diff --git a/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
new file mode 100644
index 00000000000..f294b223d01
--- /dev/null
+++ b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+ now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `Castor`, `Hessian` and `Burlap` deserialization.
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
index 0d1f21ca87f..e9600f11b93 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
There are many different serialization frameworks. This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
-ObjectInputStream/ObjectOutputStream.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap
+and Java IO serialization through ObjectInputStream/ObjectOutputStream.
@@ -75,6 +75,22 @@ Alvaro Muñoz & Christian Schneider, RSAConference 2016:
SnakeYaml documentation on deserialization:
SnakeYaml deserialization.
+
+Hessian deserialization and related gadget chains:
+Hessian deserialization.
+
+
+Castor and Hessian java deserialization vulnerabilities:
+Castor and Hessian deserialization.
+
+
+Remote code execution in JYaml library:
+JYaml deserialization.
+
+
+JsonIO deserialization vulnerabilities:
+JsonIO deserialization.
+
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
index 82dd42c3c32..8fbeb16d63c 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -22,6 +22,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
+
+ override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(ClassInstanceExpr cie |
+ cie.getArgument(0) = pred.asExpr() and
+ cie = succ.asExpr() and
+ (
+ cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+ cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+ cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+ cie.getConstructor().getDeclaringType() instanceof BurlapInput
+ )
+ )
+ or
+ exists(MethodAccess ma |
+ ma.getMethod() instanceof BurlapInputInitMethod and
+ ma.getArgument(0) = pred.asExpr() and
+ ma.getQualifier() = succ.asExpr()
+ )
+ }
+
+ override predicate isSanitizer(DataFlow::Node node) {
+ exists(ClassInstanceExpr cie |
+ cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+ cie = node.asExpr() and
+ exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
+ )
+ or
+ exists(MethodAccess ma |
+ ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+ ma.getArgument(0) = node.asExpr() and
+ exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
+ )
+ }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf
diff --git a/java/ql/src/semmle/code/java/frameworks/Castor.qll b/java/ql/src/semmle/code/java/frameworks/Castor.qll
new file mode 100644
index 00000000000..f1e1b825725
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/Castor.qll
@@ -0,0 +1,20 @@
+/**
+ * Provides classes and predicates for working with the Castor framework.
+ */
+
+import java
+
+/**
+ * The class `org.exolab.castor.xml.Unmarshaller`.
+ */
+class CastorUnmarshaller extends RefType {
+ CastorUnmarshaller() { this.hasQualifiedName("org.exolab.castor.xml", "Unmarshaller") }
+}
+
+/** A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`. */
+class CastorUnmarshalMethod extends Method {
+ CastorUnmarshalMethod() {
+ this.getDeclaringType() instanceof CastorUnmarshaller and
+ this.getName() = "unmarshal"
+ }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll b/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
new file mode 100644
index 00000000000..95803d192a7
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides classes and predicates for working with the HessianBurlap framework.
+ */
+
+import java
+
+/**
+ * The classes `[com.alibaba.]com.caucho.hessian.io.AbstractHessianInput` or `[com.alibaba.]com.caucho.hessian.io.Hessian2StreamingInput`.
+ */
+class UnsafeHessianInput extends RefType {
+ UnsafeHessianInput() {
+ this.hasQualifiedName(["com.caucho.hessian.io", "com.alibaba.com.caucho.hessian.io"],
+ ["AbstractHessianInput", "Hessian2StreamingInput"])
+ }
+}
+
+/**
+ * A AbstractHessianInput or Hessian2StreamingInput subclass readObject method.
+ * This is either `AbstractHessianInput.readObject` or `Hessian2StreamingInput.readObject`.
+ */
+class UnsafeHessianInputReadObjectMethod extends Method {
+ UnsafeHessianInputReadObjectMethod() {
+ this.getDeclaringType().getASupertype*() instanceof UnsafeHessianInput and
+ this.getName() = "readObject"
+ }
+}
+
+/**
+ * The class `com.caucho.burlap.io.BurlapInput`.
+ */
+class BurlapInput extends RefType {
+ BurlapInput() { this.hasQualifiedName("com.caucho.burlap.io", "BurlapInput") }
+}
+
+/** A method with the name `readObject` declared in `com.caucho.burlap.io.BurlapInput`. */
+class BurlapInputReadObjectMethod extends Method {
+ BurlapInputReadObjectMethod() {
+ this.getDeclaringType() instanceof BurlapInput and
+ this.getName() = "readObject"
+ }
+}
+
+/** A method with the name `init` declared in `com.caucho.burlap.io.BurlapInput`. */
+class BurlapInputInitMethod extends Method {
+ BurlapInputInitMethod() {
+ this.getDeclaringType() instanceof BurlapInput and
+ this.getName() = "init"
+ }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/JYaml.qll b/java/ql/src/semmle/code/java/frameworks/JYaml.qll
new file mode 100644
index 00000000000..9d77b86f6c1
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/JYaml.qll
@@ -0,0 +1,22 @@
+/**
+ * Provides classes and predicates for working with the JYaml framework.
+ */
+
+import java
+
+/**
+ * The class `org.ho.yaml.Yaml` or `org.ho.yaml.YamlConfig`.
+ */
+class JYamlLoader extends RefType {
+ JYamlLoader() { this.hasQualifiedName("org.ho.yaml", ["Yaml", "YamlConfig"]) }
+}
+
+/**
+ * A JYaml unsafe load method, declared on either `Yaml` or `YamlConfig`.
+ */
+class JYamlLoaderUnsafeLoadMethod extends Method {
+ JYamlLoaderUnsafeLoadMethod() {
+ this.getDeclaringType() instanceof JYamlLoader and
+ this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
+ }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/JsonIo.qll b/java/ql/src/semmle/code/java/frameworks/JsonIo.qll
new file mode 100644
index 00000000000..ab4c1b115d9
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/JsonIo.qll
@@ -0,0 +1,67 @@
+/**
+ * Provides classes and predicates for working with the Json-io framework.
+ */
+
+import java
+import semmle.code.java.Maps
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow2
+
+/**
+ * The class `com.cedarsoftware.util.io.JsonReader`.
+ */
+class JsonIoJsonReader extends RefType {
+ JsonIoJsonReader() { this.hasQualifiedName("com.cedarsoftware.util.io", "JsonReader") }
+}
+
+/** A method with the name `jsonToJava` declared in `com.cedarsoftware.util.io.JsonReader`. */
+class JsonIoJsonToJavaMethod extends Method {
+ JsonIoJsonToJavaMethod() {
+ this.getDeclaringType() instanceof JsonIoJsonReader and
+ this.getName() = "jsonToJava"
+ }
+}
+
+/** A method with the name `readObject` declared in `com.cedarsoftware.util.io.JsonReader`. */
+class JsonIoReadObjectMethod extends Method {
+ JsonIoReadObjectMethod() {
+ this.getDeclaringType() instanceof JsonIoJsonReader and
+ this.getName() = "readObject"
+ }
+}
+
+/**
+ * A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`.
+ */
+class JsonIoUseMapsSetter extends MethodAccess {
+ JsonIoUseMapsSetter() {
+ this.getMethod().getDeclaringType().getASourceSupertype*() instanceof MapType and
+ this.getMethod().hasName("put") and
+ this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "USE_MAPS" and
+ this.getArgument(1).(CompileTimeConstantExpr).getBooleanValue() = true
+ }
+}
+
+/** A data flow configuration tracing flow from JsonIo safe settings. */
+class SafeJsonIoConfig extends DataFlow2::Configuration {
+ SafeJsonIoConfig() { this = "UnsafeDeserialization::SafeJsonIoConfig" }
+
+ override predicate isSource(DataFlow::Node src) {
+ exists(MethodAccess ma |
+ ma instanceof JsonIoUseMapsSetter and
+ src.asExpr() = ma.getQualifier()
+ )
+ }
+
+ override predicate isSink(DataFlow::Node sink) {
+ exists(MethodAccess ma |
+ ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+ sink.asExpr() = ma.getArgument(1)
+ )
+ or
+ exists(ClassInstanceExpr cie |
+ cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+ sink.asExpr() = cie.getArgument(1)
+ )
+ }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/YamlBeans.qll b/java/ql/src/semmle/code/java/frameworks/YamlBeans.qll
new file mode 100644
index 00000000000..b5db59926be
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/YamlBeans.qll
@@ -0,0 +1,20 @@
+/**
+ * Provides classes and predicates for working with the YamlBeans framework.
+ */
+
+import java
+
+/**
+ * The class `com.esotericsoftware.yamlbeans.YamlReader`.
+ */
+class YamlBeansReader extends RefType {
+ YamlBeansReader() { this.hasQualifiedName("com.esotericsoftware.yamlbeans", "YamlReader") }
+}
+
+/** A method with the name `read` declared in `com.esotericsoftware.yamlbeans.YamlReader`. */
+class YamlBeansReaderReadMethod extends Method {
+ YamlBeansReaderReadMethod() {
+ this.getDeclaringType() instanceof YamlBeansReader and
+ this.getName() = "read"
+ }
+}
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index a1561c0e6cd..d035837ad6a 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -2,6 +2,11 @@ import semmle.code.java.frameworks.Kryo
import semmle.code.java.frameworks.XStream
import semmle.code.java.frameworks.SnakeYaml
import semmle.code.java.frameworks.FastJson
+import semmle.code.java.frameworks.JYaml
+import semmle.code.java.frameworks.JsonIo
+import semmle.code.java.frameworks.YamlBeans
+import semmle.code.java.frameworks.HessianBurlap
+import semmle.code.java.frameworks.Castor
import semmle.code.java.frameworks.apache.Lang
class ObjectInputStreamReadObjectMethod extends Method {
@@ -140,6 +145,23 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
ma.getMethod() instanceof FastJsonParseMethod and
not fastJsonLooksSafe() and
sink = ma.getArgument(0)
+ or
+ ma.getMethod() instanceof JYamlLoaderUnsafeLoadMethod and
+ sink = ma.getArgument(0)
+ or
+ ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+ sink = ma.getArgument(0)
+ or
+ ma.getMethod() instanceof JsonIoReadObjectMethod and
+ sink = ma.getQualifier()
+ or
+ ma.getMethod() instanceof YamlBeansReaderReadMethod and sink = ma.getQualifier()
+ or
+ ma.getMethod() instanceof UnsafeHessianInputReadObjectMethod and sink = ma.getQualifier()
+ or
+ ma.getMethod() instanceof CastorUnmarshalMethod and sink = ma.getAnArgument()
+ or
+ ma.getMethod() instanceof BurlapInputReadObjectMethod and sink = ma.getQualifier()
)
}
diff --git a/java/ql/test/query-tests/security/CWE-502/C.java b/java/ql/test/query-tests/security/CWE-502/C.java
new file mode 100644
index 00000000000..bae0ca8ceae
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-502/C.java
@@ -0,0 +1,114 @@
+import java.util.HashMap;
+import java.io.StringReader;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import com.cedarsoftware.util.io.JsonReader;
+import com.esotericsoftware.yamlbeans.YamlReader;
+import org.ho.yaml.Yaml;
+import org.ho.yaml.YamlConfig;
+import org.exolab.castor.xml.Unmarshaller;
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.HessianInput;
+import com.caucho.burlap.io.BurlapInput;
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.HessianInput;
+import java.io.ByteArrayInputStream;
+
+@Controller
+public class C {
+
+ @GetMapping(value = "jyaml")
+ public void bad1(HttpServletRequest request) throws Exception {
+ String data = request.getParameter("data");
+ Yaml.load(data); //bad
+ Yaml.loadStream(data); //bad
+ Yaml.loadStreamOfType(data, Object.class); //bad
+ Yaml.loadType(data, Object.class); //bad
+
+ org.ho.yaml.YamlConfig yamlConfig = new YamlConfig();
+ yamlConfig.load(data); //bad
+ yamlConfig.loadStream(data); //bad
+ yamlConfig.loadStreamOfType(data, Object.class); //bad
+ yamlConfig.loadType(data, Object.class); //bad
+ }
+
+ @GetMapping(value = "jsonio")
+ public void bad2(HttpServletRequest request) {
+ String data = request.getParameter("data");
+
+ HashMap hashMap = new HashMap();
+ hashMap.put("USE_MAPS", true);
+
+ JsonReader.jsonToJava(data); //bad
+
+ JsonReader jr = new JsonReader(data, null); //bad
+ jr.readObject();
+ }
+
+ @GetMapping(value = "yamlbeans")
+ public void bad3(HttpServletRequest request) throws Exception {
+ String data = request.getParameter("data");
+ YamlReader r = new YamlReader(data);
+ r.read(); //bad
+ r.read(Object.class); //bad
+ r.read(Object.class, Object.class); //bad
+ }
+
+ @GetMapping(value = "hessian")
+ public void bad4(HttpServletRequest request) throws Exception {
+ byte[] bytes = request.getParameter("data").getBytes();
+ ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
+ HessianInput hessianInput = new HessianInput(bis);
+ hessianInput.readObject(); //bad
+ hessianInput.readObject(Object.class); //bad
+ }
+
+ @GetMapping(value = "hessian2")
+ public void bad5(HttpServletRequest request) throws Exception {
+ byte[] bytes = request.getParameter("data").getBytes();
+ ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
+ Hessian2Input hessianInput = new Hessian2Input(bis);
+ hessianInput.readObject(); //bad
+ hessianInput.readObject(Object.class); //bad
+ }
+
+ @GetMapping(value = "castor")
+ public void bad6(HttpServletRequest request) throws Exception {
+ Unmarshaller unmarshaller = new Unmarshaller();
+ unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); //bad
+ }
+
+ @GetMapping(value = "burlap")
+ public void bad7(HttpServletRequest request) throws Exception {
+ byte[] serializedData = request.getParameter("data").getBytes();
+ ByteArrayInputStream is = new ByteArrayInputStream(serializedData);
+ BurlapInput burlapInput = new BurlapInput(is);
+ burlapInput.readObject(); //bad
+
+ BurlapInput burlapInput1 = new BurlapInput();
+ burlapInput1.init(is);
+ burlapInput1.readObject(); //bad
+ }
+
+ @GetMapping(value = "jsonio1")
+ public void good1(HttpServletRequest request) {
+ String data = request.getParameter("data");
+
+ HashMap hashMap = new HashMap();
+ hashMap.put("USE_MAPS", true);
+
+ JsonReader.jsonToJava(data, hashMap); //good
+ }
+
+ @GetMapping(value = "jsonio2")
+ public void good2(HttpServletRequest request) {
+ String data = request.getParameter("data");
+
+ HashMap hashMap = new HashMap();
+ hashMap.put("USE_MAPS", true);
+
+ JsonReader jr1 = new JsonReader(data, hashMap); //good
+ jr1.readObject();
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
index 2af8369c111..7b02131cd73 100644
--- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
+++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
@@ -48,6 +48,38 @@ edges
| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream |
| B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] |
| B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:31:23:31:23 | s |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data |
+| C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data |
+| C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:61:55:61:59 | bytes : byte[] |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:63:3:63:14 | hessianInput |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:64:3:64:14 | hessianInput |
+| C.java:61:55:61:59 | bytes : byte[] | C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:70:55:70:59 | bytes : byte[] |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:72:3:72:14 | hessianInput |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:73:3:73:14 | hessianInput |
+| C.java:70:55:70:59 | bytes : byte[] | C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:85:54:85:67 | serializedData : byte[] |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:87:3:87:13 | burlapInput |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:91:3:91:14 | burlapInput1 |
+| C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream |
| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
@@ -111,6 +143,39 @@ nodes
| B.java:29:5:29:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| B.java:29:22:29:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
| B.java:31:23:31:23 | s | semmle.label | s |
+| C.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:24:13:24:16 | data | semmle.label | data |
+| C.java:25:19:25:22 | data | semmle.label | data |
+| C.java:26:25:26:28 | data | semmle.label | data |
+| C.java:27:17:27:20 | data | semmle.label | data |
+| C.java:30:19:30:22 | data | semmle.label | data |
+| C.java:31:25:31:28 | data | semmle.label | data |
+| C.java:32:31:32:34 | data | semmle.label | data |
+| C.java:33:23:33:26 | data | semmle.label | data |
+| C.java:38:17:38:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:43:25:43:28 | data | semmle.label | data |
+| C.java:46:3:46:4 | jr | semmle.label | jr |
+| C.java:51:17:51:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:53:3:53:3 | r | semmle.label | r |
+| C.java:54:3:54:3 | r | semmle.label | r |
+| C.java:55:3:55:3 | r | semmle.label | r |
+| C.java:60:18:60:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:61:55:61:59 | bytes : byte[] | semmle.label | bytes : byte[] |
+| C.java:63:3:63:14 | hessianInput | semmle.label | hessianInput |
+| C.java:64:3:64:14 | hessianInput | semmle.label | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:70:55:70:59 | bytes : byte[] | semmle.label | bytes : byte[] |
+| C.java:72:3:72:14 | hessianInput | semmle.label | hessianInput |
+| C.java:73:3:73:14 | hessianInput | semmle.label | hessianInput |
+| C.java:79:26:79:71 | new StringReader(...) | semmle.label | new StringReader(...) |
+| C.java:79:43:79:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:84:27:84:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:85:54:85:67 | serializedData : byte[] | semmle.label | serializedData : byte[] |
+| C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput |
+| C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
| TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream |
@@ -141,4 +206,24 @@ nodes
| B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
| B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |
| B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization of $@. | B.java:27:31:27:51 | getInputStream(...) | user input |
+| C.java:24:3:24:17 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:25:3:25:23 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:26:3:26:43 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:27:3:27:35 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:30:3:30:23 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:31:3:31:29 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:32:3:32:49 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:33:3:33:41 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:43:3:43:29 | jsonToJava(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data | Unsafe deserialization of $@. | C.java:38:17:38:44 | getParameter(...) | user input |
+| C.java:46:3:46:17 | readObject(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr | Unsafe deserialization of $@. | C.java:38:17:38:44 | getParameter(...) | user input |
+| C.java:53:3:53:10 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:54:3:54:22 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:55:3:55:36 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:63:3:63:27 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput | Unsafe deserialization of $@. | C.java:60:18:60:45 | getParameter(...) | user input |
+| C.java:64:3:64:39 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput | Unsafe deserialization of $@. | C.java:60:18:60:45 | getParameter(...) | user input |
+| C.java:72:3:72:27 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput | Unsafe deserialization of $@. | C.java:69:18:69:45 | getParameter(...) | user input |
+| C.java:73:3:73:39 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput | Unsafe deserialization of $@. | C.java:69:18:69:45 | getParameter(...) | user input |
+| C.java:79:3:79:72 | unmarshal(...) | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | Unsafe deserialization of $@. | C.java:79:43:79:70 | getParameter(...) | user input |
+| C.java:87:3:87:26 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
+| C.java:91:3:91:27 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |
diff --git a/java/ql/test/query-tests/security/CWE-502/options b/java/ql/test/query-tests/security/CWE-502/options
index 6df0c9374c2..ebf1581cc8a 100644
--- a/java/ql/test/query-tests/security/CWE-502/options
+++ b/java/ql/test/query-tests/security/CWE-502/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/types/AnyNode.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/types/AnyNode.java
new file mode 100644
index 00000000000..f29270d2521
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/types/AnyNode.java
@@ -0,0 +1,11 @@
+package org.exolab.castor.types;
+
+import java.io.Serializable;
+
+public final class AnyNode implements Serializable {
+
+ private static final long serialVersionUID = -4104117996051705975L;
+
+ public AnyNode() { }
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/EventProducer.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/EventProducer.java
new file mode 100644
index 00000000000..08893c95a48
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/EventProducer.java
@@ -0,0 +1,12 @@
+package org.exolab.castor.xml;
+
+import org.xml.sax.DocumentHandler;
+import org.xml.sax.SAXException;
+
+/** @deprecated */
+public interface EventProducer {
+ void setDocumentHandler(DocumentHandler var1);
+
+ void start() throws SAXException;
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventAndErrorProducer.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventAndErrorProducer.java
new file mode 100644
index 00000000000..77978b53f01
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventAndErrorProducer.java
@@ -0,0 +1,8 @@
+package org.exolab.castor.xml;
+
+import org.xml.sax.ErrorHandler;
+
+public interface SAX2EventAndErrorProducer extends SAX2EventProducer {
+ void setErrorHandler(ErrorHandler var1);
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventProducer.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventProducer.java
new file mode 100644
index 00000000000..66b2cf8259f
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventProducer.java
@@ -0,0 +1,11 @@
+package org.exolab.castor.xml;
+
+import org.xml.sax.ContentHandler;
+import org.xml.sax.SAXException;
+
+public interface SAX2EventProducer {
+ void setContentHandler(ContentHandler var1);
+
+ void start() throws SAXException;
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/Unmarshaller.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/Unmarshaller.java
new file mode 100644
index 00000000000..cc76c2c5e6a
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/Unmarshaller.java
@@ -0,0 +1,74 @@
+package org.exolab.castor.xml;
+
+import java.io.Reader;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.Source;
+import org.exolab.castor.types.AnyNode;
+import org.w3c.dom.Node;
+import org.xml.sax.InputSource;
+import org.xml.sax.Parser;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+
+public class Unmarshaller {
+
+ public Unmarshaller() { }
+
+ public Object unmarshal(Reader reader) {
+ return null;
+ }
+
+ public Object unmarshal(EventProducer eventProducer) {
+ return null;
+ }
+
+ public Object unmarshal(SAX2EventProducer eventProducer) {
+ return null;
+ }
+
+ public Object unmarshal(AnyNode anyNode) {
+ return null;
+ }
+
+ public Object unmarshal(InputSource source) {
+ return null;
+ }
+
+ public Object unmarshal(Node node) {
+ return null;
+ }
+
+ public Object unmarshal(XMLEventReader eventReader) {
+ return null;
+ }
+
+ public Object unmarshal(XMLStreamReader streamReader) {
+ return null;
+ }
+
+ public Object unmarshal(SAX2EventAndErrorProducer eventProducer) {
+ return null;
+ }
+
+ public Object unmarshal(Source source) {
+ return null;
+ }
+
+ public static Object unmarshal(Class c, Reader reader) {
+ return null;
+ }
+
+ private static Unmarshaller createUnmarshaller(Class clazz) {
+ return null;
+ }
+
+ public static Object unmarshal(Class c, InputSource source) {
+ return null;
+ }
+
+ public static Object unmarshal(Class c, Node node) {
+ return null;
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractBurlapInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractBurlapInput.java
new file mode 100644
index 00000000000..9bf1892ea5b
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractBurlapInput.java
@@ -0,0 +1,9 @@
+package com.caucho.burlap.io;
+
+import com.caucho.hessian.io.AbstractHessianInput;
+
+public abstract class AbstractBurlapInput extends AbstractHessianInput {
+ public AbstractBurlapInput() {
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractHessianInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractHessianInput.java
new file mode 100644
index 00000000000..aff9f533850
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractHessianInput.java
@@ -0,0 +1,110 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import org.w3c.dom.Node;
+
+public abstract class AbstractHessianInput {
+
+ public AbstractHessianInput() {
+ }
+
+ public void init(InputStream is) {
+ }
+
+ public abstract String getMethod();
+
+ public void setSerializerFactory(SerializerFactory ser) {
+ }
+
+ public abstract int readCall() throws IOException;
+
+ public void skipOptionalCall() throws IOException {
+ }
+
+ public abstract String readHeader() throws IOException;
+
+ public abstract String readMethod() throws IOException;
+
+ public int readMethodArgLength() throws IOException {
+ return -1;
+ }
+
+ public abstract void startCall() throws IOException;
+
+ public abstract void completeCall() throws IOException;
+
+ public abstract Object readReply(Class var1) throws Throwable;
+
+ public abstract void startReply() throws Throwable;
+
+ public void startReplyBody() throws Throwable {
+ }
+
+ public abstract void completeReply() throws IOException;
+
+ public abstract boolean readBoolean() throws IOException;
+
+ public abstract void readNull() throws IOException;
+
+ public abstract int readInt() throws IOException;
+
+ public abstract long readLong() throws IOException;
+
+ public abstract double readDouble() throws IOException;
+
+ public abstract long readUTCDate() throws IOException;
+
+ public abstract String readString() throws IOException;
+
+ public Node readNode() throws IOException {
+ return null;
+ }
+
+ public abstract Reader getReader() throws IOException;
+
+ public abstract InputStream readInputStream() throws IOException;
+
+ public boolean readToOutputStream(OutputStream os) throws IOException {
+ return true;
+ }
+
+ public abstract byte[] readBytes() throws IOException;
+
+ public abstract Object readObject(Class var1) throws IOException;
+
+ public abstract Object readObject() throws IOException;
+
+ public abstract Object readRemote() throws IOException;
+
+ public abstract Object readRef() throws IOException;
+
+ public abstract int addRef(Object var1) throws IOException;
+
+ public abstract void setRef(int var1, Object var2) throws IOException;
+
+ public void resetReferences() {
+ }
+
+ public abstract int readListStart() throws IOException;
+
+ public abstract int readLength() throws IOException;
+
+ public abstract int readMapStart() throws IOException;
+
+ public abstract String readType() throws IOException;
+
+ public abstract boolean isEnd() throws IOException;
+
+ public abstract void readEnd() throws IOException;
+
+ public abstract void readMapEnd() throws IOException;
+
+ public abstract void readListEnd() throws IOException;
+
+ public void close() throws IOException {
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractSerializerFactory.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractSerializerFactory.java
new file mode 100644
index 00000000000..d4bc523ec87
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractSerializerFactory.java
@@ -0,0 +1,11 @@
+package com.caucho.hessian.io;
+
+public abstract class AbstractSerializerFactory {
+ public AbstractSerializerFactory() {
+ }
+
+ public abstract Serializer getSerializer(Class var1) throws HessianProtocolException;
+
+ public abstract Deserializer getDeserializer(Class var1) throws HessianProtocolException;
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/BurlapInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/BurlapInput.java
new file mode 100644
index 00000000000..ec02d2f302b
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/BurlapInput.java
@@ -0,0 +1,274 @@
+package com.caucho.burlap.io;
+
+import com.caucho.hessian.io.SerializerFactory;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.TimeZone;
+import org.w3c.dom.Node;
+
+public class BurlapInput extends AbstractBurlapInput {
+
+ public BurlapInput() { }
+
+ public BurlapInput(InputStream is) { }
+
+ public void setSerializerFactory(SerializerFactory factory) { }
+
+ public SerializerFactory getSerializerFactory() {
+ return null;
+ }
+
+ public void init(InputStream is) { }
+
+ public String getMethod() {
+ return null;
+ }
+
+ public Throwable getReplyFault() {
+ return null;
+ }
+
+ public void startCall() throws IOException { }
+
+ public int readCall() throws IOException {
+ return 1;
+ }
+
+ public String readMethod() throws IOException {
+ return null;
+ }
+
+ public void completeCall() throws IOException { }
+
+ public Object readReply(Class expectedClass) throws Throwable {
+ return null;
+ }
+
+ public void startReply() throws Throwable { }
+
+ private Throwable prepareFault() throws IOException {
+ return null;
+ }
+
+ public void completeReply() throws IOException { }
+
+ public String readHeader() throws IOException {
+ return null;
+ }
+
+ public void readNull() throws IOException { }
+
+ public boolean readBoolean() throws IOException {
+ return true;
+ }
+
+ public byte readByte() throws IOException {
+ return 1;
+ }
+
+ public short readShort() throws IOException {
+ return 1;
+ }
+
+ public int readInt() throws IOException {
+ return 1;
+ }
+
+ public long readLong() throws IOException {
+ return 1L;
+ }
+
+ public float readFloat() throws IOException {
+ return 1.1F;
+ }
+
+ public double readDouble() throws IOException {
+ return 1.1;
+ }
+
+ public long readUTCDate() throws IOException {
+ return 1L;
+ }
+
+ public long readLocalDate() throws IOException {
+ return 1L;
+ }
+
+ public String readString() throws IOException {
+ return null;
+ }
+
+ public Node readNode() throws IOException {
+ return null;
+ }
+
+ public byte[] readBytes() throws IOException {
+ return null;
+ }
+
+ public int readLength() throws IOException {
+ return 1;
+ }
+
+ private HashMap readFault() throws IOException {
+ return null;
+ }
+
+ public Object readObject(Class cl) throws IOException {
+ return null;
+ }
+
+ public Object readObject() throws IOException {
+ return null;
+ }
+
+ public Object readRemote() throws IOException {
+ return null;
+ }
+
+ public Object readRef() throws IOException {
+ return null;
+ }
+
+ public int readListStart() throws IOException {
+ return 1;
+ }
+
+ public int readMapStart() throws IOException {
+ return 1;
+ }
+
+ public boolean isEnd() throws IOException {
+ return true;
+ }
+
+ public void readEnd() throws IOException { }
+
+ public void readMapEnd() throws IOException { }
+
+ public void readListEnd() throws IOException { }
+
+ public int addRef(Object ref) {
+ return 1;
+ }
+
+ public void setRef(int i, Object ref) { }
+
+ public Object resolveRemote(String type, String url) throws IOException {
+ return null;
+ }
+
+ public String readType() throws IOException {
+ return null;
+ }
+
+ private int parseInt() throws IOException {
+ return 1;
+ }
+
+ private long parseLong() throws IOException {
+ return 1L;
+ }
+
+ private double parseDouble() throws IOException {
+ return 1.1;
+ }
+
+ protected long parseDate() throws IOException {
+ return 1L;
+ }
+
+ protected long parseDate(Calendar calendar) throws IOException {
+ return 1L;
+ }
+
+ protected String parseString() throws IOException {
+ return null;
+ }
+
+ protected StringBuffer parseString(StringBuffer sbuf) throws IOException {
+ return null;
+ }
+
+ Node parseXML() throws IOException {
+ return null;
+ }
+
+ int readChar() throws IOException {
+ return 1;
+ }
+
+ protected byte[] parseBytes() throws IOException {
+ return null;
+ }
+
+ protected ByteArrayOutputStream parseBytes(ByteArrayOutputStream bos) throws IOException {
+ return null;
+ }
+
+ public void expectTag(int expectTag) throws IOException { }
+
+ protected int parseTag() throws IOException {
+ return 1;
+ }
+
+ private boolean isTagChar(int ch) {
+ return true;
+ }
+
+ protected int skipWhitespace() throws IOException {
+ return 1;
+ }
+
+ protected boolean isWhitespace(int ch) throws IOException {
+ return true;
+ }
+
+ int read(byte[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ int read() throws IOException {
+ return 1;
+ }
+
+ public Reader getReader() {
+ return null;
+ }
+
+ public InputStream readInputStream() {
+ return null;
+ }
+
+ public InputStream getInputStream() {
+ return null;
+ }
+
+ protected IOException expectBeginTag(String expect, String tag) {
+ return null;
+ }
+
+ protected IOException expectedChar(String expect, int ch) {
+ return null;
+ }
+
+ protected IOException expectedTag(String expect, int tag) {
+ return null;
+ }
+
+ protected IOException error(String message) {
+ return null;
+ }
+
+ protected static String tagName(int tag) {
+ return null;
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Deserializer.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Deserializer.java
new file mode 100644
index 00000000000..2a96e53c397
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Deserializer.java
@@ -0,0 +1,26 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public interface Deserializer {
+ Class getType();
+
+ boolean isReadResolve();
+
+ Object readObject(AbstractHessianInput var1) throws IOException;
+
+ Object readList(AbstractHessianInput var1, int var2) throws IOException;
+
+ Object readLengthList(AbstractHessianInput var1, int var2) throws IOException;
+
+ Object readMap(AbstractHessianInput var1) throws IOException;
+
+ Object[] createFields(int var1);
+
+ Object createField(String var1);
+
+ Object readObject(AbstractHessianInput var1, Object[] var2) throws IOException;
+
+ Object readObject(AbstractHessianInput var1, String[] var2) throws IOException;
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/HessianProtocolException.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/HessianProtocolException.java
new file mode 100644
index 00000000000..173d5876c03
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/HessianProtocolException.java
@@ -0,0 +1,24 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public class HessianProtocolException extends IOException {
+
+ public HessianProtocolException() {
+ }
+
+ public HessianProtocolException(String message) { }
+
+ public HessianProtocolException(String message, Throwable rootCause) { }
+
+ public HessianProtocolException(Throwable rootCause) { }
+
+ public Throwable getRootCause() {
+ return null;
+ }
+
+ public Throwable getCause() {
+ return null;
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Serializer.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Serializer.java
new file mode 100644
index 00000000000..fbd3f5bc9c8
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Serializer.java
@@ -0,0 +1,8 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public interface Serializer {
+
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/SerializerFactory.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/SerializerFactory.java
new file mode 100644
index 00000000000..96716eca3ae
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/SerializerFactory.java
@@ -0,0 +1,12 @@
+package com.caucho.hessian.io;
+
+public class SerializerFactory extends AbstractSerializerFactory {
+
+ public Serializer getSerializer(Class cl) throws HessianProtocolException {
+ return null;
+ }
+
+ public Deserializer getDeserializer(Class cl) throws HessianProtocolException {
+ return null;
+ }
+}
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/AbstractHessianInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/AbstractHessianInput.java
new file mode 100644
index 00000000000..4b9d3b7ad44
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/AbstractHessianInput.java
@@ -0,0 +1,111 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+
+public abstract class AbstractHessianInput {
+
+ public AbstractHessianInput() {
+ }
+
+ public void init(InputStream is) {
+ }
+
+ public abstract String getMethod();
+
+ public void setRemoteResolver(HessianRemoteResolver resolver) { }
+
+ public HessianRemoteResolver getRemoteResolver() {
+ return null;
+ }
+
+ public void setSerializerFactory(SerializerFactory ser) {
+ }
+
+ public abstract int readCall() throws IOException;
+
+ public void skipOptionalCall() throws IOException {
+ }
+
+ public abstract String readHeader() throws IOException;
+
+ public abstract String readMethod() throws IOException;
+
+ public int readMethodArgLength() throws IOException {
+ return -1;
+ }
+
+ public abstract void startCall() throws IOException;
+
+ public abstract void completeCall() throws IOException;
+
+ public abstract Object readReply(Class var1) throws Throwable;
+
+ public abstract void startReply() throws Throwable;
+
+ public void startReplyBody() throws Throwable {
+ }
+
+ public abstract void completeReply() throws IOException;
+
+ public abstract boolean readBoolean() throws IOException;
+
+ public abstract void readNull() throws IOException;
+
+ public abstract int readInt() throws IOException;
+
+ public abstract long readLong() throws IOException;
+
+ public abstract double readDouble() throws IOException;
+
+ public abstract long readUTCDate() throws IOException;
+
+ public abstract String readString() throws IOException;
+
+ public abstract Reader getReader() throws IOException;
+
+ public abstract InputStream readInputStream() throws IOException;
+
+ public boolean readToOutputStream(OutputStream os) throws IOException {
+ return true;
+ }
+
+ public abstract byte[] readBytes() throws IOException;
+
+ public abstract Object readObject(Class var1) throws IOException;
+
+ public abstract Object readObject() throws IOException;
+
+ public abstract Object readRemote() throws IOException;
+
+ public abstract Object readRef() throws IOException;
+
+ public abstract int addRef(Object var1) throws IOException;
+
+ public abstract void setRef(int var1, Object var2) throws IOException;
+
+ public void resetReferences() {
+ }
+
+ public abstract int readListStart() throws IOException;
+
+ public abstract int readLength() throws IOException;
+
+ public abstract int readMapStart() throws IOException;
+
+ public abstract String readType() throws IOException;
+
+ public abstract boolean isEnd() throws IOException;
+
+ public abstract void readEnd() throws IOException;
+
+ public abstract void readMapEnd() throws IOException;
+
+ public abstract void readListEnd() throws IOException;
+
+ public void close() throws IOException {
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/Hessian2Input.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/Hessian2Input.java
new file mode 100644
index 00000000000..1ed011945e1
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/Hessian2Input.java
@@ -0,0 +1,297 @@
+package com.caucho.hessian.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.EOFException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class Hessian2Input extends AbstractHessianInput {
+
+ public Hessian2Input() { }
+
+ public Hessian2Input(InputStream is) { }
+
+ public String getMethod() {
+ return null;
+ }
+
+ public Throwable getReplyFault() {
+ return null;
+ }
+
+ public int readCall() throws IOException {
+ return 1;
+ }
+
+ public int readEnvelope() throws IOException {
+ return 1;
+ }
+
+ public void completeEnvelope() throws IOException { }
+
+ public String readMethod() throws IOException {
+ return null;
+ }
+
+ public int readMethodArgLength() throws IOException {
+ return 1;
+ }
+
+ public void startCall() throws IOException { }
+
+ public Object[] readArguments() throws IOException {
+ return null;
+ }
+
+ public void completeCall() throws IOException { }
+
+ public Object readReply(Class expectedClass) throws Throwable {
+ return null;
+ }
+
+ public void startReply() throws Throwable { }
+
+ private Throwable prepareFault(HashMap fault) throws IOException {
+ return null;
+ }
+
+ public void completeReply() throws IOException { }
+
+ public void completeValueReply() throws IOException { }
+
+ public String readHeader() throws IOException {
+ return null;
+ }
+
+ public int startMessage() throws IOException {
+ return 1;
+ }
+
+ public void completeMessage() throws IOException { }
+
+ public void readNull() throws IOException { }
+
+ public boolean readBoolean() throws IOException {
+ return true;
+ }
+
+ public short readShort() throws IOException {
+ return 11111;
+ }
+
+ public final int readInt() throws IOException {
+ return 1;
+ }
+
+ public long readLong() throws IOException {
+ return 1L;
+ }
+
+ public float readFloat() throws IOException {
+ return 1.1F;
+ }
+
+ public double readDouble() throws IOException {
+ return 1.1;
+ }
+
+ public long readUTCDate() throws IOException {
+ return 1L;
+ }
+
+ public int readChar() throws IOException {
+ return 1;
+ }
+
+ public int readString(char[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ public String readString() throws IOException {
+ return null;
+ }
+
+ public byte[] readBytes() throws IOException {
+ return null;
+ }
+
+ public int readByte() throws IOException {
+ return 1;
+ }
+
+ public int readBytes(byte[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ private HashMap readFault() throws IOException {
+ return null;
+ }
+
+ public Object readObject(Class cl) throws IOException {
+ return null;
+ }
+
+ public Object readObject() throws IOException {
+ return null;
+ }
+
+ private void readObjectDefinition(Class cl) throws IOException { }
+
+ private Object readObjectInstance(Class cl, Hessian2Input.ObjectDefinition def) throws IOException {
+ return null;
+ }
+
+ public Object readRemote() throws IOException {
+ return null;
+ }
+
+ public Object readRef() throws IOException {
+ return null;
+ }
+
+ public int readListStart() throws IOException {
+ return 1;
+ }
+
+ public int readMapStart() throws IOException {
+ return 1;
+ }
+
+ public boolean isEnd() throws IOException {
+ return true;
+ }
+
+ public void readEnd() throws IOException { }
+
+ public void readMapEnd() throws IOException { }
+
+ public void readListEnd() throws IOException { }
+
+ public int addRef(Object ref) {
+ return 1;
+ }
+
+ public void setRef(int i, Object ref) { }
+
+ public void resetReferences() { }
+
+ public void reset() { }
+
+ public void resetBuffer() { }
+
+ public Object readStreamingObject() throws IOException {
+ return null;
+ }
+
+ public Object resolveRemote(String type, String url) throws IOException {
+ return null;
+ }
+
+ public String readType() throws IOException {
+ return null;
+ }
+
+ public int readLength() throws IOException {
+ return 1;
+ }
+
+ private int parseInt() throws IOException {
+ return 1;
+ }
+
+ private long parseLong() throws IOException {
+ return 1L;
+ }
+
+ private double parseDouble() throws IOException {
+ return 1.1;
+ }
+
+ private void parseString(StringBuilder sbuf) throws IOException { }
+
+ private int parseChar() throws IOException {
+ return 1;
+ }
+
+ private boolean parseChunkLength() throws IOException {
+ return true;
+ }
+
+ private int parseUTF8Char() throws IOException {
+ return 1;
+ }
+
+ private int parseByte() throws IOException {
+ return 1;
+ }
+
+ public InputStream readInputStream() throws IOException {
+ return null;
+ }
+
+ int read(byte[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ public final int read() throws IOException {
+ return 1;
+ }
+
+ protected void unread() { }
+
+ private final boolean readBuffer() throws IOException {
+ return true;
+ }
+
+ public Reader getReader() {
+ return null;
+ }
+
+ protected IOException expect(String expect, int ch) throws IOException {
+ return null;
+ }
+
+ private String buildDebugContext(byte[] buffer, int offset, int length, int errorOffset) {
+ return null;
+ }
+
+ private void addDebugChar(StringBuilder sb, int ch) { }
+
+ protected String codeName(int ch) {
+ return null;
+ }
+
+ protected IOException error(String message) {
+ return null;
+ }
+
+ public void free() { }
+
+ public void close() throws IOException { }
+
+ static final class ObjectDefinition {
+ }
+
+ class ReadInputStream extends InputStream {
+
+ ReadInputStream() { }
+
+ public int read() throws IOException {
+ return 1;
+ }
+
+ public int read(byte[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ public void close() throws IOException { }
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianInput.java
new file mode 100644
index 00000000000..e10a11ad706
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianInput.java
@@ -0,0 +1,229 @@
+package com.caucho.hessian.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+
+public class HessianInput extends AbstractHessianInput {
+
+ public HessianInput() {
+ }
+
+ public HessianInput(InputStream is) { }
+
+ public void init(InputStream is) { }
+
+ public String getMethod() {
+ return null;
+ }
+
+ public Throwable getReplyFault() {
+ return null;
+ }
+
+ public int readCall() throws IOException {
+ return 0;
+ }
+
+ public void skipOptionalCall() throws IOException { }
+
+ public String readMethod() throws IOException {
+ return null;
+ }
+
+ public void startCall() throws IOException { }
+
+ public void completeCall() throws IOException { }
+
+ public Object readReply(Class expectedClass) throws Throwable {
+ return null;
+ }
+
+ public void startReply() throws Throwable { }
+
+ public void startReplyBody() throws Throwable { }
+
+ private Throwable prepareFault() throws IOException {
+ return null;
+ }
+
+ public void completeReply() throws IOException { }
+
+ public void completeValueReply() throws IOException { }
+
+ public String readHeader() throws IOException {
+ return null;
+ }
+
+ public void readNull() throws IOException { }
+
+ public boolean readBoolean() throws IOException {
+ return true;
+ }
+
+ public short readShort() throws IOException {
+ return 11111;
+ }
+
+ public int readInt() throws IOException {
+ return 1;
+ }
+
+ public long readLong() throws IOException {
+ return 1L;
+ }
+
+ public float readFloat() throws IOException {
+ return 1.1F;
+ }
+
+ public double readDouble() throws IOException {
+ return 1.1;
+ }
+
+ public long readUTCDate() throws IOException {
+ return 1L;
+ }
+
+ public int readChar() throws IOException {
+ return 1;
+ }
+
+ public int readString(char[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ public String readString() throws IOException {
+ return null;
+ }
+
+ public byte[] readBytes() throws IOException {
+ return null;
+ }
+
+ public int readByte() throws IOException {
+ return 1;
+ }
+
+ public int readBytes(byte[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ private HashMap readFault() throws IOException {
+ return null;
+ }
+
+ public Object readObject(Class cl) throws IOException {
+ return null;
+ }
+
+ public Object readObject() throws IOException {
+ return null;
+ }
+
+ public Object readRemote() throws IOException {
+ return null;
+ }
+
+ public Object readRef() throws IOException {
+ return null;
+ }
+
+ public int readListStart() throws IOException {
+ return 1;
+ }
+
+ public int readMapStart() throws IOException {
+ return 1;
+ }
+
+ public boolean isEnd() throws IOException {
+ return true;
+ }
+
+ public void readEnd() throws IOException { }
+
+ public void readMapEnd() throws IOException { }
+
+ public void readListEnd() throws IOException { }
+
+ public int addRef(Object ref) {
+ return 1;
+ }
+
+ public void setRef(int i, Object ref) { }
+
+ public void resetReferences() { }
+
+ public Object resolveRemote(String type, String url) throws IOException {
+ return null;
+ }
+
+ public String readType() throws IOException {
+ return null;
+ }
+
+ public int readLength() throws IOException {
+ return 1;
+ }
+
+ private int parseInt() throws IOException {
+ return 1;
+ }
+
+ private long parseLong() throws IOException {
+ return 1L;
+ }
+
+ private double parseDouble() throws IOException {
+ return 1.1;
+ }
+
+ private int parseChar() throws IOException {
+ return 1;
+ }
+
+ private int parseUTF8Char() throws IOException {
+ return 1;
+ }
+
+ private int parseByte() throws IOException {
+ return 1;
+ }
+
+ public InputStream readInputStream() throws IOException {
+ return null;
+ }
+
+ int read(byte[] buffer, int offset, int length) throws IOException {
+ return 1;
+ }
+
+ final int read() throws IOException {
+ return 1;
+ }
+
+ public void close() { }
+
+ public Reader getReader() {
+ return null;
+ }
+
+ protected IOException expect(String expect, int ch) {
+ return null;
+ }
+
+ protected String codeName(int ch) {
+ return null;
+ }
+
+ protected IOException error(String message) {
+ return null;
+ }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianRemoteResolver.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianRemoteResolver.java
new file mode 100644
index 00000000000..3a6b7f86604
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianRemoteResolver.java
@@ -0,0 +1,8 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public interface HessianRemoteResolver {
+ Object lookup(String var1, String var2) throws IOException;
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/SerializerFactory.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/SerializerFactory.java
new file mode 100644
index 00000000000..2e87899e6dd
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/SerializerFactory.java
@@ -0,0 +1,5 @@
+package com.caucho.hessian.io;
+
+public class SerializerFactory {
+
+}
diff --git a/java/ql/test/stubs/json-io-4.10.0/com/cedarsoftware/util/io/JsonReader.java b/java/ql/test/stubs/json-io-4.10.0/com/cedarsoftware/util/io/JsonReader.java
new file mode 100644
index 00000000000..75bfce50eeb
--- /dev/null
+++ b/java/ql/test/stubs/json-io-4.10.0/com/cedarsoftware/util/io/JsonReader.java
@@ -0,0 +1,41 @@
+package com.cedarsoftware.util.io;
+
+import java.io.Closeable;
+import java.io.InputStream;
+import java.util.Map;
+
+public class JsonReader implements Closeable {
+
+ public static Object jsonToJava(String json) {
+ return null;
+ }
+
+ public static Object jsonToJava(String json, Map optionalArgs) {
+ return null;
+ }
+
+ public static Object jsonToJava(InputStream inputStream, Map optionalArgs) {
+ return null;
+ }
+
+ public JsonReader() { }
+
+ public JsonReader(InputStream inp) { }
+
+ public JsonReader(Map optionalArgs) { }
+
+ public JsonReader(InputStream inp, boolean useMaps) { }
+
+ public JsonReader(InputStream inp, Map optionalArgs) { }
+
+ public JsonReader(String inp, Map optionalArgs) { }
+
+ public JsonReader(byte[] inp, Map optionalArgs) { }
+
+ public Object readObject() {
+ return null;
+ }
+
+ public void close() { }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/Yaml.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/Yaml.java
new file mode 100644
index 00000000000..43c10a12142
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/Yaml.java
@@ -0,0 +1,77 @@
+package org.ho.yaml;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.Reader;
+
+public class Yaml {
+
+ public Yaml() {
+ }
+
+ public static Object load(Reader var0) {
+ return null;
+ }
+
+ public static Object load(InputStream var0) {
+ return null;
+ }
+
+ public static Object load(File var0) throws FileNotFoundException {
+ return null;
+ }
+
+ public static Object load(String var0) {
+ return null;
+ }
+
+ public static T loadType(Reader var0, Class var1) {
+ return null;
+ }
+
+ public static T loadType(InputStream var0, Class var1) throws FileNotFoundException {
+ return null;
+ }
+
+ public static T loadType(File var0, Class var1) throws FileNotFoundException {
+ return null;
+ }
+
+ public static T loadType(String var0, Class var1) {
+ return null;
+ }
+
+ public static YamlStream loadStream(Reader var0) {
+ return null;
+ }
+
+ public static YamlStream loadStream(InputStream var0) {
+ return null;
+ }
+
+ public static YamlStream loadStream(File var0) throws FileNotFoundException {
+ return null;
+ }
+
+ public static YamlStream loadStream(String var0) {
+ return null;
+ }
+
+ public static YamlStream loadStreamOfType(Reader var0, Class var1) {
+ return null;
+ }
+
+ public static YamlStream loadStreamOfType(InputStream var0, Class var1) {
+ return null;
+ }
+
+ public static YamlStream loadStreamOfType(File var0, Class var1) throws FileNotFoundException {
+ return null;
+ }
+
+ public static YamlStream loadStreamOfType(String var0, Class var1) throws FileNotFoundException {
+ return null;
+ }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlConfig.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlConfig.java
new file mode 100644
index 00000000000..bdf3059eec7
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlConfig.java
@@ -0,0 +1,122 @@
+package org.ho.yaml;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.util.Iterator;
+
+public class YamlConfig implements YamlOperations, Cloneable {
+
+ public YamlConfig() { }
+
+ public Object load(YamlDecoder var1) {
+ return null;
+ }
+
+ public Object load(InputStream var1) {
+ return null;
+ }
+
+ public Object load(Reader var1) {
+ return null;
+ }
+
+ public Object load(File var1) throws FileNotFoundException {
+ return null;
+ }
+
+ public Object load(String var1) {
+ return null;
+ }
+
+ public T loadType(YamlDecoder var1, Class var2) {
+ return null;
+ }
+
+ public T loadType(InputStream var1, Class var2) {
+ return null;
+ }
+
+ public T loadType(Reader var1, Class var2) {
+ return null;
+ }
+
+ public T loadType(File var1, Class var2) throws FileNotFoundException {
+ return null;
+ }
+
+ public T loadType(String var1, Class var2) {
+ return null;
+ }
+
+ public YamlStream loadStream(YamlDecoder var1) {
+ return null;
+ }
+
+ public YamlStream loadStream(Reader var1) {
+ return null;
+ }
+
+ public YamlStream loadStream(InputStream var1) {
+ return null;
+ }
+
+ public YamlStream loadStream(File var1) throws FileNotFoundException {
+ return null;
+ }
+
+ public YamlStream loadStream(String var1) {
+ return null;
+ }
+
+ public YamlStream loadStreamOfType(YamlDecoder var1, Class var2) {
+ return null;
+ }
+
+ public YamlStream loadStreamOfType(Reader var1, Class var2) {
+ return null;
+ }
+
+ public YamlStream loadStreamOfType(InputStream var1, Class var2) {
+ return null;
+ }
+
+ public YamlStream loadStreamOfType(File var1, Class var2) throws FileNotFoundException {
+ return null;
+ }
+
+ public YamlStream loadStreamOfType(String var1, Class var2) {
+ return null;
+ }
+
+ public void dump(Object var1, File var2) throws FileNotFoundException { }
+
+ public void dump(Object var1, File var2, boolean var3) throws FileNotFoundException { }
+
+ public String dump(Object var1) {
+ return null;
+ }
+
+ public String dump(Object var1, boolean var2) {
+ return null;
+ }
+
+ public void dump(Object var1, OutputStream var2, boolean var3) { }
+
+ public void dump(Object var1, OutputStream var2) { }
+
+ public void dumpStream(Iterator var1, File var2, boolean var3) throws FileNotFoundException { }
+
+ public void dumpStream(Iterator var1, File var2) throws FileNotFoundException { }
+
+ public String dumpStream(Iterator var1) {
+ return null;
+ }
+
+ public String dumpStream(Iterator var1, boolean var2) {
+ return null;
+ }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlDecoder.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlDecoder.java
new file mode 100644
index 00000000000..b3bd4982a77
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlDecoder.java
@@ -0,0 +1,16 @@
+package org.ho.yaml;
+
+import java.io.InputStream;
+import java.io.Reader;
+
+public class YamlDecoder {
+
+ YamlDecoder(InputStream var1, YamlConfig var2) { }
+
+ public YamlDecoder(InputStream var1) { }
+
+ public YamlDecoder(Reader var1) { }
+
+ public YamlDecoder(Reader var1, YamlConfig var2) { }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlOperations.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlOperations.java
new file mode 100644
index 00000000000..b4af6ee7125
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlOperations.java
@@ -0,0 +1,63 @@
+package org.ho.yaml;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.util.Iterator;
+
+public interface YamlOperations {
+ Object load(InputStream var1);
+
+ Object load(Reader var1);
+
+ Object load(File var1) throws FileNotFoundException;
+
+ Object load(String var1);
+
+ T loadType(InputStream var1, Class var2);
+
+ T loadType(Reader var1, Class var2);
+
+ T loadType(File var1, Class var2) throws FileNotFoundException;
+
+ T loadType(String var1, Class var2);
+
+ YamlStream loadStream(InputStream var1);
+
+ YamlStream loadStream(Reader var1);
+
+ YamlStream loadStream(File var1) throws FileNotFoundException;
+
+ YamlStream loadStream(String var1);
+
+ YamlStream loadStreamOfType(InputStream var1, Class var2);
+
+ YamlStream loadStreamOfType(Reader var1, Class var2);
+
+ YamlStream loadStreamOfType(File var1, Class var2) throws FileNotFoundException;
+
+ YamlStream loadStreamOfType(String var1, Class var2);
+
+ void dump(Object var1, File var2) throws FileNotFoundException;
+
+ void dump(Object var1, File var2, boolean var3) throws FileNotFoundException;
+
+ String dump(Object var1);
+
+ String dump(Object var1, boolean var2);
+
+ void dumpStream(Iterator var1, File var2) throws FileNotFoundException;
+
+ void dumpStream(Iterator var1, File var2, boolean var3) throws FileNotFoundException;
+
+ String dumpStream(Iterator var1);
+
+ String dumpStream(Iterator var1, boolean var2);
+
+ void dump(Object var1, OutputStream var2);
+
+ void dump(Object var1, OutputStream var2, boolean var3);
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlStream.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlStream.java
new file mode 100644
index 00000000000..53f0ddf144e
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlStream.java
@@ -0,0 +1,7 @@
+package org.ho.yaml;
+
+import java.util.Iterator;
+
+public interface YamlStream extends Iterable, Iterator {
+}
+
diff --git a/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlConfig.java b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlConfig.java
new file mode 100644
index 00000000000..3488ef83dab
--- /dev/null
+++ b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlConfig.java
@@ -0,0 +1,7 @@
+package com.esotericsoftware.yamlbeans;
+
+public class YamlConfig {
+
+ public YamlConfig() { }
+}
+
diff --git a/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlException.java b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlException.java
new file mode 100644
index 00000000000..cb2e54f97e0
--- /dev/null
+++ b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlException.java
@@ -0,0 +1,18 @@
+package com.esotericsoftware.yamlbeans;
+
+import java.io.IOException;
+
+public class YamlException extends IOException {
+ public YamlException() {
+ }
+
+ public YamlException(String message, Throwable cause) {
+ }
+
+ public YamlException(String message) {
+ }
+
+ public YamlException(Throwable cause) {
+ }
+}
+
diff --git a/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlReader.java b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlReader.java
new file mode 100644
index 00000000000..edaeeb911e0
--- /dev/null
+++ b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlReader.java
@@ -0,0 +1,28 @@
+package com.esotericsoftware.yamlbeans;
+
+
+import java.io.Reader;
+
+public class YamlReader {
+
+ public YamlReader(Reader reader) { }
+
+ public YamlReader(Reader reader, YamlConfig config) { }
+
+ public YamlReader(String yaml) { }
+
+ public YamlReader(String yaml, YamlConfig config) { }
+
+ public Object read() throws YamlException {
+ return null;
+ }
+
+ public T read(Class type) throws YamlException {
+ return null;
+ }
+
+ public T read(Class type, Class elementType) throws YamlException {
+ return null;
+ }
+}
+