Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection

Java: Promote OGNL Injection query from experimental
2026-05-05 21:55:19 +02:00 · 2021-08-03 15:31:40 +02:00
parent be6fd7c22e f5cbec4938
commit 7fb1e1578e
68 changed files with 3033 additions and 475 deletions
--- a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -29,7 +29,7 @@ class Test {

 	public static void sink(Object any) {}

-	public static void jacksonObjectMapper() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
+	public static void jacksonObjectMapper() throws Exception {
 		String s = taint();
 		ObjectMapper om = new ObjectMapper();
 		File file = new File("testFile");
@@ -52,7 +52,7 @@ class Test {
 		sink(reconstructed); //$hasTaintFlow
 	}

-	public static void jacksonObjectWriter() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
+	public static void jacksonObjectWriter() throws Exception {
 		String s = taint();
 		ObjectWriter ow = new ObjectWriter();
 		File file = new File("testFile");
@@ -89,7 +89,7 @@ class Test {
 		ObjectMapper om = new ObjectMapper();
 		ObjectReader reader = om.readerFor(Potato.class);
 		sink(reader.readValues(s));  //$hasTaintFlow
-		Iterator<Potato> pIterator = reader.readValues(s, Potato.class);
+		Iterator<Potato> pIterator = reader.readValues(s);
 		while(pIterator.hasNext()) {
 			Potato p = pIterator.next();
 			sink(p); //$hasTaintFlow
--- a/java/ql/test/library-tests/dataflow/taint-jackson/options
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jackson-databind-2.10
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12
--- a/java/ql/test/library-tests/dataflow/taintsources/options
+++ b/java/ql/test/library-tests/dataflow/taintsources/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x