Add comments and update JavaDocs of GenericServlet using the source JAR

2026-04-30 03:05:15 +02:00 · 2020-10-30 17:05:53 +00:00
parent 93d1393ded
commit 67af9b0f3e
3 changed files with 110 additions and 109 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
@@ -1,11 +1,11 @@
 edges
-| UncaughtServletException.java:12:15:12:43 | getParameter(...) : String | UncaughtServletException.java:13:44:13:45 | ip |
-| UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) : String | UncaughtServletException.java:16:20:16:25 | userId |
+| UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip |
+| UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId |
 nodes
-| UncaughtServletException.java:12:15:12:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UncaughtServletException.java:13:44:13:45 | ip | semmle.label | ip |
-| UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
-| UncaughtServletException.java:16:20:16:25 | userId | semmle.label | userId |
+| UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException.java:14:44:14:45 | ip | semmle.label | ip |
+| UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
+| UncaughtServletException.java:17:20:17:25 | userId | semmle.label | userId |
 #select
-| UncaughtServletException.java:13:44:13:45 | ip | UncaughtServletException.java:12:15:12:43 | getParameter(...) : String | UncaughtServletException.java:13:44:13:45 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:12:15:12:43 | getParameter(...) | User-provided value |
-| UncaughtServletException.java:16:20:16:25 | userId | UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) : String | UncaughtServletException.java:16:20:16:25 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) | User-provided value |
+| UncaughtServletException.java:14:44:14:45 | ip | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:13:15:13:43 | getParameter(...) | User-provided value |
+| UncaughtServletException.java:17:20:17:25 | userId | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) | User-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java
@@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.ServletException;

 class UncaughtServletException extends HttpServlet {
+	// BAD - Tests `doGet` without catching exceptions
 	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
 		String ip = request.getParameter("srcIP");
 		InetAddress addr = InetAddress.getByName(ip); // BAD: getByName(String) throws UnknownHostException
@@ -16,6 +17,7 @@ class UncaughtServletException extends HttpServlet {
 		Integer.parseInt(userId); //BAD: Integer.parse(String) throws RuntimeException
 	}

+	// GOOD - Tests `doPost` with catching exceptions
 	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
 		try {
 			String ip = request.getParameter("srcIP");
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/GenericServlet.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/GenericServlet.java
@@ -25,193 +25,192 @@ package javax.servlet;

 import java.io.IOException;
 import java.util.Enumeration;
-import java.util.ResourceBundle;

+/**
+ *
+ * Defines a generic, protocol-independent
+ * servlet. To write an HTTP servlet for use on the
+ * Web, extend {@link javax.servlet.http.HttpServlet} instead.
+ *
+ * <p><code>GenericServlet</code> implements the <code>Servlet</code>
+ * and <code>ServletConfig</code> interfaces. <code>GenericServlet</code>
+ * may be directly extended by a servlet, although it's more common to extend
+ * a protocol-specific subclass such as <code>HttpServlet</code>.
+ *
+ * <p><code>GenericServlet</code> makes writing servlets
+ * easier. It provides simple versions of the lifecycle methods
+ * <code>init</code> and <code>destroy</code> and of the methods
+ * in the <code>ServletConfig</code> interface. <code>GenericServlet</code>
+ * also implements the <code>log</code> method, declared in the
+ * <code>ServletContext</code> interface.
+ *
+ * <p>To write a generic servlet, you need only
+ * override the abstract <code>service</code> method.
+ *
+ * @version $Rev: 46019 $ $Date: 2004-09-14 04:56:06 -0500 (Tue, 14 Sep 2004) $
+ */
 public abstract class GenericServlet implements Servlet, ServletConfig, java.io.Serializable {
+
    /**
-     *
-     * Does nothing. All of the servlet initialization is done by one of the
-     * <code>init</code> methods.
-     *
+     * Does nothing. All of the servlet initialization
+     * is done by one of the <code>init</code> methods.
     */
    public GenericServlet() {
    }

    /**
-     * Called by the servlet container to indicate to a servlet that the servlet is
-     * being taken out of service. See {@link Servlet#destroy}.
-     *
-     * 
+     * Called by the servlet container to indicate to a servlet that the
+     * servlet is being taken out of service.  See {@link Servlet#destroy}.
     */
    public void destroy() {
    }

    /**
     * Returns a <code>String</code> containing the value of the named
-     * initialization parameter, or <code>null</code> if the parameter does not
-     * exist. See {@link ServletConfig#getInitParameter}.
+     * initialization parameter, or <code>null</code> if the parameter does
+     * not exist.  See {@link ServletConfig#getInitParameter}.
     *
-     * <p>
-     * This method is supplied for convenience. It gets the value of the named
-     * parameter from the servlet's <code>ServletConfig</code> object.
+     * <p>This method is supplied for convenience. It gets the
+     * value of the named parameter from the servlet's
+     * <code>ServletConfig</code> object.
     *
-     * @param name a <code>String</code> specifying the name of the initialization
-     *             parameter
-     *
-     * @return String a <code>String</code> containing the value of the
-     *         initialization parameter
+     * @param name a <code>String</code> specifying the name
+     * of the initialization parameter
     *
+     * @return String a <code>String</code> containing the value
+     * of the initalization parameter
     */
    public String getInitParameter(String name) {
        return null;
    }

    /**
-     * Returns the names of the servlet's initialization parameters as an
-     * <code>Enumeration</code> of <code>String</code> objects, or an empty
-     * <code>Enumeration</code> if the servlet has no initialization parameters. See
-     * {@link ServletConfig#getInitParameterNames}.
+     * Returns the names of the servlet's initialization parameters
+     * as an <code>Enumeration</code> of <code>String</code> objects,
+     * or an empty <code>Enumeration</code> if the servlet has no
+     * initialization parameters.  See {@link
+     * ServletConfig#getInitParameterNames}.
     *
-     * <p>
-     * This method is supplied for convenience. It gets the parameter names from the
-     * servlet's <code>ServletConfig</code> object.
+     * <p>This method is supplied for convenience. It gets the
+     * parameter names from the servlet's <code>ServletConfig</code> object.
     *
     *
-     * @return Enumeration an enumeration of <code>String</code> objects containing
-     *         the names of the servlet's initialization parameters
+     * @return Enumeration an enumeration of <code>String</code>
+     * objects containing the names of the servlet's initialization parameters
     */
-    public Enumeration<String> getInitParameterNames() {
+    public Enumeration getInitParameterNames() {
        return null;
    }

    /**
     * Returns this servlet's {@link ServletConfig} object.
     *
-     * @return ServletConfig the <code>ServletConfig</code> object that initialized
-     *         this servlet
+     * @return ServletConfig the <code>ServletConfig</code> object
+     * that initialized this servlet
     */
    public ServletConfig getServletConfig() {
        return null;
    }

+
    /**
-     * Returns a reference to the {@link ServletContext} in which this servlet is
-     * running. See {@link ServletConfig#getServletContext}.
+     * Returns a reference to the {@link ServletContext} in which this servlet
+     * is running.  See {@link ServletConfig#getServletContext}.
     *
-     * <p>
-     * This method is supplied for convenience. It gets the context from the
-     * servlet's <code>ServletConfig</code> object.
+     * <p>This method is supplied for convenience. It gets the
+     * context from the servlet's <code>ServletConfig</code> object.
     *
     *
-     * @return ServletContext the <code>ServletContext</code> object passed to this
-     *         servlet by the <code>init</code> method
+     * @return ServletContext the <code>ServletContext</code> object
+     * passed to this servlet by the <code>init</code> method
     */
    public ServletContext getServletContext() {
        return null;
    }

+
    /**
-     * Returns information about the servlet, such as author, version, and
-     * copyright. By default, this method returns an empty string. Override this
-     * method to have it return a meaningful value. See
-     * {@link Servlet#getServletInfo}.
+     * Returns information about the servlet, such as
+     * author, version, and copyright.
+     * By default, this method returns an empty string.  Override this method
+     * to have it return a meaningful value.  See {@link
+     * Servlet#getServletInfo}.
     *
     *
-     * @return String information about this servlet, by default an empty string
+     * @return String information about this servlet, by default an
+     * empty string
     */
    public String getServletInfo() {
        return null;
    }

+
    /**
-     * Called by the servlet container to indicate to a servlet that the servlet is
-     * being placed into service. See {@link Servlet#init}.
+     * Called by the servlet container to indicate to a servlet that the
+     * servlet is being placed into service.  See {@link Servlet#init}.
     *
-     * <p>
-     * This implementation stores the {@link ServletConfig} object it receives from
-     * the servlet container for later use. When overriding this form of the method,
-     * call <code>super.init(config)</code>.
+     * <p>This implementation stores the {@link ServletConfig}
+     * object it receives from the servlet container for later use.
+     * When overriding this form of the method, call
+     * <code>super.init(config)</code>.
     *
-     * @param config the <code>ServletConfig</code> object that contains
-     *               configuration information for this servlet
+     * @param config the <code>ServletConfig</code> object
+     * that contains configutation information for this servlet
+     *
+     * @exception ServletException if an exception occurs that
+     * interrupts the servlet's normal operation
     *
-     * @exception ServletException if an exception occurs that interrupts the
-     *                             servlet's normal operation
-     * 
     * @see UnavailableException
     */
    public void init(ServletConfig config) throws ServletException {
    }

+
    /**
-     * A convenience method which can be overridden so that there's no need to call
-     * <code>super.init(config)</code>.
+     * A convenience method which can be overridden so that there's no need
+     * to call <code>super.init(config)</code>.
     *
-     * <p>
-     * Instead of overriding {@link #init(ServletConfig)}, simply override this
-     * method and it will be called by
-     * <code>GenericServlet.init(ServletConfig config)</code>. The
-     * <code>ServletConfig</code> object can still be retrieved via
-     * {@link #getServletConfig}.
+     * <p>Instead of overriding {@link #init(ServletConfig)}, simply override
+     * this method and it will be called by
+     * <code>GenericServlet.init(ServletConfig config)</code>.
+     * The <code>ServletConfig</code> object can still be retrieved via {@link
+     * #getServletConfig}.
     *
-     * @exception ServletException if an exception occurs that interrupts the
-     *                             servlet's normal operation
+     * @exception ServletException if an exception occurs that
+     * interrupts the servlet's normal operation
     */
    public void init() throws ServletException {
    }

-    /**
-     * Writes the specified message to a servlet log file, prepended by the
-     * servlet's name. See {@link ServletContext#log(String)}.
-     *
-     * @param msg a <code>String</code> specifying the message to be written to the
-     *            log file
-     */
-    public void log(String msg) {
-    }

    /**
-     * Writes an explanatory message and a stack trace for a given
-     * <code>Throwable</code> exception to the servlet log file, prepended by the
-     * servlet's name. See {@link ServletContext#log(String, Throwable)}.
+     * Called by the servlet container to allow the servlet to respond to
+     * a request.  See {@link Servlet#service}.
     *
-     *
-     * @param message a <code>String</code> that describes the error or exception
-     *
-     * @param t       the <code>java.lang.Throwable</code> error or exception
-     */
-    public void log(String message, Throwable t) {
-    }
-
-    /**
-     * Called by the servlet container to allow the servlet to respond to a request.
-     * See {@link Servlet#service}.
-     * 
-     * <p>
-     * This method is declared abstract so subclasses, such as
+     * <p>This method is declared abstract so subclasses, such as
     * <code>HttpServlet</code>, must override it.
     *
-     * @param req the <code>ServletRequest</code> object that contains the client's
-     *            request
+     * @param req the <code>ServletRequest</code> object
+     * that contains the client's request
     *
-     * @param res the <code>ServletResponse</code> object that will contain the
-     *            servlet's response
+     * @param res the <code>ServletResponse</code> object
+     * that will contain the servlet's response
     *
-     * @exception ServletException if an exception occurs that interferes with the
-     *                             servlet's normal operation occurred
+     * @exception ServletException if an exception occurs that
+     * interferes with the servlet's normal operation occurred
     *
-     * @exception IOException      if an input or output exception occurs
+     * @exception IOException if an input or output
+     * exception occurs
     */
-
    public abstract void service(ServletRequest req, ServletResponse res) throws ServletException, IOException;

    /**
-     * Returns the name of this servlet instance. See
-     * {@link ServletConfig#getServletName}.
+     * Returns the name of this servlet instance.
+     * See {@link ServletConfig#getServletName}.
     *
     * @return the name of this servlet instance
     */
    public String getServletName() {
        return null;
    }
-}
+}