Use InlineExpectationsTest

2026-05-01 19:55:15 +02:00 · 2021-05-11 16:23:12 +02:00
parent fc03b92e11
commit 8754c85a57
5 changed files with 45 additions and 62 deletions
--- a/java/ql/test/query-tests/security/CWE-917/OgnlInjection.expected
+++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjection.expected
@@ -1,48 +0,0 @@
-edges
-| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree |
-| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree |
-| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:20:17:20:27 | (...)... : Object |
-| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:21:5:21:8 | node |
-| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:22:5:22:8 | node |
-| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree |
-| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree |
-| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree |
-| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree |
-| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
-| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
-| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr |
-| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr |
-| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr |
-nodes
-| OgnlInjection.java:15:39:15:63 | expr : String | semmle.label | expr : String |
-| OgnlInjection.java:17:19:17:22 | tree | semmle.label | tree |
-| OgnlInjection.java:18:19:18:22 | tree | semmle.label | tree |
-| OgnlInjection.java:20:17:20:27 | (...)... : Object | semmle.label | (...)... : Object |
-| OgnlInjection.java:21:5:21:8 | node | semmle.label | node |
-| OgnlInjection.java:22:5:22:8 | node | semmle.label | node |
-| OgnlInjection.java:26:41:26:65 | expr : String | semmle.label | expr : String |
-| OgnlInjection.java:28:19:28:22 | tree | semmle.label | tree |
-| OgnlInjection.java:29:19:29:22 | tree | semmle.label | tree |
-| OgnlInjection.java:31:5:31:8 | tree | semmle.label | tree |
-| OgnlInjection.java:32:5:32:8 | tree | semmle.label | tree |
-| OgnlInjection.java:36:40:36:64 | expr : String | semmle.label | expr : String |
-| OgnlInjection.java:37:19:37:22 | expr | semmle.label | expr |
-| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
-| OgnlInjection.java:42:26:42:50 | expr : String | semmle.label | expr : String |
-| OgnlInjection.java:44:19:44:22 | expr | semmle.label | expr |
-| OgnlInjection.java:45:19:45:22 | expr | semmle.label | expr |
-| OgnlInjection.java:46:31:46:34 | expr | semmle.label | expr |
-#select
-| OgnlInjection.java:17:19:17:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
-| OgnlInjection.java:18:19:18:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
-| OgnlInjection.java:21:5:21:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:21:5:21:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
-| OgnlInjection.java:22:5:22:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:22:5:22:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
-| OgnlInjection.java:28:19:28:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
-| OgnlInjection.java:29:19:29:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
-| OgnlInjection.java:31:5:31:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
-| OgnlInjection.java:32:5:32:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
-| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
-| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
-| OgnlInjection.java:44:19:44:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
-| OgnlInjection.java:45:19:45:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
-| OgnlInjection.java:46:31:46:34 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
--- a/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java
+++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java
@@ -14,35 +14,35 @@ public class OgnlInjection {
  @RequestMapping
  public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
    Object tree = Ognl.parseExpression(expr);
-    Ognl.getValue(tree, new HashMap<>(), new Object());
-    Ognl.setValue(tree, new HashMap<>(), new Object());
+    Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+    Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection

    Node node = (Node) tree;
-    node.getValue(null, new Object());
-    node.setValue(null, new Object(), new Object());
+    node.getValue(null, new Object()); // $hasOgnlInjection
+    node.setValue(null, new Object(), new Object()); // $hasOgnlInjection
  }

  @RequestMapping
  public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
    Node tree = Ognl.compileExpression(null, new Object(), expr);
-    Ognl.getValue(tree, new HashMap<>(), new Object());
-    Ognl.setValue(tree, new HashMap<>(), new Object());
+    Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+    Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection

-    tree.getValue(null, new Object());
-    tree.setValue(null, new Object(), new Object());
+    tree.getValue(null, new Object()); // $hasOgnlInjection
+    tree.setValue(null, new Object(), new Object()); // $hasOgnlInjection
  }

  @RequestMapping
  public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
-    Ognl.getValue(expr, new Object());
-    Ognl.setValue(expr, new Object(), new Object());
+    Ognl.getValue(expr, new Object()); // $hasOgnlInjection
+    Ognl.setValue(expr, new Object(), new Object()); // $hasOgnlInjection
  }

  @RequestMapping
  public void testStruts(@RequestParam String expr) throws Exception {
    OgnlUtil ognl = new OgnlUtil();
-    ognl.getValue(expr, new HashMap<>(), new Object());
-    ognl.setValue(expr, new HashMap<>(), new Object(), new Object());
-    new OgnlUtil().callMethod(expr, new HashMap<>(), new Object());
+    ognl.getValue(expr, new HashMap<>(), new Object()); // $hasOgnlInjection
+    ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $hasOgnlInjection
+    new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $hasOgnlInjection
  }
 }
--- a/java/ql/test/query-tests/security/CWE-917/OgnlInjection.qlref
+++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjection.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-917/OgnlInjection.ql
--- a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.expected
+++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.expected
--- a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql
@@ -0,0 +1,32 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.OgnlInjection
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:cwe:ognl-injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+class OgnlInjectionTest extends InlineExpectationsTest {
+  OgnlInjectionTest() { this = "HasOgnlInjection" }
+
+  override string getARelevantTag() { result = "hasOgnlInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasOgnlInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}