Merge pull request #7702 from atorralba/atorralba/fix-jndi-injection-sinks

Java: Remove some JNDI Injection sinks

java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java

@@ -110,7 +110,17 @@ public class JndiInjectionTest {
     LdapTemplate ctx = new LdapTemplate();
     Name name = new CompositeName().add(nameStr);
 
+    ctx.lookup(name); // $hasJndiInjection
+    ctx.lookup(name, (AttributesMapper) null); // Safe
+    ctx.lookup(name, (ContextMapper) null); // $hasJndiInjection
+    ctx.lookup(name, new String[] {}, (AttributesMapper) null); // Safe
+    ctx.lookup(name, new String[] {}, (ContextMapper) null); // $hasJndiInjection
     ctx.lookup(nameStr); // $hasJndiInjection
+    ctx.lookup(nameStr, (AttributesMapper) null); // Safe
+    ctx.lookup(nameStr, (ContextMapper) null); // $hasJndiInjection
+    ctx.lookup(nameStr, new String[] {}, (AttributesMapper) null); // Safe
+    ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $hasJndiInjection
+    ctx.lookupContext(name); // $hasJndiInjection
     ctx.lookupContext(nameStr); // $hasJndiInjection
     ctx.findByDn(name, null); // $hasJndiInjection
     ctx.rename(name, null); // $hasJndiInjection

java/ql/test/query-tests/security/CWE-074/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/Saxon-HE-9.9.1-7
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../stubs/apache-commons-logging-1.2