add test and stubs

java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java

@@ -0,0 +1,18 @@
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+
+public class InsecureBeanValidation implements ConstraintValidator<Override, String> {
+
+    @Override
+    public boolean isValid(String object, ConstraintValidatorContext constraintContext) {
+        String value = object + " is invalid";
+
+        // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`
+        constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();
+
+        // Good: Using message parameters
+        constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation();
+        
+        return true;
+    }
+}

java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-094/InsecureBeanValidation.ql

java/ql/test/query-tests/security/CWE-094/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final

java/ql/test/stubs/validation-api-2.0.1.Final/javax/validation/ClockProvider.java

@@ -0,0 +1,8 @@
+package javax.validation;
+
+import java.time.Clock;
+
+public interface ClockProvider {
+
+	Clock getClock();
+}

java/ql/test/stubs/validation-api-2.0.1.Final/javax/validation/ConstraintValidator.java

@@ -0,0 +1,8 @@
+package javax.validation;
+
+import java.lang.annotation.Annotation;
+
+public interface ConstraintValidator<A extends Annotation, T> {
+	default void initialize(A constraintAnnotation) {}
+	boolean isValid(T value, ConstraintValidatorContext context);
+}

java/ql/test/stubs/validation-api-2.0.1.Final/javax/validation/ConstraintValidatorContext.java

@@ -0,0 +1,212 @@
+package javax.validation;
+
+import java.time.Clock;
+
+public interface ConstraintValidatorContext {
+
+	
+	void disableDefaultConstraintViolation();
+
+	
+	String getDefaultConstraintMessageTemplate();
+
+	
+	ClockProvider getClockProvider();
+
+	
+	ConstraintViolationBuilder buildConstraintViolationWithTemplate(String messageTemplate);
+
+	
+	<T> T unwrap(Class<T> type);
+
+	
+	interface ConstraintViolationBuilder {
+
+		
+		NodeBuilderDefinedContext addNode(String name);
+
+		
+		NodeBuilderCustomizableContext addPropertyNode(String name);
+
+		
+		LeafNodeBuilderCustomizableContext addBeanNode();
+
+		
+		ContainerElementNodeBuilderCustomizableContext addContainerElementNode(String name,
+				Class<?> containerType, Integer typeArgumentIndex);
+
+		
+		NodeBuilderDefinedContext addParameterNode(int index);
+
+		
+		ConstraintValidatorContext addConstraintViolation();
+
+		
+		interface LeafNodeBuilderDefinedContext {
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface LeafNodeBuilderCustomizableContext {
+
+			
+			LeafNodeContextBuilder inIterable();
+
+			
+			LeafNodeBuilderCustomizableContext inContainer(Class<?> containerClass,
+														   Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface LeafNodeContextBuilder {
+
+			
+			LeafNodeBuilderDefinedContext atKey(Object key);
+
+			
+			LeafNodeBuilderDefinedContext atIndex(Integer index);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface NodeBuilderDefinedContext {
+
+			
+			NodeBuilderCustomizableContext addNode(String name);
+
+			
+			NodeBuilderCustomizableContext addPropertyNode(String name);
+
+			
+			LeafNodeBuilderCustomizableContext addBeanNode();
+
+			
+			ContainerElementNodeBuilderCustomizableContext addContainerElementNode(
+					String name, Class<?> containerType, Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface NodeBuilderCustomizableContext {
+
+			
+			NodeContextBuilder inIterable();
+
+			
+			NodeBuilderCustomizableContext inContainer(Class<?> containerClass,
+													   Integer typeArgumentIndex);
+
+			
+			NodeBuilderCustomizableContext addNode(String name);
+
+			
+			NodeBuilderCustomizableContext addPropertyNode(String name);
+
+			
+			LeafNodeBuilderCustomizableContext addBeanNode();
+
+			
+			ContainerElementNodeBuilderCustomizableContext addContainerElementNode(
+					String name, Class<?> containerType, Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface NodeContextBuilder {
+
+			
+			NodeBuilderDefinedContext atKey(Object key);
+
+			
+			NodeBuilderDefinedContext atIndex(Integer index);
+
+			
+			NodeBuilderCustomizableContext addNode(String name);
+
+			
+			NodeBuilderCustomizableContext addPropertyNode(String name);
+
+			
+			LeafNodeBuilderCustomizableContext addBeanNode();
+
+			
+			ContainerElementNodeBuilderCustomizableContext addContainerElementNode(
+					String name, Class<?> containerType, Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface ContainerElementNodeBuilderDefinedContext {
+
+			
+			NodeBuilderCustomizableContext addPropertyNode(String name);
+
+			
+			LeafNodeBuilderCustomizableContext addBeanNode();
+
+			
+			ContainerElementNodeBuilderCustomizableContext addContainerElementNode(
+					String name, Class<?> containerType, Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface ContainerElementNodeBuilderCustomizableContext {
+
+			
+			ContainerElementNodeContextBuilder inIterable();
+
+			
+			NodeBuilderCustomizableContext addPropertyNode(String name);
+
+			
+			LeafNodeBuilderCustomizableContext addBeanNode();
+
+			
+			ContainerElementNodeBuilderCustomizableContext addContainerElementNode(
+					String name, Class<?> containerType, Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+
+		
+		interface ContainerElementNodeContextBuilder {
+
+			
+			ContainerElementNodeBuilderDefinedContext atKey(Object key);
+
+			
+			ContainerElementNodeBuilderDefinedContext atIndex(Integer index);
+
+			
+			NodeBuilderCustomizableContext addPropertyNode(String name);
+
+			
+			LeafNodeBuilderCustomizableContext addBeanNode();
+
+			
+			ContainerElementNodeBuilderCustomizableContext addContainerElementNode(
+					String name, Class<?> containerType, Integer typeArgumentIndex);
+
+			
+			ConstraintValidatorContext addConstraintViolation();
+		}
+	}
+}
+