] | provenance | MaD:2 |
+| SpelInjectionTest.java:89:21:89:25 | bytes [post update] : byte[] | SpelInjectionTest.java:90:31:90:35 | bytes : byte[] | provenance |  |
+| SpelInjectionTest.java:90:20:90:42 | new String(...) : String | SpelInjectionTest.java:92:52:92:56 | input : String | provenance |  |
+| SpelInjectionTest.java:90:31:90:35 | bytes : byte[] | SpelInjectionTest.java:90:20:90:42 | new String(...) : String | provenance | MaD:3 |
+| SpelInjectionTest.java:92:29:92:57 | parseExpression(...) : Expression | SpelInjectionTest.java:95:5:95:14 | expression | provenance |  |
+| SpelInjectionTest.java:92:52:92:56 | input : String | SpelInjectionTest.java:92:29:92:57 | parseExpression(...) : Expression | provenance | Config |
+models
+| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 2 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual |
+| 3 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| SpelInjectionTest.java:16:22:16:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:19:13:19:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:19:21:19:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:20:20:20:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:20:31:20:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:23:29:23:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression |
+| SpelInjectionTest.java:23:52:23:56 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:24:5:24:14 | expression | semmle.label | expression |
+| SpelInjectionTest.java:28:22:28:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:31:13:31:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:31:21:31:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:32:20:32:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:32:31:32:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:34:33:34:54 | parseRaw(...) : SpelExpression | semmle.label | parseRaw(...) : SpelExpression |
+| SpelInjectionTest.java:34:49:34:53 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:35:5:35:14 | expression | semmle.label | expression |
+| SpelInjectionTest.java:39:22:39:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:42:13:42:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:42:21:42:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:43:20:43:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:43:31:43:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:45:29:45:77 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression |
+| SpelInjectionTest.java:45:72:45:76 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:46:5:46:14 | expression | semmle.label | expression |
+| SpelInjectionTest.java:50:22:50:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:53:13:53:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:53:21:53:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:54:20:54:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:54:31:54:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:56:29:56:77 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression |
+| SpelInjectionTest.java:56:72:56:76 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:60:5:60:14 | expression | semmle.label | expression |
+| SpelInjectionTest.java:64:22:64:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:67:13:67:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:67:21:67:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:68:20:68:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:68:31:68:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:70:29:70:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression |
+| SpelInjectionTest.java:70:52:70:56 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:71:5:71:14 | expression | semmle.label | expression |
+| SpelInjectionTest.java:75:22:75:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:78:13:78:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:78:21:78:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:79:20:79:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:79:31:79:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:81:29:81:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression |
+| SpelInjectionTest.java:81:52:81:56 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:82:5:82:14 | expression | semmle.label | expression |
+| SpelInjectionTest.java:86:22:86:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjectionTest.java:89:13:89:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjectionTest.java:89:21:89:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjectionTest.java:90:20:90:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjectionTest.java:90:31:90:35 | bytes : byte[] | semmle.label | bytes : byte[] |
+| SpelInjectionTest.java:92:29:92:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression |
+| SpelInjectionTest.java:92:52:92:56 | input : String | semmle.label | input : String |
+| SpelInjectionTest.java:95:5:95:14 | expression | semmle.label | expression |
+subpaths

java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java

@@ -13,7 +13,7 @@ public class SpelInjectionTest {
   private static final ExpressionParser PARSER = new SpelExpressionParser();
 
   public void testGetValue(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
@@ -21,33 +21,33 @@ public class SpelInjectionTest {
 
     ExpressionParser parser = new SpelExpressionParser();
     Expression expression = parser.parseExpression(input);
-    expression.getValue(); // $hasSpelInjection
+    expression.getValue(); // $ Alert
   }
 
   public void testGetValueWithParseRaw(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
     String input = new String(bytes, 0, n);
     SpelExpressionParser parser = new SpelExpressionParser();
     SpelExpression expression = parser.parseRaw(input);
-    expression.getValue(); // $hasSpelInjection
+    expression.getValue(); // $ Alert
   }
 
   public void testGetValueWithChainedCalls(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
     String input = new String(bytes, 0, n);
 
     Expression expression = new SpelExpressionParser().parseExpression(input);
-    expression.getValue(); // $hasSpelInjection
+    expression.getValue(); // $ Alert
   }
 
   public void testSetValueWithRootObject(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
@@ -57,33 +57,33 @@ public class SpelInjectionTest {
 
     Object root = new Object();
     Object value = new Object();
-    expression.setValue(root, value); // $hasSpelInjection
+    expression.setValue(root, value); // $ Alert
   }
 
   public void testGetValueWithStaticParser(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
     String input = new String(bytes, 0, n);
 
     Expression expression = PARSER.parseExpression(input);
-    expression.getValue(); // $hasSpelInjection
+    expression.getValue(); // $ Alert
   }
 
   public void testGetValueType(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
     String input = new String(bytes, 0, n);
 
     Expression expression = PARSER.parseExpression(input);
-    expression.getValueType(); // $hasSpelInjection
+    expression.getValueType(); // $ Alert
   }
 
   public void testWithStandardEvaluationContext(Socket socket) throws IOException {
-    InputStream in = socket.getInputStream();
+    InputStream in = socket.getInputStream(); // $ Source
 
     byte[] bytes = new byte[1024];
     int n = in.read(bytes);
@@ -92,7 +92,7 @@ public class SpelInjectionTest {
     Expression expression = PARSER.parseExpression(input);
 
     StandardEvaluationContext context = new StandardEvaluationContext();
-    expression.getValue(context); // $hasSpelInjection
+    expression.getValue(context); // $ Alert
   }
 
   public void testWithSimpleEvaluationContext(Socket socket) throws IOException {

java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-094/SpelInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/SpelInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql

@@ -1,20 +0,0 @@
-import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.SpelInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module HasSpelInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasSpelInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasSpelInjection" and
-    exists(DataFlow::Node sink | SpelInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<HasSpelInjectionTest>

java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java

@@ -20,88 +20,88 @@ public class FreemarkerSSTI {
 	@GetMapping(value = "bad1")
 	public void bad1(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		Reader reader = new StringReader(code);
 
-		Template t = new Template(name, reader); // $hasTemplateInjection
+		Template t = new Template(name, reader); // $ Alert
 	}
 
 	@GetMapping(value = "bad2")
 	public void bad2(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		Reader reader = new StringReader(code);
 		Configuration cfg = new Configuration();
 
-		Template t = new Template(name, reader, cfg); // $hasTemplateInjection
+		Template t = new Template(name, reader, cfg); // $ Alert
 	}
 
 	@GetMapping(value = "bad3")
 	public void bad3(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		Reader reader = new StringReader(code);
 		Configuration cfg = new Configuration();
 
-		Template t = new Template(name, reader, cfg, "UTF-8"); // $hasTemplateInjection
+		Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert
 	}
 
 	@GetMapping(value = "bad4")
 	public void bad4(HttpServletRequest request) {
 		String name = "ttemplate";
-		String sourceCode = request.getParameter("sourceCode");
+		String sourceCode = request.getParameter("sourceCode"); // $ Source
 		Configuration cfg = new Configuration();
 
-		Template t = new Template(name, sourceCode, cfg); // $hasTemplateInjection
+		Template t = new Template(name, sourceCode, cfg); // $ Alert
 	}
 
 	@GetMapping(value = "bad5")
 	public void bad5(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		Configuration cfg = new Configuration();
 		Reader reader = new StringReader(code);
 
-		Template t = new Template(name, sourceName, reader, cfg); // $hasTemplateInjection
+		Template t = new Template(name, sourceName, reader, cfg); // $ Alert
 	}
 
 	@GetMapping(value = "bad6")
 	public void bad6(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		Configuration cfg = new Configuration();
 		ParserConfiguration customParserConfiguration = new Configuration();
 		Reader reader = new StringReader(code);
 
 		Template t =
-				new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $hasTemplateInjection
+				new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert
 	}
 
 	@GetMapping(value = "bad7")
 	public void bad7(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		Configuration cfg = new Configuration();
 		ParserConfiguration customParserConfiguration = new Configuration();
 		Reader reader = new StringReader(code);
 
-		Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $hasTemplateInjection
+		Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert
 	}
 
 	@GetMapping(value = "bad8")
 	public void bad8(HttpServletRequest request) {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		StringTemplateLoader stringLoader = new StringTemplateLoader();
 
-		stringLoader.putTemplate("myTemplate", code); // $hasTemplateInjection
+		stringLoader.putTemplate("myTemplate", code); // $ Alert
 	}
 
 	@GetMapping(value = "bad9")
 	public void bad9(HttpServletRequest request) {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		StringTemplateLoader stringLoader = new StringTemplateLoader();
 
-		stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection
+		stringLoader.putTemplate("myTemplate", code, 0); // $ Alert
 	}
 
 	@GetMapping(value = "good1")

java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java

@@ -18,27 +18,27 @@ public class JinJavaSSTI {
 
 	@GetMapping(value = "bad1")
 	public void bad1(HttpServletRequest request) {
-		String template = request.getParameter("template");
+		String template = request.getParameter("template"); // $ Source
 		Jinjava jinjava = new Jinjava();
 		Map<String, Object> context = new HashMap<>();
-		String renderedTemplate = jinjava.render(template, context); // $hasTemplateInjection
+		String renderedTemplate = jinjava.render(template, context); // $ Alert
 	}
 
 	@GetMapping(value = "bad2")
 	public void bad2(HttpServletRequest request) {
-		String template = request.getParameter("template");
+		String template = request.getParameter("template"); // $ Source
 		Jinjava jinjava = new Jinjava();
 		Map<String, Object> bindings = new HashMap<>();
-		RenderResult renderResult = jinjava.renderForResult(template, bindings); // $hasTemplateInjection
+		RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert
 	}
 
 	@GetMapping(value = "bad3")
 	public void bad3(HttpServletRequest request) {
-		String template = request.getParameter("template");
+		String template = request.getParameter("template"); // $ Source
 		Jinjava jinjava = new Jinjava();
 		Map<String, Object> bindings = new HashMap<>();
 		JinjavaConfig renderConfig = new JinjavaConfig();
 
-		RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $hasTemplateInjection
+		RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert
 	}
 }

java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java

@@ -15,15 +15,15 @@ public class PebbleSSTI {
 
 	@GetMapping(value = "bad1")
 	public void bad1(HttpServletRequest request) {
-		String templateName = request.getParameter("templateName");
+		String templateName = request.getParameter("templateName"); // $ Source
 		PebbleEngine engine = new PebbleEngine.Builder().build();
-		PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $hasTemplateInjection
+		PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert
 	}
 
 	@GetMapping(value = "bad2")
 	public void bad2(HttpServletRequest request) {
-		String templateName = request.getParameter("templateName");
+		String templateName = request.getParameter("templateName"); // $ Source
 		PebbleEngine engine = new PebbleEngine.Builder().build();
-		PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $hasTemplateInjection
+		PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert
 	}
 }

java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.expected

@@ -0,0 +1,171 @@
+#select
+| FreemarkerSSTI.java:26:35:26:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:26:35:26:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:36:35:36:40 | reader | FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | FreemarkerSSTI.java:36:35:36:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:32:17:32:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:46:35:46:40 | reader | FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | FreemarkerSSTI.java:46:35:46:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:42:17:42:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:55:35:55:44 | sourceCode | FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | FreemarkerSSTI.java:55:35:55:44 | sourceCode | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:52:23:52:56 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:65:47:65:52 | reader | FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | FreemarkerSSTI.java:65:47:65:52 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:61:17:61:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:77:36:77:41 | reader | FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | FreemarkerSSTI.java:77:36:77:41 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:71:17:71:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:88:47:88:52 | reader | FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | FreemarkerSSTI.java:88:47:88:52 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:83:17:83:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:96:42:96:45 | code | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:42:96:45 | code | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | user-provided value |
+| FreemarkerSSTI.java:104:42:104:45 | code | FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | FreemarkerSSTI.java:104:42:104:45 | code | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:101:17:101:44 | getParameter(...) | user-provided value |
+| JinJavaSSTI.java:24:44:24:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:24:44:24:51 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | user-provided value |
+| JinJavaSSTI.java:32:55:32:62 | template | JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | JinJavaSSTI.java:32:55:32:62 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:29:21:29:52 | getParameter(...) | user-provided value |
+| JinJavaSSTI.java:42:55:42:62 | template | JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | JinJavaSSTI.java:42:55:42:62 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:37:21:37:52 | getParameter(...) | user-provided value |
+| PebbleSSTI.java:20:56:20:67 | templateName | PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | PebbleSSTI.java:20:56:20:67 | templateName | Template, which may contain code, depends on a $@. | PebbleSSTI.java:18:25:18:60 | getParameter(...) | user-provided value |
+| PebbleSSTI.java:27:63:27:74 | templateName | PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | PebbleSSTI.java:27:63:27:74 | templateName | Template, which may contain code, depends on a $@. | PebbleSSTI.java:25:25:25:60 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:24:27:24:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:24:27:24:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:25:27:25:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:25:27:25:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:26:27:26:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:26:27:26:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:28:36:28:39 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:28:36:28:39 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:29:36:29:39 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:29:36:29:39 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:32:27:32:30 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:32:27:32:30 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:33:27:33:30 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:33:27:33:30 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| ThymeleafSSTI.java:34:36:34:39 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:34:36:34:39 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value |
+| VelocitySSTI.java:37:45:37:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:37:45:37:48 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | user-provided value |
+| VelocitySSTI.java:51:45:51:50 | reader | VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | VelocitySSTI.java:51:45:51:50 | reader | Template, which may contain code, depends on a $@. | VelocitySSTI.java:43:17:43:44 | getParameter(...) | user-provided value |
+| VelocitySSTI.java:61:25:61:30 | reader | VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | VelocitySSTI.java:61:25:61:30 | reader | Template, which may contain code, depends on a $@. | VelocitySSTI.java:57:17:57:44 | getParameter(...) | user-provided value |
+| VelocitySSTI.java:93:37:93:40 | code | VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:93:37:93:40 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:81:17:81:44 | getParameter(...) | user-provided value |
+| VelocitySSTI.java:94:37:94:58 | new StringReader(...) | VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:94:37:94:58 | new StringReader(...) | Template, which may contain code, depends on a $@. | VelocitySSTI.java:81:17:81:44 | getParameter(...) | user-provided value |
+| VelocitySSTI.java:117:37:117:40 | code | VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | VelocitySSTI.java:117:37:117:40 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:114:17:114:44 | getParameter(...) | user-provided value |
+edges
+| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String | provenance | Src:MaD:19  |
+| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:26:35:26:40 | reader | provenance | Sink:MaD:6 |
+| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | FreemarkerSSTI.java:33:36:33:39 | code : String | provenance | Src:MaD:19  |
+| FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:36:35:36:40 | reader | provenance | Sink:MaD:7 |
+| FreemarkerSSTI.java:33:36:33:39 | code : String | FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | FreemarkerSSTI.java:43:36:43:39 | code : String | provenance | Src:MaD:19  |
+| FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:46:35:46:40 | reader | provenance | Sink:MaD:8 |
+| FreemarkerSSTI.java:43:36:43:39 | code : String | FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | FreemarkerSSTI.java:55:35:55:44 | sourceCode | provenance | Src:MaD:19 Sink:MaD:9 |
+| FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | FreemarkerSSTI.java:63:36:63:39 | code : String | provenance | Src:MaD:19  |
+| FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:65:47:65:52 | reader | provenance | Sink:MaD:10 |
+| FreemarkerSSTI.java:63:36:63:39 | code : String | FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | FreemarkerSSTI.java:74:36:74:39 | code : String | provenance | Src:MaD:19  |
+| FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:77:36:77:41 | reader | provenance | Sink:MaD:11 |
+| FreemarkerSSTI.java:74:36:74:39 | code : String | FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | FreemarkerSSTI.java:86:36:86:39 | code : String | provenance | Src:MaD:19  |
+| FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:88:47:88:52 | reader | provenance | Sink:MaD:12 |
+| FreemarkerSSTI.java:86:36:86:39 | code : String | FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:42:96:45 | code | provenance | Src:MaD:19 Sink:MaD:5 |
+| FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | FreemarkerSSTI.java:104:42:104:45 | code | provenance | Src:MaD:19 Sink:MaD:5 |
+| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:24:44:24:51 | template | provenance | Src:MaD:19 Sink:MaD:1 |
+| JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | JinJavaSSTI.java:32:55:32:62 | template | provenance | Src:MaD:19 Sink:MaD:2 |
+| JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | JinJavaSSTI.java:42:55:42:62 | template | provenance | Src:MaD:19 Sink:MaD:2 |
+| PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | PebbleSSTI.java:20:56:20:67 | templateName | provenance | Src:MaD:19 Sink:MaD:4 |
+| PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | PebbleSSTI.java:27:63:27:74 | templateName | provenance | Src:MaD:19 Sink:MaD:3 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:24:27:24:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:25:27:25:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:26:27:26:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | provenance | Src:MaD:19 Sink:MaD:17 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:28:36:28:39 | code | provenance | Src:MaD:19 Sink:MaD:18 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:29:36:29:39 | code | provenance | Src:MaD:19 Sink:MaD:18 |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:31:41:31:44 | code : String | provenance | Src:MaD:19  |
+| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:32:27:32:30 | spec | provenance | Sink:MaD:17 |
+| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:33:27:33:30 | spec | provenance | Sink:MaD:17 |
+| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:34:36:34:39 | spec | provenance | Sink:MaD:18 |
+| ThymeleafSSTI.java:31:41:31:44 | code : String | ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | provenance | MaD:21 |
+| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:37:45:37:48 | code | provenance | Src:MaD:19 Sink:MaD:13 |
+| VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | VelocitySSTI.java:49:42:49:45 | code : String | provenance | Src:MaD:19  |
+| VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | VelocitySSTI.java:51:45:51:50 | reader | provenance | Sink:MaD:13 |
+| VelocitySSTI.java:49:42:49:45 | code : String | VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | VelocitySSTI.java:60:42:60:45 | code : String | provenance | Src:MaD:19  |
+| VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | VelocitySSTI.java:61:25:61:30 | reader | provenance | Sink:MaD:16 |
+| VelocitySSTI.java:60:42:60:45 | code : String | VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | provenance | MaD:20 |
+| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:93:37:93:40 | code | provenance | Src:MaD:19 Sink:MaD:14 |
+| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:94:54:94:57 | code : String | provenance | Src:MaD:19  |
+| VelocitySSTI.java:94:54:94:57 | code : String | VelocitySSTI.java:94:37:94:58 | new StringReader(...) | provenance | MaD:20 Sink:MaD:14 |
+| VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | VelocitySSTI.java:117:37:117:40 | code | provenance | Src:MaD:19 Sink:MaD:15 |
+models
+| 1 | Sink: com.hubspot.jinjava; Jinjava; true; render; ; ; Argument[0]; template-injection; manual |
+| 2 | Sink: com.hubspot.jinjava; Jinjava; true; renderForResult; ; ; Argument[0]; template-injection; manual |
+| 3 | Sink: com.mitchellbosecke.pebble; PebbleEngine; true; getLiteralTemplate; ; ; Argument[0]; template-injection; manual |
+| 4 | Sink: com.mitchellbosecke.pebble; PebbleEngine; true; getTemplate; ; ; Argument[0]; template-injection; manual |
+| 5 | Sink: freemarker.cache; StringTemplateLoader; true; putTemplate; ; ; Argument[1]; template-injection; manual |
+| 6 | Sink: freemarker.template; Template; true; Template; (String,Reader); ; Argument[1]; template-injection; manual |
+| 7 | Sink: freemarker.template; Template; true; Template; (String,Reader,Configuration); ; Argument[1]; template-injection; manual |
+| 8 | Sink: freemarker.template; Template; true; Template; (String,Reader,Configuration,String); ; Argument[1]; template-injection; manual |
+| 9 | Sink: freemarker.template; Template; true; Template; (String,String,Configuration); ; Argument[1]; template-injection; manual |
+| 10 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration); ; Argument[2]; template-injection; manual |
+| 11 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration,ParserConfiguration,String); ; Argument[2]; template-injection; manual |
+| 12 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration,String); ; Argument[2]; template-injection; manual |
+| 13 | Sink: org.apache.velocity.app; Velocity; true; evaluate; ; ; Argument[3]; template-injection; manual |
+| 14 | Sink: org.apache.velocity.app; VelocityEngine; true; evaluate; ; ; Argument[3]; template-injection; manual |
+| 15 | Sink: org.apache.velocity.runtime.resource.util; StringResourceRepository; true; putStringResource; ; ; Argument[1]; template-injection; manual |
+| 16 | Sink: org.apache.velocity.runtime; RuntimeServices; true; parse; ; ; Argument[0]; template-injection; manual |
+| 17 | Sink: org.thymeleaf; ITemplateEngine; true; process; ; ; Argument[0]; template-injection; manual |
+| 18 | Sink: org.thymeleaf; ITemplateEngine; true; processThrottled; ; ; Argument[0]; template-injection; manual |
+| 19 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+| 20 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 21 | Summary: org.thymeleaf; TemplateSpec; false; TemplateSpec; ; ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:26:35:26:40 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:33:36:33:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:36:35:36:40 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:43:36:43:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:46:35:46:40 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:55:35:55:44 | sourceCode | semmle.label | sourceCode |
+| FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:63:36:63:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:65:47:65:52 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:74:36:74:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:77:36:77:41 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| FreemarkerSSTI.java:86:36:86:39 | code : String | semmle.label | code : String |
+| FreemarkerSSTI.java:88:47:88:52 | reader | semmle.label | reader |
+| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:96:42:96:45 | code | semmle.label | code |
+| FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FreemarkerSSTI.java:104:42:104:45 | code | semmle.label | code |
+| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JinJavaSSTI.java:24:44:24:51 | template | semmle.label | template |
+| JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JinJavaSSTI.java:32:55:32:62 | template | semmle.label | template |
+| JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JinJavaSSTI.java:42:55:42:62 | template | semmle.label | template |
+| PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PebbleSSTI.java:20:56:20:67 | templateName | semmle.label | templateName |
+| PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PebbleSSTI.java:27:63:27:74 | templateName | semmle.label | templateName |
+| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThymeleafSSTI.java:24:27:24:30 | code | semmle.label | code |
+| ThymeleafSSTI.java:25:27:25:30 | code | semmle.label | code |
+| ThymeleafSSTI.java:26:27:26:30 | code | semmle.label | code |
+| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code |
+| ThymeleafSSTI.java:28:36:28:39 | code | semmle.label | code |
+| ThymeleafSSTI.java:29:36:29:39 | code | semmle.label | code |
+| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | semmle.label | new TemplateSpec(...) : TemplateSpec |
+| ThymeleafSSTI.java:31:41:31:44 | code : String | semmle.label | code : String |
+| ThymeleafSSTI.java:32:27:32:30 | spec | semmle.label | spec |
+| ThymeleafSSTI.java:33:27:33:30 | spec | semmle.label | spec |
+| ThymeleafSSTI.java:34:36:34:39 | spec | semmle.label | spec |
+| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:37:45:37:48 | code | semmle.label | code |
+| VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| VelocitySSTI.java:49:42:49:45 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:51:45:51:50 | reader | semmle.label | reader |
+| VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| VelocitySSTI.java:60:42:60:45 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:61:25:61:30 | reader | semmle.label | reader |
+| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:93:37:93:40 | code | semmle.label | code |
+| VelocitySSTI.java:94:37:94:58 | new StringReader(...) | semmle.label | new StringReader(...) |
+| VelocitySSTI.java:94:54:94:57 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:117:37:117:40 | code | semmle.label | code |
+subpaths

java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-094/TemplateInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java

@@ -18,20 +18,20 @@ import org.thymeleaf.context.Context;
 public class ThymeleafSSTI {
 	@GetMapping(value = "bad1")
 	public void bad1(HttpServletRequest request) {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 		try {
 			TemplateEngine templateEngine = new TemplateEngine();
-			templateEngine.process(code, (Set<String>) null, (Context) null); // $hasTemplateInjection
-			templateEngine.process(code, (Set<String>) null, (Context) null, (Writer) null); // $hasTemplateInjection
-			templateEngine.process(code, (Context) null); // $hasTemplateInjection
-			templateEngine.process(code, (Context) null, (Writer) null); // $hasTemplateInjection
-			templateEngine.processThrottled(code, (Set<String>) null, (Context) null); // $hasTemplateInjection
-			templateEngine.processThrottled(code, (Context) null); // $hasTemplateInjection
+			templateEngine.process(code, (Set<String>) null, (Context) null); // $ Alert
+			templateEngine.process(code, (Set<String>) null, (Context) null, (Writer) null); // $ Alert
+			templateEngine.process(code, (Context) null); // $ Alert
+			templateEngine.process(code, (Context) null, (Writer) null); // $ Alert
+			templateEngine.processThrottled(code, (Set<String>) null, (Context) null); // $ Alert
+			templateEngine.processThrottled(code, (Context) null); // $ Alert
 
 			TemplateSpec spec = new TemplateSpec(code, "");
-			templateEngine.process(spec, (Context) null); // $hasTemplateInjection
-			templateEngine.process(spec, (Context) null, (Writer) null); // $hasTemplateInjection
-			templateEngine.processThrottled(spec, (Context) null); // $hasTemplateInjection
+			templateEngine.process(spec, (Context) null); // $ Alert
+			templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert
+			templateEngine.processThrottled(spec, (Context) null); // $ Alert
 		} catch (Exception e) {
 		}
 	}

java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java

@@ -28,19 +28,19 @@ public class VelocitySSTI {
 	@GetMapping(value = "bad1")
 	public void bad1(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 
 		VelocityContext context = null;
 
 		String s = "We are using $project $name to render this.";
 		StringWriter w = new StringWriter();
-		Velocity.evaluate(context, w, "mystring", code); // $hasTemplateInjection
+		Velocity.evaluate(context, w, "mystring", code); // $ Alert
 	}
 
 	@GetMapping(value = "bad2")
 	public void bad2(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 
 		VelocityContext context = null;
 
@@ -48,17 +48,17 @@ public class VelocitySSTI {
 		StringWriter w = new StringWriter();
 		StringReader reader = new StringReader(code);
 
-		Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection
+		Velocity.evaluate(context, w, "mystring", reader); // $ Alert
 	}
 
 	@GetMapping(value = "bad3")
 	public void bad3(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 
 		RuntimeServices runtimeServices = null;
 		StringReader reader = new StringReader(code);
-		runtimeServices.parse(reader, new Template()); // $hasTemplateInjection
+		runtimeServices.parse(reader, new Template()); // $ Alert
 	}
 
 	@GetMapping(value = "good1")
@@ -78,7 +78,7 @@ public class VelocitySSTI {
 	@GetMapping(value = "bad5")
 	public void bad5(HttpServletRequest request) {
 		String name = "ttemplate";
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 
 		VelocityContext context = new VelocityContext();
 		context.put("code", code);
@@ -90,8 +90,8 @@ public class VelocitySSTI {
 		ctx.put("key", code);
 		engine.evaluate(ctx, null, null, (String) null); // Safe
 		engine.evaluate(ctx, null, null, (Reader) null); // Safe
-		engine.evaluate(null, null, null, code); // $hasTemplateInjection
-		engine.evaluate(null, null, null, new StringReader(code)); // $hasTemplateInjection
+		engine.evaluate(null, null, null, code); // $ Alert
+		engine.evaluate(null, null, null, new StringReader(code)); // $ Alert
 	}
 
 	@GetMapping(value = "good2")
@@ -111,10 +111,10 @@ public class VelocitySSTI {
 
 	@GetMapping(value = "bad6")
 	public void bad6(HttpServletRequest request) {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source
 
 		StringResourceRepository repo = new StringResourceRepositoryImpl();
-		repo.putStringResource("woogie2", code); // $hasTemplateInjection
+		repo.putStringResource("woogie2", code); // $ Alert
 
 	}
 }

java/ql/test/query-tests/security/CWE-094/TemplateInjection/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql

@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.security.TemplateInjectionQuery
-import utils.test.InlineExpectationsTest
-
-module TemplateInjectionTest implements TestSig {
-  string getARelevantTag() { result = "hasTemplateInjection" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasTemplateInjection" and
-    exists(DataFlow::Node sink | TemplateInjectionFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<TemplateInjectionTest>

java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected

@@ -0,0 +1,43 @@
+#select
+| MainActivity.java:13:34:13:39 | intent | MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:12:29:12:39 | getIntent(...) | user-provided value |
+| MainActivity.java:17:34:17:44 | extraIntent | MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:17:34:17:44 | extraIntent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:16:43:16:53 | getIntent(...) | user-provided value |
+| MainActivity.java:33:34:33:39 | intent | MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:30:29:30:39 | getIntent(...) | user-provided value |
+| MainActivity.java:46:34:46:39 | intent | MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:42:29:42:39 | getIntent(...) | user-provided value |
+| MainActivity.java:52:34:52:39 | intent | MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:49:29:49:39 | getIntent(...) | user-provided value |
+| MainActivity.java:60:38:60:43 | intent | MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:55:29:55:39 | getIntent(...) | user-provided value |
+| MainActivity.java:71:38:71:43 | intent | MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:64:29:64:39 | getIntent(...) | user-provided value |
+| MainActivity.java:81:38:81:43 | intent | MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:75:29:75:39 | getIntent(...) | user-provided value |
+edges
+| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:16:34:16:87 | (...)... : Intent | MainActivity.java:17:34:17:44 | extraIntent | provenance | Sink:MaD:1 |
+| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | provenance | MaD:2 |
+| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | MainActivity.java:16:34:16:87 | (...)... : Intent | provenance |  |
+| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | provenance | Sink:MaD:1 |
+models
+| 1 | Sink: android.app; Activity; true; setResult; (int,Intent); ; Argument[1]; pending-intents; manual |
+| 2 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
+nodes
+| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:13:34:13:39 | intent | semmle.label | intent |
+| MainActivity.java:16:34:16:87 | (...)... : Intent | semmle.label | (...)... : Intent |
+| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| MainActivity.java:17:34:17:44 | extraIntent | semmle.label | extraIntent |
+| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:33:34:33:39 | intent | semmle.label | intent |
+| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:46:34:46:39 | intent | semmle.label | intent |
+| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:52:34:52:39 | intent | semmle.label | intent |
+| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:60:38:60:43 | intent | semmle.label | intent |
+| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:71:38:71:43 | intent | semmle.label | intent |
+| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:81:38:81:43 | intent | semmle.label | intent |
+subpaths

java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql

@@ -1,4 +0,0 @@
-import java
-import utils.test.InlineFlowTest
-import semmle.code.java.security.IntentUriPermissionManipulationQuery
-import TaintFlowTest<IntentUriPermissionManipulationConfig>

java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-266/MainActivity.java

@@ -9,12 +9,12 @@ public class MainActivity extends Activity {
 
     public void onCreate(Bundle savedInstance) {
         {
-            Intent intent = getIntent();
-            setResult(RESULT_OK, intent); // $ hasTaintFlow
+            Intent intent = getIntent(); // $ Source
+            setResult(RESULT_OK, intent); // $ Alert
         }
         {
-            Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent");
-            setResult(RESULT_OK, extraIntent); // $ hasTaintFlow
+            Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent"); // $ Source
+            setResult(RESULT_OK, extraIntent); // $ Alert
         }
         {
             Intent intent = getIntent();
@@ -27,10 +27,10 @@ public class MainActivity extends Activity {
             setResult(RESULT_OK, intent); // Safe
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             intent.setFlags( // Not properly sanitized
                     Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP);
-            setResult(RESULT_OK, intent); // $ hasTaintFlow
+            setResult(RESULT_OK, intent); // $ Alert
         }
         {
             Intent intent = getIntent();
@@ -39,46 +39,46 @@ public class MainActivity extends Activity {
             setResult(RESULT_OK, intent); // Safe
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             // Combined, the following two calls are a sanitizer
             intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
             intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
-            setResult(RESULT_OK, intent); // $ SPURIOUS: $ hasTaintFlow
+            setResult(RESULT_OK, intent); // $ SPURIOUS: $ Alert
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             intent.removeFlags( // Not properly sanitized
                     Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP);
-            setResult(RESULT_OK, intent); // $ hasTaintFlow
+            setResult(RESULT_OK, intent); // $ Alert
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             // Good check
             if (intent.getData().equals(Uri.parse("content://safe/uri"))) {
                 setResult(RESULT_OK, intent); // Safe
             } else {
-                setResult(RESULT_OK, intent); // $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ Alert
             }
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             int flags = intent.getFlags();
             // Good check
             if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0
                     && (flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) == 0) {
                 setResult(RESULT_OK, intent); // Safe
             } else {
-                setResult(RESULT_OK, intent); // $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ Alert
             }
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             int flags = intent.getFlags();
             // Insufficient check
             if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0) {
-                setResult(RESULT_OK, intent); // $ MISSING: $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ MISSING: $ Alert
             } else {
-                setResult(RESULT_OK, intent); // $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ Alert
             }
         }
     }

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.expected

@@ -0,0 +1,94 @@
+#select
+| InsecureTrustManagerTest.java:124:22:124:33 | trustManager | InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:124:22:124:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:148:23:148:34 | trustManager | InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:148:23:148:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:180:23:180:34 | trustManager | InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:180:23:180:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:212:23:212:34 | trustManager | InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:212:23:212:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:229:23:229:34 | trustManager | InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:229:23:229:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:247:23:247:34 | trustManager | InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:247:23:247:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:267:22:267:33 | trustManager | InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:267:22:267:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:279:22:279:33 | trustManager | InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:279:22:279:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:291:22:291:33 | trustManager | InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:291:22:291:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:303:22:303:33 | trustManager | InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:303:22:303:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:315:22:315:33 | trustManager | InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:315:22:315:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:327:22:327:33 | trustManager | InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:327:22:327:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:339:22:339:33 | trustManager | InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:339:22:339:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:352:22:352:33 | trustManager | InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:352:22:352:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+| InsecureTrustManagerTest.java:360:22:360:33 | trustManager | InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:360:22:360:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager |
+edges
+| InsecureTrustManagerTest.java:123:33:123:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:124:22:124:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:123:33:123:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:147:34:147:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:148:23:148:34 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:147:34:147:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:179:34:179:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:180:23:180:34 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:179:34:179:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:211:34:211:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:212:23:212:34 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:211:34:211:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:228:34:228:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:229:23:229:34 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:228:34:228:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:246:34:246:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:247:23:247:34 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:246:34:246:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:266:33:266:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:267:22:267:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:266:33:266:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:278:33:278:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:279:22:279:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:278:33:278:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:290:33:290:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:291:22:291:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:290:33:290:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:302:33:302:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:303:22:303:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:302:33:302:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:314:33:314:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:315:22:315:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:314:33:314:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:326:33:326:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:327:22:327:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:326:33:326:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:338:33:338:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:339:22:339:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:338:33:338:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:351:33:351:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:352:22:352:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:351:33:351:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+| InsecureTrustManagerTest.java:359:33:359:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:360:22:360:33 | trustManager | provenance |  |
+| InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:359:33:359:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance |  |
+nodes
+| InsecureTrustManagerTest.java:123:33:123:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:124:22:124:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:147:34:147:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:148:23:148:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:179:34:179:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:180:23:180:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:211:34:211:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:212:23:212:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:228:34:228:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:229:23:229:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:246:34:246:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:247:23:247:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:266:33:266:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:267:22:267:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:278:33:278:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:279:22:279:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:290:33:290:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:291:22:291:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:302:33:302:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:303:22:303:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:314:33:314:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:315:22:315:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:326:33:326:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:327:22:327:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:338:33:338:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:339:22:339:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:351:33:351:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:352:22:352:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:359:33:359:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:360:22:360:33 | trustManager | semmle.label | trustManager |
+subpaths

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java

@@ -120,8 +120,8 @@ public class InsecureTrustManagerTest {
 	private static void directInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 	}
 
 	private static void namedVariableFlagDirectInsecureTrustManagerCall()
@@ -144,8 +144,8 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasValueFlow
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+			context.init(null, trustManager, null); // $ Alert
 		}
 	}
 
@@ -176,8 +176,8 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasValueFlow
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+			context.init(null, trustManager, null); // $ Alert
 		}
 	}
 
@@ -208,8 +208,8 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (is42TheAnswerForEverything()) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasValueFlow
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+			context.init(null, trustManager, null); // $ Alert
 		}
 	}
 
@@ -225,8 +225,8 @@ public class InsecureTrustManagerTest {
 		String schemaFromHttpRequest = "HTTPS";
 		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasValueFlow
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+			context.init(null, trustManager, null); // $ Alert
 		}
 	}
 
@@ -243,8 +243,8 @@ public class InsecureTrustManagerTest {
 		String schemaFromHttpRequest = "HTTPS";
 		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasValueFlow
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+			context.init(null, trustManager, null); // $ Alert
 		}
 	}
 
@@ -263,8 +263,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
@@ -275,8 +275,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
@@ -287,8 +287,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
@@ -299,8 +299,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
@@ -311,8 +311,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
@@ -323,8 +323,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 	}
 
 	private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
@@ -335,8 +335,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
@@ -348,15 +348,15 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 
 	}
 
 	private static void disableTrustManager()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasValueFlow
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source
+		context.init(null, trustManager, null); // $ Alert
 	}
 }

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql

@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.security.InsecureTrustManagerQuery
-import utils.test.InlineExpectationsTest
-
-module InsecureTrustManagerTest implements TestSig {
-  string getARelevantTag() { result = "hasValueFlow" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasValueFlow" and
-    exists(DataFlow::Node sink | InsecureTrustManagerFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<InsecureTrustManagerTest>

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-295/InsecureTrustManager.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.expected

@@ -0,0 +1,21 @@
+| CleartextStorageCookieTest.java:22:7:22:40 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:20:31:20:62 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:20:54:20:61 | password | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:48:77:48:84 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:49:59:49:83 | getPassword(...) | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.java

@@ -0,0 +1,79 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.Cookie;
+import org.owasp.esapi.Encoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.security.MessageDigest;
+import java.net.PasswordAuthentication;
+
+public class CleartextStorageCookieTest extends HttpServlet {
+  HttpServletResponse response;
+  String name = "user";
+  String password = "BP@ssw0rd"; // $ Source
+
+  public void doGet() throws Exception {
+    {
+      Cookie nameCookie = new Cookie("name", name);
+      nameCookie.setValue(name);
+      response.addCookie(nameCookie); // Safe
+      Cookie passwordCookie = new Cookie("password", password);
+      passwordCookie.setValue(password);
+      response.addCookie(passwordCookie); // $ Alert
+      Cookie encodedPasswordCookie = new Cookie("password", encrypt(password));
+      encodedPasswordCookie.setValue(encrypt(password));
+      response.addCookie(encodedPasswordCookie); // Safe
+    }
+    {
+      io.netty.handler.codec.http.Cookie nettyNameCookie =
+        new io.netty.handler.codec.http.DefaultCookie("name", name);
+      nettyNameCookie.setValue(name); // Safe
+
+      io.netty.handler.codec.http.Cookie nettyPasswordCookie =
+        new io.netty.handler.codec.http.DefaultCookie("password", password);
+      nettyPasswordCookie.setValue(password); // $ MISSING: Alert (netty not supported by query)
+
+      io.netty.handler.codec.http.cookie.Cookie nettyEncodedPasswordCookie =
+          new io.netty.handler.codec.http.cookie.DefaultCookie("password", encrypt(password));
+      nettyEncodedPasswordCookie.setValue(encrypt(password)); // Safe
+    }
+    {
+      Encoder enc = null;
+      String value = enc.encodeForHTML(password);
+      Cookie cookie = new Cookie("password", value);
+      response.addCookie(cookie); // $ Alert
+    }
+    {
+      String data;
+      PasswordAuthentication credentials = new PasswordAuthentication(name, password.toCharArray());
+      data = credentials.getUserName() + ":" + new String(credentials.getPassword());
+
+      // BAD: store data in a cookie in cleartext form
+      response.addCookie(new Cookie("auth", data)); // $ Alert
+    }
+    {
+      String data;
+      PasswordAuthentication credentials =
+          new PasswordAuthentication(name, password.toCharArray());
+      String salt = "ThisIsMySalt";
+      MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
+      messageDigest.reset();
+      String credentialsToHash =
+          credentials.getUserName() + ":" + new String(credentials.getPassword());
+      byte[] hashedCredsAsBytes =
+          messageDigest.digest((salt+credentialsToHash).getBytes("UTF-8"));
+      data = new String(hashedCredsAsBytes);
+
+      // GOOD: store data in a cookie in encrypted form
+      response.addCookie(new Cookie("auth", data)); // Safe
+    }
+  }
+
+
+  private static String encrypt(String cleartext) throws Exception {
+    MessageDigest digest = MessageDigest.getInstance("SHA-256");
+    byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
+    String encoded = Base64.getEncoder().encodeToString(hash);
+    return encoded;
+  }
+}

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-312/CleartextStorageCookie.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../../stubs/esapi-2.0.1:${testdir}/../../../../stubs/netty-4.1.x

java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.expected

@@ -0,0 +1,120 @@
+#select
+| InsufficientKeySizeTest.java:17:26:17:27 | 64 | InsufficientKeySizeTest.java:17:26:17:27 | 64 | InsufficientKeySizeTest.java:17:26:17:27 | 64 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:17:26:17:27 | 64 | key size |
+| InsufficientKeySizeTest.java:27:26:27:30 | size1 | InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | InsufficientKeySizeTest.java:27:26:27:30 | size1 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:23:31:23:32 | 64 | key size |
+| InsufficientKeySizeTest.java:30:26:30:30 | size2 | InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:30:26:30:30 | size2 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:24:25:24:26 | 64 | key size |
+| InsufficientKeySizeTest.java:40:26:40:27 | 64 | InsufficientKeySizeTest.java:40:26:40:27 | 64 | InsufficientKeySizeTest.java:40:26:40:27 | 64 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:40:26:40:27 | 64 | key size |
+| InsufficientKeySizeTest.java:51:36:51:39 | 1024 | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | key size |
+| InsufficientKeySizeTest.java:58:73:58:76 | 1024 | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | key size |
+| InsufficientKeySizeTest.java:62:63:62:66 | 1024 | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | key size |
+| InsufficientKeySizeTest.java:69:36:69:40 | size1 | InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | InsufficientKeySizeTest.java:69:36:69:40 | size1 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:65:31:65:34 | 1024 | key size |
+| InsufficientKeySizeTest.java:72:36:72:40 | size2 | InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:72:36:72:40 | size2 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:66:25:66:28 | 1024 | key size |
+| InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:255:40:255:43 | 1024 | key size |
+| InsufficientKeySizeTest.java:86:36:86:39 | 1024 | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | key size |
+| InsufficientKeySizeTest.java:97:36:97:39 | 1024 | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | key size |
+| InsufficientKeySizeTest.java:104:67:104:70 | 1024 | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | key size |
+| InsufficientKeySizeTest.java:108:60:108:63 | 1024 | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | key size |
+| InsufficientKeySizeTest.java:112:27:112:30 | 1024 | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | key size |
+| InsufficientKeySizeTest.java:117:28:117:31 | 1024 | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | key size |
+| InsufficientKeySizeTest.java:128:36:128:39 | 1024 | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | key size |
+| InsufficientKeySizeTest.java:135:64:135:67 | 1024 | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | key size |
+| InsufficientKeySizeTest.java:139:59:139:62 | 1024 | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | key size |
+| InsufficientKeySizeTest.java:143:27:143:30 | 1024 | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | key size |
+| InsufficientKeySizeTest.java:150:36:150:38 | 128 | InsufficientKeySizeTest.java:150:36:150:38 | 128 | InsufficientKeySizeTest.java:150:36:150:38 | 128 | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:150:36:150:38 | 128 | key size |
+| InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | key size |
+| InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | key size |
+| InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | key size |
+| InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | key size |
+| InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | key size |
+| InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | key size |
+| InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | key size |
+| InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | key size |
+| InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" | key size |
+| InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" | key size |
+| InsufficientKeySizeTest.java:219:21:219:27 | keySize | InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:219:21:219:27 | keySize | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:24:25:24:26 | 64 | key size |
+| InsufficientKeySizeTest.java:225:21:225:27 | keySize | InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | InsufficientKeySizeTest.java:225:21:225:27 | keySize | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:35:30:35:31 | 64 | key size |
+| InsufficientKeySizeTest.java:230:31:230:37 | keySize | InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:230:31:230:37 | keySize | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:66:25:66:28 | 1024 | key size |
+| InsufficientKeySizeTest.java:236:31:236:37 | keySize | InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | InsufficientKeySizeTest.java:236:31:236:37 | keySize | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:77:36:77:39 | 1024 | key size |
+| InsufficientKeySizeTest.java:246:31:246:37 | keySize | InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | InsufficientKeySizeTest.java:246:31:246:37 | keySize | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:199:24:199:26 | 128 | key size |
+| InsufficientKeySizeTest.java:252:31:252:37 | keySize | InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | InsufficientKeySizeTest.java:252:31:252:37 | keySize | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:202:40:202:42 | 128 | key size |
+edges
+| InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | InsufficientKeySizeTest.java:27:26:27:30 | size1 | provenance |  |
+| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:30:26:30:30 | size2 | provenance |  |
+| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | provenance |  |
+| InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | provenance |  |
+| InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | provenance |  |
+| InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | InsufficientKeySizeTest.java:69:36:69:40 | size1 | provenance |  |
+| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:72:36:72:40 | size2 | provenance |  |
+| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | provenance |  |
+| InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | provenance |  |
+| InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | provenance |  |
+| InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | InsufficientKeySizeTest.java:201:41:201:44 | size : Number | provenance |  |
+| InsufficientKeySizeTest.java:201:41:201:44 | size : Number | InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | provenance |  |
+| InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | provenance |  |
+| InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | provenance |  |
+| InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | provenance |  |
+| InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | InsufficientKeySizeTest.java:219:21:219:27 | keySize | provenance |  |
+| InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | InsufficientKeySizeTest.java:225:21:225:27 | keySize | provenance |  |
+| InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | InsufficientKeySizeTest.java:230:31:230:37 | keySize | provenance |  |
+| InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | InsufficientKeySizeTest.java:236:31:236:37 | keySize | provenance |  |
+| InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | InsufficientKeySizeTest.java:246:31:246:37 | keySize | provenance |  |
+| InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | InsufficientKeySizeTest.java:252:31:252:37 | keySize | provenance |  |
+| InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | provenance |  |
+nodes
+| InsufficientKeySizeTest.java:17:26:17:27 | 64 | semmle.label | 64 |
+| InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | semmle.label | 64 : Number |
+| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | semmle.label | 64 : Number |
+| InsufficientKeySizeTest.java:27:26:27:30 | size1 | semmle.label | size1 |
+| InsufficientKeySizeTest.java:30:26:30:30 | size2 | semmle.label | size2 |
+| InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | semmle.label | size2 : Number |
+| InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | semmle.label | 64 : Number |
+| InsufficientKeySizeTest.java:40:26:40:27 | 64 | semmle.label | 64 |
+| InsufficientKeySizeTest.java:51:36:51:39 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:58:73:58:76 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:62:63:62:66 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | semmle.label | 1024 : Number |
+| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | semmle.label | 1024 : Number |
+| InsufficientKeySizeTest.java:69:36:69:40 | size1 | semmle.label | size1 |
+| InsufficientKeySizeTest.java:72:36:72:40 | size2 | semmle.label | size2 |
+| InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | semmle.label | size2 : Number |
+| InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | semmle.label | 1024 : Number |
+| InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | semmle.label | getRSAKeySize(...) |
+| InsufficientKeySizeTest.java:86:36:86:39 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:97:36:97:39 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:104:67:104:70 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:108:60:108:63 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:112:27:112:30 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:117:28:117:31 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:128:36:128:39 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:135:64:135:67 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:139:59:139:62 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:143:27:143:30 | 1024 | semmle.label | 1024 |
+| InsufficientKeySizeTest.java:150:36:150:38 | 128 | semmle.label | 128 |
+| InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | semmle.label | "secp112r1" |
+| InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | semmle.label | "secp112r1" |
+| InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | semmle.label | "X9.62 prime192v2" |
+| InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | semmle.label | "X9.62 c2tnb191v3" |
+| InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | semmle.label | "sect163k1" |
+| InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | semmle.label | "prime192v2" |
+| InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | semmle.label | "c2tnb191v1" |
+| InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | semmle.label | "secp112r1" |
+| InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | semmle.label | 128 : Number |
+| InsufficientKeySizeTest.java:201:41:201:44 | size : Number | semmle.label | size : Number |
+| InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | semmle.label | 128 : Number |
+| InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | semmle.label | "secp112r1" : String |
+| InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | semmle.label | curveName1 |
+| InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | semmle.label | "secp112r1" : String |
+| InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | semmle.label | curveName2 |
+| InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | semmle.label | keySize : Number |
+| InsufficientKeySizeTest.java:219:21:219:27 | keySize | semmle.label | keySize |
+| InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | semmle.label | keySize : Number |
+| InsufficientKeySizeTest.java:225:21:225:27 | keySize | semmle.label | keySize |
+| InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | semmle.label | keySize : Number |
+| InsufficientKeySizeTest.java:230:31:230:37 | keySize | semmle.label | keySize |
+| InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | semmle.label | keySize : Number |
+| InsufficientKeySizeTest.java:236:31:236:37 | keySize | semmle.label | keySize |
+| InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | semmle.label | keySize : Number |
+| InsufficientKeySizeTest.java:246:31:246:37 | keySize | semmle.label | keySize |
+| InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | semmle.label | keySize : Number |
+| InsufficientKeySizeTest.java:252:31:252:37 | keySize | semmle.label | keySize |
+| InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | semmle.label | 1024 : Number |
+subpaths

java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java

@@ -14,30 +14,30 @@ public class InsufficientKeySizeTest {
         {
             /* Test with keysize as int */
             KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
-            keyGen1.init(64); // $ hasInsufficientKeySize
+            keyGen1.init(64); // $ Alert
 
             KeyGenerator keyGen2 = KeyGenerator.getInstance("AES");
             keyGen2.init(128); // Safe: Key size is no less than 128
 
             /* Test with local variable as keysize */
-            final int size1 = 64; // compile-time constant
-            int size2 = 64;       // not a compile-time constant
+            final int size1 = 64; // $ Source// compile-time constant
+            int size2 = 64;       // $ Source// not a compile-time constant
 
             KeyGenerator keyGen3 = KeyGenerator.getInstance("AES");
-            keyGen3.init(size1); // $ hasInsufficientKeySize
+            keyGen3.init(size1); // $ Alert
 
             KeyGenerator keyGen4 = KeyGenerator.getInstance("AES");
-            keyGen4.init(size2); // $ hasInsufficientKeySize
+            keyGen4.init(size2); // $ Alert
 
             /* Test variables passed to another method */
             KeyGenerator keyGen5 = KeyGenerator.getInstance("AES"); // MISSING: test KeyGenerator variable as argument
             testSymmetricVariable(size2, keyGen5); // test with variable as key size
-            testSymmetricInt(64); // test with int literal as key size
+            testSymmetricInt(64); // $ Source // test with int literal as key size
 
             /* Test with variable as algo name argument in `getInstance` method. */
             final String algoName1 = "AES"; // compile-time constant
             KeyGenerator keyGen6 = KeyGenerator.getInstance(algoName1);
-            keyGen6.init(64); // $ hasInsufficientKeySize
+            keyGen6.init(64); // $ Alert
 
             String algoName2 = "AES"; // not a compile-time constant
             KeyGenerator keyGen7 = KeyGenerator.getInstance(algoName2);
@@ -48,42 +48,42 @@ public class InsufficientKeySizeTest {
         {
             /* Test with keysize as int */
             KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
-            keyPairGen1.initialize(1024); // $ hasInsufficientKeySize
+            keyPairGen1.initialize(1024); // $ Alert
 
             KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("RSA");
             keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
 
             /* Test spec */
             KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("RSA");
-            RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ hasInsufficientKeySize
+            RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ Alert
             keyPairGen3.initialize(rsaSpec);
 
             KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
-            keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ hasInsufficientKeySize
+            keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ Alert
 
             /* Test with local variable as keysize */
-            final int size1 = 1024; // compile-time constant
-            int size2 = 1024;       // not a compile-time constant
+            final int size1 = 1024; // $ Source // compile-time constant
+            int size2 = 1024;       // $ Source // not a compile-time constant
 
             KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("RSA");
-            keyPairGen5.initialize(size1); // $ hasInsufficientKeySize
+            keyPairGen5.initialize(size1); // $ Alert
 
             KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("RSA");
-            keyPairGen6.initialize(size2); // $ hasInsufficientKeySize
+            keyPairGen6.initialize(size2); // $ Alert
 
             /* Test variables passed to another method */
             KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("RSA"); // MISSING: test KeyGenerator variable as argument
             testAsymmetricNonEcVariable(size2, keyPairGen7); // test with variable as key size
-            testAsymmetricNonEcInt(1024); // test with int literal as key size
+            testAsymmetricNonEcInt(1024); // $ Source // test with int literal as key size
 
             /* Test getting key size as return value of another method */
             KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("RSA");
-            keyPairGen8.initialize(getRSAKeySize()); // $ hasInsufficientKeySize
+            keyPairGen8.initialize(getRSAKeySize()); // $ Alert
 
             /* Test with variable as algo name argument in `getInstance` method. */
             final String algoName1 = "RSA"; // compile-time constant
             KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance(algoName1);
-            keyPairGen9.initialize(1024); // $ hasInsufficientKeySize
+            keyPairGen9.initialize(1024); // $ Alert
 
             String algoName2 = "RSA"; // not a compile-time constant
             KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance(algoName2);
@@ -94,27 +94,27 @@ public class InsufficientKeySizeTest {
         {
             /* Test with keysize as int */
             KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("DSA");
-            keyPairGen1.initialize(1024); // $ hasInsufficientKeySize
+            keyPairGen1.initialize(1024); // $ Alert
 
             KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
             keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
 
             /* Test spec */
             KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DSA");
-            DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ hasInsufficientKeySize
+            DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ Alert
             keyPairGen3.initialize(dsaSpec);
 
             KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
-            keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
+            keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ Alert
 
             /* Test `AlgorithmParameterGenerator` */
             AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DSA");
-            paramGen.init(1024); // $ hasInsufficientKeySize
+            paramGen.init(1024); // $ Alert
 
             /* Test with variable as algo name argument in `getInstance` method. */
             final String algoName1 = "DSA"; // compile-time constant
             AlgorithmParameterGenerator paramGen1 = AlgorithmParameterGenerator.getInstance(algoName1);
-            paramGen1.init(1024); // $ hasInsufficientKeySize
+            paramGen1.init(1024); // $ Alert
 
             String algoName2 = "DSA"; // not a compile-time constant
             AlgorithmParameterGenerator paramGen2 = AlgorithmParameterGenerator.getInstance(algoName2);
@@ -125,52 +125,52 @@ public class InsufficientKeySizeTest {
         {
             /* Test with keysize as int */
             KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("dh");
-            keyPairGen1.initialize(1024); // $ hasInsufficientKeySize
+            keyPairGen1.initialize(1024); // $ Alert
 
             KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DH");
             keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
 
             /* Test spec */
             KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
-            DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ hasInsufficientKeySize
+            DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ Alert
             keyPairGen3.initialize(dhSpec);
 
             KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH");
-            keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
+            keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ Alert
 
             /* Test `AlgorithmParameterGenerator` */
             AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DH");
-            paramGen.init(1024); // $ hasInsufficientKeySize
+            paramGen.init(1024); // $ Alert
         }
 
         // EC (Asymmetric): minimum recommended key size is 256
         {
             /* Test with keysize as int */
             KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("EC");
-            keyPairGen1.initialize(128); // $ hasInsufficientKeySize
+            keyPairGen1.initialize(128); // $ Alert
 
             /* Test with keysize as curve name in spec */
             KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ Alert
             keyPairGen2.initialize(ecSpec1);
 
             KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("EC");
-            keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ hasInsufficientKeySize
+            keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ Alert
 
             KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC");
             ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1"); // Safe: Key size is no less than 256
             keyPairGen4.initialize(ecSpec2);
 
             KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ Alert
             keyPairGen5.initialize(ecSpec3);
 
             KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ Alert
             keyPairGen6.initialize(ecSpec4);
 
             KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ Alert
             keyPairGen7.initialize(ecSpec5);
 
             KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC");
@@ -178,7 +178,7 @@ public class InsufficientKeySizeTest {
             keyPairGen8.initialize(ecSpec6);
 
             KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ Alert
             keyPairGen9.initialize(ecSpec7);
 
             KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC");
@@ -186,7 +186,7 @@ public class InsufficientKeySizeTest {
             keyPairGen10.initialize(ecSpec8);
 
             KeyPairGenerator keyPairGen14 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ Alert
             keyPairGen14.initialize(ecSpec9);
 
             KeyPairGenerator keyPairGen15 = KeyPairGenerator.getInstance("EC");
@@ -194,46 +194,46 @@ public class InsufficientKeySizeTest {
             keyPairGen15.initialize(ecSpec10); // Safe: Key size is no less than 256
 
             /* Test variables passed to another method */
-            ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ Alert
             testAsymmetricEcSpecVariable(ecSpec); // test spec as an argument
-            int size = 128;
+            int size = 128; // $ Source
             KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); // MISSING: test KeyGenerator variable as argument
             testAsymmetricEcIntVariable(size, keyPairGen); // test with variable as key size
-            testAsymmetricEcIntLiteral(128); // test with int literal as key size
+            testAsymmetricEcIntLiteral(128); // $ Source // test with int literal as key size
 
             /* Test with variable as curve name argument in `ECGenParameterSpec` constructor. */
-            final String curveName1 = "secp112r1"; // compile-time constant
+            final String curveName1 = "secp112r1"; // $ Source // compile-time constant
             KeyPairGenerator keyPairGen16 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ Alert
             keyPairGen16.initialize(ecSpec11);
 
-            String curveName2 = "secp112r1"; // not a compile-time constant
+            String curveName2 = "secp112r1"; // $ Source // not a compile-time constant
             KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ hasInsufficientKeySize
+            ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ Alert
             keyPairGen17.initialize(ecSpec12);
         }
     }
 
     public static void testSymmetricVariable(int keySize, KeyGenerator kg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyGenerator keyGen = KeyGenerator.getInstance("AES");
-        keyGen.init(keySize); // $ hasInsufficientKeySize
+        keyGen.init(keySize); // $ Alert
         kg.init(64); // $ MISSING: hasInsufficientKeySize
     }
 
     public static void testSymmetricInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyGenerator keyGen = KeyGenerator.getInstance("AES");
-        keyGen.init(keySize); // $ hasInsufficientKeySize
+        keyGen.init(keySize); // $ Alert
     }
 
     public static void testAsymmetricNonEcVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
-        keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
+        keyPairGen.initialize(keySize); // $ Alert
         kpg.initialize(1024); // $ MISSING: hasInsufficientKeySize
     }
 
     public static void testAsymmetricNonEcInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
-        keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
+        keyPairGen.initialize(keySize); // $ Alert
     }
 
     public static void testAsymmetricEcSpecVariable(ECGenParameterSpec spec) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
@@ -243,14 +243,14 @@ public class InsufficientKeySizeTest {
 
     public static void testAsymmetricEcIntVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
-        keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
+        keyPairGen.initialize(keySize); // $ Alert
         kpg.initialize(128); // $ MISSING: hasInsufficientKeySize
     }
 
     public static void testAsymmetricEcIntLiteral(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
-        keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
+        keyPairGen.initialize(keySize); // $ Alert
     }
 
-    public int getRSAKeySize(){ return 1024; }
+    public int getRSAKeySize(){ return 1024; } // $ Source
 }

java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql

@@ -1,18 +0,0 @@
-import java
-import utils.test.InlineExpectationsTest
-import semmle.code.java.security.InsufficientKeySizeQuery
-
-module InsufficientKeySizeTest implements TestSig {
-  string getARelevantTag() { result = "hasInsufficientKeySize" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasInsufficientKeySize" and
-    exists(KeySizeFlow::PathNode sink | KeySizeFlow::flowPath(_, sink) |
-      sink.getNode().getLocation() = location and
-      element = sink.getNode().toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<InsufficientKeySizeTest>

java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-326/InsufficientKeySize.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-330/InsecureRandomCookies.java

@@ -16,28 +16,28 @@ public class InsecureRandomCookies extends HttpServlet {
     public void doGet() {
         Random r = new Random();
 
-        int c = r.nextInt();
+        int c = r.nextInt(); // $ Source
         // BAD: The cookie value may be predictable.
-        Cookie cookie = new Cookie("name", Integer.toString(c)); // $hasWeakRandomFlow
-        cookie.setValue(Integer.toString(c)); // $hasWeakRandomFlow
+        Cookie cookie = new Cookie("name", Integer.toString(c)); // $ Alert
+        cookie.setValue(Integer.toString(c)); // $ Alert
 
         io.netty.handler.codec.http.Cookie nettyCookie =
-                new io.netty.handler.codec.http.DefaultCookie("name", Integer.toString(c)); // $hasWeakRandomFlow
-        nettyCookie.setValue(Integer.toString(c)); // $hasWeakRandomFlow
+                new io.netty.handler.codec.http.DefaultCookie("name", Integer.toString(c)); // $ Alert
+        nettyCookie.setValue(Integer.toString(c)); // $ Alert
         io.netty.handler.codec.http.cookie.Cookie nettyCookie2 =
-                new io.netty.handler.codec.http.cookie.DefaultCookie("name", Integer.toString(c)); // $hasWeakRandomFlow
-        nettyCookie2.setValue(Integer.toString(c)); // $hasWeakRandomFlow
+                new io.netty.handler.codec.http.cookie.DefaultCookie("name", Integer.toString(c)); // $ Alert
+        nettyCookie2.setValue(Integer.toString(c)); // $ Alert
 
         Encoder enc = null;
-        int c2 = r.nextInt();
+        int c2 = r.nextInt(); // $ Source
         String value = enc.encodeForHTML(Integer.toString(c2));
         // BAD: The cookie value may be predictable.
-        Cookie cookie2 = new Cookie("name", value); // $hasWeakRandomFlow
+        Cookie cookie2 = new Cookie("name", value); // $ Alert
 
         byte[] bytes = new byte[16];
-        r.nextBytes(bytes);
+        r.nextBytes(bytes); // $ Source
         // BAD: The cookie value may be predictable.
-        Cookie cookie3 = new Cookie("name", new String(bytes)); // $hasWeakRandomFlow
+        Cookie cookie3 = new Cookie("name", new String(bytes)); // $ Alert
 
         SecureRandom sr = new SecureRandom();
 
@@ -48,22 +48,22 @@ public class InsecureRandomCookies extends HttpServlet {
 
         ThreadLocalRandom tlr = ThreadLocalRandom.current();
 
-        Cookie cookie5 = new Cookie("name", Integer.toString(tlr.nextInt())); // $hasWeakRandomFlow
+        Cookie cookie5 = new Cookie("name", Integer.toString(tlr.nextInt())); // $ Alert
 
-        Cookie cookie6 = new Cookie("name", RandomStringUtils.random(10)); // $hasWeakRandomFlow
+        Cookie cookie6 = new Cookie("name", RandomStringUtils.random(10)); // $ Alert
 
-        Cookie cookie7 = new Cookie("name", RandomStringUtils.randomAscii(10)); // $hasWeakRandomFlow
+        Cookie cookie7 = new Cookie("name", RandomStringUtils.randomAscii(10)); // $ Alert
 
-        long c3 = r.nextLong();
+        long c3 = r.nextLong(); // $ Source
         // BAD: The cookie value may be predictable.
-        Cookie cookie8 = new Cookie("name", Long.toString(c3 * 5)); // $hasWeakRandomFlow
+        Cookie cookie8 = new Cookie("name", Long.toString(c3 * 5)); // $ Alert
 
-        double c4 = Math.random();
+        double c4 = Math.random(); // $ Source
         // BAD: The cookie value may be predictable.
-        Cookie cookie9 = new Cookie("name", Double.toString(c4)); // $hasWeakRandomFlow
+        Cookie cookie9 = new Cookie("name", Double.toString(c4)); // $ Alert
 
-        double c5 = Math.random();
+        double c5 = Math.random(); // $ Source
         // BAD: The cookie value may be predictable.
-        Cookie cookie10 = new Cookie("name", Double.toString(++c5)); // $hasWeakRandomFlow
+        Cookie cookie10 = new Cookie("name", Double.toString(++c5)); // $ Alert
     }
 }

java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.expected

@@ -0,0 +1,69 @@
+#select
+| InsecureRandomCookies.java:21:44:21:62 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:21:44:21:62 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:22:25:22:43 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:22:25:22:43 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:25:71:25:89 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:25:71:25:89 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:26:30:26:48 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:26:30:26:48 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:28:78:28:96 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:28:78:28:96 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:29:31:29:49 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:29:31:29:49 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:35:45:35:49 | value | InsecureRandomCookies.java:32:18:32:28 | nextInt(...) : Number | InsecureRandomCookies.java:35:45:35:49 | value | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:32:18:32:28 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:40:45:40:61 | new String(...) | InsecureRandomCookies.java:38:21:38:25 | bytes : byte[] | InsecureRandomCookies.java:40:45:40:61 | new String(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:38:21:38:25 | bytes | Insecure randomness source. |
+| InsecureRandomCookies.java:51:45:51:75 | toString(...) | InsecureRandomCookies.java:51:62:51:74 | nextInt(...) : Number | InsecureRandomCookies.java:51:45:51:75 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:51:62:51:74 | nextInt(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:53:45:53:72 | random(...) | InsecureRandomCookies.java:53:45:53:72 | random(...) | InsecureRandomCookies.java:53:45:53:72 | random(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:53:45:53:72 | random(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:59:45:59:65 | toString(...) | InsecureRandomCookies.java:57:19:57:30 | nextLong(...) : Number | InsecureRandomCookies.java:59:45:59:65 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:57:19:57:30 | nextLong(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:63:45:63:63 | toString(...) | InsecureRandomCookies.java:61:21:61:33 | random(...) : Number | InsecureRandomCookies.java:63:45:63:63 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:61:21:61:33 | random(...) | Insecure randomness source. |
+| InsecureRandomCookies.java:67:46:67:66 | toString(...) | InsecureRandomCookies.java:65:21:65:33 | random(...) : Number | InsecureRandomCookies.java:67:46:67:66 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:65:21:65:33 | random(...) | Insecure randomness source. |
+edges
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:21:44:21:62 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:22:25:22:43 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:25:71:25:89 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:26:30:26:48 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:28:78:28:96 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:29:31:29:49 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:32:18:32:28 | nextInt(...) : Number | InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | InsecureRandomCookies.java:35:45:35:49 | value | provenance |  |
+| InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | provenance | Config |
+| InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | provenance | MaD:2 |
+| InsecureRandomCookies.java:38:21:38:25 | bytes : byte[] | InsecureRandomCookies.java:40:56:40:60 | bytes : byte[] | provenance |  |
+| InsecureRandomCookies.java:40:56:40:60 | bytes : byte[] | InsecureRandomCookies.java:40:45:40:61 | new String(...) | provenance | MaD:1 |
+| InsecureRandomCookies.java:51:62:51:74 | nextInt(...) : Number | InsecureRandomCookies.java:51:45:51:75 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:57:19:57:30 | nextLong(...) : Number | InsecureRandomCookies.java:59:59:59:60 | c3 : Number | provenance |  |
+| InsecureRandomCookies.java:59:59:59:60 | c3 : Number | InsecureRandomCookies.java:59:59:59:64 | ... * ... : Number | provenance | Config |
+| InsecureRandomCookies.java:59:59:59:64 | ... * ... : Number | InsecureRandomCookies.java:59:45:59:65 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:61:21:61:33 | random(...) : Number | InsecureRandomCookies.java:63:45:63:63 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:65:21:65:33 | random(...) : Number | InsecureRandomCookies.java:67:64:67:65 | c5 : Number | provenance |  |
+| InsecureRandomCookies.java:67:62:67:65 | ++... : Number | InsecureRandomCookies.java:67:46:67:66 | toString(...) | provenance | TaintPreservingCallable |
+| InsecureRandomCookies.java:67:64:67:65 | c5 : Number | InsecureRandomCookies.java:67:62:67:65 | ++... : Number | provenance | Config |
+models
+| 1 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
+| 2 | Summary: org.owasp.esapi; Encoder; true; encodeForHTML; (String); ; Argument[0]; ReturnValue; taint; manual |
+nodes
+| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
+| InsecureRandomCookies.java:21:44:21:62 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:22:25:22:43 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:25:71:25:89 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:26:30:26:48 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:28:78:28:96 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:29:31:29:49 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:32:18:32:28 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
+| InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | semmle.label | encodeForHTML(...) : String |
+| InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | semmle.label | toString(...) : String |
+| InsecureRandomCookies.java:35:45:35:49 | value | semmle.label | value |
+| InsecureRandomCookies.java:38:21:38:25 | bytes : byte[] | semmle.label | bytes : byte[] |
+| InsecureRandomCookies.java:40:45:40:61 | new String(...) | semmle.label | new String(...) |
+| InsecureRandomCookies.java:40:56:40:60 | bytes : byte[] | semmle.label | bytes : byte[] |
+| InsecureRandomCookies.java:51:45:51:75 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:51:62:51:74 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
+| InsecureRandomCookies.java:53:45:53:72 | random(...) | semmle.label | random(...) |
+| InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | semmle.label | randomAscii(...) |
+| InsecureRandomCookies.java:57:19:57:30 | nextLong(...) : Number | semmle.label | nextLong(...) : Number |
+| InsecureRandomCookies.java:59:45:59:65 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:59:59:59:60 | c3 : Number | semmle.label | c3 : Number |
+| InsecureRandomCookies.java:59:59:59:64 | ... * ... : Number | semmle.label | ... * ... : Number |
+| InsecureRandomCookies.java:61:21:61:33 | random(...) : Number | semmle.label | random(...) : Number |
+| InsecureRandomCookies.java:63:45:63:63 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:65:21:65:33 | random(...) : Number | semmle.label | random(...) : Number |
+| InsecureRandomCookies.java:67:46:67:66 | toString(...) | semmle.label | toString(...) |
+| InsecureRandomCookies.java:67:62:67:65 | ++... : Number | semmle.label | ++... : Number |
+| InsecureRandomCookies.java:67:64:67:65 | c5 : Number | semmle.label | c5 : Number |
+subpaths

java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.ql

@@ -1,19 +0,0 @@
-import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.security.InsecureRandomnessQuery
-import utils.test.InlineExpectationsTest
-
-module WeakRandomTest implements TestSig {
-  string getARelevantTag() { result = "hasWeakRandomFlow" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasWeakRandomFlow" and
-    exists(DataFlow::Node sink | InsecureRandomnessFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<WeakRandomTest>

java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-330/InsecureRandomness.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected

@@ -0,0 +1,55 @@
+#select
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | JWT signing key |
+edges
+| MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | provenance | Config |
+| MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | provenance |  |
+| MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | provenance |  |
+| MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | provenance | Config |
+| MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | provenance | Config |
+nodes
+| MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | semmle.label | setSigningKey(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder |
+| MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | semmle.label | build(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | semmle.label | setSigningKey(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | semmle.label | getASignedParser(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | semmle.label | parser1 : JwtParser |
+| MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | semmle.label | parser1 : JwtParser |
+| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | semmle.label | getASignedParserFromParserBuilder(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | semmle.label | parser2 : JwtParser |
+| MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | semmle.label | parser2 : JwtParser |
+| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | semmle.label | getASignedNewParser(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | semmle.label | parser3 : JwtParser |
+| MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | semmle.label | parser3 : JwtParser |
+| MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | semmle.label | parser : JwtParser |
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | semmle.label | parser |
+| MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | semmle.label | parser : JwtParser |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | semmle.label | parser |
+| MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder |
+| MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | semmle.label | build(...) |
+| MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder |
+| MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | semmle.label | build(...) |
+| MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | semmle.label | setSigningKey(...) |
+subpaths

java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java

@@ -10,15 +10,15 @@ import io.jsonwebtoken.impl.DefaultJwtParserBuilder;
 public class MissingJWTSignatureCheckTest {
 
     private JwtParser getASignedParser() {
-        return Jwts.parser().setSigningKey("someBase64EncodedKey");
+        return Jwts.parser().setSigningKey("someBase64EncodedKey"); // $ Source
     }
 
     private JwtParser getASignedParserFromParserBuilder() {
-        return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build();
+        return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build(); // $ Source
     }
 
     private JwtParser getASignedNewParser() {
-        return new DefaultJwtParser().setSigningKey("someBase64EncodedKey");
+        return new DefaultJwtParser().setSigningKey("someBase64EncodedKey"); // $ Source
     }
 
     private void callSignedParsers() {
@@ -80,11 +80,11 @@ public class MissingJWTSignatureCheckTest {
     }
 
     private void badJwtOnParserBuilder(JwtParser parser, String token) {
-        parser.parse(token); // $hasMissingJwtSignatureCheck
+        parser.parse(token); // $ Alert
     }
 
     private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
-        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck
+        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $ Alert
             @Override
             public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
                 return jwt;
@@ -107,15 +107,15 @@ public class MissingJWTSignatureCheckTest {
     }
 
     private void badJwtOnParserBuilder(String token) {
-        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
+        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert
     }
 
     private void badJwtOnDefaultParserBuilder(String token) {
-        new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
+        new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert
     }
 
     private void badJwtHandlerOnParser(String token) {
-        Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
+        Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $ Alert
                 new JwtHandlerAdapter<Jwt<Header, String>>() {
                     @Override
                     public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {

java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql

@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.security.MissingJWTSignatureCheckQuery
-import utils.test.InlineExpectationsTest
-
-module HasMissingJwtSignatureCheckTest implements TestSig {
-  string getARelevantTag() { result = "hasMissingJwtSignatureCheck" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasMissingJwtSignatureCheck" and
-    exists(DataFlow::Node sink | MissingJwtSignatureCheckFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
-
-import MakeTest<HasMissingJwtSignatureCheckTest>

java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-441/Test.java

@@ -29,23 +29,23 @@ public class Test extends Activity {
     public void onCreate() {
         {
             ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
-            contentResolver.openOutputStream(uri); // $ hasTaintFlow
-            contentResolver.openAssetFile(uri, null, null); // $ hasTaintFlow
-            contentResolver.openAssetFileDescriptor(uri, null); // $ hasTaintFlow
-            contentResolver.openFile(uri, null, null); // $ hasTaintFlow
-            contentResolver.openFileDescriptor(uri, null); // $ hasTaintFlow
-            contentResolver.openTypedAssetFile(uri, null, null, null); // $ hasTaintFlow
-            contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ hasTaintFlow
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
+            contentResolver.openInputStream(uri); // $ Alert
+            contentResolver.openOutputStream(uri); // $ Alert
+            contentResolver.openAssetFile(uri, null, null); // $ Alert
+            contentResolver.openAssetFileDescriptor(uri, null); // $ Alert
+            contentResolver.openFile(uri, null, null); // $ Alert
+            contentResolver.openFileDescriptor(uri, null); // $ Alert
+            contentResolver.openTypedAssetFile(uri, null, null, null); // $ Alert
+            contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ Alert
         }
         {
             ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
             String path = uri.getPath();
             if (path.startsWith("/data"))
                 throw new SecurityException();
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openInputStream(uri); // $ Alert
         }
         // Equals checks
         {
@@ -64,11 +64,11 @@ public class Test extends Activity {
         // Allow list checks
         {
             ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
             String path = uri.getPath();
             if (!path.startsWith("/safe/path"))
                 throw new SecurityException();
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openInputStream(uri); // $ Alert
         }
         {
             ContentResolver contentResolver = getContentResolver();
@@ -89,11 +89,11 @@ public class Test extends Activity {
         // Block list checks
         {
             ContentResolver contentResolver = getContentResolver();
-            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source
             String path = uri.getPath();
             if (path.startsWith("/data"))
                 throw new SecurityException();
-            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openInputStream(uri); // $ Alert
         }
         {
             ContentResolver contentResolver = getContentResolver();

java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected

@@ -0,0 +1,59 @@
+#select
+| Test.java:33:45:33:47 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:33:45:33:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:34:46:34:48 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:34:46:34:48 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:35:43:35:45 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:35:43:35:45 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:36:53:36:55 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:36:53:36:55 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:37:38:37:40 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:37:38:37:40 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:38:48:38:50 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:38:48:38:50 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:39:48:39:50 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:39:48:39:50 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:40:58:40:60 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:40:58:40:60 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value |
+| Test.java:48:45:48:47 | uri | Test.java:44:29:44:39 | getIntent(...) : Intent | Test.java:48:45:48:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:44:29:44:39 | getIntent(...) | user-provided value |
+| Test.java:71:45:71:47 | uri | Test.java:67:29:67:39 | getIntent(...) : Intent | Test.java:71:45:71:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:67:29:67:39 | getIntent(...) | user-provided value |
+| Test.java:96:45:96:47 | uri | Test.java:92:29:92:39 | getIntent(...) : Intent | Test.java:96:45:96:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:92:29:92:39 | getIntent(...) | user-provided value |
+edges
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:33:45:33:47 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:34:46:34:48 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:35:43:35:45 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:36:53:36:55 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:37:38:37:40 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:38:48:38:50 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:39:48:39:50 | uri | provenance |  |
+| Test.java:32:23:32:71 | (...)... : Uri | Test.java:40:58:40:60 | uri | provenance |  |
+| Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | Test.java:32:23:32:71 | (...)... : Uri | provenance |  |
+| Test.java:44:23:44:71 | (...)... : Uri | Test.java:48:45:48:47 | uri | provenance |  |
+| Test.java:44:29:44:39 | getIntent(...) : Intent | Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | Test.java:44:23:44:71 | (...)... : Uri | provenance |  |
+| Test.java:67:23:67:71 | (...)... : Uri | Test.java:71:45:71:47 | uri | provenance |  |
+| Test.java:67:29:67:39 | getIntent(...) : Intent | Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | Test.java:67:23:67:71 | (...)... : Uri | provenance |  |
+| Test.java:92:23:92:71 | (...)... : Uri | Test.java:96:45:96:47 | uri | provenance |  |
+| Test.java:92:29:92:39 | getIntent(...) : Intent | Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 |
+| Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | Test.java:92:23:92:71 | (...)... : Uri | provenance |  |
+models
+| 1 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
+nodes
+| Test.java:32:23:32:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:32:29:32:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:33:45:33:47 | uri | semmle.label | uri |
+| Test.java:34:46:34:48 | uri | semmle.label | uri |
+| Test.java:35:43:35:45 | uri | semmle.label | uri |
+| Test.java:36:53:36:55 | uri | semmle.label | uri |
+| Test.java:37:38:37:40 | uri | semmle.label | uri |
+| Test.java:38:48:38:50 | uri | semmle.label | uri |
+| Test.java:39:48:39:50 | uri | semmle.label | uri |
+| Test.java:40:58:40:60 | uri | semmle.label | uri |
+| Test.java:44:23:44:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:44:29:44:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:48:45:48:47 | uri | semmle.label | uri |
+| Test.java:67:23:67:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:67:29:67:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:71:45:71:47 | uri | semmle.label | uri |
+| Test.java:92:23:92:71 | (...)... : Uri | semmle.label | (...)... : Uri |
+| Test.java:92:29:92:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| Test.java:96:45:96:47 | uri | semmle.label | uri |
+subpaths

java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql

@@ -1,4 +0,0 @@
-import java
-import utils.test.InlineFlowTest
-import semmle.code.java.security.UnsafeContentUriResolutionQuery
-import TaintFlowTest<UnsafeContentResolutionConfig>