update tests, is not completed yet :)

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java

@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Path;

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/DecompressionBombs.qlref

@@ -1 +1 @@
-experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBombFlowState.ql
+experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/HelloServlet.java

@@ -0,0 +1,59 @@
+import org.apache.commons.compress.archivers.ArchiveException;
+import org.apache.commons.compress.compressors.CompressorException;
+import org.apache.commons.io.IOUtils;
+
+import java.io.*;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.zip.DataFormatException;
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class Bombs extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws IOException, ServletException, ServletException, IOException {
+        response.setContentType("text/html");
+        Part remoteFile = request.getPart("zipFile");
+        // Zip
+        ZipHandler.ZipInputStreamSafe2(remoteFile.getInputStream());
+        ZipHandler.ZipInputStreamSafe(request.getPart("zipFile").getInputStream());
+        ZipHandler.ZipInputStreamUnsafe(remoteFile.getInputStream());
+        ZipHandler.GZipInputStreamUnsafe(request.getPart("zipFile").getInputStream());
+        ZipHandler.InflaterInputStreamUnsafe(request.getPart("zipFile").getInputStream());
+        try {
+            ZipHandler.InflaterUnsafe(request.getParameter("data").getBytes(StandardCharsets.UTF_8));
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+           ZipHandler. ZipFile1(request.getParameter("zipFileName"));
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+
+        // Zip4j
+        Zip4jHandler.zip4jZipInputStream(remoteFile.getInputStream());
+        Zip4jHandler.zip4jZipInputStreamSafe(remoteFile.getInputStream());
+        // SnappyZip
+        SnappyHandler.SnappyZipInputStream(remoteFile.getInputStream());
+        // apache Commons
+        commonsCompressArchiveInputStream2(remoteFile.getInputStream());
+        CommonsCompressHandler.commonsCompressorInputStream(remoteFile.getInputStream());
+        try {
+            CommonsCompressHandler.commonsCompressArchiveInputStream(remoteFile.getInputStream());
+            CommonsCompressHandler.commonsCompressArchiveStreamFactory(remoteFile.getInputStream());
+        } catch (ArchiveException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+            CommonsCompressHandler.commonsCompressCompressorStreamFactory(remoteFile.getInputStream());
+        } catch (CompressorException e) {
+            throw new RuntimeException(e);
+        }
+
+        PrintWriter out = response.getWriter();
+        out.println("<html><body>end</body></html>");
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java

@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Paths;

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java

@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import net.lingala.zip4j.model.LocalFileHeader;
 import net.lingala.zip4j.io.inputstream.ZipInputStream;
 import java.io.*;

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java

@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import java.io.*;
 import java.io.FileOutputStream;
 import java.nio.ByteBuffer;

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/stubs

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/pom.xml

@@ -1,5 +1,6 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.example</groupId>
     <artifactId>BombsRemoteSourceMavenJavax2</artifactId>
@@ -76,4 +77,4 @@
             <version>1.23.0</version>
         </dependency>
     </dependencies>
-</project>
+</project>

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/java/com/Bombs/HelloServlet.java

@@ -1,84 +0,0 @@
-package com.Bombs;
-
-import org.apache.commons.compress.archivers.ArchiveException;
-import org.apache.commons.compress.compressors.CompressorException;
-import org.apache.commons.io.IOUtils;
-
-import static com.Bombs.CommonsCompressHandler.*;
-import static com.Bombs.SnappyHandler.*;
-import static com.Bombs.Zip4jHandler.*;
-import static com.Bombs.ZipHandler.*;
-
-import java.io.*;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.zip.DataFormatException;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.MultipartConfig;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.Part;
-
-@WebServlet(
-        name = "helloServlet",
-        urlPatterns = {"/hello-servlet"})
-@MultipartConfig()
-public class HelloServlet extends HttpServlet {
-
-    public void init() {
-    }
-
-    public void doPost(HttpServletRequest request, HttpServletResponse response)
-            throws IOException, ServletException {
-        response.setContentType("text/html");
-        Part remoteFile = request.getPart("zipFile");
-        // Zip
-        ZipInputStreamSafe2(remoteFile.getInputStream());
-        ZipInputStreamSafe(request.getPart("zipFile").getInputStream());
-        ZipInputStreamUnsafe(remoteFile.getInputStream());
-        GZipInputStreamUnsafe(request.getPart("zipFile").getInputStream());
-        InflaterInputStreamUnsafe(request.getPart("zipFile").getInputStream());
-        try {
-            InflaterUnsafe(request.getParameter("data").getBytes(StandardCharsets.UTF_8));
-        } catch (DataFormatException e) {
-            throw new RuntimeException(e);
-        }
-        try {
-            ZipFile1(request.getParameter("zipFileName"));
-        } catch (DataFormatException e) {
-            throw new RuntimeException(e);
-        }
-
-        // Zip4j
-        zip4jZipInputStream(remoteFile.getInputStream());
-        zip4jZipInputStreamSafe(remoteFile.getInputStream());
-        // SnappyZip
-        SnappyZipInputStream(remoteFile.getInputStream());
-        // apache Commons
-        commonsCompressArchiveInputStream2(remoteFile.getInputStream());
-        commonsCompressorInputStream(remoteFile.getInputStream());
-        try {
-            commonsCompressArchiveInputStream(remoteFile.getInputStream());
-            commonsCompressArchiveStreamFactory(remoteFile.getInputStream());
-        } catch (ArchiveException e) {
-            throw new RuntimeException(e);
-        }
-        try {
-            commonsCompressCompressorStreamFactory(remoteFile.getInputStream());
-        } catch (CompressorException e) {
-            throw new RuntimeException(e);
-        }
-
-        // FP
-        String xmlResult = IOUtils.toString(request.getInputStream(), request.getCharacterEncoding());
-        byte[] inputStreamResult = request.getInputStream().readAllBytes();
-
-        PrintWriter out = response.getWriter();
-        out.println("<html><body>end</body></html>");
-    }
-
-    public void destroy() {
-    }
-}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/webapp/WEB-INF/web.xml

@@ -1,7 +0,0 @@
-<!DOCTYPE web-app PUBLIC
- "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
- "http://java.sun.com/dtd/web-app_2_3.dtd" >
-
-<web-app>
-  <display-name>Archetype Created Web Application</display-name>
-</web-app>

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/webapp/index.jsp

@@ -1,5 +0,0 @@
-<html>
-<body>
-<h2>Hello World!</h2>
-</body>
-</html>