Add query for initCause and addSuppressed

2026-04-28 02:05:14 +02:00 · 2020-11-02 11:59:14 +00:00
parent 78d7fe2fbb
commit 6a8ce37428
3 changed files with 58 additions and 3 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
@@ -1,9 +1,15 @@
 edges
+| UncaughtServletException2.java:14:16:14:44 | getParameter(...) : String | UncaughtServletException2.java:15:45:15:46 | ip |
+| UncaughtServletException2.java:26:16:26:44 | getParameter(...) : String | UncaughtServletException2.java:27:45:27:46 | ip |
 | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip |
 | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId |
 | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip |
 | UncaughtServletException.java:74:21:74:43 | getRemoteUser(...) : String | UncaughtServletException.java:75:22:75:27 | userId |
 nodes
+| UncaughtServletException2.java:14:16:14:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException2.java:15:45:15:46 | ip | semmle.label | ip |
+| UncaughtServletException2.java:26:16:26:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException2.java:27:45:27:46 | ip | semmle.label | ip |
 | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UncaughtServletException.java:14:44:14:45 | ip | semmle.label | ip |
 | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
@@ -13,6 +19,8 @@ nodes
 | UncaughtServletException.java:74:21:74:43 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
 | UncaughtServletException.java:75:22:75:27 | userId | semmle.label | userId |
 #select
+| UncaughtServletException2.java:15:45:15:46 | ip | UncaughtServletException2.java:14:16:14:44 | getParameter(...) : String | UncaughtServletException2.java:15:45:15:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException2.java:14:16:14:44 | getParameter(...) | User-provided value |
+| UncaughtServletException2.java:27:45:27:46 | ip | UncaughtServletException2.java:26:16:26:44 | getParameter(...) : String | UncaughtServletException2.java:27:45:27:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException2.java:26:16:26:44 | getParameter(...) | User-provided value |
 | UncaughtServletException.java:14:44:14:45 | ip | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:13:15:13:43 | getParameter(...) | User-provided value |
 | UncaughtServletException.java:17:20:17:25 | userId | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) | User-provided value |
 | UncaughtServletException.java:55:45:55:46 | ip | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:54:16:54:44 | getParameter(...) | User-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException2.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException2.java
@@ -0,0 +1,33 @@
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+class UncaughtServletException2 extends HttpServlet {
+	// BAD - Tests rethrowing caught exceptions with stack trace using an exception variable.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			IOException ioException = new IOException();
+			ioException.initCause(uhex);
+			throw ioException;
+		}
+	}
+
+	// BAD - Tests rethrowing caught exceptions with stack trace using class instance directly.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			throw new IOException().initCause(uhex);
+		}
+	}
+}
+