hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6478 from smowton/smowton/feature/jax-rs-request-filters

Browse Source 
Java: Add sources for Jax-RS filters
This commit is contained in:
Chris Smowton
2021-09-13 10:59:17 +01:00
committed by GitHub
parent c86311e879 95046b9bb1
commit 68ed3250e8
13 changed files with 1363 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/change-notes/2021-08-12-jax-rs-filter-sources.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Remote information sources relating to JAX-RS request filters are now recognised. This may lead to additional results from any query where a filter uses user-controlled data in a dangerous way.

506
java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
View File

@@ -340,13 +340,8 @@ private class JaxRSXssSink extends XssSink {
private class JaxRsUrlRedirectSink extends SinkModelCsv {
override predicate row(string row) {
row =
[
//`namespace; type; subtypes; name; signature; ext; input; kind`
"javax.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
"javax.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect",
"jakarta.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
"jakarta.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect"
]
["javax", "jakarta"] + ".ws.rs.core;Response;true;" + ["seeOther", "temporaryRedirect"] +
";;;Argument[0];url-redirect"
}
}
@@ -358,14 +353,8 @@ private class JaxRsUrlRedirectSink extends SinkModelCsv {
private class ResponseModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;Response;false;" + ["accepted", "fromResponse", "ok"] +
";;;Argument[0];ReturnValue;taint"
}
}
@@ -379,52 +368,19 @@ private class ResponseModel extends SummaryModelCsv {
private class ResponseBuilderModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint",
"javax.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value"
]
["javax", "jakarta"] + ".ws.rs.core;Response$ResponseBuilder;true;" +
[
"allow", "cacheControl", "contentLocation", "cookie", "encoding", "entity", "expires",
"header", "language", "lastModified", "link", "links", "location", "replaceAll", "status",
"tag", "type", "variant", "variants"
] + ";;;Argument[-1];ReturnValue;value"
or
row =
["javax", "jakarta"] + ".ws.rs.core;Response$ResponseBuilder;true;" +
[
"build;;;Argument[-1];ReturnValue;taint", "entity;;;Argument[0];Argument[-1];taint",
"clone;;;Argument[-1];ReturnValue;taint"
]
}
}
@@ -436,24 +392,11 @@ private class ResponseBuilderModel extends SummaryModelCsv {
private class HttpHeadersModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;HttpHeaders;true;" +
[
"getAcceptableLanguages", "getAcceptableMediaTypes", "getCookies", "getHeaderString",
"getLanguage", "getMediaType", "getRequestHeader", "getRequestHeaders"
] + ";;;Argument[-1];ReturnValue;taint"
}
}
@@ -463,28 +406,19 @@ private class HttpHeadersModel extends SummaryModelCsv {
private class MultivaluedMapModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
"javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value"
]
["javax", "jakarta"] + ".ws.rs.core;MultivaluedMap;true;" +
[
"add;;;Argument[0];MapKey of Argument[-1];value",
"add;;;Argument[1];Element of MapValue of Argument[-1];value",
"addAll;;;Argument[0];MapKey of Argument[-1];value",
"addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
"addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
"addFirst;;;Argument[0];MapKey of Argument[-1];value",
"addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
"getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
"putSingle;;;Argument[0];MapKey of Argument[-1];value",
"putSingle;;;Argument[1];Element of MapValue of Argument[-1];value"
]
}
}
@@ -494,12 +428,11 @@ private class MultivaluedMapModel extends SummaryModelCsv {
private class AbstractMultivaluedMapModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value",
"jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value"
]
["javax", "jakarta"] + ".ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;" +
[
"MapKey of Argument[0];MapKey of Argument[-1];value",
"MapValue of Argument[0];MapValue of Argument[-1];value"
]
}
}
@@ -509,16 +442,13 @@ private class AbstractMultivaluedMapModel extends SummaryModelCsv {
private class MultivaluedHashMapModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
"javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
"javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
"jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value"
]
["javax", "jakarta"] + ".ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;" +
[
"(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
"(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
"(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
"(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value"
]
}
}
@@ -528,12 +458,8 @@ private class MultivaluedHashMapModel extends SummaryModelCsv {
private class PathSegmentModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;PathSegment;true;" + ["getMatrixParameters", "getPath"] +
";;;Argument[-1];ReturnValue;taint"
}
}
@@ -543,18 +469,19 @@ private class PathSegmentModel extends SummaryModelCsv {
private class UriInfoModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;UriInfo;true;" +
[
"getAbsolutePath;;;Argument[-1];ReturnValue;taint",
"getAbsolutePathBuilder;;;Argument[-1];ReturnValue;taint",
"getPath;;;Argument[-1];ReturnValue;taint",
"getPathParameters;;;Argument[-1];ReturnValue;taint",
"getPathSegments;;;Argument[-1];ReturnValue;taint",
"getQueryParameters;;;Argument[-1];ReturnValue;taint",
"getRequestUri;;;Argument[-1];ReturnValue;taint",
"getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
"relativize;;;Argument[0];ReturnValue;taint", "resolve;;;Argument[-1];ReturnValue;taint",
"resolve;;;Argument[0];ReturnValue;taint"
]
}
}
@@ -564,24 +491,17 @@ private class UriInfoModel extends SummaryModelCsv {
private class CookieModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint",
"javax.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint",
"jakarta.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;Cookie;" +
[
"true;getDomain;;;Argument[-1];ReturnValue;taint",
"true;getName;;;Argument[-1];ReturnValue;taint",
"true;getPath;;;Argument[-1];ReturnValue;taint",
"true;getValue;;;Argument[-1];ReturnValue;taint",
"true;getVersion;;;Argument[-1];ReturnValue;taint",
"true;toString;;;Argument[-1];ReturnValue;taint",
"false;Cookie;;;Argument[0..4];Argument[-1];taint",
"false;valueOf;;;Argument[0];ReturnValue;taint"
]
}
}
@@ -591,20 +511,15 @@ private class CookieModel extends SummaryModelCsv {
private class NewCookieModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint",
"javax.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint",
"jakarta.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;NewCookie;" +
[
"true;getComment;;;Argument[-1];ReturnValue;taint",
"true;getExpiry;;;Argument[-1];ReturnValue;taint",
"true;getMaxAge;;;Argument[-1];ReturnValue;taint",
"true;toCookie;;;Argument[-1];ReturnValue;taint",
"false;NewCookie;;;Argument[0..9];Argument[-1];taint",
"false;valueOf;;;Argument[0];ReturnValue;taint"
]
}
}
@@ -614,20 +529,15 @@ private class NewCookieModel extends SummaryModelCsv {
private class FormModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint",
"javax.ws.rs.core;Form;false;Form;;;Element of MapValue of Argument[0];Argument[-1];taint",
"javax.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint",
"javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint",
"javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint",
"jakarta.ws.rs.core;Form;false;Form;;;Element of MapValue of Argument[0];Argument[-1];taint",
"jakarta.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint",
"jakarta.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint",
"jakarta.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value"
]
["javax", "jakarta"] + ".ws.rs.core;Form;" +
[
"false;Form;;;MapKey of Argument[0];Argument[-1];taint",
"false;Form;;;Element of MapValue of Argument[0];Argument[-1];taint",
"false;Form;;;Argument[0..1];Argument[-1];taint",
"true;asMap;;;Argument[-1];ReturnValue;taint",
"true;param;;;Argument[0..1];Argument[-1];taint",
"true;param;;;Argument[-1];ReturnValue;value"
]
}
}
@@ -637,12 +547,11 @@ private class FormModel extends SummaryModelCsv {
private class GenericEntityModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
"javax.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
"jakarta.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;GenericEntity;" +
[
"false;GenericEntity;;;Argument[0];Argument[-1];taint",
"true;getEntity;;;Argument[-1];ReturnValue;taint"
]
}
}
@@ -653,20 +562,15 @@ private class GenericEntityModel extends SummaryModelCsv {
private class MediaTypeModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
"javax.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
"jakarta.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint"
]
["javax", "jakarta"] + ".ws.rs.core;MediaType;" +
[
"false;MediaType;;;Argument[0..2];Argument[-1];taint",
"true;getParameters;;;Argument[-1];ReturnValue;taint",
"true;getSubtype;;;Argument[-1];ReturnValue;taint",
"true;getType;;;Argument[-1];ReturnValue;taint",
"false;valueOf;;;Argument[0];ReturnValue;taint",
"true;withCharset;;;Argument[-1];ReturnValue;taint"
]
}
}
@@ -676,136 +580,72 @@ private class MediaTypeModel extends SummaryModelCsv {
private class UriBuilderModel extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
"javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
"javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
"jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
"jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value"
]
["javax", "jakarta"] + ".ws.rs.core;UriBuilder;" +
[
"true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
"true;build;;;Argument[-1];ReturnValue;taint",
"true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
"true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
"true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
"true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
"true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
"true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
"true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
"true;buildFromMap;;;Argument[-1];ReturnValue;taint",
"true;clone;;;Argument[-1];ReturnValue;taint",
"true;fragment;;;Argument[0];ReturnValue;taint",
"true;fragment;;;Argument[-1];ReturnValue;value",
"false;fromLink;;;Argument[0];ReturnValue;taint",
"false;fromPath;;;Argument[0];ReturnValue;taint",
"false;fromUri;;;Argument[0];ReturnValue;taint",
"true;host;;;Argument[0];ReturnValue;taint", "true;host;;;Argument[-1];ReturnValue;value",
"true;matrixParam;;;Argument[0];ReturnValue;taint",
"true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"true;matrixParam;;;Argument[-1];ReturnValue;value",
"true;path;;;Argument[0..1];ReturnValue;taint",
"true;path;;;Argument[-1];ReturnValue;value",
"true;queryParam;;;Argument[0];ReturnValue;taint",
"true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"true;queryParam;;;Argument[-1];ReturnValue;value",
"true;replaceMatrix;;;Argument[0];ReturnValue;taint",
"true;replaceMatrix;;;Argument[-1];ReturnValue;value",
"true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
"true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
"true;replacePath;;;Argument[0];ReturnValue;taint",
"true;replacePath;;;Argument[-1];ReturnValue;value",
"true;replaceQuery;;;Argument[0];ReturnValue;taint",
"true;replaceQuery;;;Argument[-1];ReturnValue;value",
"true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
"true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
"true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
"true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
"true;resolveTemplate;;;Argument[-1];ReturnValue;value",
"true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
"true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
"true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
"true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
"true;resolveTemplates;;;Argument[-1];ReturnValue;value",
"true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
"true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
"true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
"true;scheme;;;Argument[0];ReturnValue;taint",
"true;scheme;;;Argument[-1];ReturnValue;value",
"true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
"true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
"true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
"true;segment;;;Argument[-1];ReturnValue;value",
"true;toTemplate;;;Argument[-1];ReturnValue;taint",
"true;uri;;;Argument[0];ReturnValue;taint", "true;uri;;;Argument[-1];ReturnValue;value",
"true;userInfo;;;Argument[0];ReturnValue;taint",
"true;userInfo;;;Argument[-1];ReturnValue;value"
]
}
}
private class JaxRsUrlOpenSink extends SinkModelCsv {
override predicate row(string row) {
row =
[
"javax.ws.rs.client;Client;true;target;;;Argument[0];open-url",
"jakarta.ws.rs.client;Client;true;target;;;Argument[0];open-url"
]
row = ["javax", "jakarta"] + ".ws.rs.client;Client;true;target;;;Argument[0];open-url"
}
}
@@ -955,3 +795,17 @@ private class VulnerableEntity extends XssSinkBarrier {
).getArgument(0)
}
}
/**
* Model sources stemming from `ContainerRequestContext`.
*/
private class ContainerRequestContextModel extends SourceModelCsv {
override predicate row(string s) {
s =
["javax", "jakarta"] + ".ws.rs.container;ContainerRequestContext;true;" +
[
"getAcceptableLanguages", "getAcceptableMediaTypes", "getCookies", "getEntityStream",
"getHeaders", "getHeaderString", "getLanguage", "getMediaType", "getUriInfo"
] + ";;;ReturnValue;remote"
}
}

19
java/ql/test/library-tests/frameworks/JaxWs/JakartaContainerRequestContextSources.java Normal file
View File

@@ -0,0 +1,19 @@
import jakarta.ws.rs.container.ContainerRequestContext;
public class JakartaContainerRequestContextSources {
void sink(Object o) {}
void test(ContainerRequestContext context) throws Exception {
sink(context.getAcceptableLanguages()); // $ hasValueFlow
sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
byte[] buf = new byte[1024];
context.getEntityStream().read(buf);
sink(buf); // $ hasTaintFlow
sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
sink(context.getHeaderString("someKey")); // $ hasValueFlow
sink(context.getLanguage()); // $ hasValueFlow
sink(context.getMediaType().getType()); // $ hasTaintFlow
sink(context.getUriInfo().getPath()); // $ hasTaintFlow
}
}

29
java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
View File

@@ -57,11 +57,11 @@ public class JakartaRsFlow {
static PathSegment taint(PathSegment ps) { return ps; }
static UriInfo taint(UriInfo ui) { return ui; }
static Map taint(Map m) { return m; }
static Link taint(Link l) { return l; }
static Class taint(Class c) { return c; }
private static class UriSource {
@@ -196,12 +196,21 @@ public class JakartaRsFlow {
sink(taint(ps2).getPath()); // $ hasTaintFlow
}
void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
void testUriInfo(UriInfo ui, UriInfo untaintedUriInfo) throws Exception {
ui = taint(ui);
sink(ui.getPathParameters()); // $ hasTaintFlow
sink(ui.getPathSegments()); // $ hasTaintFlow
sink(ui.getQueryParameters()); // $ hasTaintFlow
sink(ui.getRequestUri()); // $ hasTaintFlow
sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
sink(ui.getRequestUri()); // $ hasTaintFlow
sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
URI taintedUri = UriSource.taint();
URI untaintedUri = new URI("");
sink(untaintedUriInfo.relativize(taintedUri)); // $ hasTaintFlow
sink(untaintedUriInfo.resolve(taintedUri)); // $ hasTaintFlow
sink(ui.resolve(untaintedUri)); // $ hasTaintFlow
}
void testCookie() {
@@ -341,7 +350,7 @@ public class JakartaRsFlow {
sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow

19
java/ql/test/library-tests/frameworks/JaxWs/JaxRsContainerRequestContextSources.java Normal file
View File

@@ -0,0 +1,19 @@
import javax.ws.rs.container.ContainerRequestContext;
public class JaxRsContainerRequestContextSources {
void sink(Object o) {}
void test(ContainerRequestContext context) throws Exception {
sink(context.getAcceptableLanguages()); // $ hasValueFlow
sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
byte[] buf = new byte[1024];
context.getEntityStream().read(buf);
sink(buf); // $ hasTaintFlow
sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
sink(context.getHeaderString("someKey")); // $ hasValueFlow
sink(context.getLanguage()); // $ hasValueFlow
sink(context.getMediaType().getType()); // $ hasTaintFlow
sink(context.getUriInfo().getPath()); // $ hasTaintFlow
}
}

29
java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
View File

@@ -57,11 +57,11 @@ public class JaxRsFlow {
static PathSegment taint(PathSegment ps) { return ps; }
static UriInfo taint(UriInfo ui) { return ui; }
static Map taint(Map m) { return m; }
static Link taint(Link l) { return l; }
static Class taint(Class c) { return c; }
private static class UriSource {
@@ -192,12 +192,21 @@ public class JaxRsFlow {
sink(taint(ps2).getPath()); // $ hasTaintFlow
}
void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
void testUriInfo(UriInfo ui, UriInfo untaintedUriInfo) throws Exception {
ui = taint(ui);
sink(ui.getPathParameters()); // $ hasTaintFlow
sink(ui.getPathSegments()); // $ hasTaintFlow
sink(ui.getQueryParameters()); // $ hasTaintFlow
sink(ui.getRequestUri()); // $ hasTaintFlow
sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
sink(ui.getRequestUri()); // $ hasTaintFlow
sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
URI taintedUri = UriSource.taint();
URI untaintedUri = new URI("");
sink(untaintedUriInfo.relativize(taintedUri)); // $ hasTaintFlow
sink(untaintedUriInfo.resolve(taintedUri)); // $ hasTaintFlow
sink(ui.resolve(untaintedUri)); // $ hasTaintFlow
}
void testCookie() {
@@ -337,7 +346,7 @@ public class JaxRsFlow {
sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow

5
java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
View File

@@ -1,5 +1,6 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import TestUtilities.InlineExpectationsTest
class TaintFlowConf extends TaintTracking::Configuration {
@@ -7,6 +8,8 @@ class TaintFlowConf extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("taint")
or
n instanceof RemoteFlowSource
}
override predicate isSink(DataFlow::Node n) {
@@ -21,6 +24,8 @@ class ValueFlowConf extends DataFlow::Configuration {
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("taint")
or
n instanceof RemoteFlowSource
}
override predicate isSink(DataFlow::Node n) {

336
java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/container/ContainerRequestContext.java generated Normal file
View File

@@ -0,0 +1,336 @@
/*
* Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package javax.ws.rs.container;
import java.io.InputStream;
import java.net.URI;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
/**
* Container request filter context.
*
* A mutable class that provides request-specific information for the filter, such as request URI, message headers,
* message entity or request-scoped properties. The exposed setters allow modification of the exposed request-specific
* information.
*
* @author Marek Potociar
* @since 2.0
*/
public interface ContainerRequestContext {
/**
* Returns the property with the given name registered in the current request/response exchange context, or {@code null}
* if there is no property by that name.
* <p>
* A property allows a JAX-RS filters and interceptors to exchange additional custom information not already provided by
* this interface.
* </p>
* <p>
* A list of supported properties can be retrieved using {@link #getPropertyNames()}. Custom property names should
* follow the same convention as package names.
* </p>
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @param name a {@code String} specifying the name of the property.
* @return an {@code Object} containing the value of the property, or {@code null} if no property exists matching the
* given name.
* @see #getPropertyNames()
*/
public Object getProperty(String name);
/**
* Returns {@code true} if the property with the given name is registered in the current request/response exchange
* context, or {@code false} if there is no property by that name.
* <p>
* Use the {@link #getProperty} method with a property name to get the value of a property.
* </p>
*
* @param name a {@code String} specifying the name of the property.
* @return {@code true} if this property is registered in the context, or {@code false} if no property exists matching
* the given name.
* @see #getPropertyNames()
*/
public default boolean hasProperty(String name) {
return getProperty(name) != null;
}
/**
* Returns an immutable {@link java.util.Collection collection} containing the property names available within the
* context of the current request/response exchange context.
* <p>
* Use the {@link #getProperty} method with a property name to get the value of a property.
* </p>
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @return an immutable {@link java.util.Collection collection} of property names.
* @see #getProperty
*/
public Collection<String> getPropertyNames();
/**
* Binds an object to a given property name in the current request/response exchange context. If the name specified is
* already used for a property, this method will replace the value of the property with the new value.
* <p>
* A property allows a JAX-RS filters and interceptors to exchange additional custom information not already provided by
* this interface.
* </p>
* <p>
* A list of supported properties can be retrieved using {@link #getPropertyNames()}. Custom property names should
* follow the same convention as package names.
* </p>
* <p>
* If a {@code null} value is passed, the effect is the same as calling the {@link #removeProperty(String)} method.
* </p>
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @param name a {@code String} specifying the name of the property.
* @param object an {@code Object} representing the property to be bound.
*/
public void setProperty(String name, Object object);
/**
* Removes a property with the given name from the current request/response exchange context. After removal, subsequent
* calls to {@link #getProperty} to retrieve the property value will return {@code null}.
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @param name a {@code String} specifying the name of the property to be removed.
*/
public void removeProperty(String name);
/**
* Get request URI information.
*
* The returned object contains "live" view of the request URI information in a sense that any changes made to the
* request URI using one of the {@code setRequestUri(...)} methods will be reflected in the previously returned
* {@link UriInfo} instance.
*
* @return request URI information.
*/
public UriInfo getUriInfo();
/**
* Set a new request URI using the current base URI of the application to resolve the application-specific request URI
* part.
* <p>
* Note that the method is usable only in pre-matching filters, prior to the resource matching occurs. Trying to invoke
* the method in a filter bound to a resource method results in an {@link IllegalStateException} being thrown.
* </p>
*
* @param requestUri new URI of the request.
* @throws IllegalStateException in case the method is not invoked from a {@link PreMatching pre-matching} request
* filter.
* @see #setRequestUri(java.net.URI, java.net.URI)
*/
public void setRequestUri(URI requestUri);
/**
* Set a new request URI using a new base URI to resolve the application-specific request URI part.
* <p>
* Note that the method is usable only in pre-matching filters, prior to the resource matching occurs. Trying to invoke
* the method in a filter bound to a resource method results in an {@link IllegalStateException} being thrown.
* </p>
*
* @param baseUri base URI that will be used to resolve the application-specific part of the request URI.
* @param requestUri new URI of the request.
* @throws IllegalStateException in case the method is not invoked from a {@link PreMatching pre-matching} request
* filter.
* @see #setRequestUri(java.net.URI)
*/
public void setRequestUri(URI baseUri, URI requestUri);
/**
* Get the injectable request information.
*
* @return injectable request information.
*/
public Request getRequest();
/**
* Get the request method.
*
* @return the request method.
* @see javax.ws.rs.HttpMethod
*/
public String getMethod();
/**
* Set the request method.
* <p>
* Note that the method is usable only in pre-matching filters, prior to the resource matching occurs. Trying to invoke
* the method in a filter bound to a resource method results in an {@link IllegalStateException} being thrown.
* </p>
*
* @param method new request method.
* @throws IllegalStateException in case the method is not invoked from a {@link PreMatching pre-matching} request
* filter.
* @see javax.ws.rs.HttpMethod
*/
public void setMethod(String method);
/**
* Get the mutable request headers multivalued map.
*
* @return mutable multivalued map of request headers.
* @see #getHeaderString(String)
*/
public MultivaluedMap<String, String> getHeaders();
/**
* Get a message header as a single string value.
*
* @param name the message header.
* @return the message header value. If the message header is not present then {@code null} is returned. If the message
* header is present but has no value then the empty string is returned. If the message header is present more than once
* then the values of joined together and separated by a ',' character.
* @see #getHeaders()
*/
public String getHeaderString(String name);
/**
* Get message date.
*
* @return the message date, otherwise {@code null} if not present.
*/
public Date getDate();
/**
* Get the language of the entity.
*
* @return the language of the entity or {@code null} if not specified
*/
public Locale getLanguage();
/**
* Get Content-Length value.
*
* @return Content-Length as integer if present and valid number. In other cases returns {@code -1}.
*/
public int getLength();
/**
* Get the media type of the entity.
*
* @return the media type or {@code null} if not specified (e.g. there's no request entity).
*/
public MediaType getMediaType();
/**
* Get a list of media types that are acceptable for the response.
*
* @return a read-only list of requested response media types sorted according to their q-value, with highest preference
* first.
*/
public List<MediaType> getAcceptableMediaTypes();
/**
* Get a list of languages that are acceptable for the response.
*
* @return a read-only list of acceptable languages sorted according to their q-value, with highest preference first.
*/
public List<Locale> getAcceptableLanguages();
/**
* Get any cookies that accompanied the request.
*
* @return a read-only map of cookie name (String) to {@link Cookie}.
*/
public Map<String, Cookie> getCookies();
/**
* Check if there is a non-empty entity input stream available in the request message.
*
* The method returns {@code true} if the entity is present, returns {@code false} otherwise.
*
* @return {@code true} if there is an entity present in the message, {@code false} otherwise.
*/
public boolean hasEntity();
/**
* Get the entity input stream. The JAX-RS runtime is responsible for closing the input stream.
*
* @return entity input stream.
*/
public InputStream getEntityStream();
/**
* Set a new entity input stream. The JAX-RS runtime is responsible for closing the input stream.
*
* @param input new entity input stream.
* @throws IllegalStateException in case the method is invoked from a response filter.
*/
public void setEntityStream(InputStream input);
/**
* Get the injectable security context information for the current request.
*
* The {@link SecurityContext#getUserPrincipal()} must return {@code null} if the current request has not been
* authenticated.
*
* @return injectable request security context information.
*/
public SecurityContext getSecurityContext();
/**
* Set a new injectable security context information for the current request.
*
* The {@link SecurityContext#getUserPrincipal()} must return {@code null} if the current request has not been
* authenticated.
*
* @param context new injectable request security context information.
* @throws IllegalStateException in case the method is invoked from a response filter.
*/
public void setSecurityContext(SecurityContext context);
/**
* Abort the filter chain with a response.
*
* This method breaks the filter chain processing and returns the provided response back to the client. The provided
* response goes through the chain of applicable response filters.
*
* @param response response to be sent back to the client.
* @throws IllegalStateException in case the method is invoked from a response filter.
*/
public void abortWith(Response response);
}

126
java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Request.java generated Normal file
View File

@@ -0,0 +1,126 @@
/*
* Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package javax.ws.rs.core;
import java.util.Date;
import java.util.List;
import javax.ws.rs.core.Response.ResponseBuilder;
/**
* An injectable helper for request processing, all methods throw an {@link IllegalStateException} if called outside the
* scope of a request (e.g. from a provider constructor).
*
* Precondition processing (see the {@code evaluatePreconditions} methods) can result in either a {@code null} return
* value to indicate that preconditions have been met and that the request should continue, or a non-{@code null} return
* value to indicate that preconditions were not met. In the event that preconditions were not met, the returned
* {@code ResponseBuilder} instance will have an appropriate status and will also include a {@code Vary} header if the
* {@link #selectVariant(List)} method was called prior to to calling {@code evaluatePreconditions}. It is the
* responsibility of the caller to check the status and add additional metadata if required. E.g., see
* <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5">HTTP/1.1, section 10.3.5</a> for details
* of the headers that are expected to accompany a {@code 304 Not Modified} response.
*
* @author Paul Sandoz
* @author Marc Hadley
* @author Marek Potociar
* @since 1.0
*/
public interface Request {
/**
* Get the request method, e.g. GET, POST, etc.
*
* @return the request method.
* @see javax.ws.rs.HttpMethod
*/
public String getMethod();
/**
* Select the representation variant that best matches the request. Returns {@code null} in case there is no matching
* variant in the list.
* <p>
* More explicit variants are chosen ahead of less explicit ones. A vary header is computed from the supplied list and
* automatically added to the response.
* </p>
*
* @param variants a list of Variant that describe all of the available representation variants.
* @return the variant that best matches the request or {@code null} if there's no match.
* @throws java.lang.IllegalArgumentException if variants is empty or {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
* @see Variant.VariantListBuilder
*/
public Variant selectVariant(List<Variant> variants);
/**
* Evaluate request preconditions based on the passed in value.
*
* @param eTag an ETag for the current state of the resource
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met. A returned {@code ResponseBuilder} will include an ETag header set with the value of eTag,
* provided none of the precondition evaluation has failed, in which case the ETag header would not be included and the
* status code of the returned {@code ResponseBuilder} would be set to {@link Response.Status#PRECONDITION_FAILED}.
* @throws java.lang.IllegalArgumentException if eTag is {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
*/
public ResponseBuilder evaluatePreconditions(EntityTag eTag);
/**
* Evaluate request preconditions based on the passed in value.
*
* @param lastModified a date that specifies the modification date of the resource
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met.
* @throws java.lang.IllegalArgumentException if lastModified is {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
*/
public ResponseBuilder evaluatePreconditions(Date lastModified);
/**
* Evaluate request preconditions based on the passed in value.
*
* @param lastModified a date that specifies the modification date of the resource
* @param eTag an ETag for the current state of the resource
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met. A returned {@code ResponseBuilder} will include an ETag header set with the value of eTag,
* provided none of the precondition evaluation has failed, in which case the ETag header would not be included and the
* status code of the returned {@code ResponseBuilder} would be set to {@link Response.Status#PRECONDITION_FAILED}.
* @throws java.lang.IllegalArgumentException if lastModified or eTag is {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
*/
public ResponseBuilder evaluatePreconditions(Date lastModified, EntityTag eTag);
/**
* Evaluate request preconditions for a resource that does not currently exist. The primary use of this method is to
* support the <a href="https://tools.ietf.org/html/rfc7232#section-3.1"> If-Match: *</a> and
* <a href="https://tools.ietf.org/html/rfc7232#section-3.2"> If-None-Match: *</a> preconditions.
*
* <p>
* Note that precondition <code>If-None-Match: <i>something</i></code> will never be
* considered to have been met, and it is the application's responsibility to enforce any additional method-specific
* semantics. E.g. a {@code PUT} on a resource that does not exist might succeed whereas a {@code GET} on a resource
* that does not exist would likely result in a 404 response. It would be the responsibility of the application to
* generate the 404 response.
* </p>
*
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met.
* @throws IllegalStateException if called outside the scope of a request.
* @since 1.1
*/
public ResponseBuilder evaluatePreconditions();
}

88
java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/SecurityContext.java generated Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package javax.ws.rs.core;
import java.security.Principal;
/**
* An injectable interface that provides access to security related information.
*
* @author Paul Sandoz
* @author Marc Hadley
* @see Context
* @since 1.0
*/
public interface SecurityContext {
/**
* String identifier for Basic authentication. Value "BASIC"
*/
public static final String BASIC_AUTH = "BASIC";
/**
* String identifier for Client Certificate authentication. Value "CLIENT_CERT"
*/
public static final String CLIENT_CERT_AUTH = "CLIENT_CERT";
/**
* String identifier for Digest authentication. Value "DIGEST"
*/
public static final String DIGEST_AUTH = "DIGEST";
/**
* String identifier for Form authentication. Value "FORM"
*/
public static final String FORM_AUTH = "FORM";
/**
* Returns a <code>java.security.Principal</code> object containing the name of the current authenticated user. If the
* user has not been authenticated, the method returns null.
*
* @return a <code>java.security.Principal</code> containing the name of the user making this request; null if the user
* has not been authenticated
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public Principal getUserPrincipal();
/**
* Returns a boolean indicating whether the authenticated user is included in the specified logical "role". If the user
* has not been authenticated, the method returns <code>false</code>.
*
* @param role a <code>String</code> specifying the name of the role
* @return a <code>boolean</code> indicating whether the user making the request belongs to a given role;
* <code>false</code> if the user has not been authenticated
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public boolean isUserInRole(String role);
/**
* Returns a boolean indicating whether this request was made using a secure channel, such as HTTPS.
*
* @return <code>true</code> if the request was made using a secure channel, <code>false</code> otherwise
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public boolean isSecure();
/**
* Returns the string value of the authentication scheme used to protect the resource. If the resource is not
* authenticated, null is returned.
*
* Values are the same as the CGI variable AUTH_TYPE
*
* @return one of the static members BASIC_AUTH, FORM_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH (suitable for == comparison)
* or the container-specific string indicating the authentication scheme, or null if the request was not authenticated.
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public String getAuthenticationScheme();
}

336
java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/container/ContainerRequestContext.java generated Normal file
View File

@@ -0,0 +1,336 @@
/*
* Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package jakarta.ws.rs.container;
import java.io.InputStream;
import java.net.URI;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import jakarta.ws.rs.core.Cookie;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Request;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.UriInfo;
/**
* Container request filter context.
*
* A mutable class that provides request-specific information for the filter, such as request URI, message headers,
* message entity or request-scoped properties. The exposed setters allow modification of the exposed request-specific
* information.
*
* @author Marek Potociar
* @since 2.0
*/
public interface ContainerRequestContext {
/**
* Returns the property with the given name registered in the current request/response exchange context, or {@code null}
* if there is no property by that name.
* <p>
* A property allows a JAX-RS filters and interceptors to exchange additional custom information not already provided by
* this interface.
* </p>
* <p>
* A list of supported properties can be retrieved using {@link #getPropertyNames()}. Custom property names should
* follow the same convention as package names.
* </p>
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @param name a {@code String} specifying the name of the property.
* @return an {@code Object} containing the value of the property, or {@code null} if no property exists matching the
* given name.
* @see #getPropertyNames()
*/
public Object getProperty(String name);
/**
* Returns {@code true} if the property with the given name is registered in the current request/response exchange
* context, or {@code false} if there is no property by that name.
* <p>
* Use the {@link #getProperty} method with a property name to get the value of a property.
* </p>
*
* @param name a {@code String} specifying the name of the property.
* @return {@code true} if this property is registered in the context, or {@code false} if no property exists matching
* the given name.
* @see #getPropertyNames()
*/
public default boolean hasProperty(String name) {
return getProperty(name) != null;
}
/**
* Returns an immutable {@link java.util.Collection collection} containing the property names available within the
* context of the current request/response exchange context.
* <p>
* Use the {@link #getProperty} method with a property name to get the value of a property.
* </p>
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @return an immutable {@link java.util.Collection collection} of property names.
* @see #getProperty
*/
public Collection<String> getPropertyNames();
/**
* Binds an object to a given property name in the current request/response exchange context. If the name specified is
* already used for a property, this method will replace the value of the property with the new value.
* <p>
* A property allows a JAX-RS filters and interceptors to exchange additional custom information not already provided by
* this interface.
* </p>
* <p>
* A list of supported properties can be retrieved using {@link #getPropertyNames()}. Custom property names should
* follow the same convention as package names.
* </p>
* <p>
* If a {@code null} value is passed, the effect is the same as calling the {@link #removeProperty(String)} method.
* </p>
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @param name a {@code String} specifying the name of the property.
* @param object an {@code Object} representing the property to be bound.
*/
public void setProperty(String name, Object object);
/**
* Removes a property with the given name from the current request/response exchange context. After removal, subsequent
* calls to {@link #getProperty} to retrieve the property value will return {@code null}.
* <p>
* In a Servlet container, the properties are synchronized with the {@code ServletRequest} and expose all the attributes
* available in the {@code ServletRequest}. Any modifications of the properties are also reflected in the set of
* properties of the associated {@code ServletRequest}.
* </p>
*
* @param name a {@code String} specifying the name of the property to be removed.
*/
public void removeProperty(String name);
/**
* Get request URI information.
*
* The returned object contains "live" view of the request URI information in a sense that any changes made to the
* request URI using one of the {@code setRequestUri(...)} methods will be reflected in the previously returned
* {@link UriInfo} instance.
*
* @return request URI information.
*/
public UriInfo getUriInfo();
/**
* Set a new request URI using the current base URI of the application to resolve the application-specific request URI
* part.
* <p>
* Note that the method is usable only in pre-matching filters, prior to the resource matching occurs. Trying to invoke
* the method in a filter bound to a resource method results in an {@link IllegalStateException} being thrown.
* </p>
*
* @param requestUri new URI of the request.
* @throws IllegalStateException in case the method is not invoked from a {@link PreMatching pre-matching} request
* filter.
* @see #setRequestUri(java.net.URI, java.net.URI)
*/
public void setRequestUri(URI requestUri);
/**
* Set a new request URI using a new base URI to resolve the application-specific request URI part.
* <p>
* Note that the method is usable only in pre-matching filters, prior to the resource matching occurs. Trying to invoke
* the method in a filter bound to a resource method results in an {@link IllegalStateException} being thrown.
* </p>
*
* @param baseUri base URI that will be used to resolve the application-specific part of the request URI.
* @param requestUri new URI of the request.
* @throws IllegalStateException in case the method is not invoked from a {@link PreMatching pre-matching} request
* filter.
* @see #setRequestUri(java.net.URI)
*/
public void setRequestUri(URI baseUri, URI requestUri);
/**
* Get the injectable request information.
*
* @return injectable request information.
*/
public Request getRequest();
/**
* Get the request method.
*
* @return the request method.
* @see jakarta.ws.rs.HttpMethod
*/
public String getMethod();
/**
* Set the request method.
* <p>
* Note that the method is usable only in pre-matching filters, prior to the resource matching occurs. Trying to invoke
* the method in a filter bound to a resource method results in an {@link IllegalStateException} being thrown.
* </p>
*
* @param method new request method.
* @throws IllegalStateException in case the method is not invoked from a {@link PreMatching pre-matching} request
* filter.
* @see jakarta.ws.rs.HttpMethod
*/
public void setMethod(String method);
/**
* Get the mutable request headers multivalued map.
*
* @return mutable multivalued map of request headers.
* @see #getHeaderString(String)
*/
public MultivaluedMap<String, String> getHeaders();
/**
* Get a message header as a single string value.
*
* @param name the message header.
* @return the message header value. If the message header is not present then {@code null} is returned. If the message
* header is present but has no value then the empty string is returned. If the message header is present more than once
* then the values of joined together and separated by a ',' character.
* @see #getHeaders()
*/
public String getHeaderString(String name);
/**
* Get message date.
*
* @return the message date, otherwise {@code null} if not present.
*/
public Date getDate();
/**
* Get the language of the entity.
*
* @return the language of the entity or {@code null} if not specified
*/
public Locale getLanguage();
/**
* Get Content-Length value.
*
* @return Content-Length as integer if present and valid number. In other cases returns {@code -1}.
*/
public int getLength();
/**
* Get the media type of the entity.
*
* @return the media type or {@code null} if not specified (e.g. there's no request entity).
*/
public MediaType getMediaType();
/**
* Get a list of media types that are acceptable for the response.
*
* @return a read-only list of requested response media types sorted according to their q-value, with highest preference
* first.
*/
public List<MediaType> getAcceptableMediaTypes();
/**
* Get a list of languages that are acceptable for the response.
*
* @return a read-only list of acceptable languages sorted according to their q-value, with highest preference first.
*/
public List<Locale> getAcceptableLanguages();
/**
* Get any cookies that accompanied the request.
*
* @return a read-only map of cookie name (String) to {@link Cookie}.
*/
public Map<String, Cookie> getCookies();
/**
* Check if there is a non-empty entity input stream available in the request message.
*
* The method returns {@code true} if the entity is present, returns {@code false} otherwise.
*
* @return {@code true} if there is an entity present in the message, {@code false} otherwise.
*/
public boolean hasEntity();
/**
* Get the entity input stream. The JAX-RS runtime is responsible for closing the input stream.
*
* @return entity input stream.
*/
public InputStream getEntityStream();
/**
* Set a new entity input stream. The JAX-RS runtime is responsible for closing the input stream.
*
* @param input new entity input stream.
* @throws IllegalStateException in case the method is invoked from a response filter.
*/
public void setEntityStream(InputStream input);
/**
* Get the injectable security context information for the current request.
*
* The {@link SecurityContext#getUserPrincipal()} must return {@code null} if the current request has not been
* authenticated.
*
* @return injectable request security context information.
*/
public SecurityContext getSecurityContext();
/**
* Set a new injectable security context information for the current request.
*
* The {@link SecurityContext#getUserPrincipal()} must return {@code null} if the current request has not been
* authenticated.
*
* @param context new injectable request security context information.
* @throws IllegalStateException in case the method is invoked from a response filter.
*/
public void setSecurityContext(SecurityContext context);
/**
* Abort the filter chain with a response.
*
* This method breaks the filter chain processing and returns the provided response back to the client. The provided
* response goes through the chain of applicable response filters.
*
* @param response response to be sent back to the client.
* @throws IllegalStateException in case the method is invoked from a response filter.
*/
public void abortWith(Response response);
}

126
java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Request.java generated Normal file
View File

@@ -0,0 +1,126 @@
/*
* Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package jakarta.ws.rs.core;
import java.util.Date;
import java.util.List;
import jakarta.ws.rs.core.Response.ResponseBuilder;
/**
* An injectable helper for request processing, all methods throw an {@link IllegalStateException} if called outside the
* scope of a request (e.g. from a provider constructor).
*
* Precondition processing (see the {@code evaluatePreconditions} methods) can result in either a {@code null} return
* value to indicate that preconditions have been met and that the request should continue, or a non-{@code null} return
* value to indicate that preconditions were not met. In the event that preconditions were not met, the returned
* {@code ResponseBuilder} instance will have an appropriate status and will also include a {@code Vary} header if the
* {@link #selectVariant(List)} method was called prior to to calling {@code evaluatePreconditions}. It is the
* responsibility of the caller to check the status and add additional metadata if required. E.g., see
* <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5">HTTP/1.1, section 10.3.5</a> for details
* of the headers that are expected to accompany a {@code 304 Not Modified} response.
*
* @author Paul Sandoz
* @author Marc Hadley
* @author Marek Potociar
* @since 1.0
*/
public interface Request {
/**
* Get the request method, e.g. GET, POST, etc.
*
* @return the request method.
* @see jakarta.ws.rs.HttpMethod
*/
public String getMethod();
/**
* Select the representation variant that best matches the request. Returns {@code null} in case there is no matching
* variant in the list.
* <p>
* More explicit variants are chosen ahead of less explicit ones. A vary header is computed from the supplied list and
* automatically added to the response.
* </p>
*
* @param variants a list of Variant that describe all of the available representation variants.
* @return the variant that best matches the request or {@code null} if there's no match.
* @throws java.lang.IllegalArgumentException if variants is empty or {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
* @see Variant.VariantListBuilder
*/
public Variant selectVariant(List<Variant> variants);
/**
* Evaluate request preconditions based on the passed in value.
*
* @param eTag an ETag for the current state of the resource
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met. A returned {@code ResponseBuilder} will include an ETag header set with the value of eTag,
* provided none of the precondition evaluation has failed, in which case the ETag header would not be included and the
* status code of the returned {@code ResponseBuilder} would be set to {@link Response.Status#PRECONDITION_FAILED}.
* @throws java.lang.IllegalArgumentException if eTag is {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
*/
public ResponseBuilder evaluatePreconditions(EntityTag eTag);
/**
* Evaluate request preconditions based on the passed in value.
*
* @param lastModified a date that specifies the modification date of the resource
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met.
* @throws java.lang.IllegalArgumentException if lastModified is {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
*/
public ResponseBuilder evaluatePreconditions(Date lastModified);
/**
* Evaluate request preconditions based on the passed in value.
*
* @param lastModified a date that specifies the modification date of the resource
* @param eTag an ETag for the current state of the resource
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met. A returned {@code ResponseBuilder} will include an ETag header set with the value of eTag,
* provided none of the precondition evaluation has failed, in which case the ETag header would not be included and the
* status code of the returned {@code ResponseBuilder} would be set to {@link Response.Status#PRECONDITION_FAILED}.
* @throws java.lang.IllegalArgumentException if lastModified or eTag is {@code null}.
* @throws java.lang.IllegalStateException if called outside the scope of a request.
*/
public ResponseBuilder evaluatePreconditions(Date lastModified, EntityTag eTag);
/**
* Evaluate request preconditions for a resource that does not currently exist. The primary use of this method is to
* support the <a href="https://tools.ietf.org/html/rfc7232#section-3.1"> If-Match: *</a> and
* <a href="https://tools.ietf.org/html/rfc7232#section-3.2"> If-None-Match: *</a> preconditions.
*
* <p>
* Note that precondition <code>If-None-Match: <i>something</i></code> will never be
* considered to have been met, and it is the application's responsibility to enforce any additional method-specific
* semantics. E.g. a {@code PUT} on a resource that does not exist might succeed whereas a {@code GET} on a resource
* that does not exist would likely result in a 404 response. It would be the responsibility of the application to
* generate the 404 response.
* </p>
*
* @return {@code null} if the preconditions are met or a {@code ResponseBuilder} set with the appropriate status if the
* preconditions are not met.
* @throws IllegalStateException if called outside the scope of a request.
* @since 1.1
*/
public ResponseBuilder evaluatePreconditions();
}

88
java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/SecurityContext.java generated Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package jakarta.ws.rs.core;
import java.security.Principal;
/**
* An injectable interface that provides access to security related information.
*
* @author Paul Sandoz
* @author Marc Hadley
* @see Context
* @since 1.0
*/
public interface SecurityContext {
/**
* String identifier for Basic authentication. Value "BASIC"
*/
public static final String BASIC_AUTH = "BASIC";
/**
* String identifier for Client Certificate authentication. Value "CLIENT_CERT"
*/
public static final String CLIENT_CERT_AUTH = "CLIENT_CERT";
/**
* String identifier for Digest authentication. Value "DIGEST"
*/
public static final String DIGEST_AUTH = "DIGEST";
/**
* String identifier for Form authentication. Value "FORM"
*/
public static final String FORM_AUTH = "FORM";
/**
* Returns a <code>java.security.Principal</code> object containing the name of the current authenticated user. If the
* user has not been authenticated, the method returns null.
*
* @return a <code>java.security.Principal</code> containing the name of the user making this request; null if the user
* has not been authenticated
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public Principal getUserPrincipal();
/**
* Returns a boolean indicating whether the authenticated user is included in the specified logical "role". If the user
* has not been authenticated, the method returns <code>false</code>.
*
* @param role a <code>String</code> specifying the name of the role
* @return a <code>boolean</code> indicating whether the user making the request belongs to a given role;
* <code>false</code> if the user has not been authenticated
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public boolean isUserInRole(String role);
/**
* Returns a boolean indicating whether this request was made using a secure channel, such as HTTPS.
*
* @return <code>true</code> if the request was made using a secure channel, <code>false</code> otherwise
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public boolean isSecure();
/**
* Returns the string value of the authentication scheme used to protect the resource. If the resource is not
* authenticated, null is returned.
*
* Values are the same as the CGI variable AUTH_TYPE
*
* @return one of the static members BASIC_AUTH, FORM_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH (suitable for == comparison)
* or the container-specific string indicating the authentication scheme, or null if the request was not authenticated.
* @throws java.lang.IllegalStateException if called outside the scope of a request
*/
public String getAuthenticationScheme();
}