From cc497bf213f290280bb7118bd12e158714a084ed Mon Sep 17 00:00:00 2001 From: "lcartey@github.com" Date: Tue, 16 Jun 2020 11:27:47 +0100 Subject: [PATCH 01/36] Java: Improve JaxRS modelling - Handle inherited annotations - Fix `ResponseBuilder` charpred. - Model `@Produces` annotations. --- .../src/semmle/code/java/frameworks/JaxWS.qll | 64 ++++++++++++++++++- 1 file changed, 62 insertions(+), 2 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 50471d68fbf..5e4999bcd31 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -50,6 +50,27 @@ class JaxRsResourceMethod extends Method { a.hasName("OPTIONS") or a.hasName("HEAD") ) + or + // A JaxRS resource method can also inherit these annotations from a supertype, but only if + // there are no JaxRS annotations on the method itself + getAnOverride() instanceof JaxRsResourceMethod and + not exists(getAnAnnotation().(JaxRSAnnotation)) + } + + /** Gets an `@Produces` annotation that applies to this method */ + JaxRSProducesAnnotation getProducesAnnotation() { + result = getAnAnnotation() + or + // No direct annotations + not exists(getAnAnnotation().(JaxRSProducesAnnotation)) and + ( + // Annotations on a method we've overridden + result = getAnOverride().getAnAnnotation() + or + // No annotations on this method, or a method we've overridden, so look to the class + not exists(getAnOverride().getAnAnnotation().(JaxRSProducesAnnotation)) and + result = getDeclaringType().getAnAnnotation() + ) } } 
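Review bot: The overridden-method branch of `getProducesAnnotation()` is taken whenever the method has no `@Produces` of its own, even if it carries other JAX-RS annotations, while the characteristic predicate a few lines above only lets a method inherit when it has no JAX-RS annotations at all. If the rule stated in that comment is the intended one, a method annotated with only `@GET` would still pick up the `@Produces` of the method it overrides, and the content type reported for it would be wrong. Guarding that disjunct with `not exists(getAnAnnotation().(JaxRSAnnotation)) and` would keep the two in step; the class-level fallback below it then needs the same thought. The enclosing class `JaxRsResourceMethod` starts outside the hunk.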
@@ -139,11 +160,21 @@ class JaxRsResourceClass extends Class { } } +/** An annotation from the `javax.ws.rs` package hierarchy. */ +class JaxRSAnnotation extends Annotation { + JaxRSAnnotation() { + exists(AnnotationType a | + a = getType() and + a.getPackage().getName().regexpMatch("javax\\.ws\\.rs(\\..*)?") + ) + } +} + /** * An annotation that is used by JaxRS containers to determine a value to inject into the annotated * element. */ -class JaxRsInjectionAnnotation extends Annotation { +class JaxRsInjectionAnnotation extends JaxRSAnnotation { JaxRsInjectionAnnotation() { exists(AnnotationType a | a = getType() and @@ -167,7 +198,7 @@ class JaxRsResponse extends Class { } class JaxRsResponseBuilder extends Class { - JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") } + JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "Response$ResponseBuilder") } } /** 
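Review bot: `JaxRSAnnotation` is spelled with `RS`, while the other classes in this file use the `JaxRs` prefix (`JaxRsResourceMethod`, `JaxRsInjectionAnnotation`, `JaxRsResponseBuilder`), so I would name it `JaxRsAnnotation` before subclasses start to depend on the name. The characteristic predicate can also drop the `exists` wrapper and read `getType().getPackage().getName().regexpMatch("javax\\.ws\\.rs(\\..*)?")`.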
@@ -223,3 +254,32 @@ class MessageBodyReaderRead extends Method { ) } } + +/** An `@Produces` annotation that describes which MIME types can be produced by this resource. */ +class JaxRSProducesAnnotation extends JaxRSAnnotation { + JaxRSProducesAnnotation() { + getType().hasQualifiedName("javax.ws.rs", "Produces") + } + + /** + * Gets a declared MIME type that can be produced by this resource. + */ + string getADeclaredMimeType() { + result = getAValue().(CompileTimeConstantExpr).getStringValue() or + exists(Field jaxMediaType | + // Accesses to static fields on `MediaType` class do not have constant strings in the database + // so convert the field name to a mime type string + jaxMediaType.getDeclaringType().hasQualifiedName("javax.ws.rs.core", "MediaType") and + jaxMediaType.getAnAccess() = getAValue() and + // e.g. MediaType.TEXT_PLAIN => text/plain + result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/") + ) + } +} + +/** An `@Consumes` annotation that describes MIME types can be consumed by this resource. */ +class JaxRSConsumesAnnotation extends JaxRSAnnotation { + JaxRSConsumesAnnotation() { + getType().hasQualifiedName("javax.ws.rs", "Consumes") + } +} From 5f7165efbbf1108820487197d275eb5baad6afec Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Fri, 19 Mar 2021 17:43:11 +0000 Subject: [PATCH 02/36] Add JaxWS XSS sink Based on https://github.com/lcartey/codeql/commit/d44e4d0e63af44f2683f7175d3114226d7316aa6 by @lcartey --- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 11 ++++------- java/ql/src/semmle/code/java/security/XSS.qll | 11 +++++++++++ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 5e4999bcd31..a8c1478ed84 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
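Review bot: `replaceAll("_", "/")` in `getADeclaredMimeType()` rewrites every underscore, so only two-word constants map to a real type. `MediaType.TEXT_PLAIN` gives `text/plain`, but `APPLICATION_ATOM_XML` gives `application/atom/xml` instead of `application/atom+xml`, `APPLICATION_FORM_URLENCODED` gives `application/form/urlencoded`, and `WILDCARD` gives `wildcard` instead of `*/*`. A query that compares the result with a real content type will silently miss those methods; an explicit table from field name to content type would be more reliable than deriving the string from the name. The QLDoc on `JaxRSConsumesAnnotation` is also missing a word and should read `describes which MIME types can be consumed by this resource`.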
@@ -257,15 +257,14 @@ class MessageBodyReaderRead extends Method { /** An `@Produces` annotation that describes which MIME types can be produced by this resource. */ class JaxRSProducesAnnotation extends JaxRSAnnotation { - JaxRSProducesAnnotation() { - getType().hasQualifiedName("javax.ws.rs", "Produces") - } + JaxRSProducesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Produces") } /** * Gets a declared MIME type that can be produced by this resource. */ string getADeclaredMimeType() { - result = getAValue().(CompileTimeConstantExpr).getStringValue() or + result = getAValue().(CompileTimeConstantExpr).getStringValue() + or exists(Field jaxMediaType | // Accesses to static fields on `MediaType` class do not have constant strings in the database // so convert the field name to a mime type string @@ -279,7 +278,5 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { /** An `@Consumes` annotation that describes MIME types can be consumed by this resource. */ class JaxRSConsumesAnnotation extends JaxRSAnnotation { - JaxRSConsumesAnnotation() { - getType().hasQualifiedName("javax.ws.rs", "Consumes") - } + JaxRSConsumesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Consumes") } } diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll index 14f10cad9c8..e0a15753334 100644 --- a/java/ql/src/semmle/code/java/security/XSS.qll +++ b/java/ql/src/semmle/code/java/security/XSS.qll @@ -1,6 +1,7 @@ /** Provides classes to reason about Cross-site scripting (XSS) vulnerabilities. */ import java +import semmle.code.java.frameworks.JaxWS import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.android.WebView import semmle.code.java.frameworks.spring.SpringController 
@@ -93,6 +94,16 @@ private class DefaultXssSink extends XssSink { returnType instanceof RawClass ) ) + or + exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs | + resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and + rs.getEnclosingCallable() = resourceMethod and + this.asExpr() = rs.getResult() + | + not exists(resourceMethod.getProducesAnnotation()) + or + resourceMethod.getProducesAnnotation().getADeclaredMimeType() = "text/plain" + ) } } From 9335e095a92bf3ef83ec094dc884ec8fcea0aac6 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Fri, 19 Mar 2021 17:44:45 +0000 Subject: [PATCH 03/36] MIME type -> content type This matches the terminology used elsewhere --- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 10 +++++----- java/ql/src/semmle/code/java/security/XSS.qll | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index a8c1478ed84..330124004c5 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
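Review bot: The new disjunct makes a returned value a sink when the resource method has no `@Produces` or declares `text/plain`, which leaves out a method declared `@Produces("text/html")`, the case a browser actually renders as markup. Unless that is deliberate, the comparison looks inverted; I would expect HTML-like types to be covered and `text/plain` excluded, for example `resourceMethod.getProducesAnnotation().getADeclaredMimeType().matches("text/html%")`. Exact equality also misses declared values that carry parameters, such as `text/plain; charset=utf-8`. A one-line comment stating which content types are treated as dangerous, and why, would help the next reader. The enclosing characteristic predicate of `DefaultXssSink` starts outside the hunk.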
@@ -255,19 +255,19 @@ class MessageBodyReaderRead extends Method { } } -/** An `@Produces` annotation that describes which MIME types can be produced by this resource. */ +/** An `@Produces` annotation that describes which content types can be produced by this resource. */ class JaxRSProducesAnnotation extends JaxRSAnnotation { JaxRSProducesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Produces") } /** - * Gets a declared MIME type that can be produced by this resource. + * Gets a declared content type that can be produced by this resource. */ - string getADeclaredMimeType() { + string getADeclaredContentType() { result = getAValue().(CompileTimeConstantExpr).getStringValue() or exists(Field jaxMediaType | // Accesses to static fields on `MediaType` class do not have constant strings in the database - // so convert the field name to a mime type string + // so convert the field name to a content type string jaxMediaType.getDeclaringType().hasQualifiedName("javax.ws.rs.core", "MediaType") and jaxMediaType.getAnAccess() = getAValue() and // e.g. MediaType.TEXT_PLAIN => text/plain @@ -276,7 +276,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { } } -/** An `@Consumes` annotation that describes MIME types can be consumed by this resource. */ +/** An `@Consumes` annotation that describes content types can be consumed by this resource. */ class JaxRSConsumesAnnotation extends JaxRSAnnotation { JaxRSConsumesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Consumes") } } diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll index e0a15753334..471dd8a9124 100644 --- a/java/ql/src/semmle/code/java/security/XSS.qll +++ b/java/ql/src/semmle/code/java/security/XSS.qll 
@@ -102,7 +102,7 @@ private class DefaultXssSink extends XssSink { | not exists(resourceMethod.getProducesAnnotation()) or - resourceMethod.getProducesAnnotation().getADeclaredMimeType() = "text/plain" + resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain" ) } } From 314980c64cb225c4ae2dc14f39db08a1116ae0c7 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Mon, 22 Mar 2021 16:46:58 +0000 Subject: [PATCH 04/36] Model taint-propagating methods in the core JAX-WS library. --- .../code/java/dataflow/ExternalFlow.qll | 1 + .../src/semmle/code/java/frameworks/JaxWS.qll | 248 ++++++++++++++++++ 2 files changed, 249 insertions(+) diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll index 8080bd28ab6..71b11b0900b 100644 --- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll @@ -81,6 +81,7 @@ private module Frameworks { private import semmle.code.java.frameworks.apache.Lang private import semmle.code.java.frameworks.guava.Guava private import semmle.code.java.frameworks.jackson.JacksonSerializability + private import semmle.code.java.frameworks.JaxWS private import semmle.code.java.security.ResponseSplitting private import semmle.code.java.security.InformationLeak private import semmle.code.java.security.XSS diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 330124004c5..e62bd1ebd48 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -1,4 +1,5 @@ import java +private import semmle.code.java.dataflow.ExternalFlow /** * A JAX WS endpoint is constructed by the container, and its methods 
@@ -280,3 +281,250 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { class JaxRSConsumesAnnotation extends JaxRSAnnotation { JaxRSConsumesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Consumes") } } + +/** + * Model Response: + * + * - the returned ResponseBuilder gains taint from a tainted entity or existing Response + */ +private class ResponseModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint", + "javax.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint", + "javax.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint" + ] + } +} + +/** + * Model ResponseBuilder: + * + * - becomes tainted by a tainted entity, but not by metadata, headers etc + * - build() method returns taint + * - almost all methods are fluent, and so preserve value + */ +private class ResponseBuilderModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint", + "javax.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value", + 
"javax.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value" + ] + } +} + +/** + * Model HttpHeaders: methods that Date have to be syntax-checked, but those returning MediaType + * or Locale are assumed potentially dangerous, as these types do not generally check that the + * input data is recognised, only that it conforms to the expected syntax. 
+ */ +private class HttpHeadersModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint" + ] + } +} + +/** + * Model MultivaluedMap, which extends Map, V> and provides a few extra helper methods. + */ +private class MultivaluedMapModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument;Argument[-1];taint" + ] + } +} + +/** + * Model PathSegment, which wraps a path and its associated matrix parameters. + */ +private class PathSegmentModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint" + ] + } +} + +/** + * Model UriInfo, which provides URI element accessors. 
+ */ +private class UriInfoModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint" + ] + } +} + +/** + * Model Cookie, a simple tuple type. + */ +private class CookieModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Cookie;false;Cookie;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;Cookie;false;valueOf;;;Argument;ReturnValue;taint" + ] + } +} + +/** + * Model Form, a simple container type. + */ +private class FormModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value" + ] + } +} + +/** + * Model GenericEntity, a wrapper for HTTP entities (e.g., documents). 
+ */ +private class GenericEntityModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint", + "javax.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint" + ] + } +} + +/** + * Model MediaType, which provides accessors for elements of Content-Type and similar + * media type specifications. + */ +private class MediaTypeModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;MediaType;false;MediaType;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;MediaType;false;valueOf;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint" + ] + } +} + +/** + * Model UriBuilder, which provides a fluent interface to build a URI from components. 
+ */ +private class UriBuilderModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;UriBuilder;true;build;;;Argument[0];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[0];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;false;fromLink;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;false;fromPath;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;false;fromUri;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;host;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;path;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument;ReturnValue;taint", + 
"javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;segment;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value", + 
"javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value", + "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value" + ] + } +} From 260a2283673dcada2fe89650b4801c1c3f66019f Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Mon, 22 Mar 2021 16:53:31 +0000 Subject: [PATCH 05/36] Add change note --- java/change-notes/2021-03-22-jax-ws-improvements.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 java/change-notes/2021-03-22-jax-ws-improvements.md diff --git a/java/change-notes/2021-03-22-jax-ws-improvements.md b/java/change-notes/2021-03-22-jax-ws-improvements.md new file mode 100644 index 00000000000..2fbd33fa109 --- /dev/null +++ b/java/change-notes/2021-03-22-jax-ws-improvements.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Added support for detecting XSS via JAX-WS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap). From adb5764aacd999f7743bdb48239500c0662bca27 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Tue, 23 Mar 2021 11:25:32 +0000 Subject: [PATCH 06/36] Add URL redirect sinks relating to JAX-WS --- .../src/semmle/code/java/security/UrlRedirect.qll | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll index d2be51d2fae..e42738c4efc 100644 --- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll 
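Review bot: In `UriBuilderModel` the setter rows only carry taint from the arguments to the return value (`...;host;;;Argument;ReturnValue;taint`) and never to the qualifier, so as far as these rows show, a builder whose fluent result is discarded (`b.host(x); b.build()`) loses the taint. `ResponseBuilderModel` and `FormModel` in the same hunk do model this case (`entity;;;Argument[0];Argument[-1];taint`, `param;;;Argument;Argument[-1];taint`); each `UriBuilder` setter should get a matching row such as `"javax.ws.rs.core;UriBuilder;true;host;;;Argument;Argument[-1];taint"`. The two `schemeSpecificPart` rows are listed twice, once after `scheme` and again after `segment`. The doc comments on `HttpHeadersModel` ("methods that Date have to be syntax-checked") and on `MultivaluedMapModel` (the generic type is truncated) read as garbled and are worth rewording.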
@@ -35,3 +35,17 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink { ) } } + +/** A URL redirection sink from JAX-WS */ +private class JaxWsUrlRedirectSink extends UrlRedirectSink { + JaxWsUrlRedirectSink() { + exists(MethodAccess ma | + ma.getMethod() + .getDeclaringType() + .getAnAncestor() + .hasQualifiedName("javax.ws.rs.core", "Response") and + ma.getMethod().getName() in ["seeOther", "temporaryRedirect"] and + this.asExpr() = ma.getArgument(0) + ) + } +} From ca684bea0ea4d1f6ccf98e26ebc8ecb5ac08509f Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Tue, 23 Mar 2021 11:49:29 +0000 Subject: [PATCH 07/36] Jax-WS: support jakarta.ws.rs package everywhere Releases since Java EE 9 use this. --- .../src/semmle/code/java/frameworks/JaxWS.qll | 170 +++++++++++++++--- .../semmle/code/java/security/UrlRedirect.qll | 3 +- 2 files changed, 149 insertions(+), 24 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index e62bd1ebd48..a131cdc41bc 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -1,6 +1,11 @@ import java private import semmle.code.java.dataflow.ExternalFlow +string getAJaxWsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] } + +bindingset[subpackage] +string getAJaxWsPackage(string subpackage) { result = getAJaxWsPackage() + "." + subpackage } + /** * A JAX WS endpoint is constructed by the container, and its methods * are -- where annotated -- called remotely. @@ -29,7 +34,7 @@ class JaxWsEndpoint extends Class { private predicate hasPathAnnotation(Annotatable annotatable) { exists(AnnotationType a | a = annotatable.getAnAnnotation().getType() and - a.getPackage().getName() = "javax.ws.rs" + a.getPackage().getName() = getAJaxWsPackage() | a.hasName("Path") ) 
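Review bot: `JaxWsUrlRedirectSink` covers only the first argument of `Response.seeOther` and `Response.temporaryRedirect`, so a redirect assembled as `Response.status(...).location(uri)` is not a sink. If that form is in scope, `ResponseBuilder.location` should be added; otherwise the QLDoc should say that only the two static helpers are covered. The QLDoc also says JAX-WS while the type matched is `javax.ws.rs.core.Response`; I would write `/** A URL redirection sink from JAX-RS: the URI passed to \`Response.seeOther\` or \`Response.temporaryRedirect\`. */`.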
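Review bot: The two `getAJaxWsPackage` predicates added at the top of `JaxWS.qll` are public and have no QLDoc, and the overload taking `subpackage` differs from the other only by its `bindingset`. I would add `/** Gets the name of a JAX-RS root package: \`javax.ws.rs\` or \`jakarta.ws.rs\`. */` to the first and `/** Gets the name of the given subpackage of a JAX-RS root package, e.g. \`javax.ws.rs.core\` for \`core\`. */` to the second. The name says JAX-WS although both packages are the JAX-RS ones, which the comment should make explicit.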
@@ -42,7 +47,7 @@ class JaxRsResourceMethod extends Method { JaxRsResourceMethod() { exists(AnnotationType a | a = this.getAnAnnotation().getType() and - a.getPackage().getName() = "javax.ws.rs" + a.getPackage().getName() = getAJaxWsPackage() | a.hasName("GET") or a.hasName("POST") or @@ -179,7 +184,7 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation { JaxRsInjectionAnnotation() { exists(AnnotationType a | a = getType() and - a.getPackage().getName() = "javax.ws.rs" + a.getPackage().getName() = getAJaxWsPackage() | a.hasName("BeanParam") or a.hasName("CookieParam") or @@ -190,23 +195,25 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation { a.hasName("QueryParam") ) or - getType().hasQualifiedName("javax.ws.rs.core", "Context") + getType().hasQualifiedName(getAJaxWsPackage("core"), "Context") } } class JaxRsResponse extends Class { - JaxRsResponse() { this.hasQualifiedName("javax.ws.rs.core", "Response") } + JaxRsResponse() { this.hasQualifiedName(getAJaxWsPackage("core"), "Response") } } class JaxRsResponseBuilder extends Class { - JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "Response$ResponseBuilder") } + JaxRsResponseBuilder() { + this.hasQualifiedName(getAJaxWsPackage("core"), "Response$ResponseBuilder") + } } /** * The class `javax.ws.rs.client.Client`. */ class JaxRsClient extends RefType { - JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") } + JaxRsClient() { this.hasQualifiedName(getAJaxWsPackage("client"), "Client") } } /** @@ -219,7 +226,7 @@ class JaxRsBeanParamConstructor extends Constructor { c = resourceClass.getAnInjectableCallable() | p = c.getAParameter() and - p.getAnAnnotation().getType().hasQualifiedName("javax.ws.rs", "BeanParam") and + p.getAnAnnotation().getType().hasQualifiedName(getAJaxWsPackage(), "BeanParam") and this.getDeclaringType().getSourceDeclaration() = p.getType().(RefType).getSourceDeclaration() ) and forall(Parameter p | p = getAParameter() | 
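Review bot: In the `@@ -179,7 +184,7 @@` hunk `JaxRsInjectionAnnotation` now accepts `jakarta.ws.rs` in its own body, but it still extends `JaxRSAnnotation`, whose characteristic predicate was added in patch 01 as `regexpMatch("javax\\.ws\\.rs(\\..*)?")` and is not changed by any hunk visible here. If the base class stays as it is, the subclass can never match a Jakarta annotation, and the same holds for `JaxRSProducesAnnotation` and `JaxRSConsumesAnnotation` in the `@@ -258,7 +265,7 @@` and `@@ -279,7 +286,7 @@` hunks, so `@Produces` on a Jakarta resource would be treated as absent by the XSS sink. Widening the base class, for example `regexpMatch("(javax|jakarta)\\.ws\\.rs(\\..*)?")`, would make the "everywhere" in the commit title hold. The class header of `JaxRsInjectionAnnotation` is outside the hunk.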
@@ -232,7 +239,7 @@ class JaxRsBeanParamConstructor extends Constructor { * The class `javax.ws.rs.ext.MessageBodyReader`. */ class MessageBodyReader extends GenericInterface { - MessageBodyReader() { this.hasQualifiedName("javax.ws.rs.ext", "MessageBodyReader") } + MessageBodyReader() { this.hasQualifiedName(getAJaxWsPackage("ext"), "MessageBodyReader") } } /** @@ -258,7 +265,7 @@ class MessageBodyReaderRead extends Method { /** An `@Produces` annotation that describes which content types can be produced by this resource. */ class JaxRSProducesAnnotation extends JaxRSAnnotation { - JaxRSProducesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Produces") } + JaxRSProducesAnnotation() { getType().hasQualifiedName(getAJaxWsPackage(), "Produces") } /** * Gets a declared content type that can be produced by this resource. @@ -269,7 +276,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { exists(Field jaxMediaType | // Accesses to static fields on `MediaType` class do not have constant strings in the database // so convert the field name to a content type string - jaxMediaType.getDeclaringType().hasQualifiedName("javax.ws.rs.core", "MediaType") and + jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxWsPackage("core"), "MediaType") and jaxMediaType.getAnAccess() = getAValue() and // e.g. MediaType.TEXT_PLAIN => text/plain result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/") @@ -279,7 +286,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { /** An `@Consumes` annotation that describes content types can be consumed by this resource. */ class JaxRSConsumesAnnotation extends JaxRSAnnotation { - JaxRSConsumesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Consumes") } + JaxRSConsumesAnnotation() { getType().hasQualifiedName(getAJaxWsPackage(), "Consumes") } } /** 
@@ -293,7 +300,10 @@ private class ResponseModel extends SummaryModelCsv { [ "javax.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint", "javax.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint", - "javax.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint" + "javax.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint", + "jakarta.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint", + "jakarta.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint", + "jakarta.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint" ] } } 
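Review bot: Each `jakarta.ws.rs.core` row added here is a copy of the `javax.ws.rs.core` row above it with only the package changed, and the `@@ -330,7 +340,29 @@` and `@@ -351,7 +383,15 @@` hunks repeat the pattern, so the two lists can drift apart whenever a row is added to one of them. The file now has `getAJaxWsPackage("core")`; building the rows from it, along the lines of `row = getAJaxWsPackage("core") + ";Response;false;" + ["accepted", "fromResponse", "ok"] + ";;;Argument[0];ReturnValue;taint"`, keeps a single list per model. The enclosing `ResponseModel` class starts outside the hunk.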
@@ -330,7 +340,29 @@ private class ResponseBuilderModel extends SummaryModelCsv { "javax.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value", "javax.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value", "javax.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value", - "javax.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value" + "javax.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value", + 
"jakarta.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value" ] } } @@ -351,7 +383,15 @@ private class HttpHeadersModel extends SummaryModelCsv { "javax.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint", "javax.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint", "javax.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint", - "javax.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint" + "javax.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint" ] } } 
@@ -367,7 +407,12 @@ private class MultivaluedMapModel extends SummaryModelCsv {
 "javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument;Argument[-1];taint",
 "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument;Argument[-1];taint",
 "javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument;Argument[-1];taint"
+ "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;MultivaluedMap;true;addAll;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;MultivaluedMap;true;getFirst;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument;Argument[-1];taint"
 ]
 }
 }
@@ -380,7 +425,9 @@ private class PathSegmentModel extends SummaryModelCsv {
 row =
 [
 "javax.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint"
+ "javax.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint"
 ]
 }
 }
@@ -396,7 +443,12 @@ private class UriInfoModel extends SummaryModelCsv {
 "javax.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint"
+ "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint"
 ]
 }
 }
@@ -415,7 +467,15 @@ private class CookieModel extends SummaryModelCsv {
 "javax.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;Cookie;false;Cookie;;;Argument;Argument[-1];taint",
- "javax.ws.rs.core;Cookie;false;valueOf;;;Argument;ReturnValue;taint"
+ "javax.ws.rs.core;Cookie;false;valueOf;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Cookie;false;Cookie;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;Cookie;false;valueOf;;;Argument;ReturnValue;taint"
 ]
 }
 }
@@ -429,7 +489,10 @@ private class FormModel extends SummaryModelCsv {
 [
 "javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint",
- "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value"
+ "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value",
+ "jakarta.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value"
 ]
 }
 }
@@ -442,7 +505,9 @@ private class GenericEntityModel extends SummaryModelCsv {
 row =
 [
 "javax.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
- "javax.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint"
+ "javax.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
+ "jakarta.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint"
 ]
 }
 }
@@ -460,7 +525,13 @@ private class MediaTypeModel extends SummaryModelCsv {
 "javax.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;MediaType;false;valueOf;;;Argument;ReturnValue;taint",
- "javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint"
+ "javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;MediaType;false;MediaType;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
+ "jakarta.ws.rs.core;MediaType;false;valueOf;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint"
 ]
 }
 }
@@ -524,7 +595,60 @@ private class UriBuilderModel extends SummaryModelCsv { "javax.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint", "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value", "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument;ReturnValue;taint", - "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value" + "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[0];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[0];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;false;fromLink;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;false;fromPath;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;false;fromUri;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value", + 
"jakarta.ws.rs.core;UriBuilder;true;path;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument;ReturnValue;taint", + 
"jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument;ReturnValue;taint", + "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value" ] } } diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll index e42738c4efc..8c7ce5112c7 100644 --- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.ApacheHttp +private import semmle.code.java.frameworks.JaxWS /** A URL redirection sink */ abstract class UrlRedirectSink extends DataFlow::Node { } @@ -43,7 +44,7 @@ private class JaxWsUrlRedirectSink extends UrlRedirectSink { ma.getMethod() .getDeclaringType() .getAnAncestor() - .hasQualifiedName("javax.ws.rs.core", "Response") and + .hasQualifiedName(getAJaxWsPackage("core"), "Response") and ma.getMethod().getName() in ["seeOther", "temporaryRedirect"] and this.asExpr() = ma.getArgument(0) ) From f71897d1667ac29fc42bce308ac656d928dc9b42 Mon Sep 17 00:00:00 2001 
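Review bot: `JaxWsUrlRedirectSink` in the second `UrlRedirect.qll` hunk still matches only `seeOther` and `temporaryRedirect` declared on `Response`, so a redirect assembled through the builder, for example via `ResponseBuilder.location(...)`, which this patch models as a flow step, is not a sink in this class. Whether another sink class covers that case is not visible here. I would record the limit next to the name list: `// Only Response.seeOther/temporaryRedirect are modelled; a Location set through ResponseBuilder is not covered here`. The `exists` body continues outside the hunk.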
From: Chris Smowton Date: Tue, 6 Apr 2021 11:19:55 +0100 Subject: [PATCH 08/36] Rename JAX-WS -> JAX-RS where necessary. Improve change note and fix missing QLDoc. --- ...s.md => 2021-03-22-jax-rs-improvements.md} | 2 +- .../src/semmle/code/java/frameworks/JaxWS.qll | 34 +++++++++++-------- .../semmle/code/java/security/UrlRedirect.qll | 8 ++--- 3 files changed, 25 insertions(+), 19 deletions(-) rename java/change-notes/{2021-03-22-jax-ws-improvements.md => 2021-03-22-jax-rs-improvements.md} (60%) diff --git a/java/change-notes/2021-03-22-jax-ws-improvements.md b/java/change-notes/2021-03-22-jax-rs-improvements.md similarity index 60% rename from java/change-notes/2021-03-22-jax-ws-improvements.md rename to java/change-notes/2021-03-22-jax-rs-improvements.md index 2fbd33fa109..0fe567fab89 100644 --- a/java/change-notes/2021-03-22-jax-ws-improvements.md +++ b/java/change-notes/2021-03-22-jax-rs-improvements.md @@ -1,2 +1,2 @@ lgtm,codescanning -* Added support for detecting XSS via JAX-WS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap). +* Added support for detecting XSS via JAX-RS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap). diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index a131cdc41bc..b45ad93e59f 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
@@ -1,10 +1,16 @@ import java private import semmle.code.java.dataflow.ExternalFlow -string getAJaxWsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] } +/** + * Gets a name for the root package of JAX-RS. + */ +string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] } +/** + * Gets a name for package `subpackage` within the JAX-RS hierarchy. + */ bindingset[subpackage] -string getAJaxWsPackage(string subpackage) { result = getAJaxWsPackage() + "." + subpackage } +string getAJaxRsPackage(string subpackage) { result = getAJaxRsPackage() + "." + subpackage } /** * A JAX WS endpoint is constructed by the container, and its methods @@ -34,7 +40,7 @@ class JaxWsEndpoint extends Class { private predicate hasPathAnnotation(Annotatable annotatable) { exists(AnnotationType a | a = annotatable.getAnAnnotation().getType() and - a.getPackage().getName() = getAJaxWsPackage() + a.getPackage().getName() = getAJaxRsPackage() | a.hasName("Path") ) @@ -47,7 +53,7 @@ class JaxRsResourceMethod extends Method { JaxRsResourceMethod() { exists(AnnotationType a | a = this.getAnAnnotation().getType() and - a.getPackage().getName() = getAJaxWsPackage() + a.getPackage().getName() = getAJaxRsPackage() | a.hasName("GET") or a.hasName("POST") or @@ -184,7 +190,7 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation { JaxRsInjectionAnnotation() { exists(AnnotationType a | a = getType() and - a.getPackage().getName() = getAJaxWsPackage() + a.getPackage().getName() = getAJaxRsPackage() | a.hasName("BeanParam") or a.hasName("CookieParam") or 
@@ -195,17 +201,17 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation { a.hasName("QueryParam") ) or - getType().hasQualifiedName(getAJaxWsPackage("core"), "Context") + getType().hasQualifiedName(getAJaxRsPackage("core"), "Context") } } class JaxRsResponse extends Class { - JaxRsResponse() { this.hasQualifiedName(getAJaxWsPackage("core"), "Response") } + JaxRsResponse() { this.hasQualifiedName(getAJaxRsPackage("core"), "Response") } } class JaxRsResponseBuilder extends Class { JaxRsResponseBuilder() { - this.hasQualifiedName(getAJaxWsPackage("core"), "Response$ResponseBuilder") + this.hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder") } } @@ -213,7 +219,7 @@ class JaxRsResponseBuilder extends Class { * The class `javax.ws.rs.client.Client`. */ class JaxRsClient extends RefType { - JaxRsClient() { this.hasQualifiedName(getAJaxWsPackage("client"), "Client") } + JaxRsClient() { this.hasQualifiedName(getAJaxRsPackage("client"), "Client") } } /** @@ -226,7 +232,7 @@ class JaxRsBeanParamConstructor extends Constructor { c = resourceClass.getAnInjectableCallable() | p = c.getAParameter() and - p.getAnAnnotation().getType().hasQualifiedName(getAJaxWsPackage(), "BeanParam") and + p.getAnAnnotation().getType().hasQualifiedName(getAJaxRsPackage(), "BeanParam") and this.getDeclaringType().getSourceDeclaration() = p.getType().(RefType).getSourceDeclaration() ) and forall(Parameter p | p = getAParameter() | @@ -239,7 +245,7 @@ class JaxRsBeanParamConstructor extends Constructor { * The class `javax.ws.rs.ext.MessageBodyReader`. */ class MessageBodyReader extends GenericInterface { - MessageBodyReader() { this.hasQualifiedName(getAJaxWsPackage("ext"), "MessageBodyReader") } + MessageBodyReader() { this.hasQualifiedName(getAJaxRsPackage("ext"), "MessageBodyReader") } } /** 
@@ -265,7 +271,7 @@ class MessageBodyReaderRead extends Method { /** An `@Produces` annotation that describes which content types can be produced by this resource. */ class JaxRSProducesAnnotation extends JaxRSAnnotation { - JaxRSProducesAnnotation() { getType().hasQualifiedName(getAJaxWsPackage(), "Produces") } + JaxRSProducesAnnotation() { getType().hasQualifiedName(getAJaxRsPackage(), "Produces") } /** * Gets a declared content type that can be produced by this resource. @@ -276,7 +282,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { exists(Field jaxMediaType | // Accesses to static fields on `MediaType` class do not have constant strings in the database // so convert the field name to a content type string - jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxWsPackage("core"), "MediaType") and + jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and jaxMediaType.getAnAccess() = getAValue() and // e.g. MediaType.TEXT_PLAIN => text/plain result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/") @@ -286,7 +292,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { /** An `@Consumes` annotation that describes content types can be consumed by this resource. */ class JaxRSConsumesAnnotation extends JaxRSAnnotation { - JaxRSConsumesAnnotation() { getType().hasQualifiedName(getAJaxWsPackage(), "Consumes") } + JaxRSConsumesAnnotation() { getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") } } /** diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll index 8c7ce5112c7..ee3e9cb9b1c 100644 --- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll 
@@ -37,14 +37,14 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink { } } -/** A URL redirection sink from JAX-WS */ -private class JaxWsUrlRedirectSink extends UrlRedirectSink { - JaxWsUrlRedirectSink() { +/** A URL redirection sink from JAX-RS */ +private class JaxRsUrlRedirectSink extends UrlRedirectSink { + JaxRsUrlRedirectSink() { exists(MethodAccess ma | ma.getMethod() .getDeclaringType() .getAnAncestor() - .hasQualifiedName(getAJaxWsPackage("core"), "Response") and + .hasQualifiedName(getAJaxRsPackage("core"), "Response") and ma.getMethod().getName() in ["seeOther", "temporaryRedirect"] and this.asExpr() = ma.getArgument(0) ) From 55d584b0445f04bf6510fa1d79d83d6b9d562e0b Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Wed, 7 Apr 2021 10:55:46 +0100 Subject: [PATCH 09/36] Add doc comment for JaxWS file --- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index b45ad93e59f..4c2627f85f8 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -1,3 +1,8 @@ +/** + * Definitions relating to JAX-WS (Java/Jakarta API for XML Web Services) and JAX-RS + * (Java/Jakarta API for RESTful Web Services). + */ + import java private import semmle.code.java.dataflow.ExternalFlow From d9cf1aaf391a9ce48e175c7aa2e95534071cb79f Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Thu, 18 Mar 2021 11:18:52 +0000 Subject: [PATCH 10/36] Add stubs for JAX-WS --- .../code/java/frameworks/JavaxAnnotations.qll | 7 + java/ql/test/stubs/jaxws-api-2.0/LICENSE.md | 761 ++++++++++++++++++ .../javax/xml/ws/WebEndpoint.java | 73 ++ .../javax/xml/ws/WebServiceClient.java | 84 ++ .../javax/xml/ws/WebServiceProvider.java | 85 ++ java/ql/test/stubs/jsr181-api/LICENSE | 759 +++++++++++++++++ .../stubs/jsr181-api/javax/jws/WebMethod.java | 48 ++ .../jsr181-api/javax/jws/WebService.java | 97 +++ 8 files changed, 1914 insertions(+) create mode 100644 java/ql/test/stubs/jaxws-api-2.0/LICENSE.md create mode 100644 java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java create mode 100644 java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java create mode 100644 java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java create mode 100644 java/ql/test/stubs/jsr181-api/LICENSE create mode 100644 java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java create mode 100644 java/ql/test/stubs/jsr181-api/javax/jws/WebService.java diff --git a/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll b/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll index 833db9a9e44..0f5da6c39ea 100644 --- a/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll +++ b/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll @@ -137,6 +137,13 @@ class InterceptorsAnnotation extends Annotation { * Annotations in the package `javax.jws`. */ +/** + * A `@javax.jws.WebMethod` annotation. + */ +class WebMethodAnnotation extends Annotation { + WebMethodAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebMethod") } +} + /** * A `@javax.jws.WebService` annotation. */ diff --git a/java/ql/test/stubs/jaxws-api-2.0/LICENSE.md b/java/ql/test/stubs/jaxws-api-2.0/LICENSE.md new file mode 100644 index 00000000000..1c4d55ea74f --- /dev/null +++ b/java/ql/test/stubs/jaxws-api-2.0/LICENSE.md 
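Review bot: `WebMethodAnnotation` matches only `javax.jws`, while the earlier patches in this series extend the JAX-RS classes to the `jakarta` namespace, so a method annotated with `jakarta.jws.WebMethod` would not match this class. If Jakarta is in scope, `WebMethodAnnotation() { this.getType().hasQualifiedName(["javax.jws", "jakarta.jws"], "WebMethod") }` covers both. The neighbouring `WebServiceAnnotation` is defined outside the hunk and presumably needs the same treatment. The stubs added in this commit are `javax` only, so a Jakarta variant would need its own stub to be tested.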
@@ -0,0 +1,761 @@ +--- +--- + +## COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.1 + + 1. Definitions. + + 1.1. "Contributor" means each individual or entity that creates or + contributes to the creation of Modifications. + + 1.2. "Contributor Version" means the combination of the Original + Software, prior Modifications used by a Contributor (if any), and + the Modifications made by that particular Contributor. + + 1.3. "Covered Software" means (a) the Original Software, or (b) + Modifications, or (c) the combination of files containing Original + Software with files containing Modifications, in each case including + portions thereof. + + 1.4. "Executable" means the Covered Software in any form other than + Source Code. + + 1.5. "Initial Developer" means the individual or entity that first + makes Original Software available under this License. + + 1.6. "Larger Work" means a work which combines Covered Software or + portions thereof with code not governed by the terms of this License. + + 1.7. "License" means this document. + + 1.8. "Licensable" means having the right to grant, to the maximum + extent possible, whether at the time of the initial grant or + subsequently acquired, any and all of the rights conveyed herein. + + 1.9. "Modifications" means the Source Code and Executable form of + any of the following: + + A. Any file that results from an addition to, deletion from or + modification of the contents of a file containing Original Software + or previous Modifications; + + B. Any new file that contains any part of the Original Software or + previous Modification; or + + C. Any new file that is contributed or otherwise made available + under the terms of this License. + + 1.10. "Original Software" means the Source Code and Executable form + of computer software code that is originally released under this + License. + + 1.11. 
"Patent Claims" means any patent claim(s), now owned or + hereafter acquired, including without limitation, method, process, + and apparatus claims, in any patent Licensable by grantor. + + 1.12. "Source Code" means (a) the common form of computer software + code in which modifications are made and (b) associated + documentation included in or with such code. + + 1.13. "You" (or "Your") means an individual or a legal entity + exercising rights under, and complying with all of the terms of, + this License. For legal entities, "You" includes any entity which + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + + 2. License Grants. + + 2.1. The Initial Developer Grant. + + Conditioned upon Your compliance with Section 3.1 below and subject + to third party intellectual property claims, the Initial Developer + hereby grants You a world-wide, royalty-free, non-exclusive license: + + (a) under intellectual property rights (other than patent or + trademark) Licensable by Initial Developer, to use, reproduce, + modify, display, perform, sublicense and distribute the Original + Software (or portions thereof), with or without Modifications, + and/or as part of a Larger Work; and + + (b) under Patent Claims infringed by the making, using or selling of + Original Software, to make, have made, use, practice, sell, and + offer for sale, and/or otherwise dispose of the Original Software + (or portions thereof). + + (c) The licenses granted in Sections 2.1(a) and (b) are effective on + the date Initial Developer first distributes or otherwise makes the + Original Software available to a third party under the terms of this + License. 
+ + (d) Notwithstanding Section 2.1(b) above, no patent license is + granted: (1) for code that You delete from the Original Software, or + (2) for infringements caused by: (i) the modification of the + Original Software, or (ii) the combination of the Original Software + with other software or devices. + + 2.2. Contributor Grant. + + Conditioned upon Your compliance with Section 3.1 below and subject + to third party intellectual property claims, each Contributor hereby + grants You a world-wide, royalty-free, non-exclusive license: + + (a) under intellectual property rights (other than patent or + trademark) Licensable by Contributor to use, reproduce, modify, + display, perform, sublicense and distribute the Modifications + created by such Contributor (or portions thereof), either on an + unmodified basis, with other Modifications, as Covered Software + and/or as part of a Larger Work; and + + (b) under Patent Claims infringed by the making, using, or selling + of Modifications made by that Contributor either alone and/or in + combination with its Contributor Version (or portions of such + combination), to make, use, sell, offer for sale, have made, and/or + otherwise dispose of: (1) Modifications made by that Contributor (or + portions thereof); and (2) the combination of Modifications made by + that Contributor with its Contributor Version (or portions of such + combination). + + (c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective + on the date Contributor first distributes or otherwise makes the + Modifications available to a third party. 
+ + (d) Notwithstanding Section 2.2(b) above, no patent license is + granted: (1) for any code that Contributor has deleted from the + Contributor Version; (2) for infringements caused by: (i) third + party modifications of Contributor Version, or (ii) the combination + of Modifications made by that Contributor with other software + (except as part of the Contributor Version) or other devices; or (3) + under Patent Claims infringed by Covered Software in the absence of + Modifications made by that Contributor. + + 3. Distribution Obligations. + + 3.1. Availability of Source Code. + + Any Covered Software that You distribute or otherwise make available + in Executable form must also be made available in Source Code form + and that Source Code form must be distributed only under the terms + of this License. You must include a copy of this License with every + copy of the Source Code form of the Covered Software You distribute + or otherwise make available. You must inform recipients of any such + Covered Software in Executable form as to how they can obtain such + Covered Software in Source Code form in a reasonable manner on or + through a medium customarily used for software exchange. + + 3.2. Modifications. + + The Modifications that You create or to which You contribute are + governed by the terms of this License. You represent that You + believe Your Modifications are Your original creation(s) and/or You + have sufficient rights to grant the rights conveyed by this License. + + 3.3. Required Notices. + + You must include a notice in each of Your Modifications that + identifies You as the Contributor of the Modification. You may not + remove or alter any copyright, patent or trademark notices contained + within the Covered Software, or any notices of licensing or any + descriptive text giving attribution to any Contributor or the + Initial Developer. + + 3.4. Application of Additional Terms. 
+ + You may not offer or impose any terms on any Covered Software in + Source Code form that alters or restricts the applicable version of + this License or the recipients' rights hereunder. You may choose to + offer, and to charge a fee for, warranty, support, indemnity or + liability obligations to one or more recipients of Covered Software. + However, you may do so only on Your own behalf, and not on behalf of + the Initial Developer or any Contributor. You must make it + absolutely clear that any such warranty, support, indemnity or + liability obligation is offered by You alone, and You hereby agree + to indemnify the Initial Developer and every Contributor for any + liability incurred by the Initial Developer or such Contributor as a + result of warranty, support, indemnity or liability terms You offer. + + 3.5. Distribution of Executable Versions. + + You may distribute the Executable form of the Covered Software under + the terms of this License or under the terms of a license of Your + choice, which may contain terms different from this License, + provided that You are in compliance with the terms of this License + and that the license for the Executable form does not attempt to + limit or alter the recipient's rights in the Source Code form from + the rights set forth in this License. If You distribute the Covered + Software in Executable form under a different license, You must make + it absolutely clear that any terms which differ from this License + are offered by You alone, not by the Initial Developer or + Contributor. You hereby agree to indemnify the Initial Developer and + every Contributor for any liability incurred by the Initial + Developer or such Contributor as a result of any such terms You offer. + + 3.6. Larger Works. + + You may create a Larger Work by combining Covered Software with + other code not governed by the terms of this License and distribute + the Larger Work as a single product. 
In such a case, You must make + sure the requirements of this License are fulfilled for the Covered + Software. + + 4. Versions of the License. + + 4.1. New Versions. + + Oracle is the initial license steward and may publish revised and/or + new versions of this License from time to time. Each version will be + given a distinguishing version number. Except as provided in Section + 4.3, no one other than the license steward has the right to modify + this License. + + 4.2. Effect of New Versions. + + You may always continue to use, distribute or otherwise make the + Covered Software available under the terms of the version of the + License under which You originally received the Covered Software. If + the Initial Developer includes a notice in the Original Software + prohibiting it from being distributed or otherwise made available + under any subsequent version of the License, You must distribute and + make the Covered Software available under the terms of the version + of the License under which You originally received the Covered + Software. Otherwise, You may also choose to use, distribute or + otherwise make the Covered Software available under the terms of any + subsequent version of the License published by the license steward. + + 4.3. Modified Versions. + + When You are an Initial Developer and You want to create a new + license for Your Original Software, You may create and use a + modified version of this License if You: (a) rename the license and + remove any references to the name of the license steward (except to + note that the license differs from this License); and (b) otherwise + make it clear that the license contains terms which differ from this + License. + + 5. DISCLAIMER OF WARRANTY. 
+ + COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED SOFTWARE + IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR + NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF + THE COVERED SOFTWARE IS WITH YOU. SHOULD ANY COVERED SOFTWARE PROVE + DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY + OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, + REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN + ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS + AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. + + 6. TERMINATION. + + 6.1. This License and the rights granted hereunder will terminate + automatically if You fail to comply with terms herein and fail to + cure such breach within 30 days of becoming aware of the breach. + Provisions which, by their nature, must remain in effect beyond the + termination of this License shall survive. + + 6.2. 
If You assert a patent infringement claim (excluding + declaratory judgment actions) against Initial Developer or a + Contributor (the Initial Developer or Contributor against whom You + assert such claim is referred to as "Participant") alleging that the + Participant Software (meaning the Contributor Version where the + Participant is a Contributor or the Original Software where the + Participant is the Initial Developer) directly or indirectly + infringes any patent, then any and all rights granted directly or + indirectly to You by such Participant, the Initial Developer (if the + Initial Developer is not the Participant) and all Contributors under + Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice + from Participant terminate prospectively and automatically at the + expiration of such 60 day notice period, unless if within such 60 + day period You withdraw Your claim with respect to the Participant + Software against such Participant either unilaterally or pursuant to + a written agreement with Participant. + + 6.3. If You assert a patent infringement claim against Participant + alleging that the Participant Software directly or indirectly + infringes any patent where such claim is resolved (such as by + license or settlement) prior to the initiation of patent + infringement litigation, then the reasonable value of the licenses + granted by such Participant under Sections 2.1 or 2.2 shall be taken + into account in determining the amount or value of any payment or + license. + + 6.4. In the event of termination under Sections 6.1 or 6.2 above, + all end user licenses that have been validly granted by You or any + distributor hereunder prior to termination (excluding licenses + granted to You by any distributor) shall survive termination. + + 7. LIMITATION OF LIABILITY. 
+ + UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT + (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE + INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF + COVERED SOFTWARE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE + TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR + CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT + LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER + FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR + LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE + POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT + APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION + AND LIMITATION MAY NOT APPLY TO YOU. + + 8. U.S. GOVERNMENT END USERS. + + The Covered Software is a "commercial item," as that term is defined + in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer + software" (as that term is defined at 48 C.F.R. § + 252.227-7014(a)(1)) and "commercial computer software documentation" + as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent + with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 + (June 1995), all U.S. Government End Users acquire Covered Software + with only those rights set forth herein. This U.S. Government Rights + clause is in lieu of, and supersedes, any other FAR, DFAR, or other + clause or provision that addresses Government rights in computer + software under this License. + + 9. MISCELLANEOUS. + + This License represents the complete agreement concerning subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. 
This License shall be governed by + the law of the jurisdiction specified in a notice contained within + the Original Software (except to the extent applicable law, if any, + provides otherwise), excluding such jurisdiction's conflict-of-law + provisions. Any litigation relating to this License shall be subject + to the jurisdiction of the courts located in the jurisdiction and + venue specified in a notice contained within the Original Software, + with the losing party responsible for costs, including, without + limitation, court costs and reasonable attorneys' fees and expenses. + The application of the United Nations Convention on Contracts for + the International Sale of Goods is expressly excluded. Any law or + regulation which provides that the language of a contract shall be + construed against the drafter shall not apply to this License. You + agree that You alone are responsible for compliance with the United + States export administration regulations (and the export control + laws and regulation of any other countries) when You use, distribute + or otherwise make available any Covered Software. + + 10. RESPONSIBILITY FOR CLAIMS. + + As between Initial Developer and the Contributors, each party is + responsible for claims and damages arising, directly or indirectly, + out of its utilization of rights under this License and You agree to + work with Initial Developer and Contributors to distribute such + responsibility on an equitable basis. Nothing herein is intended or + shall be deemed to constitute any admission of liability. + +--- + +## NOTICE PURSUANT TO SECTION 9 OF THE COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) + + The code released under the CDDL shall be governed by the laws of the + State of California (excluding conflict-of-law provisions). 
Any + litigation relating to this License shall be subject to the jurisdiction + of the Federal Courts of the Northern District of California and the + state courts of the State of California, with venue lying in Santa Clara + County, California. + +--- + +## The GNU General Public License (GPL) Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor + Boston, MA 02110-1335 + USA + + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your freedom to + share and change it. By contrast, the GNU General Public License is + intended to guarantee your freedom to share and change free software--to + make sure the software is free for all its users. This General Public + License applies to most of the Free Software Foundation's software and + to any other program whose authors commit to using it. (Some other Free + Software Foundation software is covered by the GNU Library General + Public License instead.) You can apply it to your programs, too. + + When we speak of free software, we are referring to freedom, not price. + Our General Public Licenses are designed to make sure that you have the + freedom to distribute copies of free software (and charge for this + service if you wish), that you receive source code or can get it if you + want it, that you can change the software or use pieces of it in new + free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid anyone + to deny you these rights or to ask you to surrender the rights. These + restrictions translate to certain responsibilities for you if you + distribute copies of the software, or if you modify it. 
+ + For example, if you distribute copies of such a program, whether gratis + or for a fee, you must give the recipients all the rights that you have. + You must make sure that they, too, receive or can get the source code. + And you must show them these terms so they know their rights. + + We protect your rights with two steps: (1) copyright the software, and + (2) offer you this license which gives you legal permission to copy, + distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain + that everyone understands that there is no warranty for this free + software. If the software is modified by someone else and passed on, we + want its recipients to know that what they have is not the original, so + that any problems introduced by others will not reflect on the original + authors' reputations. + + Finally, any free program is threatened constantly by software patents. + We wish to avoid the danger that redistributors of a free program will + individually obtain patent licenses, in effect making the program + proprietary. To prevent this, we have made it clear that any patent must + be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and + modification follow. + + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains a + notice placed by the copyright holder saying it may be distributed under + the terms of this General Public License. The "Program", below, refers + to any such program or work, and a "work based on the Program" means + either the Program or any derivative work under copyright law: that is + to say, a work containing the Program or a portion of it, either + verbatim or with modifications and/or translated into another language. + (Hereinafter, translation is included without limitation in the term + "modification".) 
Each licensee is addressed as "you". + + Activities other than copying, distribution and modification are not + covered by this License; they are outside its scope. The act of running + the Program is not restricted, and the output from the Program is + covered only if its contents constitute a work based on the Program + (independent of having been made by running the Program). Whether that + is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's source + code as you receive it, in any medium, provided that you conspicuously + and appropriately publish on each copy an appropriate copyright notice + and disclaimer of warranty; keep intact all the notices that refer to + this License and to the absence of any warranty; and give any other + recipients of the Program a copy of this License along with the Program. + + You may charge a fee for the physical act of transferring a copy, and + you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion of + it, thus forming a work based on the Program, and copy and distribute + such modifications or work under the terms of Section 1 above, provided + that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any part + thereof, to be licensed as a whole at no charge to all third parties + under the terms of this License. 
+ + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a notice + that there is no warranty (or else, saying that you provide a + warranty) and that users may redistribute the program under these + conditions, and telling the user how to view a copy of this License. + (Exception: if the Program itself is interactive but does not + normally print such an announcement, your work based on the Program + is not required to print an announcement.) + + These requirements apply to the modified work as a whole. If + identifiable sections of that work are not derived from the Program, and + can be reasonably considered independent and separate works in + themselves, then this License, and its terms, do not apply to those + sections when you distribute them as separate works. But when you + distribute the same sections as part of a whole which is a work based on + the Program, the distribution of the whole must be on the terms of this + License, whose permissions for other licensees extend to the entire + whole, and thus to each and every part regardless of who wrote it. + + Thus, it is not the intent of this section to claim rights or contest + your rights to work written entirely by you; rather, the intent is to + exercise the right to control the distribution of derivative or + collective works based on the Program. + + In addition, mere aggregation of another work not based on the Program + with the Program (or with a work based on the Program) on a volume of a + storage or distribution medium does not bring the other work under the + scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, + under Section 2) in object code or executable form under the terms of + Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections 1 + and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your cost + of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to + distribute corresponding source code. (This alternative is allowed + only for noncommercial distribution and only if you received the + program in object code or executable form with such an offer, in + accord with Subsection b above.) + + The source code for a work means the preferred form of the work for + making modifications to it. For an executable work, complete source code + means all the source code for all modules it contains, plus any + associated interface definition files, plus the scripts used to control + compilation and installation of the executable. However, as a special + exception, the source code distributed need not include anything that is + normally distributed (in either source or binary form) with the major + components (compiler, kernel, and so on) of the operating system on + which the executable runs, unless that component itself accompanies the + executable. 
+ + If distribution of executable or object code is made by offering access + to copy from a designated place, then offering equivalent access to copy + the source code from the same place counts as distribution of the source + code, even though third parties are not compelled to copy the source + along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program + except as expressly provided under this License. Any attempt otherwise + to copy, modify, sublicense or distribute the Program is void, and will + automatically terminate your rights under this License. However, parties + who have received copies, or rights, from you under this License will + not have their licenses terminated so long as such parties remain in + full compliance. + + 5. You are not required to accept this License, since you have not + signed it. However, nothing else grants you permission to modify or + distribute the Program or its derivative works. These actions are + prohibited by law if you do not accept this License. Therefore, by + modifying or distributing the Program (or any work based on the + Program), you indicate your acceptance of this License to do so, and all + its terms and conditions for copying, distributing or modifying the + Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the + Program), the recipient automatically receives a license from the + original licensor to copy, distribute or modify the Program subject to + these terms and conditions. You may not impose any further restrictions + on the recipients' exercise of the rights granted herein. You are not + responsible for enforcing compliance by third parties to this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent + infringement or for any other reason (not limited to patent issues), + conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot distribute + so as to satisfy simultaneously your obligations under this License and + any other pertinent obligations, then as a consequence you may not + distribute the Program at all. For example, if a patent license would + not permit royalty-free redistribution of the Program by all those who + receive copies directly or indirectly through you, then the only way you + could satisfy both it and this License would be to refrain entirely from + distribution of the Program. + + If any portion of this section is held invalid or unenforceable under + any particular circumstance, the balance of the section is intended to + apply and the section as a whole is intended to apply in other + circumstances. + + It is not the purpose of this section to induce you to infringe any + patents or other property right claims or to contest validity of any + such claims; this section has the sole purpose of protecting the + integrity of the free software distribution system, which is implemented + by public license practices. Many people have made generous + contributions to the wide range of software distributed through that + system in reliance on consistent application of that system; it is up to + the author/donor to decide if he or she is willing to distribute + software through any other system and a licensee cannot impose that choice. + + This section is intended to make thoroughly clear what is believed to be + a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in + certain countries either by patents or by copyrighted interfaces, the + original copyright holder who places the Program under this License may + add an explicit geographical distribution limitation excluding those + countries, so that distribution is permitted only in or among countries + not thus excluded. In such case, this License incorporates the + limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new + versions of the General Public License from time to time. Such new + versions will be similar in spirit to the present version, but may + differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the Program + specifies a version number of this License which applies to it and "any + later version", you have the option of following the terms and + conditions either of that version or of any later version published by + the Free Software Foundation. If the Program does not specify a version + number of this License, you may choose any version ever published by the + Free Software Foundation. + + 10. If you wish to incorporate parts of the Program into other free + programs whose distribution conditions are different, write to the + author to ask for permission. For software which is copyrighted by the + Free Software Foundation, write to the Free Software Foundation; we + sometimes make exceptions for this. Our decision will be guided by the + two goals of preserving the free status of all derivatives of our free + software and of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO + WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
+ EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR + OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, + EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE + ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH + YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL + NECESSARY SERVICING, REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN + WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY + AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR + DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL + DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM + (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF + THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR + OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it + free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest to + attach them to the start of each source file to most effectively convey + the exclusion of warranty; and each file should have at least the + "copyright" line and a pointer to where the full notice is found. + + One line to give the program's name and a brief idea of what it does. 
+ Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA + + Also add information on how to contact you by electronic and paper mail. + + If the program is interactive, make it output a short notice like this + when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type + `show w'. This is free software, and you are welcome to redistribute + it under certain conditions; type `show c' for details. + + The hypothetical commands `show w' and `show c' should show the + appropriate parts of the General Public License. Of course, the commands + you use may be called something other than `show w' and `show c'; they + could even be mouse-clicks or menu items--whatever suits your program. + + You should also get your employer (if you work as a programmer) or your + school, if any, to sign a "copyright disclaimer" for the program, if + necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + program `Gnomovision' (which makes passes at compilers) written by + James Hacker. + + signature of Ty Coon, 1 April 1989 + Ty Coon, President of Vice + + This General Public License does not permit incorporating your program + into proprietary programs. 
If your program is a subroutine library, you + may consider it more useful to permit linking proprietary applications + with the library. If this is what you want to do, use the GNU Library + General Public License instead of this License. + +--- + + Certain source files distributed by Oracle America, Inc. and/or its + affiliates are subject to the following clarification and special + exception to the GPLv2, based on the GNU Project exception for its + Classpath libraries, known as the GNU Classpath Exception, but only + where Oracle has expressly included in the particular source file's + header the words "Oracle designates this particular file as subject to + the "Classpath" exception as provided by Oracle in the LICENSE file + that accompanied this code." + + You should also note that Oracle includes multiple, independent + programs in this software package. Some of those programs are provided + under licenses deemed incompatible with the GPLv2 by the Free Software + Foundation and others. For example, the package includes programs + licensed under the Apache License, Version 2.0. Such programs are + licensed to you under their original licenses. + + Oracle facilitates your further distribution of this package by adding + the Classpath Exception to the necessary parts of its GPLv2 code, which + permits you to use that code in combination with other independent + modules not licensed under the GPLv2. However, note that this would + not permit you to commingle code under an incompatible license with + Oracle's GPLv2 licensed code by, for example, cutting and pasting such + code into a file also containing Oracle's GPLv2 licensed code and then + distributing the result. 
Additionally, if you were to remove the + Classpath Exception from any of the files to which it applies and + distribute the result, you would likely be required to license some or + all of the other code in that distribution under the GPLv2 as well, and + since the GPLv2 is incompatible with the license terms of some items + included in the distribution by Oracle, removing the Classpath + Exception could therefore effectively compromise your ability to + further distribute the package. + + Proceed with caution and we recommend that you obtain the advice of a + lawyer skilled in open source matters before removing the Classpath + Exception or making modifications to this package which may + subsequently be redistributed and/or involve the use of third party + software. + + CLASSPATH EXCEPTION + Linking this library statically or dynamically with other modules is + making a combined work based on this library. Thus, the terms and + conditions of the GNU General Public License version 2 cover the whole + combination. + + As a special exception, the copyright holders of this library give you + permission to link this library with independent modules to produce an + executable, regardless of the license terms of these independent + modules, and to copy and distribute the resulting executable under + terms of your choice, provided that you also meet, for each linked + independent module, the terms and conditions of the license of that + module. An independent module is a module which is not derived from or + based on this library. If you modify this library, you may extend this + exception to your version of the library, but you are not obligated to + do so. If you do not wish to do so, delete this exception statement + from your version. diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java new file mode 100644 index 00000000000..9a149cde585 --- /dev/null 
+++ b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java 
@@ -0,0 +1,73 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2005-2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License"). You
+ * may not use this file except in compliance with the License. You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt. See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license." If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above. However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.xml.ws;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ * Used to annotate the getPortName()
+ * methods of a generated service interface.
+ *
+ *

The information specified in this annotation is sufficient
+ * to uniquely identify a {@code wsdl:port} element
+ * inside a {@code wsdl:service}. The latter is
+ * determined based on the value of the {@code WebServiceClient}
+ * annotation on the generated service interface itself.
+ *
+ * @since 1.6, JAX-WS 2.0
+ *
+ * @see javax.xml.ws.WebServiceClient
+**/
+@Target({ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebEndpoint {
+ /**
+ * The local name of the endpoint.
+ *
+ * @return ocal name of the endpoint
+ **/
+ String name() default "";
+}
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java
new file mode 100644
index 00000000000..635a86440da
--- /dev/null
+++ b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java
@@ -0,0 +1,84 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2005-2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License"). You
+ * may not use this file except in compliance with the License. You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt. See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license." If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above. However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.xml.ws;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ * Used to annotate a generated service interface.
+ *
+ *

The information specified in this annotation is sufficient
+ * to uniquely identify a {@code wsdl:service}
+ * element inside a WSDL document. This {@code wsdl:service}
+ * element represents the Web service for which the generated
+ * service interface provides a client view.
+ *
+ * @since 1.6, JAX-WS 2.0
+**/
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebServiceClient {
+ /**
+ * The local name of the Web service.
+ *
+ * @return local name
+ */
+ String name() default "";
+
+ /**
+ * The namespace for the Web service.
+ *
+ * @return target namespace name
+ */
+ String targetNamespace() default "";
+
+ /**
+ * The location of the WSDL document for the service (a URL).
+ *
+ * @return location of the WSDL document (a URL)
+ */
+ String wsdlLocation() default "";
+}
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java
new file mode 100644
index 00000000000..f54713fed23
--- /dev/null
+++ b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java
@@ -0,0 +1,85 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2005-2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License"). You
+ * may not use this file except in compliance with the License. You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt. See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license." If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above. However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.xml.ws;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+/**
+ * Used to annotate a Provider implementation class.
+ *
+ * @since 1.6, JAX-WS 2.0
+ * @see javax.xml.ws.Provider
+ */
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebServiceProvider {
+ /**
+ * Location of the WSDL description for the service.
+ *
+ * @return location of the WSDL description
+ */
+ String wsdlLocation() default "";
+
+ /**
+ * Service name.
+ *
+ * @return service name
+ */
+ String serviceName() default "";
+
+ /**
+ * Target namespace for the service
+ *
+ * @return target namespace
+ */
+ String targetNamespace() default "";
+
+ /**
+ * Port name.
+ *
+ * @return port name
+ */
+ String portName() default "";
+}
diff --git a/java/ql/test/stubs/jsr181-api/LICENSE b/java/ql/test/stubs/jsr181-api/LICENSE
new file mode 100644
index 00000000000..b1c74f95ede
--- /dev/null
+++ b/java/ql/test/stubs/jsr181-api/LICENSE
@@ -0,0 +1,759 @@ +COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.1 + +1. Definitions. + + 1.1. "Contributor" means each individual or entity that creates or + contributes to the creation of Modifications. + + 1.2. "Contributor Version" means the combination of the Original + Software, prior Modifications used by a Contributor (if any), and + the Modifications made by that particular Contributor. + + 1.3. "Covered Software" means (a) the Original Software, or (b) + Modifications, or (c) the combination of files containing Original + Software with files containing Modifications, in each case including + portions thereof. + + 1.4. "Executable" means the Covered Software in any form other than + Source Code. + + 1.5. "Initial Developer" means the individual or entity that first + makes Original Software available under this License. + + 1.6. "Larger Work" means a work which combines Covered Software or + portions thereof with code not governed by the terms of this License. + + 1.7. "License" means this document. + + 1.8. "Licensable" means having the right to grant, to the maximum + extent possible, whether at the time of the initial grant or + subsequently acquired, any and all of the rights conveyed herein. + + 1.9. "Modifications" means the Source Code and Executable form of + any of the following: + + A. Any file that results from an addition to, deletion from or + modification of the contents of a file containing Original Software + or previous Modifications; + + B. Any new file that contains any part of the Original Software or + previous Modification; or + + C. Any new file that is contributed or otherwise made available + under the terms of this License. + + 1.10. "Original Software" means the Source Code and Executable form + of computer software code that is originally released under this + License. + + 1.11. 
"Patent Claims" means any patent claim(s), now owned or + hereafter acquired, including without limitation, method, process, + and apparatus claims, in any patent Licensable by grantor. + + 1.12. "Source Code" means (a) the common form of computer software + code in which modifications are made and (b) associated + documentation included in or with such code. + + 1.13. "You" (or "Your") means an individual or a legal entity + exercising rights under, and complying with all of the terms of, + this License. For legal entities, "You" includes any entity which + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants. + + 2.1. The Initial Developer Grant. + + Conditioned upon Your compliance with Section 3.1 below and subject + to third party intellectual property claims, the Initial Developer + hereby grants You a world-wide, royalty-free, non-exclusive license: + + (a) under intellectual property rights (other than patent or + trademark) Licensable by Initial Developer, to use, reproduce, + modify, display, perform, sublicense and distribute the Original + Software (or portions thereof), with or without Modifications, + and/or as part of a Larger Work; and + + (b) under Patent Claims infringed by the making, using or selling of + Original Software, to make, have made, use, practice, sell, and + offer for sale, and/or otherwise dispose of the Original Software + (or portions thereof). + + (c) The licenses granted in Sections 2.1(a) and (b) are effective on + the date Initial Developer first distributes or otherwise makes the + Original Software available to a third party under the terms of this + License. 
+ + (d) Notwithstanding Section 2.1(b) above, no patent license is + granted: (1) for code that You delete from the Original Software, or + (2) for infringements caused by: (i) the modification of the + Original Software, or (ii) the combination of the Original Software + with other software or devices. + + 2.2. Contributor Grant. + + Conditioned upon Your compliance with Section 3.1 below and subject + to third party intellectual property claims, each Contributor hereby + grants You a world-wide, royalty-free, non-exclusive license: + + (a) under intellectual property rights (other than patent or + trademark) Licensable by Contributor to use, reproduce, modify, + display, perform, sublicense and distribute the Modifications + created by such Contributor (or portions thereof), either on an + unmodified basis, with other Modifications, as Covered Software + and/or as part of a Larger Work; and + + (b) under Patent Claims infringed by the making, using, or selling + of Modifications made by that Contributor either alone and/or in + combination with its Contributor Version (or portions of such + combination), to make, use, sell, offer for sale, have made, and/or + otherwise dispose of: (1) Modifications made by that Contributor (or + portions thereof); and (2) the combination of Modifications made by + that Contributor with its Contributor Version (or portions of such + combination). + + (c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective + on the date Contributor first distributes or otherwise makes the + Modifications available to a third party. 
+ + (d) Notwithstanding Section 2.2(b) above, no patent license is + granted: (1) for any code that Contributor has deleted from the + Contributor Version; (2) for infringements caused by: (i) third + party modifications of Contributor Version, or (ii) the combination + of Modifications made by that Contributor with other software + (except as part of the Contributor Version) or other devices; or (3) + under Patent Claims infringed by Covered Software in the absence of + Modifications made by that Contributor. + +3. Distribution Obligations. + + 3.1. Availability of Source Code. + + Any Covered Software that You distribute or otherwise make available + in Executable form must also be made available in Source Code form + and that Source Code form must be distributed only under the terms + of this License. You must include a copy of this License with every + copy of the Source Code form of the Covered Software You distribute + or otherwise make available. You must inform recipients of any such + Covered Software in Executable form as to how they can obtain such + Covered Software in Source Code form in a reasonable manner on or + through a medium customarily used for software exchange. + + 3.2. Modifications. + + The Modifications that You create or to which You contribute are + governed by the terms of this License. You represent that You + believe Your Modifications are Your original creation(s) and/or You + have sufficient rights to grant the rights conveyed by this License. + + 3.3. Required Notices. + + You must include a notice in each of Your Modifications that + identifies You as the Contributor of the Modification. You may not + remove or alter any copyright, patent or trademark notices contained + within the Covered Software, or any notices of licensing or any + descriptive text giving attribution to any Contributor or the + Initial Developer. + + 3.4. Application of Additional Terms. 
+ + You may not offer or impose any terms on any Covered Software in + Source Code form that alters or restricts the applicable version of + this License or the recipients' rights hereunder. You may choose to + offer, and to charge a fee for, warranty, support, indemnity or + liability obligations to one or more recipients of Covered Software. + However, you may do so only on Your own behalf, and not on behalf of + the Initial Developer or any Contributor. You must make it + absolutely clear that any such warranty, support, indemnity or + liability obligation is offered by You alone, and You hereby agree + to indemnify the Initial Developer and every Contributor for any + liability incurred by the Initial Developer or such Contributor as a + result of warranty, support, indemnity or liability terms You offer. + + 3.5. Distribution of Executable Versions. + + You may distribute the Executable form of the Covered Software under + the terms of this License or under the terms of a license of Your + choice, which may contain terms different from this License, + provided that You are in compliance with the terms of this License + and that the license for the Executable form does not attempt to + limit or alter the recipient's rights in the Source Code form from + the rights set forth in this License. If You distribute the Covered + Software in Executable form under a different license, You must make + it absolutely clear that any terms which differ from this License + are offered by You alone, not by the Initial Developer or + Contributor. You hereby agree to indemnify the Initial Developer and + every Contributor for any liability incurred by the Initial + Developer or such Contributor as a result of any such terms You offer. + + 3.6. Larger Works. + + You may create a Larger Work by combining Covered Software with + other code not governed by the terms of this License and distribute + the Larger Work as a single product. 
In such a case, You must make + sure the requirements of this License are fulfilled for the Covered + Software. + +4. Versions of the License. + + 4.1. New Versions. + + Oracle is the initial license steward and may publish revised and/or + new versions of this License from time to time. Each version will be + given a distinguishing version number. Except as provided in Section + 4.3, no one other than the license steward has the right to modify + this License. + + 4.2. Effect of New Versions. + + You may always continue to use, distribute or otherwise make the + Covered Software available under the terms of the version of the + License under which You originally received the Covered Software. If + the Initial Developer includes a notice in the Original Software + prohibiting it from being distributed or otherwise made available + under any subsequent version of the License, You must distribute and + make the Covered Software available under the terms of the version + of the License under which You originally received the Covered + Software. Otherwise, You may also choose to use, distribute or + otherwise make the Covered Software available under the terms of any + subsequent version of the License published by the license steward. + + 4.3. Modified Versions. + + When You are an Initial Developer and You want to create a new + license for Your Original Software, You may create and use a + modified version of this License if You: (a) rename the license and + remove any references to the name of the license steward (except to + note that the license differs from this License); and (b) otherwise + make it clear that the license contains terms which differ from this + License. + +5. DISCLAIMER OF WARRANTY. 
+ + COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED SOFTWARE + IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR + NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF + THE COVERED SOFTWARE IS WITH YOU. SHOULD ANY COVERED SOFTWARE PROVE + DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY + OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, + REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN + ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS + AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. + +6. TERMINATION. + + 6.1. This License and the rights granted hereunder will terminate + automatically if You fail to comply with terms herein and fail to + cure such breach within 30 days of becoming aware of the breach. + Provisions which, by their nature, must remain in effect beyond the + termination of this License shall survive. + + 6.2. 
If You assert a patent infringement claim (excluding + declaratory judgment actions) against Initial Developer or a + Contributor (the Initial Developer or Contributor against whom You + assert such claim is referred to as "Participant") alleging that the + Participant Software (meaning the Contributor Version where the + Participant is a Contributor or the Original Software where the + Participant is the Initial Developer) directly or indirectly + infringes any patent, then any and all rights granted directly or + indirectly to You by such Participant, the Initial Developer (if the + Initial Developer is not the Participant) and all Contributors under + Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice + from Participant terminate prospectively and automatically at the + expiration of such 60 day notice period, unless if within such 60 + day period You withdraw Your claim with respect to the Participant + Software against such Participant either unilaterally or pursuant to + a written agreement with Participant. + + 6.3. If You assert a patent infringement claim against Participant + alleging that the Participant Software directly or indirectly + infringes any patent where such claim is resolved (such as by + license or settlement) prior to the initiation of patent + infringement litigation, then the reasonable value of the licenses + granted by such Participant under Sections 2.1 or 2.2 shall be taken + into account in determining the amount or value of any payment or + license. + + 6.4. In the event of termination under Sections 6.1 or 6.2 above, + all end user licenses that have been validly granted by You or any + distributor hereunder prior to termination (excluding licenses + granted to You by any distributor) shall survive termination. + +7. LIMITATION OF LIABILITY. 
+ + UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT + (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE + INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF + COVERED SOFTWARE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE + TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR + CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT + LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER + FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR + LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE + POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT + APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION + AND LIMITATION MAY NOT APPLY TO YOU. + +8. U.S. GOVERNMENT END USERS. + + The Covered Software is a "commercial item," as that term is defined + in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer + software" (as that term is defined at 48 C.F.R. § + 252.227-7014(a)(1)) and "commercial computer software documentation" + as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent + with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 + (June 1995), all U.S. Government End Users acquire Covered Software + with only those rights set forth herein. This U.S. Government Rights + clause is in lieu of, and supersedes, any other FAR, DFAR, or other + clause or provision that addresses Government rights in computer + software under this License. + +9. MISCELLANEOUS. + + This License represents the complete agreement concerning subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. 
This License shall be governed by + the law of the jurisdiction specified in a notice contained within + the Original Software (except to the extent applicable law, if any, + provides otherwise), excluding such jurisdiction's conflict-of-law + provisions. Any litigation relating to this License shall be subject + to the jurisdiction of the courts located in the jurisdiction and + venue specified in a notice contained within the Original Software, + with the losing party responsible for costs, including, without + limitation, court costs and reasonable attorneys' fees and expenses. + The application of the United Nations Convention on Contracts for + the International Sale of Goods is expressly excluded. Any law or + regulation which provides that the language of a contract shall be + construed against the drafter shall not apply to this License. You + agree that You alone are responsible for compliance with the United + States export administration regulations (and the export control + laws and regulation of any other countries) when You use, distribute + or otherwise make available any Covered Software. + +10. RESPONSIBILITY FOR CLAIMS. + + As between Initial Developer and the Contributors, each party is + responsible for claims and damages arising, directly or indirectly, + out of its utilization of rights under this License and You agree to + work with Initial Developer and Contributors to distribute such + responsibility on an equitable basis. Nothing herein is intended or + shall be deemed to constitute any admission of liability. + +------------------------------------------------------------------------ + +NOTICE PURSUANT TO SECTION 9 OF THE COMMON DEVELOPMENT AND DISTRIBUTION +LICENSE (CDDL) + +The code released under the CDDL shall be governed by the laws of the +State of California (excluding conflict-of-law provisions). 
Any +litigation relating to this License shall be subject to the jurisdiction +of the Federal Courts of the Northern District of California and the +state courts of the State of California, with venue lying in Santa Clara +County, California. + + + + The GNU General Public License (GPL) Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +51 Franklin Street, Fifth Floor +Boston, MA 02110-1335 +USA + +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed. + +Preamble + +The licenses for most software are designed to take away your freedom to +share and change it. By contrast, the GNU General Public License is +intended to guarantee your freedom to share and change free software--to +make sure the software is free for all its users. This General Public +License applies to most of the Free Software Foundation's software and +to any other program whose authors commit to using it. (Some other Free +Software Foundation software is covered by the GNU Library General +Public License instead.) You can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not price. +Our General Public Licenses are designed to make sure that you have the +freedom to distribute copies of free software (and charge for this +service if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs; and that you know you can do these things. + +To protect your rights, we need to make restrictions that forbid anyone +to deny you these rights or to ask you to surrender the rights. These +restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + +For example, if you distribute copies of such a program, whether gratis +or for a fee, you must give the recipients all the rights that you have. 
+You must make sure that they, too, receive or can get the source code. +And you must show them these terms so they know their rights. + +We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + +Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + +Finally, any free program is threatened constantly by software patents. +We wish to avoid the danger that redistributors of a free program will +individually obtain patent licenses, in effect making the program +proprietary. To prevent this, we have made it clear that any patent must +be licensed for everyone's free use or not licensed at all. + +The precise terms and conditions for copying, distribution and +modification follow. + +TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + +0. This License applies to any program or other work which contains a +notice placed by the copyright holder saying it may be distributed under +the terms of this General Public License. The "Program", below, refers +to any such program or work, and a "work based on the Program" means +either the Program or any derivative work under copyright law: that is +to say, a work containing the Program or a portion of it, either +verbatim or with modifications and/or translated into another language. +(Hereinafter, translation is included without limitation in the term +"modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of running +the Program is not restricted, and the output from the Program is +covered only if its contents constitute a work based on the Program +(independent of having been made by running the Program). Whether that +is true depends on what the Program does. + +1. You may copy and distribute verbatim copies of the Program's source +code as you receive it, in any medium, provided that you conspicuously +and appropriately publish on each copy an appropriate copyright notice +and disclaimer of warranty; keep intact all the notices that refer to +this License and to the absence of any warranty; and give any other +recipients of the Program a copy of this License along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + +2. You may modify your copy or copies of the Program or any portion of +it, thus forming a work based on the Program, and copy and distribute +such modifications or work under the terms of Section 1 above, provided +that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any part + thereof, to be licensed as a whole at no charge to all third parties + under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a notice + that there is no warranty (or else, saying that you provide a + warranty) and that users may redistribute the program under these + conditions, and telling the user how to view a copy of this License. 
+ (Exception: if the Program itself is interactive but does not + normally print such an announcement, your work based on the Program + is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, and +can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based on +the Program, the distribution of the whole must be on the terms of this +License, whose permissions for other licensees extend to the entire +whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of a +storage or distribution medium does not bring the other work under the +scope of this License. + +3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections 1 + and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your cost + of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to + distribute corresponding source code. (This alternative is allowed + only for noncommercial distribution and only if you received the + program in object code or executable form with such an offer, in + accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source code +means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to control +compilation and installation of the executable. However, as a special +exception, the source code distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies the +executable. 
+ +If distribution of executable or object code is made by offering access +to copy from a designated place, then offering equivalent access to copy +the source code from the same place counts as distribution of the source +code, even though third parties are not compelled to copy the source +along with the object code. + +4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt otherwise +to copy, modify, sublicense or distribute the Program is void, and will +automatically terminate your rights under this License. However, parties +who have received copies, or rights, from you under this License will +not have their licenses terminated so long as such parties remain in +full compliance. + +5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and all +its terms and conditions for copying, distributing or modifying the +Program or works based on it. + +6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further restrictions +on the recipients' exercise of the rights granted herein. You are not +responsible for enforcing compliance by third parties to this License. + +7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot distribute +so as to satisfy simultaneously your obligations under this License and +any other pertinent obligations, then as a consequence you may not +distribute the Program at all. For example, if a patent license would +not permit royalty-free redistribution of the Program by all those who +receive copies directly or indirectly through you, then the only way you +could satisfy both it and this License would be to refrain entirely from +distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is implemented +by public license practices. Many people have made generous +contributions to the wide range of software distributed through that +system in reliance on consistent application of that system; it is up to +the author/donor to decide if he or she is willing to distribute +software through any other system and a licensee cannot impose that choice. + +This section is intended to make thoroughly clear what is believed to be +a consequence of the rest of this License. + +8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License may +add an explicit geographical distribution limitation excluding those +countries, so that distribution is permitted only in or among countries +not thus excluded. In such case, this License incorporates the +limitation as if written in the body of this License. + +9. The Free Software Foundation may publish revised and/or new +versions of the General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Program does not specify a version +number of this License, you may choose any version ever published by the +Free Software Foundation. + +10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the +author to ask for permission. For software which is copyrighted by the +Free Software Foundation, write to the Free Software Foundation; we +sometimes make exceptions for this. Our decision will be guided by the +two goals of preserving the free status of all derivatives of our free +software and of promoting the sharing and reuse of software generally. + +NO WARRANTY + +11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, +EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE +ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH +YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL +NECESSARY SERVICING, REPAIR OR CORRECTION. + +12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR +DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL +DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM +(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED +INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF +THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR +OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +END OF TERMS AND CONDITIONS + +How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + +To do so, attach the following notices to the program. It is safest to +attach them to the start of each source file to most effectively convey +the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + One line to give the program's name and a brief idea of what it does. 
+ Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type + `show w'. This is free software, and you are welcome to redistribute + it under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the +appropriate parts of the General Public License. Of course, the commands +you use may be called something other than `show w' and `show c'; they +could even be mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + program `Gnomovision' (which makes passes at compilers) written by + James Hacker. + + signature of Ty Coon, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program +into proprietary programs. 
If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications +with the library. If this is what you want to do, use the GNU Library +General Public License instead of this License. + +# + +Certain source files distributed by Oracle America, Inc. and/or its +affiliates are subject to the following clarification and special +exception to the GPLv2, based on the GNU Project exception for its +Classpath libraries, known as the GNU Classpath Exception, but only +where Oracle has expressly included in the particular source file's +header the words "Oracle designates this particular file as subject to +the "Classpath" exception as provided by Oracle in the LICENSE file +that accompanied this code." + +You should also note that Oracle includes multiple, independent +programs in this software package. Some of those programs are provided +under licenses deemed incompatible with the GPLv2 by the Free Software +Foundation and others. For example, the package includes programs +licensed under the Apache License, Version 2.0. Such programs are +licensed to you under their original licenses. + +Oracle facilitates your further distribution of this package by adding +the Classpath Exception to the necessary parts of its GPLv2 code, which +permits you to use that code in combination with other independent +modules not licensed under the GPLv2. However, note that this would +not permit you to commingle code under an incompatible license with +Oracle's GPLv2 licensed code by, for example, cutting and pasting such +code into a file also containing Oracle's GPLv2 licensed code and then +distributing the result. 
Additionally, if you were to remove the +Classpath Exception from any of the files to which it applies and +distribute the result, you would likely be required to license some or +all of the other code in that distribution under the GPLv2 as well, and +since the GPLv2 is incompatible with the license terms of some items +included in the distribution by Oracle, removing the Classpath +Exception could therefore effectively compromise your ability to +further distribute the package. + +Proceed with caution and we recommend that you obtain the advice of a +lawyer skilled in open source matters before removing the Classpath +Exception or making modifications to this package which may +subsequently be redistributed and/or involve the use of third party +software. + +CLASSPATH EXCEPTION +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License version 2 cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from or +based on this library. If you modify this library, you may extend this +exception to your version of the library, but you are not obligated to +do so. If you do not wish to do so, delete this exception statement +from your version. diff --git a/java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java b/java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java new file mode 100644 index 00000000000..92813b5a255 --- /dev/null +++ b/java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java 
@@ -0,0 +1,48 @@ +package javax.jws; + +import java.lang.annotation.Target; +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + +/** + * Customizes a method that is exposed as a Web Service operation. + * The associated method must be public and its parameters return value, + * and exceptions must follow the rules defined in JAX-RPC 1.1, section 5. + * + * The method is not required to throw java.rmi.RemoteException. + * + * @author Copyright (c) 2004 by BEA Systems, Inc. All Rights Reserved. + * + * @since 1.6 + */ +@Retention(value = RetentionPolicy.RUNTIME) +@Target({ElementType.METHOD}) +public @interface WebMethod { + + /** + * Name of the wsdl:operation matching this method. + * + * @specdefault Name of the Java method. + */ + String operationName() default ""; + + /** + * The action for this operation. + *

+ * For SOAP bindings, this determines the value of the soap action. + */ + String action() default ""; + + /** + * Marks a method to NOT be exposed as a web method. + *

+ * Used to stop an inherited method from being exposed as part of this web service. + * If this element is specified, other elements MUST NOT be specified for the @WebMethod. + *

+ * This member-value is not allowed on endpoint interfaces. + * + * @since 2.0 + */ + boolean exclude() default false; +}; diff --git a/java/ql/test/stubs/jsr181-api/javax/jws/WebService.java b/java/ql/test/stubs/jsr181-api/javax/jws/WebService.java new file mode 100644 index 00000000000..67eebee9ca3 --- /dev/null +++ b/java/ql/test/stubs/jsr181-api/javax/jws/WebService.java @@ -0,0 +1,97 @@ +package javax.jws; + +import java.lang.annotation.Target; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.ElementType; + +/** + * Marks a Java class as implementing a Web Service, or a Java interface as defining a Web Service interface. + * + * @author Copyright (c) 2004 by BEA Systems, Inc. All Rights Reserved. + * + * @since 1.6 + */ +@Retention(value = RetentionPolicy.RUNTIME) +@Target(value = {ElementType.TYPE}) +public @interface WebService { + + /** + * The name of the Web Service. + *

+ * Used as the name of the wsdl:portType when mapped to WSDL 1.1. + * + * @specdefault The simple name of the Java class or interface. + */ + String name() default ""; + + /** + * If the @WebService.targetNamespace annotation is on a service endpoint interface, the targetNamespace is used + * for the namespace for the wsdl:portType (and associated XML elements). + *

+ * If the @WebService.targetNamespace annotation is on a service implementation bean that does NOT reference a + * service endpoint interface (through the endpointInterface attribute), the targetNamespace is used for both the + * wsdl:portType and the wsdl:service (and associated XML elements). + *

+ * If the @WebService.targetNamespace annotation is on a service implementation bean that does reference a service + * endpoint interface (through the endpointInterface attribute), the targetNamespace is used for only the + * wsdl:service (and associated XML elements). + * + * @specdefault Implementation-defined, as described in JAX-WS 2.0 [5], section 3.2. + */ + String targetNamespace() default ""; + + /** + * The service name of the Web Service. + *

+ * Used as the name of the wsdl:service when mapped to WSDL 1.1. + *

+ * This member-value is not allowed on endpoint interfaces. + * + * @specdefault The simple name of the Java class + Service". + */ + String serviceName() default ""; + + /** + * The port name of the Web Service. + *

+ * Used as the name of the wsdl:port when mapped to WSDL 1.1. + *

+ * This member-value is not allowed on endpoint interfaces. + * + * @specdefault {@code @WebService.name}+Port. + * + * @since 2.0 + */ + String portName() default ""; + + /** + * The location of a pre-defined WSDL describing the service. + *

+ * The wsdlLocation is a URL (relative or absolute) that refers to a pre-existing WSDL file. The presence of a + * wsdlLocation value indicates that the service implementation bean is implementing a pre-defined WSDL contract. + * The JSR-181 tool MUST provide feedback if the service implementation bean is inconsistent with the portType and + * bindings declared in this WSDL. Note that a single WSDL file might contain multiple portTypes and multiple + * bindings. The annotations on the service implementation bean determine the specific portType and bindings that + * correspond to the Web Service. + */ + String wsdlLocation() default ""; + + /** + * The complete name of the service endpoint interface defining the service's abstract Web Service contract. + *

+ * This annotation allows the developer to separate the interface contract from the implementation. If this + * annotation is present, the service endpoint interface is used to determine the abstract WSDL contract (portType + * and bindings). The service endpoint interface MAY include JSR-181 annotations to customize the mapping from + * Java to WSDL. + *
+ * The service implementation bean MAY implement the service endpoint interface, but is not REQUIRED to do so. + *
+ * If this member-value is not present, the Web Service contract is generated from annotations on the service + * implementation bean. If a service endpoint interface is required by the target environment, it will be + * generated into an implementation-defined package with an implementation- defined name + *

+ * This member-value is not allowed on endpoint interfaces. + */ + String endpointInterface() default ""; +}; From 2cb76fe4071ae1011764054c5447f31780a54096 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 24 Mar 2021 16:32:51 +0000 Subject: [PATCH 11/36] Test JAX-WS endpoints --- .../frameworks/JaxWs/JaxWsEndpoint.expected | 0 .../frameworks/JaxWs/JaxWsEndpoint.java | 44 +++++++++++++++++++ .../frameworks/JaxWs/JaxWsEndpoint.ql | 27 ++++++++++++ .../library-tests/frameworks/JaxWs/options | 1 + 4 files changed, 72 insertions(+) create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.expected create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/options diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.expected b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java new file mode 100644 index 00000000000..5817f433aaf --- /dev/null +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java 
@@ -0,0 +1,44 @@
+import javax.jws.WebMethod;
+import javax.jws.WebService;
+import javax.xml.ws.WebEndpoint;
+import javax.xml.ws.WebServiceClient;
+import javax.xml.ws.WebServiceProvider;
+
+@WebService
+class WebServiceClass { // $JaxWsEndpoint
+
+ @WebMethod
+ void WebMethodMethod() { // $JaxWsEndpointRemoteMethod
+ }
+
+ @WebEndpoint
+ void WebEndpointMethod() { // $JaxWsEndpointRemoteMethod
+ }
+
+}
+
+@WebServiceProvider
+class WebServiceProviderClass { // $JaxWsEndpoint
+
+ @WebMethod
+ void WebMethodMethod() { // $JaxWsEndpointRemoteMethod
+ }
+
+ @WebEndpoint
+ void WebEndpointMethod() { // $JaxWsEndpointRemoteMethod
+ }
+
+}
+
+@WebServiceClient
+class WebServiceClientClass { // $JaxWsEndpoint
+
+ @WebMethod
+ void WebMethodMethod() { // $JaxWsEndpointRemoteMethod
+ }
+
+ @WebEndpoint
+ void WebEndpointMethod() { // $JaxWsEndpointRemoteMethod
+ }
+
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql
new file mode 100644
index 00000000000..6ebd597bb0a
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql
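Review bot: The fixture holds only positive cases, so nothing in it pins what `getARemoteMethod()` must not return. The `WebMethod` stub added earlier in this series documents `exclude` as marking a method that is NOT exposed, yet no class here carries an excluded or an unannotated method; if the model keys only on the annotation type, an excluded method would still be reported as remotely reachable and would be treated as an entry point by queries built on it. I would add `@WebMethod(exclude = true) void excludedMethod() { }` and a plain `void unannotatedMethod() { }` to one of the classes, both without a `$JaxWsEndpointRemoteMethod` tag. Separately, `WebServiceClientClass` is expected to be a `$JaxWsEndpoint`; `@WebServiceClient` normally marks generated client-side classes, so it is worth confirming that counting it as an endpoint is intended rather than inherited from the current model.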
@@ -0,0 +1,27 @@
+import java
+import semmle.code.java.frameworks.JaxWS
+import TestUtilities.InlineExpectationsTest
+
+class JaxWsEndpointTest extends InlineExpectationsTest {
+ JaxWsEndpointTest() { this = "JaxWsEndpointTest" }
+
+ override string getARelevantTag() { result = ["JaxWsEndpoint", "JaxWsEndpointRemoteMethod"] }
+
+ override predicate hasActualResult(Location location, string element, string tag, string value) {
+ tag = "JaxWsEndpoint" and
+ exists(JaxWsEndpoint jaxWsEndpoint |
+ jaxWsEndpoint.getLocation() = location and
+ element = jaxWsEndpoint.toString() and
+ value = ""
+ )
+ or
+ tag = "JaxWsEndpointRemoteMethod" and
+ exists(Callable remoteMethod |
+ remoteMethod = any(JaxWsEndpoint jaxWsEndpoint).getARemoteMethod()
+ |
+ remoteMethod.getLocation() = location and
+ element = remoteMethod.toString() and
+ value = ""
+ )
+ }
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/options b/java/ql/test/library-tests/frameworks/JaxWs/options
new file mode 100644
index 00000000000..e64ee74d9bc
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0
From 07f7fd0342cbab3f708cefbd81787e3174a4ac8d Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Sun, 25 Apr 2021 06:27:55 +0100
Subject: [PATCH 12/36] Add missing QLDocs in JaxWS.qll And correct one QLDoc
---
java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
index 4c2627f85f8..982ef463729 100644
--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -30,6 +30,7 @@ class JaxWsEndpoint extends Class { ) } + /** Gets a method annotated with `@WebMethod` or `@WebEndpoint`. */ Callable getARemoteMethod() { result = this.getACallable() and exists(AnnotationType a | a = result.getAnAnnotation().getType() | @@ -210,10 +211,16 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation { } } +/** + * The class `javax.ws.rs.core.Response`. + */ class JaxRsResponse extends Class { JaxRsResponse() { this.hasQualifiedName(getAJaxRsPackage("core"), "Response") } } +/** + * The class `javax.ws.rs.core.Response$ResponseBuilder`. + */ class JaxRsResponseBuilder extends Class { JaxRsResponseBuilder() { this.hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder") @@ -408,7 +415,7 @@ private class HttpHeadersModel extends SummaryModelCsv { } /** - * Model MultivaluedMap, which extends Map, V> and provides a few extra helper methods. + * Model MultivaluedMap, which extends Map> and provides a few extra helper methods. */ private class MultivaluedMapModel extends SummaryModelCsv { override predicate row(string row) { From 7b3acd8b459ac6e226f1f7147e852f9850c89dab Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 29 Apr 2021 10:52:47 +0100 Subject: [PATCH 13/36] (Minor) Add missing `this.` --- .../src/semmle/code/java/frameworks/JaxWS.qll | 49 +++++++++---------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 982ef463729..25fcdab3ad7 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
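Review bot: The QLDocs added for `JaxRsResponse` and `JaxRsResponseBuilder` in the `@@ -210,10` hunk name only the `javax.ws.rs.core` package, while both characteristic predicates take the package from `getAJaxRsPackage("core")`. That helper is defined outside these hunks; if it yields more than one namespace, the comments describe a narrower class than the code matches. Wording tied to the helper stays correct either way, for example `/** The class Response in the package given by getAJaxRsPackage("core"). */` and the same form for `Response$ResponseBuilder`.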
@@ -71,23 +71,23 @@ class JaxRsResourceMethod extends Method { or // A JaxRS resource method can also inherit these annotations from a supertype, but only if // there are no JaxRS annotations on the method itself - getAnOverride() instanceof JaxRsResourceMethod and - not exists(getAnAnnotation().(JaxRSAnnotation)) + this.getAnOverride() instanceof JaxRsResourceMethod and + not exists(this.getAnAnnotation().(JaxRSAnnotation)) } /** Gets an `@Produces` annotation that applies to this method */ JaxRSProducesAnnotation getProducesAnnotation() { - result = getAnAnnotation() + result = this.getAnAnnotation() or // No direct annotations - not exists(getAnAnnotation().(JaxRSProducesAnnotation)) and + not exists(this.getAnAnnotation().(JaxRSProducesAnnotation)) and ( // Annotations on a method we've overridden - result = getAnOverride().getAnAnnotation() + result = this.getAnOverride().getAnAnnotation() or // No annotations on this method, or a method we've overridden, so look to the class - not exists(getAnOverride().getAnAnnotation().(JaxRSProducesAnnotation)) and - result = getDeclaringType().getAnAnnotation() + not exists(this.getAnOverride().getAnAnnotation().(JaxRSProducesAnnotation)) and + result = this.getDeclaringType().getAnAnnotation() ) } } @@ -120,7 +120,7 @@ class JaxRsResourceClass extends Class { * annotations leading to this resource method. */ JaxRsResourceMethod getAResourceMethod() { - isPublic() and + this.isPublic() and result = this.getACallable() } @@ -129,7 +129,7 @@ class JaxRsResourceClass extends Class { * but is not a resource method e.g. it is not annotated with `@GET` etc. */ Callable getASubResourceLocator() { - result = getAMethod() and + result = this.getAMethod() and not result instanceof JaxRsResourceMethod and hasPathAnnotation(result) } 
@@ -148,10 +148,10 @@ class JaxRsResourceClass extends Class { * (existence of particular parameters). */ Constructor getAnInjectableConstructor() { - result = getAConstructor() and + result = this.getAConstructor() and // JaxRs Spec v2.0 - 3.12 // Only root resources are constructed by the JaxRS container. - isRootResource() and + this.isRootResource() and // JaxRS can only construct the class using constructors that are public, and where the // container can provide all of the parameters. This includes the no-arg constructor. result.isPublic() and @@ -164,16 +164,16 @@ class JaxRsResourceClass extends Class { * Gets a Callable that may be executed by the JaxRs container, injecting parameters as required. */ Callable getAnInjectableCallable() { - result = getAResourceMethod() or - result = getAnInjectableConstructor() or - result = getASubResourceLocator() + result = this.getAResourceMethod() or + result = this.getAnInjectableConstructor() or + result = this.getASubResourceLocator() } /** * Gets a Field that may be injected with a value by the JaxRs container. */ Field getAnInjectableField() { - result = getAField() and + result = this.getAField() and result.getAnAnnotation() instanceof JaxRsInjectionAnnotation } } @@ -182,7 +182,7 @@ class JaxRsResourceClass extends Class { class JaxRSAnnotation extends Annotation { JaxRSAnnotation() { exists(AnnotationType a | - a = getType() and + a = this.getType() and a.getPackage().getName().regexpMatch("javax\\.ws\\.rs(\\..*)?") ) } @@ -195,7 +195,7 @@ class JaxRSAnnotation extends Annotation { class JaxRsInjectionAnnotation extends JaxRSAnnotation { JaxRsInjectionAnnotation() { exists(AnnotationType a | - a = getType() and + a = this.getType() and a.getPackage().getName() = getAJaxRsPackage() | a.hasName("BeanParam") or 
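Review bot: `JaxRSAnnotation` in the `@@ -182,7` hunk still restricts the package with the literal `regexpMatch("javax\\.ws\\.rs(\\..*)?")`, while its subclass `JaxRsInjectionAnnotation` in the `@@ -195,7` hunk compares against `getAJaxRsPackage()`. If that helper (defined outside these hunks) returns any namespace other than `javax.ws.rs`, the subclass can never match it, because the superclass predicate has already excluded it. Injection annotations from that namespace would then go unmodelled, and the same would hold for `JaxRSProducesAnnotation` and `JaxRSConsumesAnnotation` later in this patch. Deriving the superclass check from the helper keeps them aligned, for example `exists(string pkg | pkg = a.getPackage().getName() | pkg = getAJaxRsPackage() or pkg.matches(getAJaxRsPackage() + ".%"))`.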
@@ -207,7 +207,7 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation { a.hasName("QueryParam") ) or - getType().hasQualifiedName(getAJaxRsPackage("core"), "Context") + this.getType().hasQualifiedName(getAJaxRsPackage("core"), "Context") } } @@ -241,13 +241,12 @@ class JaxRsClient extends RefType { class JaxRsBeanParamConstructor extends Constructor { JaxRsBeanParamConstructor() { exists(JaxRsResourceClass resourceClass, Callable c, Parameter p | - c = resourceClass.getAnInjectableCallable() - | + c = resourceClass.getAnInjectableCallable() and p = c.getAParameter() and p.getAnAnnotation().getType().hasQualifiedName(getAJaxRsPackage(), "BeanParam") and this.getDeclaringType().getSourceDeclaration() = p.getType().(RefType).getSourceDeclaration() ) and - forall(Parameter p | p = getAParameter() | + forall(Parameter p | p = this.getAParameter() | p.getAnAnnotation() instanceof JaxRsInjectionAnnotation ) } 
@@ -283,19 +282,19 @@ class MessageBodyReaderRead extends Method { /** An `@Produces` annotation that describes which content types can be produced by this resource. */ class JaxRSProducesAnnotation extends JaxRSAnnotation { - JaxRSProducesAnnotation() { getType().hasQualifiedName(getAJaxRsPackage(), "Produces") } + JaxRSProducesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Produces") } /** * Gets a declared content type that can be produced by this resource. */ string getADeclaredContentType() { - result = getAValue().(CompileTimeConstantExpr).getStringValue() + result = this.getAValue().(CompileTimeConstantExpr).getStringValue() or exists(Field jaxMediaType | // Accesses to static fields on `MediaType` class do not have constant strings in the database // so convert the field name to a content type string jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and - jaxMediaType.getAnAccess() = getAValue() and + jaxMediaType.getAnAccess() = this.getAValue() and // e.g. MediaType.TEXT_PLAIN => text/plain result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/") ) @@ -304,7 +303,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation { /** An `@Consumes` annotation that describes content types can be consumed by this resource. */ class JaxRSConsumesAnnotation extends JaxRSAnnotation { - JaxRSConsumesAnnotation() { getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") } + JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") } } /** From caf96b01e1c29c61e2bcb015e5257120fe83f28b Mon Sep 17 00:00:00 2001 
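Review bot: In `getADeclaredContentType`, `jaxMediaType.getName().toLowerCase().replaceAll("_", "/")` rewrites every underscore, so it is only correct for constants with a single one, such as the `TEXT_PLAIN` example in the comment. `MediaType.APPLICATION_XHTML_XML` becomes `application/xhtml/xml` rather than `application/xhtml+xml`, and `MULTIPART_FORM_DATA` becomes `multipart/form/data`. A query that reads the `@Produces` value to judge how a response is rendered would presumably misclassify such resources, though no consumer is visible in this hunk. I would cover the multi-underscore constants with an explicit name-to-content-type table in a helper predicate and keep the generic rule for the rest, documented as `// only valid for constants with a single underscore, e.g. TEXT_PLAIN`.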
From: Owen Mansel-Chan Date: Thu, 8 Apr 2021 16:54:54 +0100 Subject: [PATCH 14/36] Stubs in javax-ws-rs-api-2.1.1 Generated using java-autostub --- .../javax/ws/rs/BeanParam.java | 20 ++ .../javax/ws/rs/Consumes.java | 21 ++ .../javax/ws/rs/CookieParam.java | 22 ++ .../javax/ws/rs/DELETE.java | 20 ++ .../javax/ws/rs/FormParam.java | 22 ++ .../javax/ws/rs/GET.java | 20 ++ .../javax/ws/rs/HEAD.java | 20 ++ .../javax/ws/rs/HeaderParam.java | 22 ++ .../javax/ws/rs/MatrixParam.java | 22 ++ .../javax/ws/rs/OPTIONS.java | 20 ++ .../javax/ws/rs/POST.java | 20 ++ .../javax/ws/rs/PUT.java | 20 ++ .../javax/ws/rs/Path.java | 22 ++ .../javax/ws/rs/PathParam.java | 22 ++ .../javax/ws/rs/Produces.java | 21 ++ .../javax/ws/rs/QueryParam.java | 22 ++ .../javax/ws/rs/client/Client.java | 42 +++ .../javax/ws/rs/core/CacheControl.java | 112 +++++++ .../javax/ws/rs/core/Configurable.java | 41 +++ .../javax/ws/rs/core/Context.java | 20 ++ .../javax/ws/rs/core/Cookie.java | 71 +++++ .../javax/ws/rs/core/EntityTag.java | 53 ++++ .../javax/ws/rs/core/Form.java | 37 +++ .../javax/ws/rs/core/GenericEntity.java | 55 ++++ .../javax/ws/rs/core/HttpHeaders.java | 44 +++ .../javax/ws/rs/core/Link.java | 143 +++++++++ .../javax/ws/rs/core/MediaType.java | 108 +++++++ .../javax/ws/rs/core/MultivaluedMap.java | 36 +++ .../javax/ws/rs/core/NewCookie.java | 117 ++++++++ .../javax/ws/rs/core/PathSegment.java | 24 ++ .../javax/ws/rs/core/Response.java | 281 ++++++++++++++++++ .../javax/ws/rs/core/UriBuilder.java | 122 ++++++++ .../javax/ws/rs/core/UriBuilderException.java | 32 ++ .../javax/ws/rs/core/UriInfo.java | 60 ++++ .../javax/ws/rs/core/Variant.java | 93 ++++++ .../javax/ws/rs/ext/MessageBodyReader.java | 33 ++ 36 files changed, 1860 insertions(+) create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java create mode 100644 
java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java create mode 100644 
java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java new file mode 100644 index 00000000000..9d0e62bf127 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2012, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface BeanParam { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java new file mode 100644 index 00000000000..9aef14670fd --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface Consumes { + String[] value() default "*/*"; +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java new file mode 100644 index 00000000000..d8c9ced5ae0 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface CookieParam { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java new file mode 100644 index 00000000000..a0db648c970 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface DELETE { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java new file mode 100644 index 00000000000..f811e756462 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface FormParam { + String value(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java new file mode 100644 index 00000000000..da2fae0883d --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface GET { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java new file mode 100644 index 00000000000..300d85bdd06 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface HEAD { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java new file mode 100644 index 00000000000..4d91be981d3 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface HeaderParam { + String value(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java new file mode 100644 index 00000000000..193fdaccfae --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface MatrixParam { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java new file mode 100644 index 00000000000..6f796d32300 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface OPTIONS { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java new file mode 100644 index 00000000000..b7069865714 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface POST { +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java new file mode 100644 index 00000000000..68f6ecfc66e --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface PUT { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java new file mode 100644 index 00000000000..506a7140d27 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java 
@@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface Path { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java new file mode 100644 index 00000000000..cf363361b48 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface PathParam { + String value(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java new file mode 100644 index 00000000000..2cf426effaa --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface Produces { + String[] value() default "*/*"; +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java new file mode 100644 index 00000000000..81b2143902a --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java 
@@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs; + +public @interface QueryParam { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java new file mode 100644 index 00000000000..a5fa9671b54 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java 
@@ -0,0 +1,42 @@ +/* + * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.client; +import java.net.URI; +import javax.ws.rs.core.Configurable; +import javax.ws.rs.core.Link; +import javax.ws.rs.core.UriBuilder; +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLContext; + +public interface Client extends Configurable { + public void close(); + + public WebTarget target(String uri); + + public WebTarget target(URI uri); + + public WebTarget target(UriBuilder uriBuilder); + + public WebTarget target(Link link); + + public Invocation.Builder invocation(Link link); + + public SSLContext getSslContext(); + + public HostnameVerifier getHostnameVerifier(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java new file mode 100644 index 00000000000..21f6f14b343 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java 
@@ -0,0 +1,112 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.util.List; +import java.util.Map; + +public class CacheControl { + public CacheControl() { + } + + public static CacheControl valueOf(final String value) { + return null; + } + + public boolean isMustRevalidate() { + return false; + } + + public void setMustRevalidate(final boolean mustRevalidate) { + } + + public boolean isProxyRevalidate() { + return false; + } + + public void setProxyRevalidate(final boolean proxyRevalidate) { + } + + public int getMaxAge() { + return 0; + } + + public void setMaxAge(final int maxAge) { + } + + public int getSMaxAge() { + return 0; + } + + public void setSMaxAge(final int sMaxAge) { + } + + public List getNoCacheFields() { + return null; + } + + public void setNoCache(final boolean noCache) { + } + + public boolean isNoCache() { + return false; + } + + public boolean isPrivate() { + return false; + } + + public List getPrivateFields() { + return null; + } + + public void setPrivate(final boolean flag) { + } + + public boolean isNoTransform() { + return false; + } + + public void setNoTransform(final boolean noTransform) { + } + + public boolean isNoStore() { + return false; + } + + public void setNoStore(final boolean noStore) { + } + + public Map 
getCacheExtension() { + return null; + } + + @Override + public String toString() { + return null; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public boolean equals(final Object obj) { + return false; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java new file mode 100644 index 00000000000..9d32b9d0c61 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.util.Map; + +public interface Configurable { + public Configuration getConfiguration(); + + public C property(String name, Object value); + + public C register(Class componentClass); + + public C register(Class componentClass, int priority); + + public C register(Class componentClass, Class... contracts); + + public C register(Class componentClass, Map, Integer> contracts); + + public C register(Object component); + + public C register(Object component, int priority); + + public C register(Object component, Class... contracts); + + public C register(Object component, Map, Integer> contracts); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java
new file mode 100644
index 00000000000..765e0bb7301
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public @interface Context {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java
new file mode 100644
index 00000000000..7d69fb2bf9a
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class Cookie {
+ public Cookie(final String name, final String value, final String path, final String domain, final int version)
+ throws IllegalArgumentException {
+ }
+
+ public Cookie(final String name, final String value, final String path, final String domain)
+ throws IllegalArgumentException {
+ }
+
+ public Cookie(final String name, final String value)
+ throws IllegalArgumentException {
+ }
+
+ public static Cookie valueOf(final String value) {
+ return null;
+ }
+
+ public String getName() {
+ return null;
+ }
+
+ public String getValue() {
+ return null;
+ }
+
+ public int getVersion() {
+ return 0;
+ }
+
+ public String getDomain() {
+ return null;
+ }
+
+ public String getPath() {
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(final Object obj) {
+ return false;
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java
new file mode 100644
index 00000000000..7d21487c774
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class EntityTag {
+ public EntityTag(final String value) {
+ }
+
+ public EntityTag(final String value, final boolean weak) {
+ }
+
+ public static EntityTag valueOf(final String value) {
+ return null;
+ }
+
+ public boolean isWeak() {
+ return false;
+ }
+
+ public String getValue() {
+ return null;
+ }
+
+ @Override
+ public boolean equals(final Object obj) {
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java
new file mode 100644
index 00000000000..e14c6f30b13
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class Form {
+ public Form() {
+ }
+
+ public Form(final String parameterName, final String parameterValue) {
+ }
+
+ public Form(final MultivaluedMap store) {
+ }
+
+ public Form param(final String name, final String value) {
+ return null;
+ }
+
+ public MultivaluedMap asMap() {
+ return null;
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java
new file mode 100644
index 00000000000..b3ea7c8553f
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Copyright (c) 2006 Google Inc.
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package javax.ws.rs.core;
+import java.lang.reflect.Type;
+
+public class GenericEntity {
+ public GenericEntity(final T entity, final Type genericType) {
+ }
+
+ public final Class getRawType() {
+ return null;
+ }
+
+ public final Type getType() {
+ return null;
+ }
+
+ public final T getEntity() {
+ return null;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java
new file mode 100644
index 00000000000..f375bcb2a9a
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+public interface HttpHeaders {
+ public List getRequestHeader(String name);
+
+ public String getHeaderString(String name);
+
+ public MultivaluedMap getRequestHeaders();
+
+ public List getAcceptableMediaTypes();
+
+ public List getAcceptableLanguages();
+
+ public MediaType getMediaType();
+
+ public Locale getLanguage();
+
+ public Map getCookies();
+
+ public Date getDate();
+
+ public int getLength();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java
new file mode 100644
index 00000000000..7d16e33c757
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java
@@ -0,0 +1,143 @@ +/* + * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.net.URI; +import java.util.List; +import java.util.Map; +import javax.xml.bind.annotation.adapters.XmlAdapter; +import javax.xml.namespace.QName; + +public abstract class Link { + public abstract URI getUri(); + + public abstract UriBuilder getUriBuilder(); + + public abstract String getRel(); + + public abstract List getRels(); + + public abstract String getTitle(); + + public abstract String getType(); + + public abstract Map getParams(); + + @Override + public abstract String toString(); + + public static Link valueOf(String value) { + return null; + } + + public static Builder fromUri(URI uri) { + return null; + } + + public static Builder fromUri(String uri) { + return null; + } + + public static Builder fromUriBuilder(UriBuilder uriBuilder) { + return null; + } + + public static Builder fromLink(Link link) { + return null; + } + + public static Builder fromPath(String path) { + return null; + } + + public static Builder fromResource(Class resource) { + return null; + } + + public static Builder fromMethod(Class resource, String method) { + return null; + } + + public interface Builder { + public Builder link(Link link); + + public Builder link(String link); + + public Builder uri(URI uri); + + 
public Builder uri(String uri); + + public Builder baseUri(URI uri); + + public Builder baseUri(String uri); + + public Builder uriBuilder(UriBuilder uriBuilder); + + public Builder rel(String rel); + + public Builder title(String title); + + public Builder type(String type); + + public Builder param(String name, String value); + + public Link build(Object... values); + + public Link buildRelativized(URI uri, Object... values); + + } + public static class JaxbLink { + public JaxbLink() { + } + + public JaxbLink(URI uri) { + } + + public JaxbLink(URI uri, Map params) { + } + + public URI getUri() { + return null; + } + + public Map getParams() { + return null; + } + + @Override + public boolean equals(Object o) { + return false; + } + + @Override + public int hashCode() { + return 0; + } + + } + public static class JaxbAdapter extends XmlAdapter { + @Override + public Link unmarshal(JaxbLink v) { + return null; + } + + @Override + public JaxbLink marshal(Link v) { + return null; + } + + } +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java new file mode 100644 index 00000000000..7cb06b36d78 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java 
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.util.Map; + +public class MediaType { + public final static MediaType WILDCARD_TYPE = new MediaType(); + + public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml"); + + public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml"); + + public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml"); + + public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml"); + + public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json"); + + public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded"); + + public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data"); + + public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream"); + + public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain"); + + public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml"); + + public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html"); + + public static final 
MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream"); + + public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json"); + + public static MediaType valueOf(String type){ + return null; + } + + public MediaType(String type, String subtype, Map parameters) { + } + + public MediaType(String type, String subtype) { + } + + public MediaType(String type, String subtype, String charset) { + } + + public MediaType() { + } + + public String getType() { + return null; + } + + public boolean isWildcardType() { + return false; + } + + public String getSubtype() { + return null; + } + + public boolean isWildcardSubtype() { + return false; + } + + public Map getParameters() { + return null; + } + + public MediaType withCharset(String charset) { + return null; + } + + public boolean isCompatible(MediaType other) { + return false; + } + + @Override + public boolean equals(Object obj) { + return false; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public String toString() { + return null; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java new file mode 100644 index 00000000000..e34f32328cc --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java 
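Review bot: The MediaType stub declares only the `*_TYPE` object constants, so a test resource cannot write `@Produces(MediaType.APPLICATION_JSON)`: an annotation value has to be a compile-time constant and a `MediaType` instance is not one. If the tests are meant to cover content-type modelling for resource methods, add the String constants too, for example `public final static String APPLICATION_JSON = "application/json";` and `public final static String TEXT_HTML = "text/html";`. Without them the tests can only use string literals, and the constant-reference form, which a query deciding whether a response is rendered as HTML presumably has to resolve as well, goes unexercised. The modifier order also switches from `public final static` to `public static final` for the last two fields; one order throughout would read better.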
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public interface MultivaluedMap extends Map> {
+ void putSingle(K key, V value);
+
+ void add(K key, V value);
+
+ V getFirst(K key);
+
+ void addAll(K key, V... newValues);
+
+ void addAll(K key, List valueList);
+
+ void addFirst(K key, V value);
+
+ boolean equalsIgnoreValueOrder(MultivaluedMap otherMap);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java
new file mode 100644
index 00000000000..60b257cd9b7
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java
@@ -0,0 +1,117 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.util.Date; + +public class NewCookie extends Cookie { + public NewCookie(String name, String value) { + } + + public NewCookie(String name, + String value, + String path, + String domain, + String comment, + int maxAge, + boolean secure) { + } + + public NewCookie(String name, + String value, + String path, + String domain, + String comment, + int maxAge, + boolean secure, + boolean httpOnly) { + } + + public NewCookie(String name, + String value, + String path, + String domain, + int version, + String comment, + int maxAge, + boolean secure) { + } + + public NewCookie(String name, + String value, + String path, + String domain, + int version, + String comment, + int maxAge, + Date expiry, + boolean secure, + boolean httpOnly) { + } + + public NewCookie(Cookie cookie) { + } + + public NewCookie(Cookie cookie, String comment, int maxAge, boolean secure) { + } + + public NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) { + } + + public static NewCookie valueOf(String value) { + return null; + } + + public String getComment() { + return null; + } + + public int getMaxAge() { + return 0; + } + + public Date getExpiry() { + return null; + } + + public 
boolean isSecure() { + return false; + } + + public boolean isHttpOnly() { + return false; + } + + public Cookie toCookie() { + return null; + } + + @Override + public String toString() { + return null; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public boolean equals(Object obj) { + return false; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java new file mode 100644 index 00000000000..b34e059e68e --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java @@ -0,0 +1,24 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; + +public interface PathSegment { + String getPath(); + + MultivaluedMap getMatrixParameters(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java new file mode 100644 index 00000000000..416d016d201 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java 
@@ -0,0 +1,281 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.lang.annotation.Annotation; +import java.net.URI; +import java.util.Date; +import java.util.List; +import java.util.Locale; +import java.util.Map; +import java.util.Set; + +public abstract class Response implements AutoCloseable { + public abstract int getStatus(); + + public abstract StatusType getStatusInfo(); + + public abstract Object getEntity(); + + public abstract T readEntity(Class entityType); + + public abstract T readEntity(GenericType entityType); + + public abstract T readEntity(Class entityType, Annotation[] annotations); + + public abstract T readEntity(GenericType entityType, Annotation[] annotations); + + public abstract boolean hasEntity(); + + public abstract boolean bufferEntity(); + + @Override + public abstract void close(); + + public abstract MediaType getMediaType(); + + public abstract Locale getLanguage(); + + public abstract int getLength(); + + public abstract Set getAllowedMethods(); + + public abstract Map getCookies(); + + public abstract EntityTag getEntityTag(); + + public abstract Date getDate(); + + public abstract Date getLastModified(); + + public abstract URI getLocation(); + + public abstract Set getLinks(); + + public abstract boolean hasLink(String 
relation); + + public abstract Link getLink(String relation); + + public abstract Link.Builder getLinkBuilder(String relation); + + public abstract MultivaluedMap getMetadata(); + + public MultivaluedMap getHeaders() { + return null; + } + + public abstract MultivaluedMap getStringHeaders(); + + public abstract String getHeaderString(String name); + + public static ResponseBuilder fromResponse(Response response) { + return null; + } + + public static ResponseBuilder status(StatusType status) { + return null; + } + + public static ResponseBuilder status(Status status) { + return null; + } + + public static ResponseBuilder status(int status) { + return null; + } + + public static ResponseBuilder status(int status, String reasonPhrase) { + return null; + } + + public static ResponseBuilder ok() { + return null; + } + + public static ResponseBuilder ok(Object entity) { + return null; + } + + public static ResponseBuilder ok(Object entity, MediaType type) { + return null; + } + + public static ResponseBuilder ok(Object entity, String type) { + return null; + } + + public static ResponseBuilder ok(Object entity, Variant variant) { + return null; + } + + public static ResponseBuilder serverError() { + return null; + } + + public static ResponseBuilder created(URI location) { + return null; + } + + public static ResponseBuilder accepted() { + return null; + } + + public static ResponseBuilder accepted(Object entity) { + return null; + } + + public static ResponseBuilder noContent() { + return null; + } + + public static ResponseBuilder notModified() { + return null; + } + + public static ResponseBuilder notModified(EntityTag tag) { + return null; + } + + public static ResponseBuilder notModified(String tag) { + return null; + } + + public static ResponseBuilder seeOther(URI location) { + return null; + } + + public static ResponseBuilder temporaryRedirect(URI location) { + return null; + } + + public static ResponseBuilder notAcceptable(List variants) { + return null; + } 
+ + public static abstract class ResponseBuilder { + public abstract Response build(); + + @Override + public abstract ResponseBuilder clone(); + + public abstract ResponseBuilder status(int status); + + public abstract ResponseBuilder status(int status, String reasonPhrase); + + public ResponseBuilder status(StatusType status) { + return null; + } + + public ResponseBuilder status(Status status) { + return null; + } + + public abstract ResponseBuilder entity(Object entity); + + public abstract ResponseBuilder entity(Object entity, Annotation[] annotations); + + public abstract ResponseBuilder allow(String... methods); + + public abstract ResponseBuilder allow(Set methods); + + public abstract ResponseBuilder cacheControl(CacheControl cacheControl); + + public abstract ResponseBuilder encoding(String encoding); + + public abstract ResponseBuilder header(String name, Object value); + + public abstract ResponseBuilder replaceAll(MultivaluedMap headers); + + public abstract ResponseBuilder language(String language); + + public abstract ResponseBuilder language(Locale language); + + public abstract ResponseBuilder type(MediaType type); + + public abstract ResponseBuilder type(String type); + + public abstract ResponseBuilder variant(Variant variant); + + public abstract ResponseBuilder contentLocation(URI location); + + public abstract ResponseBuilder cookie(NewCookie... cookies); + + public abstract ResponseBuilder expires(Date expires); + + public abstract ResponseBuilder lastModified(Date lastModified); + + public abstract ResponseBuilder location(URI location); + + public abstract ResponseBuilder tag(EntityTag tag); + + public abstract ResponseBuilder tag(String tag); + + public abstract ResponseBuilder variants(Variant... variants); + + public abstract ResponseBuilder variants(List variants); + + public abstract ResponseBuilder links(Link... 
links); + + public abstract ResponseBuilder link(URI uri, String rel); + + public abstract ResponseBuilder link(String uri, String rel); + + } + public interface StatusType { + public int getStatusCode(); + + public Status.Family getFamily(); + + public String getReasonPhrase(); + + public default Status toEnum() { + return null; + } + + } + public enum Status implements StatusType { + public enum Family { + public static Family familyOf(final int statusCode) { + return null; + } + + } + @Override + public Family getFamily() { + return null; + } + + @Override + public int getStatusCode() { + return 0; + } + + @Override + public String getReasonPhrase() { + return null; + } + + @Override + public String toString() { + return null; + } + + public static Status fromStatusCode(final int statusCode) { + return null; + } + + } +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java new file mode 100644 index 00000000000..0a5685c32c0 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java 
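Review bot: `Status` and its nested `Family` in the Response stub are enums that declare members but no constant list, and as shown there is no `;` before the first member, which Java requires when an enum body has declarations and no constants, so the stub would not compile in this form. Put the constant list first in each enum, before `public enum Family {` in `Status`, either as a lone `;` or, better, as the constants the tests are likely to reference, e.g. `OK, BAD_REQUEST, NOT_FOUND;`. A stub that fails to compile can leave the test database incomplete, and the query tests built on it would then check less than they appear to; this is worth confirming by compiling the stub directory on its own.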
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.Map;
+
+public abstract class UriBuilder {
+ public static UriBuilder fromUri(URI uri) {
+ return null;
+ }
+
+ public static UriBuilder fromUri(String uriTemplate) {
+ return null;
+ }
+
+ public static UriBuilder fromLink(Link link) {
+ return null;
+ }
+
+ public static UriBuilder fromPath(String path) throws IllegalArgumentException {
+ return null;
+ }
+
+ public static UriBuilder fromResource(Class resource) {
+ return null;
+ }
+
+ public static UriBuilder fromMethod(Class resource, String method) {
+ return null;
+ }
+
+ @Override
+ public abstract UriBuilder clone();
+
+ public abstract UriBuilder uri(URI uri);
+
+ public abstract UriBuilder uri(String uriTemplate);
+
+ public abstract UriBuilder scheme(String scheme);
+
+ public abstract UriBuilder schemeSpecificPart(String ssp);
+
+ public abstract UriBuilder userInfo(String ui);
+
+ public abstract UriBuilder host(String host);
+
+ public abstract UriBuilder port(int port);
+
+ public abstract UriBuilder replacePath(String path);
+
+ public abstract UriBuilder path(String path);
+
+ public abstract UriBuilder path(Class resource);
+
+ public abstract UriBuilder path(Class resource, String method);
+
+ public abstract UriBuilder path(Method method);
+
+ public abstract UriBuilder segment(String... segments);
+
+ public abstract UriBuilder replaceMatrix(String matrix);
+
+ public abstract UriBuilder matrixParam(String name, Object... values);
+
+ public abstract UriBuilder replaceMatrixParam(String name, Object... values);
+
+ public abstract UriBuilder replaceQuery(String query);
+
+ public abstract UriBuilder queryParam(String name, Object... values);
+
+ public abstract UriBuilder replaceQueryParam(String name, Object... values);
+
+ public abstract UriBuilder fragment(String fragment);
+
+ public abstract UriBuilder resolveTemplate(String name, Object value);
+
+ public abstract UriBuilder resolveTemplate(String name, Object value, boolean encodeSlashInPath);
+
+ public abstract UriBuilder resolveTemplateFromEncoded(String name, Object value);
+
+ public abstract UriBuilder resolveTemplates(Map templateValues);
+
+ public abstract UriBuilder resolveTemplates(Map templateValues, boolean encodeSlashInPath)
+ throws IllegalArgumentException;
+
+ public abstract UriBuilder resolveTemplatesFromEncoded(Map templateValues);
+
+ public abstract URI buildFromMap(Map values);
+
+ public abstract URI buildFromMap(Map values, boolean encodeSlashInPath)
+ throws IllegalArgumentException, UriBuilderException;
+
+ public abstract URI buildFromEncodedMap(Map values)
+ throws IllegalArgumentException, UriBuilderException;
+
+ public abstract URI build(Object... values)
+ throws IllegalArgumentException, UriBuilderException;
+
+ public abstract URI build(Object[] values, boolean encodeSlashInPath)
+ throws IllegalArgumentException, UriBuilderException;
+
+ public abstract URI buildFromEncoded(Object... values)
+ throws IllegalArgumentException, UriBuilderException;
+
+ public abstract String toTemplate();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java
new file mode 100644
index 00000000000..05f6ad1a4bc
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class UriBuilderException extends java.lang.RuntimeException {
+ public UriBuilderException() {
+ }
+
+ public UriBuilderException(String msg) {
+ }
+
+ public UriBuilderException(String msg, Throwable cause) {
+ }
+
+ public UriBuilderException(Throwable cause) {
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java
new file mode 100644
index 00000000000..9903e7f6b97
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+
+public interface UriInfo {
+ public String getPath();
+
+ public String getPath(boolean decode);
+
+ public List getPathSegments();
+
+ public List getPathSegments(boolean decode);
+
+ public URI getRequestUri();
+
+ public UriBuilder getRequestUriBuilder();
+
+ public URI getAbsolutePath();
+
+ public UriBuilder getAbsolutePathBuilder();
+
+ public URI getBaseUri();
+
+ public UriBuilder getBaseUriBuilder();
+
+ public MultivaluedMap getPathParameters();
+
+ public MultivaluedMap getPathParameters(boolean decode);
+
+ public MultivaluedMap getQueryParameters();
+
+ public MultivaluedMap getQueryParameters(boolean decode);
+
+ public List getMatchedURIs();
+
+ public List getMatchedURIs(boolean decode);
+
+ public List getMatchedResources();
+
+ public URI resolve(URI uri);
+
+ public URI relativize(URI uri);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java
new file mode 100644
index 00000000000..59aa203d67f
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Locale;
+
+public class Variant {
+ public Variant(MediaType mediaType, String language, String encoding) {
+ }
+
+ public Variant(MediaType mediaType, String language, String country, String encoding) {
+ }
+
+ public Variant(MediaType mediaType, String language, String country, String languageVariant, String encoding) {
+ }
+
+ public Variant(MediaType mediaType, Locale language, String encoding) {
+ }
+
+ public Locale getLanguage() {
+ return null;
+ }
+
+ public String getLanguageString() {
+ return null;
+ }
+
+ public MediaType getMediaType() {
+ return null;
+ }
+
+ public String getEncoding() {
+ return null;
+ }
+
+ public static VariantListBuilder mediaTypes(MediaType... mediaTypes) {
+ return null;
+ }
+
+ public static VariantListBuilder languages(Locale... languages) {
+ return null;
+ }
+
+ public static VariantListBuilder encodings(String... encodings) {
+ return null;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ return false;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+ public static abstract class VariantListBuilder {
+ public static VariantListBuilder newInstance() {
+ return null;
+ }
+
+ public abstract List build();
+
+ public abstract VariantListBuilder add();
+
+ public abstract VariantListBuilder languages(Locale... languages);
+
+ public abstract VariantListBuilder encodings(String... encodings);
+
+ public abstract VariantListBuilder mediaTypes(MediaType... mediaTypes);
+
+ }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java
new file mode 100644
index 00000000000..77a03c7d3d8
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java
@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.ext; +import java.io.InputStream; +import java.lang.annotation.Annotation; +import java.lang.reflect.Type; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.MultivaluedMap; + +public interface MessageBodyReader { + public boolean isReadable(Class type, Type genericType, + Annotation[] annotations, MediaType mediaType); + + public T readFrom(Class type, Type genericType, + Annotation[] annotations, MediaType mediaType, + MultivaluedMap httpHeaders, + InputStream entityStream) throws java.io.IOException, javax.ws.rs.WebApplicationException; + +} From baa21c5bcf5fc243f22e37c2d93e0d7563b4bc68 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 29 Apr 2021 12:39:19 +0100 Subject: [PATCH 15/36] Manually comment out parts of stubs This is to avoid having to make more stubs, which we don't really need --- .../javax/ws/rs/client/Client.java | 24 ++++++------- .../javax/ws/rs/core/Configurable.java | 2 +- .../javax/ws/rs/core/Link.java | 34 +++++++++---------- .../javax/ws/rs/core/MediaType.java | 6 ++++ .../javax/ws/rs/core/NewCookie.java | 8 +++++ .../javax/ws/rs/core/Response.java | 30 +++++++++------- .../javax/ws/rs/ext/MessageBodyReader.java | 2 +- 7 files changed, 62 insertions(+), 44 deletions(-) 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java index a5fa9671b54..e9ff1a33665 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java @@ -15,28 +15,28 @@ */ package javax.ws.rs.client; -import java.net.URI; +// import java.net.URI; import javax.ws.rs.core.Configurable; -import javax.ws.rs.core.Link; -import javax.ws.rs.core.UriBuilder; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.SSLContext; +// import javax.ws.rs.core.Link; +// import javax.ws.rs.core.UriBuilder; +// import javax.net.ssl.HostnameVerifier; +// import javax.net.ssl.SSLContext; public interface Client extends Configurable { public void close(); - public WebTarget target(String uri); + // public WebTarget target(String uri); - public WebTarget target(URI uri); + // public WebTarget target(URI uri); - public WebTarget target(UriBuilder uriBuilder); + // public WebTarget target(UriBuilder uriBuilder); - public WebTarget target(Link link); + // public WebTarget target(Link link); - public Invocation.Builder invocation(Link link); + // public Invocation.Builder invocation(Link link); - public SSLContext getSslContext(); + // public SSLContext getSslContext(); - public HostnameVerifier getHostnameVerifier(); + // public HostnameVerifier getHostnameVerifier(); } diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java index 9d32b9d0c61..fdf0a85e55e 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java 
@@ -18,7 +18,7 @@ package javax.ws.rs.core; import java.util.Map; public interface Configurable { - public Configuration getConfiguration(); + // public Configuration getConfiguration(); public C property(String name, Object value); diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java index 7d16e33c757..d6586ecb759 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java @@ -18,8 +18,8 @@ package javax.ws.rs.core; import java.net.URI; import java.util.List; import java.util.Map; -import javax.xml.bind.annotation.adapters.XmlAdapter; -import javax.xml.namespace.QName; +// import javax.xml.bind.annotation.adapters.XmlAdapter; +// import javax.xml.namespace.QName; public abstract class Link { public abstract URI getUri(); @@ -106,16 +106,16 @@ public abstract class Link { public JaxbLink(URI uri) { } - public JaxbLink(URI uri, Map params) { - } + // public JaxbLink(URI uri, Map params) { + // } public URI getUri() { return null; } - public Map getParams() { - return null; - } + // public Map getParams() { + // return null; + // } @Override public boolean equals(Object o) { @@ -128,16 +128,16 @@ public abstract class Link { } } - public static class JaxbAdapter extends XmlAdapter { - @Override - public Link unmarshal(JaxbLink v) { - return null; - } + // public static class JaxbAdapter extends XmlAdapter { + // @Override + // public Link unmarshal(JaxbLink v) { + // return null; + // } - @Override - public JaxbLink marshal(Link v) { - return null; - } + // @Override + // public JaxbLink marshal(Link v) { + // return null; + // } - } + // } } diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java index 7cb06b36d78..7a026fa016a 100644 
--- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java @@ -36,10 +36,16 @@ public class MediaType { public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream"); + public final static String TEXT_PLAIN = "text/plain"; + public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain"); + public final static String TEXT_XML = "text/xml"; + public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml"); + public final static String TEXT_HTML = "text/html"; + public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html"); public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream"); diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java index 60b257cd9b7..570757baf23 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java @@ -19,6 +19,7 @@ import java.util.Date; public class NewCookie extends Cookie { public NewCookie(String name, String value) { + super("", ""); } public NewCookie(String name, @@ -28,6 +29,7 @@ public class NewCookie extends Cookie { String comment, int maxAge, boolean secure) { + super("", ""); } public NewCookie(String name, @@ -38,6 +40,7 @@ public class NewCookie extends Cookie { int maxAge, boolean secure, boolean httpOnly) { + super("", ""); } public NewCookie(String name, @@ -48,6 +51,7 @@ public class NewCookie extends Cookie { String comment, int maxAge, boolean secure) { + super("", ""); } public NewCookie(String name, 
@@ -60,15 +64,19 @@ public class NewCookie extends Cookie { Date expiry, boolean secure, boolean httpOnly) { + super("", ""); } public NewCookie(Cookie cookie) { + super("", ""); } public NewCookie(Cookie cookie, String comment, int maxAge, boolean secure) { + super("", ""); } public NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) { + super("", ""); } public static NewCookie valueOf(String value) { diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java index 416d016d201..a0e6b700c86 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java @@ -32,11 +32,11 @@ public abstract class Response implements AutoCloseable { public abstract T readEntity(Class entityType); - public abstract T readEntity(GenericType entityType); + // public abstract T readEntity(GenericType entityType); public abstract T readEntity(Class entityType, Annotation[] annotations); - public abstract T readEntity(GenericType entityType, Annotation[] annotations); + // public abstract T readEntity(GenericType entityType, Annotation[] annotations); public abstract boolean hasEntity(); @@ -53,9 +53,9 @@ public abstract class Response implements AutoCloseable { public abstract Set getAllowedMethods(); - public abstract Map getCookies(); + // public abstract Map getCookies(); - public abstract EntityTag getEntityTag(); + // public abstract EntityTag getEntityTag(); public abstract Date getDate(); 
@@ -63,13 +63,13 @@ public abstract class Response implements AutoCloseable { public abstract URI getLocation(); - public abstract Set getLinks(); + // public abstract Set getLinks(); public abstract boolean hasLink(String relation); - public abstract Link getLink(String relation); + // public abstract Link getLink(String relation); - public abstract Link.Builder getLinkBuilder(String relation); + // public abstract Link.Builder getLinkBuilder(String relation); public abstract MultivaluedMap getMetadata(); @@ -145,9 +145,9 @@ public abstract class Response implements AutoCloseable { return null; } - public static ResponseBuilder notModified(EntityTag tag) { - return null; - } + // public static ResponseBuilder notModified(EntityTag tag) { + // return null; + // } public static ResponseBuilder notModified(String tag) { return null; @@ -161,9 +161,9 @@ public abstract class Response implements AutoCloseable { return null; } - public static ResponseBuilder notAcceptable(List variants) { - return null; - } + // public static ResponseBuilder notAcceptable(List variants) { + // return null; + // } public static abstract class ResponseBuilder { public abstract Response build(); @@ -247,7 +247,11 @@ public abstract class Response implements AutoCloseable { } public enum Status implements StatusType { + DUMMY_STATUS; + public enum Family { + DUMMY_FAMILY; + public static Family familyOf(final int statusCode) { return null; } diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java index 77a03c7d3d8..5d590ace407 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java 
@@ -28,6 +28,6 @@ public interface MessageBodyReader { public T readFrom(Class type, Type genericType, Annotation[] annotations, MediaType mediaType, MultivaluedMap httpHeaders, - InputStream entityStream) throws java.io.IOException, javax.ws.rs.WebApplicationException; + InputStream entityStream) throws java.io.IOException /*, javax.ws.rs.WebApplicationException */; } From 2b8bb5c23134ff4cc29f8ea6d72940b92814da51 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 29 Apr 2021 16:17:21 +0100 Subject: [PATCH 16/36] Fix JAX-RS models --- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 25fcdab3ad7..b8cb0afcd5c 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -178,12 +178,14 @@ class JaxRsResourceClass extends Class { } } -/** An annotation from the `javax.ws.rs` package hierarchy. */ +/** + * An annotation from the `javax.ws.rs` or `jakarta.ws.rs` package hierarchy. + */ class JaxRSAnnotation extends Annotation { JaxRSAnnotation() { exists(AnnotationType a | a = this.getType() and - a.getPackage().getName().regexpMatch("javax\\.ws\\.rs(\\..*)?") + a.getPackage().getName().regexpMatch(["javax\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"]) ) } } @@ -264,7 +266,7 @@ class MessageBodyReader extends GenericInterface { */ class MessageBodyReaderReadFrom extends Method { MessageBodyReaderReadFrom() { - this.getDeclaringType() instanceof MessageBodyReader and + this.getDeclaringType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and this.hasName("readFrom") } } 
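Review bot: In the `MessageBodyReaderReadFrom` charpred the new line `this.getDeclaringType().(RefType).getSourceDeclaration() instanceof MessageBodyReader` carries no comment saying why the source declaration is taken, and the `.(RefType)` cast looks redundant if `getDeclaringType()` already returns a `RefType`. I would put `// The declaring type can be a parameterized instance of the generic interface, so compare its source declaration.` above it. If the cast is indeed unnecessary, the line can read `this.getDeclaringType().getSourceDeclaration() instanceof MessageBodyReader`. The class body starts outside this hunk, so any existing QLDoc on it is not visible here.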
@@ -504,9 +506,11 @@ private class FormModel extends SummaryModelCsv { override predicate row(string row) { row = [ + "javax.ws.rs.core;Form;false;Form;;;Argument;Argument[-1];taint", "javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint", "javax.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint", "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;Form;false;Form;;;Argument;Argument[-1];taint", "jakarta.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint", "jakarta.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value" From e929de98ec4c945796f1f602f9c3a3d399dd1683 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 19 May 2021 11:18:29 +0100 Subject: [PATCH 17/36] Delete duplicated taint summary rows --- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 4 ---- 1 file changed, 4 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index b8cb0afcd5c..483f0164997 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -610,8 +610,6 @@ private class UriBuilderModel extends SummaryModelCsv { "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", "javax.ws.rs.core;UriBuilder;true;segment;;;Argument;ReturnValue;taint", "javax.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value", - "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint", - "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", "javax.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint", "javax.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint", "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value", 
@@ -663,8 +661,6 @@ private class UriBuilderModel extends SummaryModelCsv { "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument;ReturnValue;taint", "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value", - "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint", - "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value", "jakarta.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint", "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value", From f63fd68bfb8380a1b87c8589659217f715dfed0a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 9 Jun 2021 09:12:43 +0100 Subject: [PATCH 18/36] Fix models to work with collection flow And also removal of `Argument` with indices --- .../src/semmle/code/java/frameworks/JaxWS.qll | 178 ++++++++++-------- 1 file changed, 104 insertions(+), 74 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 483f0164997..cff79fc280d 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
@@ -422,16 +422,26 @@ private class MultivaluedMapModel extends SummaryModelCsv { override predicate row(string row) { row = [ - "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument;Argument[-1];taint", - "javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument;Argument[-1];taint", - "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument;Argument[-1];taint", - "javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Argument[-1];ReturnValue;taint", - "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument;Argument[-1];taint", - "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument;Argument[-1];taint", - "jakarta.ws.rs.core;MultivaluedMap;true;addAll;;;Argument;Argument[-1];taint", - "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument;Argument[-1];taint", - "jakarta.ws.rs.core;MultivaluedMap;true;getFirst;;;Argument[-1];ReturnValue;taint", - "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument;Argument[-1];taint" + "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value", + "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of 
Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value", + "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value" ] } } 
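Review bot: Every summary row in this list is written out twice, once for `javax.ws.rs.core` and once for `jakarta.ws.rs.core`, and the two halves have to be kept identical by hand; the Cookie, Form, MediaType and UriBuilder lists changed later in this patch follow the same pattern. Concatenating onto set literals would state each summary once, for example `row = ["javax", "jakarta"] + ".ws.rs.core;MultivaluedMap;true;" + ["add;;;Argument[0];MapKey of Argument[-1];value", …]`. PATCH 17/36 in this series already had to delete the same duplicated `schemeSpecificPart` rows from both halves. A row that is missing or stale for one namespace shows up only as silently lost flow in query results, not as a compile error, so generating both from one list is the safer form.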
@@ -485,16 +495,16 @@ private class CookieModel extends SummaryModelCsv { "javax.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint", "javax.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint", "javax.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint", - "javax.ws.rs.core;Cookie;false;Cookie;;;Argument;Argument[-1];taint", - "javax.ws.rs.core;Cookie;false;valueOf;;;Argument;ReturnValue;taint", + "javax.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint", + "javax.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint", "jakarta.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint", "jakarta.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint", - "jakarta.ws.rs.core;Cookie;false;Cookie;;;Argument;Argument[-1];taint", - "jakarta.ws.rs.core;Cookie;false;valueOf;;;Argument;ReturnValue;taint" + "jakarta.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint", + "jakarta.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint" ] } } 
@@ -506,13 +516,17 @@ private class FormModel extends SummaryModelCsv { override predicate row(string row) { row = [ - "javax.ws.rs.core;Form;false;Form;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint", + "javax.ws.rs.core;Form;false;Form;;;MapValue of Argument[0];Argument[-1];taint", + "javax.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint", "javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint", - "javax.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint", + "javax.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint", "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value", - "jakarta.ws.rs.core;Form;false;Form;;;Argument;Argument[-1];taint", + "jakarta.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint", + "jakarta.ws.rs.core;Form;false;Form;;;MapValue of Argument[0];Argument[-1];taint", + "jakarta.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint", "jakarta.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint", - "jakarta.ws.rs.core;Form;true;param;;;Argument;Argument[-1];taint", + "jakarta.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint", "jakarta.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value" ] } 
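Review bot: The new `Form` constructor rows read `MapKey of Argument[0]` and `MapValue of Argument[0]`, but the `MultivaluedMap` rows changed in this same patch store added values one level deeper, at `Element of MapValue of Argument[-1]`. If the one-argument constructor takes a `MultivaluedMap` (its stub is not visible in this hunk), a value inserted with `add` or `putSingle` would sit in content that the `MapValue` row does not read, and taint could stop at the constructor. Consider `"javax.ws.rs.core;Form;false;Form;;;Element of MapValue of Argument[0];Argument[-1];taint"` plus the matching `jakarta` row, and a test that builds a `Form` from a map populated through `add`.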
@@ -541,17 +555,17 @@ private class MediaTypeModel extends SummaryModelCsv {
 override predicate row(string row) {
 row =
 [
- "javax.ws.rs.core;MediaType;false;MediaType;;;Argument;Argument[-1];taint",
+ "javax.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
 "javax.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;MediaType;false;valueOf;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;MediaType;false;MediaType;;;Argument;Argument[-1];taint",
+ "jakarta.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
 "jakarta.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
 "jakarta.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
 "jakarta.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;MediaType;false;valueOf;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint"
 ]
 }
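Review bot: `MediaType;false;MediaType;;;Argument[0..2]` treats the third constructor argument as a plain value, while the `Form` and `UriBuilder` rows of this same patch model map arguments through their contents with `MapKey of` / `MapValue of`. For the `MediaType(String, String, Map)` overload (not visible in the hunk, confirm against the stubs) taint held in the keys or values of the parameters map is therefore not summarised by the range row, even though `getParameters` is modelled as returning taint. Consider adding `"javax.ws.rs.core;MediaType;false;MediaType;;;MapKey of Argument[2];Argument[-1];taint"` and the matching `MapValue of Argument[2]` row, mirrored for `jakarta`.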
@@ -564,107 +578,123 @@ private class UriBuilderModel extends SummaryModelCsv {
 override predicate row(string row) {
 row =
 [
- "javax.ws.rs.core;UriBuilder;true;build;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;false;fromLink;;;Argument;ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;false;fromPath;;;Argument;ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;false;fromUri;;;Argument;ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;true;host;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;path;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;segment;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
 "javax.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
- "javax.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
- "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument;ReturnValue;taint",
+ "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
 "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;false;fromLink;;;Argument;ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;false;fromPath;;;Argument;ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;false;fromUri;;;Argument;ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
 "jakarta.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
- "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
- "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument;ReturnValue;taint",
+ "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
 "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value"
 ]
 }
From 155d63d5f7947af802a7927d4de3bfc120bf2909 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 8 Apr 2021 16:55:49 +0100
Subject: [PATCH 19/36] Add tests for JAX-RS
---
 .../frameworks/JaxWs/JaxRs.expected | 0
 .../library-tests/frameworks/JaxWs/JaxRs.ql | 147 +++++++++++++++
 .../frameworks/JaxWs/JaxRs1.java | 173 ++++++++++++++++++
 .../frameworks/JaxWs/JaxRs2.java | 86 +++++++++
 .../library-tests/frameworks/JaxWs/options | 2 +-
 5 files changed, 407 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRs.expected
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.expected b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
new file mode 100644
index 00000000000..eb34aa89812
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
@@ -0,0 +1,147 @@
+import java
+import semmle.code.java.frameworks.JaxWS
+import TestUtilities.InlineExpectationsTest
+
+class JaxRsTest extends InlineExpectationsTest {
+ JaxRsTest() { this = "JaxRsTest" }
+
+ override string getARelevantTag() {
+ result =
+ [
+ "ResourceMethod", "RootResourceClass", "NonRootResourceClass",
+ "ResourceMethodOnResourceClass", "InjectableConstructor", "InjectableField",
+ "InjectionAnnotation", "ResponseDeclaration", "ResponseBuilderDeclaration",
+ "ClientDeclaration", "BeanParamConstructor", "MessageBodyReaderDeclaration",
+ "MessageBodyReaderReadFromCall", "MessageBodyReaderReadCall", "ProducesAnnotation",
+ "ConsumesAnnotation"
+ ]
+ }
+
+ override predicate hasActualResult(Location location, string element, string tag, string value) {
+ tag = "ResourceMethod" and
+ exists(JaxRsResourceMethod resourceMethod |
+ resourceMethod.getLocation() = location and
+ element = resourceMethod.toString() and
+ if exists(resourceMethod.getProducesAnnotation())
+ then value = resourceMethod.getProducesAnnotation().getADeclaredContentType()
+ else value = ""
+ )
+ or
+ tag = "RootResourceClass" and
+ exists(JaxRsResourceClass resourceClass |
+ resourceClass.isRootResource() and
+ resourceClass.getLocation() = location and
+ element = resourceClass.toString() and
+ value = ""
+ )
+ or
+ tag = "NonRootResourceClass" and
+ exists(JaxRsResourceClass resourceClass |
+ not resourceClass.isRootResource() and
+ resourceClass.getLocation() = location and
+ element = resourceClass.toString() and
+ value = ""
+ )
+ or
+ tag = "ResourceMethodOnResourceClass" and
+ exists(JaxRsResourceMethod resourceMethod |
+ resourceMethod = any(JaxRsResourceClass ResourceClass).getAResourceMethod()
+ |
+ resourceMethod.getLocation() = location and
+ element = resourceMethod.toString() and
+ value = ""
+ )
+ or
+ tag = "InjectableConstructor" and
+ exists(Constructor cons |
+ cons = any(JaxRsResourceClass resourceClass).getAnInjectableConstructor()
+ |
+ cons.getLocation() = location and
+ element = cons.toString() and
+ value = ""
+ )
+ or
+ tag = "InjectableField" and
+ exists(Field field | field = any(JaxRsResourceClass resourceClass).getAnInjectableField() |
+ field.getLocation() = location and
+ element = field.toString() and
+ value = ""
+ )
+ or
+ tag = "InjectionAnnotation" and
+ exists(JaxRsInjectionAnnotation injectionAnnotation |
+ injectionAnnotation.getLocation() = location and
+ element = injectionAnnotation.toString() and
+ value = ""
+ )
+ or
+ tag = "ResponseDeclaration" and
+ exists(LocalVariableDecl decl |
+ decl.getType() instanceof JaxRsResponse and
+ decl.getLocation() = location and
+ element = decl.toString() and
+ value = ""
+ )
+ or
+ tag = "ResponseBuilderDeclaration" and
+ exists(LocalVariableDecl decl |
+ decl.getType() instanceof JaxRsResponseBuilder and
+ decl.getLocation() = location and
+ element = decl.toString() and
+ value = ""
+ )
+ or
+ tag = "ClientDeclaration" and
+ exists(LocalVariableDecl decl |
+ decl.getType() instanceof JaxRsClient and
+ decl.getLocation() = location and
+ element = decl.toString() and
+ value = ""
+ )
+ or
+ tag = "BeanParamConstructor" and
+ exists(JaxRsBeanParamConstructor cons |
+ cons.getLocation() = location and
+ element = cons.toString() and
+ value = ""
+ )
+ or
+ tag = "MessageBodyReaderDeclaration" and
+ exists(LocalVariableDecl decl |
+ decl.getType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
+ decl.getLocation() = location and
+ element = decl.toString() and
+ value = ""
+ )
+ or
+ tag = "MessageBodyReaderReadFromCall" and
+ exists(MethodAccess ma |
+ ma.getMethod() instanceof MessageBodyReaderReadFrom and
+ ma.getLocation() = location and
+ element = ma.toString() and
+ value = ""
+ )
+ or
+ tag = "MessageBodyReaderReadCall" and
+ exists(MethodAccess ma |
+ ma.getMethod() instanceof MessageBodyReaderRead and
+ ma.getLocation() = location and
+ element = ma.toString() and
+ value = ""
+ )
+ or
+ tag = "ProducesAnnotation" and
+ exists(JaxRSProducesAnnotation producesAnnotation |
+ producesAnnotation.getLocation() = location and
+ element = producesAnnotation.toString() and
+ value = producesAnnotation.getADeclaredContentType()
+ )
+ or
+ tag = "ConsumesAnnotation" and
+ exists(JaxRSConsumesAnnotation consumesAnnotation |
+ consumesAnnotation.getLocation() = location and
+ element = consumesAnnotation.toString() and
+ value = ""
+ )
+ }
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
new file mode 100644
index 00000000000..a050d8b3873
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
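Review bot: In JaxRs.ql, `getARelevantTag` does not list `SubResourceLocator` and `hasActualResult` has no branch for it, yet JaxRs1.java in this same patch marks three methods with `// $SubResourceLocator`. Nothing in this query produces or checks that tag, so the fixture reads as if sub-resource locators were covered when the test says nothing about them. Either add the tag with a matching `hasActualResult` branch, or drop those comments from the fixture until there is a predicate to compare them against.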
@@ -0,0 +1,173 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.PUT;
+import javax.ws.rs.OPTIONS;
+import javax.ws.rs.HEAD;
+import javax.ws.rs.Path;
+import javax.ws.rs.BeanParam;
+import javax.ws.rs.CookieParam;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.MatrixParam;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+public class JaxRs1 { // $RootResourceClass
+ public JaxRs1() { // $InjectableConstructor
+ }
+
+ @GET
+ void Get() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @POST
+ void Post() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @Produces("text/plain") // $ProducesAnnotation=text/plain
+ @DELETE
+ void Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass
+ }
+
+ @Produces(MediaType.TEXT_HTML) // $ProducesAnnotation=text/html
+ @PUT
+ void Put() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass
+ }
+
+ @OPTIONS
+ void Options() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @HEAD
+ void Head() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @Path("")
+ NonRootResourceClass subResourceLocator() { // $SubResourceLocator
+ return null;
+ }
+}
+
+class NonRootResourceClass { // $NonRootResourceClass
+ @Path("")
+ AnotherNonRootResourceClass subResourceLocator1() { // $SubResourceLocator
+ return null;
+ }
+
+ @GET
+ @Path("")
+ NotAResourceClass1 NotASubResourceLocator1() { // $ResourceMethod
+ return null;
+ }
+
+ @GET
+ NotAResourceClass2 NotASubResourceLocator2() { // $ResourceMethod
+ return null;
+ }
+
+ NotAResourceClass2 NotASubResourceLocator3() {
+ return null;
+ }
+}
+
+class AnotherNonRootResourceClass { // $NonRootResourceClass
+ public AnotherNonRootResourceClass() {
+ }
+
+ public AnotherNonRootResourceClass(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context) { // $InjectionAnnotation
+ }
+
+ @Path("")
+ public void resourceMethodWithBeanParamParameter(@BeanParam Foo foo) { // $SubResourceLocator $InjectionAnnotation
+ }
+}
+
+class Foo {
+ Foo() { // $BeanParamConstructor
+ }
+
+ public Foo(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $BeanParamConstructor
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context) { // $InjectionAnnotation
+ }
+
+ public Foo(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation
+ }
+}
+
+class NotAResourceClass1 {
+}
+
+class NotAResourceClass2 {
+}
+
+class ExtendsJaxRs1 extends JaxRs1 {
+ @Override
+ void Get() { // $ResourceMethod
+ }
+
+ @Override
+ @QueryParam("") // $InjectionAnnotation
+ void Post() {
+ }
+
+ @Override
+ void Delete() { // $ResourceMethod=text/plain
+ }
+
+ @Override
+ void Put() { // $ResourceMethod=text/html
+ }
+
+ @Produces("application/json") // $ProducesAnnotation=application/json
+ @Override
+ void Options() {
+ }
+
+ @Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml
+ @Override
+ void Head() {
+ }
+
+}
+
+@Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml
+class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 {
+ @Override
+ void Get() { // $ResourceMethod=text/xml
+ }
+
+ @Override
+ @QueryParam("") // $InjectionAnnotation
+ void Post() {
+ }
+
+ @Override
+ void Delete() { // $ResourceMethod=text/plain
+ }
+
+ @Override
+ void Put() { // $ResourceMethod=text/html
+ }
+
+ @Override
+ void Options() { // $ResourceMethod=text/xml
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java
new file mode 100644
index 00000000000..14cacc5bb2d
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java
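Review bot: In JaxRs1.java the overrides that re-declare a JAX-RS annotation (`Post()`, `Options()` and `Head()` in `ExtendsJaxRs1`, and `Post()` in `ExtendsJaxRs1WithProducesAnnotation`) carry no `$ResourceMethod` expectation, and nothing in the file says that the missing tag is itself the assertion. A reader cannot tell a deliberate negative case from a forgotten annotation, which matters because these cases pin down which methods the library treats as resource methods. Each would benefit from a comment such as `// not a resource method: a JAX-RS annotation on the override stops the inherited one from applying`.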
@@ -0,0 +1,86 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.PUT;
+import javax.ws.rs.OPTIONS;
+import javax.ws.rs.HEAD;
+import javax.ws.rs.Path;
+import javax.ws.rs.BeanParam;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.CookieParam;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.MatrixParam;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+class JaxRs2 { // $RootResourceClass
+ JaxRs2() {
+ }
+
+ public JaxRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $InjectableConstructor
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context) { // $InjectionAnnotation
+ }
+
+ public JaxRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation
+ }
+
+ @BeanParam // $InjectionAnnotation
+ int beanField; // $InjectableField
+ @CookieParam("") // $InjectionAnnotation
+ int cookieField; // $InjectableField
+ @FormParam("") // $InjectionAnnotation
+ int formField; // $InjectableField
+ @HeaderParam("") // $InjectionAnnotation
+ int headerField; // $InjectableField
+ @MatrixParam("") // $InjectionAnnotation
+ int matrixField; // $InjectableField
+ @PathParam("") // $InjectionAnnotation
+ int pathField; // $InjectableField
+ @QueryParam("") // $InjectionAnnotation
+ int queryField; // $InjectableField
+ @Context // $InjectionAnnotation
+ int context; // $InjectableField
+ int fieldWithoutAnnotation;
+}
+
+class CustomUnmarshaller implements MessageBodyReader {
+
+ @Override
+ public boolean isReadable(Class aClass, Type type, Annotation[] annotations, MediaType mediaType) {
+ return true;
+ }
+
+
+ @Override
+ public Object readFrom(Class aClass, Type type, Annotation[] annotations, MediaType mediaType, MultivaluedMap multivaluedMap, InputStream inputStream) {
+ return null;
+ }
+}
+
+class Miscellaneous {
+ @Consumes("") // $ConsumesAnnotation
+ public static void miscellaneous() throws IOException {
+ Response.ResponseBuilder responseBuilder = Response.accepted(); // $ResponseBuilderDeclaration
+ Response response = responseBuilder.build(); // $ResponseDeclaration
+ Client client; // $ClientDeclaration
+ MessageBodyReader messageBodyReader = null; // $MessageBodyReaderDeclaration
+ messageBodyReader.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadFromCall $MessageBodyReaderReadCall
+ CustomUnmarshaller customUnmarshaller = null;
+ customUnmarshaller.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadCall
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/options b/java/ql/test/library-tests/frameworks/JaxWs/options
index e64ee74d9bc..92727b95566 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/options
+++ b/java/ql/test/library-tests/frameworks/JaxWs/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0
From f2ff2aa3e18bf40415c9ca843b1ce36087de1f64 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 17 May 2021 16:20:53 +0100
Subject: [PATCH 20/36] Add flow tests for JAX-RS
---
 .../frameworks/JaxWs/JaxRsFlow.expected | 0
 .../frameworks/JaxWs/JaxRsFlow.java | 301 ++++++++++++++++++
 .../frameworks/JaxWs/JaxRsFlow.ql | 50 +++
 3 files changed, 351 insertions(+)
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.expected
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
 create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.expected b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
new file mode 100644
index 00000000000..e8c8d6338ff
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
@@ -0,0 +1,301 @@
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.ws.rs.core.CacheControl;
+import javax.ws.rs.core.Cookie;
+import javax.ws.rs.core.EntityTag;
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.GenericEntity;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Link;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.PathSegment;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.UriInfo;
+import javax.ws.rs.core.Variant;
+
+public class JaxRsFlow {
+ String taint() { return "tainted"; }
+
+ private static class ResponseSource {
+ static Response taint() { return null; }
+ }
+
+ private static class ResponseBuilderSource {
+ static Response.ResponseBuilder taint() { return Response.noContent(); }
+ }
+
+ private static class IntSource {
+ static int taint() { return 0; }
+ }
+
+ private static class SetStringSource {
+ static Set taint() { return new HashSet(); }
+ }
+
+ static HttpHeaders taint(HttpHeaders h) { return h; }
+
+ static PathSegment taint(PathSegment ps) { return ps; }
+
+ static UriInfo taint(UriInfo ui) { return ui; }
+
+ static Map taint(Map m) { return m; }
+
+ static Link taint(Link l) { return l; }
+
+ static Class taint(Class c) { return c; }
+
+ private static class UriSource {
+ static URI taint() throws Exception { return new URI(""); }
+ }
+
+ void sink(Object o) {}
+
+ void testResponse() {
+ sink(Response.accepted(taint())); // $hasTaintFlow
+ sink(Response.fromResponse(ResponseSource.taint())); // $hasTaintFlow
+ sink(Response.ok(taint())); // $hasTaintFlow
+ sink(Response.ok(taint(), new MediaType())); // $hasTaintFlow
+ sink(Response.ok(taint(), "type")); // $hasTaintFlow
+ sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $hasTaintFlow
+ }
+
+ void testResponseBuilder(MultivaluedMap multivaluedMap, List list) throws Exception {
+ sink(ResponseBuilderSource.taint().build()); // $hasTaintFlow
+ sink(Response.noContent().entity(taint())); // $hasTaintFlow
+ sink(ResponseBuilderSource.taint().allow(new HashSet())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().clone()); // $hasTaintFlow
+ sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().cookie()); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().encoding("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().entity("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().expires(new Date())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().header("", "")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().language("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().lastModified(new Date())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().link("", "")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().links()); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().location(new URI(""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().status(400)); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().tag("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().type("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().variants(list)); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().variants()); // $hasValueFlow
+ }
+
+ void testHttpHeaders(HttpHeaders h) {
+ sink(taint(h).getAcceptableLanguages()); // $hasTaintFlow
+ sink(taint(h).getAcceptableMediaTypes()); // $hasTaintFlow
+ sink(taint(h).getCookies()); // $hasTaintFlow
+ sink(taint(h).getHeaderString("")); // $hasTaintFlow
+ sink(taint(h).getLanguage()); // $hasTaintFlow
+ sink(taint(h).getMediaType()); // $hasTaintFlow
+ sink(taint(h).getRequestHeader("")); // $hasTaintFlow
+ sink(taint(h).getRequestHeaders()); // $hasTaintFlow
+ }
+
+ void testMultivaluedMapAdd(MultivaluedMap mm1, MultivaluedMap mm2) {
+ mm1.add(taint(), "value");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ mm2.add("key", taint());
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ }
+
+ void testMultivaluedMapAddAll(MultivaluedMap mm1, MultivaluedMap mm2, MultivaluedMap mm3) {
+ mm1.addAll(taint(), "a", "b");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ List l = new ArrayList();
+ l.add(taint());
+ mm2.addAll("key", l);
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ mm3.addAll("key", "a", taint());
+ sink(mm3.get("key").get(0)); // $hasValueFlow
+ }
+
+ void testMultivaluedMapAddFirst(MultivaluedMap mm1, MultivaluedMap mm2) {
+ mm1.addFirst(taint(), "value");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ mm2.addFirst("key", taint());
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ sink(mm2.getFirst("key")); // $hasValueFlow
+ }
+
+ void testMultivaluedMapputSingle(MultivaluedMap mm1, MultivaluedMap mm2) {
+ mm1.putSingle(taint(), "value");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ mm2.putSingle("key", taint());
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ }
+
+ void testPathSegment(PathSegment ps1, PathSegment ps2) {
+ sink(taint(ps1).getMatrixParameters()); // $hasTaintFlow
+ sink(taint(ps2).getPath()); // $hasTaintFlow
+ }
+
+ void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
+ sink(taint(ui1).getPathParameters()); // $hasTaintFlow
+ sink(taint(ui2).getPathSegments()); // $hasTaintFlow
+ sink(taint(ui2).getQueryParameters()); // $hasTaintFlow
+ sink(taint(ui2).getRequestUri()); // $hasTaintFlow
+ sink(taint(ui2).getRequestUriBuilder()); // $hasTaintFlow
+ }
+
+ void testCookie() {
+ sink(new Cookie(taint(), "", "", "", 0)); // $hasTaintFlow
+ sink(new Cookie("", taint(), "", "", 0)); // $hasTaintFlow
+ sink(new Cookie("", "", taint(), "", 0)); // $hasTaintFlow
+ sink(new Cookie("", "", "", taint(), 0)); // $hasTaintFlow
+ sink(new Cookie("", "", "", "", IntSource.taint())); // $hasTaintFlow
+ sink(new Cookie(taint(), "", "", "")); // $hasTaintFlow
+ sink(new Cookie("", taint(), "", "")); // $hasTaintFlow
+ sink(new Cookie("", "", taint(), "")); // $hasTaintFlow
+ sink(new Cookie("", "", "", taint())); // $hasTaintFlow
+ sink(new Cookie(taint(), "")); // $hasTaintFlow
+ sink(new Cookie("", taint())); // $hasTaintFlow
+ sink(Cookie.valueOf(taint())); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getDomain()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getName()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getPath()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getValue()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getVersion()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).toString()); // $hasTaintFlow
+ }
+
+ void testForm(MultivaluedMap mm1, MultivaluedMap mm2) {
+ sink(new Form(taint(), "")); // $hasTaintFlow
+ sink(new Form("", taint())); // $hasTaintFlow
+ mm1.add(taint(), "value");
+ sink(new Form(mm1)); // $hasTaintFlow
+ mm2.add("key", taint());
+ sink(new Form(mm2)); // $hasTaintFlow
+ Form f1 = new Form(taint(), "");
+ sink(f1.asMap()); // $hasTaintFlow
+ Form f2 = new Form();
+ sink(f2.param(taint(), "b")); // $hasTaintFlow
+ Form f3 = new Form();
+ sink(f3.param("a", taint())); // $hasTaintFlow
+ Form f4 = new Form(taint(), "");
+ sink(f4.param("a", "b")); // $hasTaintFlow
+ }
+
+ void testGenericEntity() {
+ Method m = Dummy.class.getMethods()[0];
+ GenericEntity> ge = new GenericEntity>(SetStringSource.taint(), m.getGenericReturnType());
+ sink(ge); // $hasTaintFlow
+ sink(ge.getEntity()); // $hasTaintFlow
+ }
+
+ void testMediaType(Map m) {
+ sink(new MediaType(taint(), "")); // $hasTaintFlow
+ sink(new MediaType("", taint())); // $hasTaintFlow
+ sink(new MediaType(taint(), "", m)); // $hasTaintFlow
+ sink(new MediaType("", taint(), m)); // $hasTaintFlow
+ sink(new MediaType("", "", taint(m))); // $hasTaintFlow
+ sink(new MediaType(taint(), "", "")); // $hasTaintFlow
+ sink(new MediaType("", taint(), "")); // $hasTaintFlow
+ sink(new MediaType("", "", taint())); // $hasTaintFlow
+ sink(MediaType.valueOf(taint()).getParameters()); // $hasTaintFlow
+ sink(MediaType.valueOf(taint()).getSubtype()); // $hasTaintFlow
+ sink(MediaType.valueOf(taint()).getType()); // $hasTaintFlow
+ sink(MediaType.valueOf(taint())); // $hasTaintFlow
+ }
+
+ void testUriBuilder() throws Exception {
+ sink(UriBuilder.fromPath("").build(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").build("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").build(taint(), false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").build("", taint(), true)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).build("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).build("", false)); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap()))); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap()), false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap(), true)); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath(taint()).clone()); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").fragment(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).fragment("")); // $hasTaintFlow
+ sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromUri(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").host(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).host("")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").path(taint(Dummy.class))); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").path(Dummy.class, taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).path(Dummy.class)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replacePath(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replacePath("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceQuery(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()))); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()), true)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap(), false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap()))); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap())); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").scheme(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).scheme("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").segment(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").segment("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).segment("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).toTemplate()); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").uri(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).uri("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").userInfo(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).userInfo("")); // $hasTaintFlow
+ }
+}
+
+class Dummy {
+ private static Set foo() { return null; }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
new file mode 100644
index 00000000000..d3b1db90764
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
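Review bot: `testUriInfo` declares five `UriInfo` parameters but only `ui1` and `ui2` are used, with `ui2` shared by the last four sinks, so `ui3` to `ui5` are dead and the apparent intent of one fresh object per check is lost. Either drop the unused parameters or give each remaining sink its own object, e.g. `sink(taint(ui3).getQueryParameters());`, `sink(taint(ui4).getRequestUri());` and `sink(taint(ui5).getRequestUriBuilder());`. Separately, every `sink(...)` call in this file expects flow, so an over-broad model would never surface as an unexpected result; a few un-annotated calls with untainted arguments, such as `sink(Response.ok(""));`, would cover that side.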
@@ -0,0 +1,50 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class TaintFlowConf extends TaintTracking::Configuration {
+ TaintFlowConf() { this = "qltest:frameworks:jax-rs-taint" }
+
+ override predicate isSource(DataFlow::Node n) {
+ n.asExpr().(MethodAccess).getMethod().hasName("taint")
+ }
+
+ override predicate isSink(DataFlow::Node n) {
+ exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+ }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+ ValueFlowConf() { this = "qltest:frameworks:jax-rs-value" }
+
+ override predicate isSource(DataFlow::Node n) {
+ n.asExpr().(MethodAccess).getMethod().hasName("taint")
+ }
+
+ override predicate isSink(DataFlow::Node n) {
+ exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+ }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+ HasFlowTest() { this = "HasFlowTest" }
+
+ override string getARelevantTag() { result = ["hasTaintFlow", "hasValueFlow"] }
+
+ override predicate hasActualResult(Location location, string element, string tag, string value) {
+ tag = "hasTaintFlow" and
+ exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
+ not any(ValueFlowConf vconf).hasFlow(src, sink) and
+ sink.getLocation() = location and
+ element = sink.toString() and
+ value = ""
+ )
+ or
+ tag = "hasValueFlow" and
+ exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+ sink.getLocation() = location and
+ element = sink.toString() and
+ value = ""
+ )
+ }
+}
From 1ae9d68409407404f2f355e8a2ee88ef9eefc46c Mon Sep 17 00:00:00 2001
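Review bot: The `hasTaintFlow` branch of `HasFlowTest.hasActualResult` suppresses a result whenever `ValueFlowConf` also reaches the same sink (`not any(ValueFlowConf vconf).hasFlow(src, sink)`), and nothing in the file records that rule. A reader of JaxRsFlow.java needs it to understand why some lines are tagged `$hasValueFlow` rather than `$hasTaintFlow`; a comment above that conjunct such as `// Report taint flow only where no value flow exists, so a sink is tagged with the stronger result only.` would capture it. The three classes also have no QLDoc, and a one-line `/** ... */` on each saying that sources are calls to any method named `taint` and sinks are arguments of calls to `sink` would be enough.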
From: Owen Mansel-Chan Date: Thu, 20 May 2021 12:15:30 +0100 Subject: [PATCH 21/36] Move and convert URL redirect sinks Adds for them as well --- java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql | 7 ++++++- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 14 ++++++++++++++ .../src/semmle/code/java/security/UrlRedirect.qll | 14 -------------- .../frameworks/JaxWs/UrlRedirect.expected | 11 +++++++++++ .../frameworks/JaxWs/UrlRedirect.qlref | 1 + .../frameworks/JaxWs/UrlRedirectJax.java | 15 +++++++++++++++ .../test/library-tests/frameworks/JaxWs/options | 2 +- 7 files changed, 48 insertions(+), 16 deletions(-) create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql index 455f6add626..8e3741e436b 100644 --- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql +++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.UrlRedirect +import semmle.code.java.dataflow.ExternalFlow import DataFlow::PathGraph class UrlRedirectConfig extends TaintTracking::Configuration { @@ -20,7 +21,11 @@ class UrlRedirectConfig extends TaintTracking::Configuration { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - override predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } + override predicate isSink(DataFlow::Node sink) { + sink instanceof UrlRedirectSink + or + sinkNode(sink, "url-redirect") + } } from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectConfig conf diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index cff79fc280d..fa031e557fd 100644 
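Review bot: After this commit the JAX-RS redirect sinks are reachable only through the `sinkNode(sink, "url-redirect")` disjunct added to `UrlRedirectConfig.isSink`, because the same patch deletes `JaxRsUrlRedirectSink` from UrlRedirect.qll; any other configuration that tests `instanceof UrlRedirectSink` would silently lose `Response.seeOther` and `Response.temporaryRedirect` coverage. Whether such consumers exist is not visible from this patch, but keeping the abstraction complete closes the gap: in UrlRedirect.qll add `private class CsvUrlRedirectSink extends UrlRedirectSink { CsvUrlRedirectSink() { sinkNode(this, "url-redirect") } }` (moving the `ExternalFlow` import there) and leave `isSink` as `sink instanceof UrlRedirectSink`. `UrlRedirectConfig` begins above this hunk.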
--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -308,6 +308,20 @@ class JaxRSConsumesAnnotation extends JaxRSAnnotation { JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") } } +/** A URL redirection sink from JAX-RS */ +private class JaxRsUrlRedirectSink extends SinkModelCsv { + override predicate row(string row) { + row = + [ + //`namespace; type; subtypes; name; signature; ext; input; kind` + "javax.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect", + "javax.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect", + "jakarta.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect", + "jakarta.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect" + ] + } +} + /** * Model Response: * diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll index ee3e9cb9b1c..49ba24c77a9 100644 --- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll @@ -36,17 +36,3 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink { ) } } - -/** A URL redirection sink from JAX-RS */ -private class JaxRsUrlRedirectSink extends UrlRedirectSink { - JaxRsUrlRedirectSink() { - exists(MethodAccess ma | - ma.getMethod() - .getDeclaringType() - .getAnAncestor() - .hasQualifiedName(getAJaxRsPackage("core"), "Response") and - ma.getMethod().getName() in ["seeOther", "temporaryRedirect"] and - this.asExpr() = ma.getArgument(0) - ) - } -} diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected new file mode 100644 index 00000000000..9ad1a630516 --- /dev/null +++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected 
@@ -0,0 +1,11 @@
+edges
+| UrlRedirect.java:10:32:10:61 | getParameter(...) : String | UrlRedirect.java:10:24:10:62 | new URI(...) |
+| UrlRedirect.java:13:41:13:70 | getParameter(...) : String | UrlRedirect.java:13:33:13:71 | new URI(...) |
+nodes
+| UrlRedirect.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirect.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirect.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirect.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+#select
+| UrlRedirect.java:10:24:10:62 | new URI(...) | UrlRedirect.java:10:32:10:61 | getParameter(...) : String | UrlRedirect.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:10:32:10:61 | getParameter(...) | user-provided value |
+| UrlRedirect.java:13:33:13:71 | new URI(...) | UrlRedirect.java:13:41:13:70 | getParameter(...) : String | UrlRedirect.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:13:41:13:70 | getParameter(...) | user-provided value |
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref
new file mode 100644
index 00000000000..b4772fb438f
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-601/UrlRedirect.ql
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java
new file mode 100644
index 00000000000..4ba3d1f1331
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java
@@ -0,0 +1,15 @@
+import java.io.IOException;
+import java.net.URI;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.Response;
+
+public class UrlRedirectJax extends HttpServlet {
+ protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception {
+ // BAD
+ jaxResponse.seeOther(new URI(request.getParameter("target")));
+
+ // BAD
+ jaxResponse.temporaryRedirect(new URI(request.getParameter("target")));
+ }
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/options b/java/ql/test/library-tests/frameworks/JaxWs/options
index 92727b95566..f84495b1c7e 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/options
+++ b/java/ql/test/library-tests/frameworks/JaxWs/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/servlet-api-2.4
From d1fe62d4d5e20e7075a68c07f73c413a0adb87a6 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 20 May 2021 12:17:05 +0100
Subject: [PATCH 22/36] (Minor) Update comments to match ExternalFlow docs
---
java/ql/src/semmle/code/java/frameworks/guava/Base.qll | 2 +-
java/ql/src/semmle/code/java/frameworks/guava/IO.qll | 4 ++--
java/ql/test/library-tests/dataflow/external-models/sinks.ql | 2 +-
java/ql/test/library-tests/dataflow/external-models/srcs.ql | 2 +-
java/ql/test/library-tests/dataflow/external-models/steps.ql | 2 +-
5 files changed, 6 insertions(+), 6 deletions(-)
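Review bot: The expected output added in this commit (UrlRedirect.expected) names `UrlRedirect.java:10` and `UrlRedirect.java:13`, but the source file added here is `UrlRedirectJax.java`, whose two `new URI(request.getParameter("target"))` arguments sit on those same lines. Unless a `UrlRedirect.java` exists in this directory outside the patch, the recorded results cannot match this file; either rename the file or regenerate the `.expected` output. The test also exercises only the `javax.ws.rs.core` rows of the new sink model and has no negative case, so a line such as `jaxResponse.seeOther(new URI("/home")); // GOOD` (constructed example) would pin that constant targets are not reported.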
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll index fc1ee0e6cb7..45c8bc0e289 100644 --- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll +++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll @@ -7,7 +7,7 @@ private class GuavaBaseCsv extends SummaryModelCsv { override predicate row(string row) { row = [ - //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind", + //`namespace; type; subtypes; name; signature; ext; input; output; kind` "com.google.common.base;Strings;false;emptyToNull;(String);;Argument[0];ReturnValue;value", "com.google.common.base;Strings;false;nullToEmpty;(String);;Argument[0];ReturnValue;value", "com.google.common.base;Strings;false;padStart;(String,int,char);;Argument[0];ReturnValue;taint", diff --git a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll index 305b4fbcfb7..60720a941ca 100644 --- a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll +++ b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll @@ -7,7 +7,7 @@ private class GuavaIoCsv extends SummaryModelCsv { override predicate row(string row) { row = [ - //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind", + //`namespace; type; subtypes; name; signature; ext; input; output; kind` "com.google.common.io;BaseEncoding;true;decode;(CharSequence);;Argument[0];ReturnValue;taint", "com.google.common.io;BaseEncoding;true;decodingStream;(Reader);;Argument[0];ReturnValue;taint", "com.google.common.io;BaseEncoding;true;decodingSource;(CharSource);;Argument[0];ReturnValue;taint", 
@@ -89,7 +89,7 @@ private class GuavaIoSinkCsv extends SinkModelCsv { override predicate row(string row) { row = [ - //"package;type;overrides;name;signature;ext;inputspec;kind", + //`namespace; type; subtypes; name; signature; ext; input; kind` "com.google.common.io;Resources;false;asByteSource;(URL);;Argument[0];url-open-stream", "com.google.common.io;Resources;false;asCharSource;(URL,Charset);;Argument[0];url-open-stream", "com.google.common.io;Resources;false;copy;(URL,OutputStream);;Argument[0];url-open-stream", diff --git a/java/ql/test/library-tests/dataflow/external-models/sinks.ql b/java/ql/test/library-tests/dataflow/external-models/sinks.ql index eb7388fc289..cda440ff4e7 100644 --- a/java/ql/test/library-tests/dataflow/external-models/sinks.ql +++ b/java/ql/test/library-tests/dataflow/external-models/sinks.ql @@ -7,7 +7,7 @@ class SinkModelTest extends SinkModelCsv { override predicate row(string row) { row = [ - //"package;type;overrides;name;signature;ext;spec;kind", + //`namespace; type; subtypes; name; signature; ext; input; kind` "my.qltest;B;false;sink1;(Object);;Argument[0];qltest", "my.qltest;B;false;sinkMethod;();;ReturnValue;qltest", "my.qltest;B$Tag;false;;;Annotated;ReturnValue;qltest-retval", diff --git a/java/ql/test/library-tests/dataflow/external-models/srcs.ql b/java/ql/test/library-tests/dataflow/external-models/srcs.ql index daa3440d940..4ec1d6d3c83 100644 --- a/java/ql/test/library-tests/dataflow/external-models/srcs.ql +++ b/java/ql/test/library-tests/dataflow/external-models/srcs.ql @@ -7,7 +7,7 @@ class SourceModelTest extends SourceModelCsv { override predicate row(string row) { row = [ - //"package;type;overrides;name;signature;ext;spec;kind", + //`namespace; type; subtypes; name; signature; ext; output; kind` "my.qltest;A;false;src1;();;ReturnValue;qltest", "my.qltest;A;false;src1;(String);;ReturnValue;qltest", "my.qltest;A;false;src1;(java.lang.String);;ReturnValue;qltest-alt", 
diff --git a/java/ql/test/library-tests/dataflow/external-models/steps.ql b/java/ql/test/library-tests/dataflow/external-models/steps.ql index 58edd018587..5909f1e5222 100644 --- a/java/ql/test/library-tests/dataflow/external-models/steps.ql +++ b/java/ql/test/library-tests/dataflow/external-models/steps.ql @@ -8,7 +8,7 @@ class SummaryModelTest extends SummaryModelCsv { override predicate row(string row) { row = [ - //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind", + //`namespace; type; subtypes; name; signature; ext; input; output; kind` "my.qltest;C;false;stepArgRes;(Object);;Argument[0];ReturnValue;taint", "my.qltest;C;false;stepArgArg;(Object,Object);;Argument[0];Argument[1];taint", "my.qltest;C;false;stepArgQual;(Object);;Argument[0];Argument[-1];taint", From e6a6a8898bdad12d689a8cc010b58f2c685896ff Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 20 May 2021 14:23:40 +0100 Subject: [PATCH 23/36] Move Jax XSS sinks to JaxWS.qll and add tests --- .../src/semmle/code/java/frameworks/JaxWS.qll | 16 +++++ java/ql/src/semmle/code/java/security/XSS.qll | 11 --- .../library-tests/frameworks/JaxWs/JaxRs.ql | 8 +++ .../frameworks/JaxWs/JaxRs1.java | 69 ++++++++++++------- 4 files changed, 70 insertions(+), 34 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index fa031e557fd..72623017926 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll @@ -5,6 +5,7 @@ import java private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.security.XSS /** * Gets a name for the root package of JAX-RS. 
@@ -308,6 +309,21 @@ class JaxRSConsumesAnnotation extends JaxRSAnnotation { JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") } } +/** A default sink representing methods susceptible to XSS attacks. */ +private class JaxRSXssSink extends XssSink { + JaxRSXssSink() { + exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs | + resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and + rs.getEnclosingCallable() = resourceMethod and + this.asExpr() = rs.getResult() + | + not exists(resourceMethod.getProducesAnnotation()) + or + resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain" + ) + } +} + /** A URL redirection sink from JAX-RS */ private class JaxRsUrlRedirectSink extends SinkModelCsv { override predicate row(string row) { diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll index 471dd8a9124..14f10cad9c8 100644 --- a/java/ql/src/semmle/code/java/security/XSS.qll +++ b/java/ql/src/semmle/code/java/security/XSS.qll @@ -1,7 +1,6 @@ /** Provides classes to reason about Cross-site scripting (XSS) vulnerabilities. */ import java -import semmle.code.java.frameworks.JaxWS import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.android.WebView import semmle.code.java.frameworks.spring.SpringController @@ -94,16 +93,6 @@ private class DefaultXssSink extends XssSink { returnType instanceof RawClass ) ) - or - exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs | - resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and - rs.getEnclosingCallable() = resourceMethod and - this.asExpr() = rs.getResult() - | - not exists(resourceMethod.getProducesAnnotation()) - or - resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain" - ) } } 
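Review bot: `JaxRSXssSink` treats a resource method's return value as an XSS sink when its `@Produces` type is `"text/plain"`, which looks inverted: `text/plain` is the case a browser should not render as markup, while a method that declares `text/html` is left unflagged. The condition is carried over unchanged from the lines this commit removes from XSS.qll, so the move itself preserves behaviour, but the new JaxRs1.java expectations now pin it (`Delete()` with `text/plain` is tagged `$XssSink`, `Post()` with `text/html` is not). If that reading is right, the disjunct should be `resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/html"` with the test tags swapped to match, and the QLDoc could state that unannotated methods are included, presumably because the container then chooses the media type.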
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql index eb34aa89812..721d46672e9 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql @@ -1,5 +1,6 @@ import java import semmle.code.java.frameworks.JaxWS +import semmle.code.java.security.XSS import TestUtilities.InlineExpectationsTest class JaxRsTest extends InlineExpectationsTest { @@ -143,5 +144,12 @@ class JaxRsTest extends InlineExpectationsTest { element = consumesAnnotation.toString() and value = "" ) + or + tag = "XssSink" and + exists(XssSink xssSink | + xssSink.getLocation() = location and + element = xssSink.toString() and + value = "" + ) } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java index a050d8b3873..271cba9b52c 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java @@ -30,7 +30,8 @@ public class JaxRs1 { // $RootResourceClass } @GET - void Get() { // $ResourceMethod $ResourceMethodOnResourceClass + int Get() { // $ResourceMethod $ResourceMethodOnResourceClass + return 0; // $XssSink } @POST @@ -39,7 +40,8 @@ public class JaxRs1 { // $RootResourceClass @Produces("text/plain") // $ProducesAnnotation=text/plain @DELETE - void Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass + double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass + return 0.0; // $XssSink } @Produces(MediaType.TEXT_HTML) // $ProducesAnnotation=text/html 
@@ -59,27 +61,44 @@ public class JaxRs1 { // $RootResourceClass NonRootResourceClass subResourceLocator() { // $SubResourceLocator return null; } -} -class NonRootResourceClass { // $NonRootResourceClass - @Path("") - AnotherNonRootResourceClass subResourceLocator1() { // $SubResourceLocator - return null; - } + public class NonRootResourceClass { // $NonRootResourceClass + @GET + int Get() { // $ResourceMethod $ResourceMethodOnResourceClass + return 0; // $XssSink + } - @GET - @Path("") - NotAResourceClass1 NotASubResourceLocator1() { // $ResourceMethod - return null; - } + @Produces("text/html") // $ProducesAnnotation=text/html + @POST + boolean Post() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass + return false; + } - @GET - NotAResourceClass2 NotASubResourceLocator2() { // $ResourceMethod - return null; - } + @Produces(MediaType.TEXT_PLAIN) // $ProducesAnnotation=text/plain + @DELETE + double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass + return 0.0; // $XssSink + } - NotAResourceClass2 NotASubResourceLocator3() { - return null; + @Path("") + AnotherNonRootResourceClass subResourceLocator1() { // $SubResourceLocator + return null; + } + + @GET + @Path("") + NotAResourceClass1 NotASubResourceLocator1() { // $ResourceMethod $ResourceMethodOnResourceClass + return null; // $XssSink + } + + @GET + NotAResourceClass2 NotASubResourceLocator2() { // $ResourceMethod $ResourceMethodOnResourceClass + return null; // $XssSink + } + + NotAResourceClass2 NotASubResourceLocator3() { + return null; + } } } @@ -120,7 +139,8 @@ class NotAResourceClass2 { class ExtendsJaxRs1 extends JaxRs1 { @Override - void Get() { // $ResourceMethod + int Get() { // $ResourceMethod + return 1; } @Override @@ -129,7 +149,8 @@ class ExtendsJaxRs1 extends JaxRs1 { } @Override - void Delete() { // $ResourceMethod=text/plain + double Delete() { // $ResourceMethod=text/plain + return 1.0; } @Override 
@@ -151,7 +172,8 @@ class ExtendsJaxRs1 extends JaxRs1 { @Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 { @Override - void Get() { // $ResourceMethod=text/xml + int Get() { // $ResourceMethod=text/xml + return 2; } @Override @@ -160,7 +182,8 @@ class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 { } @Override - void Delete() { // $ResourceMethod=text/plain + double Delete() { // $ResourceMethod=text/plain + return 2.0; } @Override From 318d1ea484f1f0c72f11d24ccacda33620fcb610 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Mon, 7 Jun 2021 15:43:18 +0100 Subject: [PATCH 24/36] Stubs in javax-ws-rs-api-3.0.0 Generated using java-autostub --- .../jakarta/ws/rs/BeanParam.java | 20 ++ .../jakarta/ws/rs/Consumes.java | 21 ++ .../jakarta/ws/rs/CookieParam.java | 22 ++ .../jakarta/ws/rs/DELETE.java | 20 ++ .../jakarta/ws/rs/FormParam.java | 22 ++ .../jakarta/ws/rs/GET.java | 20 ++ .../jakarta/ws/rs/HEAD.java | 20 ++ .../jakarta/ws/rs/HeaderParam.java | 22 ++ .../jakarta/ws/rs/MatrixParam.java | 22 ++ .../jakarta/ws/rs/OPTIONS.java | 20 ++ .../jakarta/ws/rs/POST.java | 20 ++ .../jakarta/ws/rs/PUT.java | 20 ++ .../jakarta/ws/rs/Path.java | 22 ++ .../jakarta/ws/rs/PathParam.java | 22 ++ .../jakarta/ws/rs/Produces.java | 21 ++ .../jakarta/ws/rs/QueryParam.java | 22 ++ .../jakarta/ws/rs/client/Client.java | 42 +++ .../jakarta/ws/rs/core/CacheControl.java | 112 +++++++ .../jakarta/ws/rs/core/Configurable.java | 41 +++ .../jakarta/ws/rs/core/Context.java | 20 ++ .../jakarta/ws/rs/core/Cookie.java | 71 +++++ .../jakarta/ws/rs/core/EntityTag.java | 53 ++++ .../jakarta/ws/rs/core/Form.java | 37 +++ .../jakarta/ws/rs/core/GenericEntity.java | 55 ++++ .../jakarta/ws/rs/core/HttpHeaders.java | 44 +++ .../jakarta/ws/rs/core/Link.java | 143 +++++++++ .../jakarta/ws/rs/core/MediaType.java | 108 +++++++ .../jakarta/ws/rs/core/MultivaluedMap.java | 36 +++ .../jakarta/ws/rs/core/NewCookie.java | 117 +++++++ .../jakarta/ws/rs/core/PathSegment.java | 24 ++ .../jakarta/ws/rs/core/Response.java | 285 ++++++++++++++++++ .../jakarta/ws/rs/core/UriBuilder.java | 126 ++++++++ .../ws/rs/core/UriBuilderException.java | 32 ++ .../jakarta/ws/rs/core/UriInfo.java | 60 ++++ .../jakarta/ws/rs/core/Variant.java | 93 ++++++ .../jakarta/ws/rs/ext/MessageBodyReader.java | 33 ++ 36 files changed, 1868 insertions(+) create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java create mode 
100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java create mode 100644 
java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java new file mode 100644 index 00000000000..a98eeaf615c --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface BeanParam { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java new file mode 100644 index 00000000000..9fbebafe020 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface Consumes { + String[] value() default "*/*"; +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java new file mode 100644 index 00000000000..a9d28569904 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface CookieParam { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java new file mode 100644 index 00000000000..4295e567f88 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface DELETE { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java new file mode 100644 index 00000000000..173c5b5def3 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface FormParam { + String value(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java new file mode 100644 index 00000000000..d42fd28595c --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface GET { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java new file mode 100644 index 00000000000..72a6bd34e81 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface HEAD { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java new file mode 100644 index 00000000000..3fb97bb4d16 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface HeaderParam { + String value(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java new file mode 100644 index 00000000000..2a5d855ae7f --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface MatrixParam { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java new file mode 100644 index 00000000000..82067e5e3da --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java 
@@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface OPTIONS { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java new file mode 100644 index 00000000000..95bfc315d48 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface POST { +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java new file mode 100644 index 00000000000..4f16d5174ea --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface PUT { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java new file mode 100644 index 00000000000..2874d78ddfe --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java 
@@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface Path { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java new file mode 100644 index 00000000000..9cd934afccf --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface PathParam { + String value(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java new file mode 100644 index 00000000000..6c85c91a83c --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface Produces { + String[] value() default "*/*"; +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java new file mode 100644 index 00000000000..b64e357c028 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java 
@@ -0,0 +1,22 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs; + +public @interface QueryParam { + String value(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java new file mode 100644 index 00000000000..bd23ccf6f7e --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java 
@@ -0,0 +1,42 @@ +/* + * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.client; +import java.net.URI; +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLContext; +import jakarta.ws.rs.core.Configurable; +import jakarta.ws.rs.core.Link; +import jakarta.ws.rs.core.UriBuilder; + +public interface Client extends Configurable { + public void close(); + + public WebTarget target(String uri); + + public WebTarget target(URI uri); + + public WebTarget target(UriBuilder uriBuilder); + + public WebTarget target(Link link); + + public Invocation.Builder invocation(Link link); + + public SSLContext getSslContext(); + + public HostnameVerifier getHostnameVerifier(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java new file mode 100644 index 00000000000..2e8134e6d57 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java 
@@ -0,0 +1,112 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.util.List; +import java.util.Map; + +public class CacheControl { + public CacheControl() { + } + + public static CacheControl valueOf(final String value) { + return null; + } + + public boolean isMustRevalidate() { + return false; + } + + public void setMustRevalidate(final boolean mustRevalidate) { + } + + public boolean isProxyRevalidate() { + return false; + } + + public void setProxyRevalidate(final boolean proxyRevalidate) { + } + + public int getMaxAge() { + return 0; + } + + public void setMaxAge(final int maxAge) { + } + + public int getSMaxAge() { + return 0; + } + + public void setSMaxAge(final int sMaxAge) { + } + + public List getNoCacheFields() { + return null; + } + + public void setNoCache(final boolean noCache) { + } + + public boolean isNoCache() { + return false; + } + + public boolean isPrivate() { + return false; + } + + public List getPrivateFields() { + return null; + } + + public void setPrivate(final boolean flag) { + } + + public boolean isNoTransform() { + return false; + } + + public void setNoTransform(final boolean noTransform) { + } + + public boolean isNoStore() { + return false; + } + + public void setNoStore(final boolean noStore) { + } + + public Map 
getCacheExtension() { + return null; + } + + @Override + public String toString() { + return null; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public boolean equals(final Object obj) { + return false; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java new file mode 100644 index 00000000000..529c3562b2e --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.util.Map; + +public interface Configurable { + public Configuration getConfiguration(); + + public C property(String name, Object value); + + public C register(Class componentClass); + + public C register(Class componentClass, int priority); + + public C register(Class componentClass, Class... contracts); + + public C register(Class componentClass, Map, Integer> contracts); + + public C register(Object component); + + public C register(Object component, int priority); + + public C register(Object component, Class... contracts); + + public C register(Object component, Map, Integer> contracts); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java new file mode 100644 index 00000000000..cb4923f70e6 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; + +public @interface Context { +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java new file mode 100644 index 00000000000..b8639e0c1e6 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java 
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class Cookie {
+ public Cookie(final String name, final String value, final String path, final String domain, final int version)
+ throws IllegalArgumentException {
+ }
+
+ public Cookie(final String name, final String value, final String path, final String domain)
+ throws IllegalArgumentException {
+ }
+
+ public Cookie(final String name, final String value)
+ throws IllegalArgumentException {
+ }
+
+ public static Cookie valueOf(final String value) {
+ return null;
+ }
+
+ public String getName() {
+ return null;
+ }
+
+ public String getValue() {
+ return null;
+ }
+
+ public int getVersion() {
+ return 0;
+ }
+
+ public String getDomain() {
+ return null;
+ }
+
+ public String getPath() {
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(final Object obj) {
+ return false;
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java
new file mode 100644
index 00000000000..9e447119d4d
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java @@ -0,0 +1,53 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; + +public class EntityTag { + public EntityTag(final String value) { + } + + public EntityTag(final String value, final boolean weak) { + } + + public static EntityTag valueOf(final String value) { + return null; + } + + public boolean isWeak() { + return false; + } + + public String getValue() { + return null; + } + + @Override + public boolean equals(final Object obj) { + return false; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public String toString() { + return null; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java new file mode 100644 index 00000000000..c94aa9a4a34 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java 
@@ -0,0 +1,37 @@ +/* + * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; + +public class Form { + public Form() { + } + + public Form(final String parameterName, final String parameterValue) { + } + + public Form(final MultivaluedMap store) { + } + + public Form param(final String name, final String value) { + return null; + } + + public MultivaluedMap asMap() { + return null; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java new file mode 100644 index 00000000000..d9d06f3fb95 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java 
@@ -0,0 +1,55 @@ +/* + * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved. + * + * Copyright (c) 2006 Google Inc. + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package jakarta.ws.rs.core; +import java.lang.reflect.Type; + +public class GenericEntity { + public GenericEntity(final T entity, final Type genericType) { + } + + public final Class getRawType() { + return null; + } + + public final Type getType() { + return null; + } + + public final T getEntity() { + return null; + } + + @Override + public boolean equals(final Object obj) { + return false; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public String toString() { + return null; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java new file mode 100644 index 00000000000..b5fc3e612f6 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java 
@@ -0,0 +1,44 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.util.Date; +import java.util.List; +import java.util.Locale; +import java.util.Map; + +public interface HttpHeaders { + public List getRequestHeader(String name); + + public String getHeaderString(String name); + + public MultivaluedMap getRequestHeaders(); + + public List getAcceptableMediaTypes(); + + public List getAcceptableLanguages(); + + public MediaType getMediaType(); + + public Locale getLanguage(); + + public Map getCookies(); + + public Date getDate(); + + public int getLength(); + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java new file mode 100644 index 00000000000..b486aec9440 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java 
@@ -0,0 +1,143 @@ +/* + * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.net.URI; +import java.util.List; +import java.util.Map; +import javax.xml.namespace.QName; +import jakarta.xml.bind.annotation.adapters.XmlAdapter; + +public abstract class Link { + public abstract URI getUri(); + + public abstract UriBuilder getUriBuilder(); + + public abstract String getRel(); + + public abstract List getRels(); + + public abstract String getTitle(); + + public abstract String getType(); + + public abstract Map getParams(); + + @Override + public abstract String toString(); + + public static Link valueOf(final String value) { + return null; + } + + public static Builder fromUri(final URI uri) { + return null; + } + + public static Builder fromUri(final String uri) { + return null; + } + + public static Builder fromUriBuilder(final UriBuilder uriBuilder) { + return null; + } + + public static Builder fromLink(final Link link) { + return null; + } + + public static Builder fromPath(final String path) { + return null; + } + + public static Builder fromResource(final Class resource) { + return null; + } + + public static Builder fromMethod(final Class resource, final String method) { + return null; + } + + public interface Builder { + public Builder link(Link link); + + public 
Builder link(String link); + + public Builder uri(URI uri); + + public Builder uri(String uri); + + public Builder baseUri(URI uri); + + public Builder baseUri(String uri); + + public Builder uriBuilder(UriBuilder uriBuilder); + + public Builder rel(String rel); + + public Builder title(String title); + + public Builder type(String type); + + public Builder param(String name, String value); + + public Link build(Object... values); + + public Link buildRelativized(URI uri, Object... values); + + } + public static class JaxbLink { + public JaxbLink() { + } + + public JaxbLink(final URI uri) { + } + + public JaxbLink(final URI uri, final Map params) { + } + + public URI getUri() { + return null; + } + + public Map getParams() { + return null; + } + + @Override + public boolean equals(final Object o) { + return false; + } + + @Override + public int hashCode() { + return 0; + } + + } + public static class JaxbAdapter extends XmlAdapter { + @Override + public Link unmarshal(final JaxbLink v) { + return null; + } + + @Override + public JaxbLink marshal(final Link v) { + return null; + } + + } +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java new file mode 100644 index 00000000000..b03fb99c0dc --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java 
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.util.Map; + +public class MediaType { + public final static MediaType WILDCARD_TYPE = new MediaType(); + + public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml"); + + public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml"); + + public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml"); + + public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml"); + + public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json"); + + public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded"); + + public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data"); + + public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream"); + + public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain"); + + public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml"); + + public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html"); + + public static final 
MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream"); + + public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json"); + + public static MediaType valueOf(final String type) { + return null; + } + + public MediaType(final String type, final String subtype, final Map parameters) { + } + + public MediaType(final String type, final String subtype) { + } + + public MediaType(final String type, final String subtype, final String charset) { + } + + public MediaType() { + } + + public String getType() { + return null; + } + + public boolean isWildcardType() { + return false; + } + + public String getSubtype() { + return null; + } + + public boolean isWildcardSubtype() { + return false; + } + + public Map getParameters() { + return null; + } + + public MediaType withCharset(final String charset) { + return null; + } + + public boolean isCompatible(final MediaType other) { + return false; + } + + @Override + public boolean equals(final Object obj) { + return false; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public String toString() { + return null; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java new file mode 100644 index 00000000000..e26a5a38256 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java 
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public interface MultivaluedMap extends Map> {
+ void putSingle(K key, V value);
+
+ void add(K key, V value);
+
+ V getFirst(K key);
+
+ void addAll(K key, V... newValues);
+
+ void addAll(K key, List valueList);
+
+ void addFirst(K key, V value);
+
+ boolean equalsIgnoreValueOrder(MultivaluedMap otherMap);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java
new file mode 100644
index 00000000000..0816d26473e
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Date;
+
+public class NewCookie extends Cookie {
+ public NewCookie(final String name, final String value) {
+ }
+
+ public NewCookie(final String name,
+ final String value,
+ final String path,
+ final String domain,
+ final String comment,
+ final int maxAge,
+ final boolean secure) {
+ }
+
+ public NewCookie(final String name,
+ final String value,
+ final String path,
+ final String domain,
+ final String comment,
+ final int maxAge,
+ final boolean secure,
+ final boolean httpOnly) {
+ }
+
+ public NewCookie(final String name,
+ final String value,
+ final String path,
+ final String domain,
+ final int version,
+ final String comment,
+ final int maxAge,
+ final boolean secure) {
+ }
+
+ public NewCookie(final String name,
+ final String value,
+ final String path,
+ final String domain,
+ final int version,
+ final String comment,
+ final int maxAge,
+ final Date expiry,
+ final boolean secure,
+ final boolean httpOnly) {
+ }
+
+ public NewCookie(final Cookie cookie) {
+ }
+
+ public NewCookie(final Cookie cookie, final String comment, final int maxAge, final boolean secure) {
+ }
+
+ public NewCookie(final Cookie cookie, final String comment, final int maxAge, final Date expiry, final boolean secure, final boolean httpOnly) {
+ }
+
+ public static NewCookie valueOf(final String value) {
+ return null;
+ }
+
+ public String getComment() {
+ return null;
+ }
+
+ public int getMaxAge() {
+ return 0;
+ }
+
+ public Date getExpiry() {
+ return null;
+ }
+
+ public boolean isSecure() {
+ return false;
+ }
+
+ public boolean isHttpOnly() {
+ return false;
+ }
+
+ public Cookie toCookie() {
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(final Object obj) {
+ return false;
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java
new file mode 100644
index 00000000000..5b7c70af044
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public interface PathSegment {
+ String getPath();
+
+ MultivaluedMap getMatrixParameters();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java
new file mode 100644
index 00000000000..bb09f3ffb48
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java
@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.lang.annotation.Annotation;
+import java.net.URI;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class Response implements AutoCloseable {
+ public abstract int getStatus();
+
+ public abstract StatusType getStatusInfo();
+
+ public abstract Object getEntity();
+
+ public abstract T readEntity(Class entityType);
+
+ public abstract T readEntity(GenericType entityType);
+
+ public abstract T readEntity(Class entityType, Annotation[] annotations);
+
+ public abstract T readEntity(GenericType entityType, Annotation[] annotations);
+
+ public abstract boolean hasEntity();
+
+ public abstract boolean bufferEntity();
+
+ @Override
+ public abstract void close();
+
+ public abstract MediaType getMediaType();
+
+ public abstract Locale getLanguage();
+
+ public abstract int getLength();
+
+ public abstract Set getAllowedMethods();
+
+ public abstract Map getCookies();
+
+ public abstract EntityTag getEntityTag();
+
+ public abstract Date getDate();
+
+ public abstract Date getLastModified();
+
+ public abstract URI getLocation();
+
+ public abstract Set getLinks();
+
+ public abstract boolean hasLink(String relation);
+
+ public abstract Link getLink(String relation);
+
+ public abstract Link.Builder getLinkBuilder(String relation);
+
+ public abstract MultivaluedMap getMetadata();
+
+ public MultivaluedMap getHeaders() {
+ return null;
+ }
+
+ public abstract MultivaluedMap getStringHeaders();
+
+ public abstract String getHeaderString(String name);
+
+ public static ResponseBuilder fromResponse(final Response response) {
+ return null;
+ }
+
+ public static ResponseBuilder status(final StatusType status) {
+ return null;
+ }
+
+ public static ResponseBuilder status(final Status status) {
+ return null;
+ }
+
+ public static ResponseBuilder status(final int status) {
+ return null;
+ }
+
+ public static ResponseBuilder status(final int status, final String reasonPhrase) {
+ return null;
+ }
+
+ public static ResponseBuilder ok() {
+ return null;
+ }
+
+ public static ResponseBuilder ok(final Object entity) {
+ return null;
+ }
+
+ public static ResponseBuilder ok(final Object entity, final MediaType type) {
+ return null;
+ }
+
+ public static ResponseBuilder ok(final Object entity, final String type) {
+ return null;
+ }
+
+ public static ResponseBuilder ok(final Object entity, final Variant variant) {
+ return null;
+ }
+
+ public static ResponseBuilder serverError() {
+ return null;
+ }
+
+ public static ResponseBuilder created(final URI location) {
+ return null;
+ }
+
+ public static ResponseBuilder accepted() {
+ return null;
+ }
+
+ public static ResponseBuilder accepted(final Object entity) {
+ return null;
+ }
+
+ public static ResponseBuilder noContent() {
+ return null;
+ }
+
+ public static ResponseBuilder notModified() {
+ return null;
+ }
+
+ public static ResponseBuilder notModified(final EntityTag tag) {
+ return null;
+ }
+
+ public static ResponseBuilder notModified(final String tag) {
+ return null;
+ }
+
+ public static ResponseBuilder seeOther(final URI location) {
+ return null;
+ }
+
+ public static ResponseBuilder temporaryRedirect(final URI location) {
+ return null;
+ }
+
+ public static ResponseBuilder notAcceptable(final List variants) {
+ return null;
+ }
+
+ public static abstract class ResponseBuilder {
+ public abstract Response build();
+
+ @Override
+ public abstract ResponseBuilder clone();
+
+ public abstract ResponseBuilder status(int status);
+
+ public abstract ResponseBuilder status(int status, String reasonPhrase);
+
+ public ResponseBuilder status(final StatusType status) {
+ return null;
+ }
+
+ public ResponseBuilder status(final Status status) {
+ return null;
+ }
+
+ public abstract ResponseBuilder entity(Object entity);
+
+ public abstract ResponseBuilder entity(Object entity, Annotation[] annotations);
+
+ public abstract ResponseBuilder allow(String... methods);
+
+ public abstract ResponseBuilder allow(Set methods);
+
+ public abstract ResponseBuilder cacheControl(CacheControl cacheControl);
+
+ public abstract ResponseBuilder encoding(String encoding);
+
+ public abstract ResponseBuilder header(String name, Object value);
+
+ public abstract ResponseBuilder replaceAll(MultivaluedMap headers);
+
+ public abstract ResponseBuilder language(String language);
+
+ public abstract ResponseBuilder language(Locale language);
+
+ public abstract ResponseBuilder type(MediaType type);
+
+ public abstract ResponseBuilder type(String type);
+
+ public abstract ResponseBuilder variant(Variant variant);
+
+ public abstract ResponseBuilder contentLocation(URI location);
+
+ public abstract ResponseBuilder cookie(NewCookie... cookies);
+
+ public abstract ResponseBuilder expires(Date expires);
+
+ public abstract ResponseBuilder lastModified(Date lastModified);
+
+ public abstract ResponseBuilder location(URI location);
+
+ public abstract ResponseBuilder tag(EntityTag tag);
+
+ public abstract ResponseBuilder tag(String tag);
+
+ public abstract ResponseBuilder variants(Variant... variants);
+
+ public abstract ResponseBuilder variants(List variants);
+
+ public abstract ResponseBuilder links(Link... links);
+
+ public abstract ResponseBuilder link(URI uri, String rel);
+
+ public abstract ResponseBuilder link(String uri, String rel);
+
+ }
+ public interface StatusType {
+ public int getStatusCode();
+
+ public Status.Family getFamily();
+
+ public String getReasonPhrase();
+
+ public default Status toEnum() {
+ return null;
+ }
+
+ }
+ public enum Status implements StatusType {
+ DUMMY_STATUS;
+
+ public enum Family {
+ DUMMY_FAMILY;
+
+ public static Family familyOf(final int statusCode) {
+ return null;
+ }
+
+ }
+ @Override
+ public Family getFamily() {
+ return null;
+ }
+
+ @Override
+ public int getStatusCode() {
+ return 0;
+ }
+
+ @Override
+ public String getReasonPhrase() {
+ return null;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+ public static Status fromStatusCode(final int statusCode) {
+ return null;
+ }
+
+ }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java
new file mode 100644
index 00000000000..befa54c24b5
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java
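Review bot: In the `Response.java` stub the nested `Status` enum declares only `DUMMY_STATUS`, and `Status.Family` only `DUMMY_FAMILY`, so test code that writes `Response.Status.OK` or `Response.status(Response.Status.BAD_REQUEST)` will not compile against it. That leaves the `status(Status)` overloads on `Response` and `ResponseBuilder` usable only with the placeholder constant, and tests of response-handling queries would have to fall back to the `int` overloads. If such tests are intended, declare the real constants they use, e.g. `OK, BAD_REQUEST, INTERNAL_SERVER_ERROR;` in `Status` and `SUCCESSFUL, CLIENT_ERROR, SERVER_ERROR;` in `Family`. Otherwise I would add a comment above `DUMMY_STATUS` such as `// Stub placeholder: real constants omitted; add one here when a test needs it.`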
@@ -0,0 +1,126 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.lang.reflect.Method; +import java.net.URI; +import java.util.Map; + +public abstract class UriBuilder { + public static UriBuilder newInstance() { + return null; + } + + public static UriBuilder fromUri(final URI uri) { + return null; + } + + public static UriBuilder fromUri(final String uriTemplate) { + return null; + } + + public static UriBuilder fromLink(final Link link) { + return null; + } + + public static UriBuilder fromPath(final String path) throws IllegalArgumentException { + return null; + } + + public static UriBuilder fromResource(final Class resource) { + return null; + } + + public static UriBuilder fromMethod(final Class resource, final String method) { + return null; + } + + @Override + public abstract UriBuilder clone(); + + public abstract UriBuilder uri(URI uri); + + public abstract UriBuilder uri(String uriTemplate); + + public abstract UriBuilder scheme(String scheme); + + public abstract UriBuilder schemeSpecificPart(String ssp); + + public abstract UriBuilder userInfo(String ui); + + public abstract UriBuilder host(String host); + + public abstract UriBuilder port(int port); + + public abstract UriBuilder replacePath(String path); + + public abstract UriBuilder path(String 
path); + + public abstract UriBuilder path(Class resource); + + public abstract UriBuilder path(Class resource, String method); + + public abstract UriBuilder path(Method method); + + public abstract UriBuilder segment(String... segments); + + public abstract UriBuilder replaceMatrix(String matrix); + + public abstract UriBuilder matrixParam(String name, Object... values); + + public abstract UriBuilder replaceMatrixParam(String name, Object... values); + + public abstract UriBuilder replaceQuery(String query); + + public abstract UriBuilder queryParam(String name, Object... values); + + public abstract UriBuilder replaceQueryParam(String name, Object... values); + + public abstract UriBuilder fragment(String fragment); + + public abstract UriBuilder resolveTemplate(String name, Object value); + + public abstract UriBuilder resolveTemplate(String name, Object value, boolean encodeSlashInPath); + + public abstract UriBuilder resolveTemplateFromEncoded(String name, Object value); + + public abstract UriBuilder resolveTemplates(Map templateValues); + + public abstract UriBuilder resolveTemplates(Map templateValues, boolean encodeSlashInPath) + throws IllegalArgumentException; + + public abstract UriBuilder resolveTemplatesFromEncoded(Map templateValues); + + public abstract URI buildFromMap(Map values); + + public abstract URI buildFromMap(Map values, boolean encodeSlashInPath) + throws IllegalArgumentException, UriBuilderException; + + public abstract URI buildFromEncodedMap(Map values) + throws IllegalArgumentException, UriBuilderException; + + public abstract URI build(Object... values) + throws IllegalArgumentException, UriBuilderException; + + public abstract URI build(Object[] values, boolean encodeSlashInPath) + throws IllegalArgumentException, UriBuilderException; + + public abstract URI buildFromEncoded(Object... values) + throws IllegalArgumentException, UriBuilderException; + + public abstract String toTemplate(); + +} 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java new file mode 100644 index 00000000000..08e257c161d --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java @@ -0,0 +1,32 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; + +public class UriBuilderException extends java.lang.RuntimeException { + public UriBuilderException() { + } + + public UriBuilderException(final String msg) { + } + + public UriBuilderException(final String msg, final Throwable cause) { + } + + public UriBuilderException(final Throwable cause) { + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java new file mode 100644 index 00000000000..1822f0253cd --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java 
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+
+public interface UriInfo {
+ public String getPath();
+
+ public String getPath(boolean decode);
+
+ public List getPathSegments();
+
+ public List getPathSegments(boolean decode);
+
+ public URI getRequestUri();
+
+ public UriBuilder getRequestUriBuilder();
+
+ public URI getAbsolutePath();
+
+ public UriBuilder getAbsolutePathBuilder();
+
+ public URI getBaseUri();
+
+ public UriBuilder getBaseUriBuilder();
+
+ public MultivaluedMap getPathParameters();
+
+ public MultivaluedMap getPathParameters(boolean decode);
+
+ public MultivaluedMap getQueryParameters();
+
+ public MultivaluedMap getQueryParameters(boolean decode);
+
+ public List getMatchedURIs();
+
+ public List getMatchedURIs(boolean decode);
+
+ public List getMatchedResources();
+
+ public URI resolve(URI uri);
+
+ public URI relativize(URI uri);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java
new file mode 100644
index 00000000000..f87d15020f5
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Locale;
+
+public class Variant {
+ public Variant(final MediaType mediaType, final String language, final String encoding) {
+ }
+
+ public Variant(final MediaType mediaType, final String language, final String country, final String encoding) {
+ }
+
+ public Variant(final MediaType mediaType, final String language, final String country, final String languageVariant, final String encoding) {
+ }
+
+ public Variant(final MediaType mediaType, final Locale language, final String encoding) {
+ }
+
+ public Locale getLanguage() {
+ return null;
+ }
+
+ public String getLanguageString() {
+ return null;
+ }
+
+ public MediaType getMediaType() {
+ return null;
+ }
+
+ public String getEncoding() {
+ return null;
+ }
+
+ public static VariantListBuilder mediaTypes(final MediaType... mediaTypes) {
+ return null;
+ }
+
+ public static VariantListBuilder languages(final Locale... languages) {
+ return null;
+ }
+
+ public static VariantListBuilder encodings(final String... encodings) {
+ return null;
+ }
+
+ @Override
+ public int hashCode() {
+ return 0;
+ }
+
+ @Override
+ public boolean equals(final Object obj) {
+ return false;
+ }
+
+ @Override
+ public String toString() {
+ return null;
+ }
+
+ public static abstract class VariantListBuilder {
+ public static VariantListBuilder newInstance() {
+ return null;
+ }
+
+ public abstract List build();
+
+ public abstract VariantListBuilder add();
+
+ public abstract VariantListBuilder languages(Locale... languages);
+
+ public abstract VariantListBuilder encodings(String... encodings);
+
+ public abstract VariantListBuilder mediaTypes(MediaType... mediaTypes);
+
+ }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java
new file mode 100644
index 00000000000..a16ffaf72c1
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java
@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.ext; +import java.io.InputStream; +import java.lang.annotation.Annotation; +import java.lang.reflect.Type; +import jakarta.ws.rs.core.MediaType; +import jakarta.ws.rs.core.MultivaluedMap; + +public interface MessageBodyReader { + public boolean isReadable(Class type, Type genericType, + Annotation[] annotations, MediaType mediaType); + + public T readFrom(Class type, Type genericType, + Annotation[] annotations, MediaType mediaType, + MultivaluedMap httpHeaders, + InputStream entityStream) throws java.io.IOException, jakarta.ws.rs.WebApplicationException; + +} From 0ad35421f276e9b1e8fea96c503fa4ee0e0639a8 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 7 Jun 2021 16:07:53 +0100 Subject: [PATCH 25/36] Comment out stubs (Jakarta) --- .../jakarta/ws/rs/client/Client.java | 24 ++++++------- .../jakarta/ws/rs/core/Configurable.java | 2 +- .../jakarta/ws/rs/core/Link.java | 34 +++++++++---------- .../jakarta/ws/rs/core/MediaType.java | 6 ++++ .../jakarta/ws/rs/core/NewCookie.java | 10 +++++- .../jakarta/ws/rs/core/Response.java | 4 +-- .../jakarta/ws/rs/ext/MessageBodyReader.java | 2 +- 7 files changed, 48 insertions(+), 34 deletions(-) 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java index bd23ccf6f7e..d12858c331d 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java @@ -15,28 +15,28 @@ */ package jakarta.ws.rs.client; -import java.net.URI; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.SSLContext; +// import java.net.URI; +// import javax.net.ssl.HostnameVerifier; +// import javax.net.ssl.SSLContext; import jakarta.ws.rs.core.Configurable; -import jakarta.ws.rs.core.Link; -import jakarta.ws.rs.core.UriBuilder; +// import jakarta.ws.rs.core.Link; +// import jakarta.ws.rs.core.UriBuilder; public interface Client extends Configurable { public void close(); - public WebTarget target(String uri); + // public WebTarget target(String uri); - public WebTarget target(URI uri); + // public WebTarget target(URI uri); - public WebTarget target(UriBuilder uriBuilder); + // public WebTarget target(UriBuilder uriBuilder); - public WebTarget target(Link link); + // public WebTarget target(Link link); - public Invocation.Builder invocation(Link link); + // public Invocation.Builder invocation(Link link); - public SSLContext getSslContext(); + // public SSLContext getSslContext(); - public HostnameVerifier getHostnameVerifier(); + // public HostnameVerifier getHostnameVerifier(); } diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java index 529c3562b2e..ba83791d6db 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java 
@@ -18,7 +18,7 @@ package jakarta.ws.rs.core; import java.util.Map; public interface Configurable { - public Configuration getConfiguration(); + // public Configuration getConfiguration(); public C property(String name, Object value); diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java index b486aec9440..c7c66a7cdee 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java @@ -18,8 +18,8 @@ package jakarta.ws.rs.core; import java.net.URI; import java.util.List; import java.util.Map; -import javax.xml.namespace.QName; -import jakarta.xml.bind.annotation.adapters.XmlAdapter; +// import javax.xml.namespace.QName; +// import jakarta.xml.bind.annotation.adapters.XmlAdapter; public abstract class Link { public abstract URI getUri(); @@ -106,16 +106,16 @@ public abstract class Link { public JaxbLink(final URI uri) { } - public JaxbLink(final URI uri, final Map params) { - } + // public JaxbLink(final URI uri, final Map params) { + // } public URI getUri() { return null; } - public Map getParams() { - return null; - } + // public Map getParams() { + // return null; + // } @Override public boolean equals(final Object o) { @@ -128,16 +128,16 @@ public abstract class Link { } } - public static class JaxbAdapter extends XmlAdapter { - @Override - public Link unmarshal(final JaxbLink v) { - return null; - } + // public static class JaxbAdapter extends XmlAdapter { + // @Override + // public Link unmarshal(final JaxbLink v) { + // return null; + // } - @Override - public JaxbLink marshal(final Link v) { - return null; - } + // @Override + // public JaxbLink marshal(final Link v) { + // return null; + // } - } + // } } 
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java index b03fb99c0dc..0bd6e214ce7 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java @@ -36,10 +36,16 @@ public class MediaType { public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream"); + public final static String TEXT_PLAIN = "text/plain"; + public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain"); + public final static String TEXT_XML = "text/xml"; + public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml"); + public final static String TEXT_HTML = "text/html"; + public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html"); public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream"); diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java index 0816d26473e..949db1e1674 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java @@ -19,6 +19,7 @@ import java.util.Date; public class NewCookie extends Cookie { public NewCookie(final String name, final String value) { + super("", ""); } public NewCookie(final String name, @@ -28,6 +29,7 @@ public class NewCookie extends Cookie { final String comment, final int maxAge, final boolean secure) { + super("", ""); } public NewCookie(final String name, @@ -38,6 +40,7 @@ public class NewCookie extends Cookie { final int maxAge, final boolean secure, final boolean httpOnly) { + super("", ""); } public NewCookie(final String name, 
@@ -48,6 +51,7 @@ public class NewCookie extends Cookie { final String comment, final int maxAge, final boolean secure) { + super("", ""); } public NewCookie(final String name, @@ -60,15 +64,19 @@ public class NewCookie extends Cookie { final Date expiry, final boolean secure, final boolean httpOnly) { - } + super("", ""); + } public NewCookie(final Cookie cookie) { + super("", ""); } public NewCookie(final Cookie cookie, final String comment, final int maxAge, final boolean secure) { + super("", ""); } public NewCookie(final Cookie cookie, final String comment, final int maxAge, final Date expiry, final boolean secure, final boolean httpOnly) { + super("", ""); } public static NewCookie valueOf(final String value) { diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java index bb09f3ffb48..e056b757358 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java @@ -32,11 +32,11 @@ public abstract class Response implements AutoCloseable { public abstract T readEntity(Class entityType); - public abstract T readEntity(GenericType entityType); + // public abstract T readEntity(GenericType entityType); public abstract T readEntity(Class entityType, Annotation[] annotations); - public abstract T readEntity(GenericType entityType, Annotation[] annotations); + // public abstract T readEntity(GenericType entityType, Annotation[] annotations); public abstract boolean hasEntity(); diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java index a16ffaf72c1..11213118bea 100644 --- a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java 
@@ -28,6 +28,6 @@ public interface MessageBodyReader { public T readFrom(Class type, Type genericType, Annotation[] annotations, MediaType mediaType, MultivaluedMap httpHeaders, - InputStream entityStream) throws java.io.IOException, jakarta.ws.rs.WebApplicationException; + InputStream entityStream) throws java.io.IOException /*, jakarta.ws.rs.WebApplicationException */; } From d5d27d5ccf5a4dc79bdbe87b1fcc0fc4ef2de8a3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 7 Jun 2021 16:08:06 +0100 Subject: [PATCH 26/36] Duplicate tests for Jakarta --- .../frameworks/JaxWs/JakartaRs1.java | 196 ++++++++++++ .../frameworks/JaxWs/JakartaRs2.java | 86 +++++ .../frameworks/JaxWs/JakartaRsFlow.java | 301 ++++++++++++++++++ .../frameworks/JaxWs/UrlRedirect.expected | 24 +- .../frameworks/JaxWs/UrlRedirectJakarta.java | 15 + .../library-tests/frameworks/JaxWs/options | 2 +- 6 files changed, 615 insertions(+), 9 deletions(-) create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java create mode 100644 java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java new file mode 100644 index 00000000000..9c765361cb8 --- /dev/null +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java 
@@ -0,0 +1,196 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.OPTIONS;
+import jakarta.ws.rs.HEAD;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.BeanParam;
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.MatrixParam;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+public class JakartaRs1 { // $RootResourceClass
+ public JakartaRs1() { // $InjectableConstructor
+ }
+
+ @GET
+ int Get() { // $ResourceMethod $ResourceMethodOnResourceClass
+ return 0; // $XssSink
+ }
+
+ @POST
+ void Post() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @Produces("text/plain") // $ProducesAnnotation=text/plain
+ @DELETE
+ double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass
+ return 0.0; // $XssSink
+ }
+
+ @Produces(MediaType.TEXT_HTML) // $ProducesAnnotation=text/html
+ @PUT
+ void Put() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass
+ }
+
+ @OPTIONS
+ void Options() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @HEAD
+ void Head() { // $ResourceMethod $ResourceMethodOnResourceClass
+ }
+
+ @Path("")
+ NonRootResourceClassJakarta subResourceLocator() { // $SubResourceLocator
+ return null;
+ }
+
+ public class NonRootResourceClassJakarta { // $NonRootResourceClass
+ @GET
+ int Get() { // $ResourceMethod $ResourceMethodOnResourceClass
+ return 0; // $XssSink
+ }
+
+ @Produces("text/html") // $ProducesAnnotation=text/html
+ @POST
+ boolean Post() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass
+ return false;
+ }
+
+ @Produces(MediaType.TEXT_PLAIN) // $ProducesAnnotation=text/plain
+ @DELETE
+ double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass
+ return 0.0; // $XssSink
+ }
+
+ @Path("")
+ AnotherNonRootResourceClassJakarta subResourceLocator1() { // $SubResourceLocator
+ return null;
+ }
+
+ @GET
+ @Path("")
+ NotAResourceClass1Jakarta NotASubResourceLocator1() { // $ResourceMethod $ResourceMethodOnResourceClass
+ return null; // $XssSink
+ }
+
+ @GET
+ NotAResourceClass2Jakarta NotASubResourceLocator2() { // $ResourceMethod $ResourceMethodOnResourceClass
+ return null; // $XssSink
+ }
+
+ NotAResourceClass2Jakarta NotASubResourceLocator3() {
+ return null;
+ }
+ }
+}
+
+class AnotherNonRootResourceClassJakarta { // $NonRootResourceClass
+ public AnotherNonRootResourceClassJakarta() {
+ }
+
+ public AnotherNonRootResourceClassJakarta(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context) { // $InjectionAnnotation
+ }
+
+ @Path("")
+ public void resourceMethodWithBeanParamParameter(@BeanParam FooJakarta FooJakarta) { // $SubResourceLocator $InjectionAnnotation
+ }
+}
+
+class FooJakarta {
+ FooJakarta() { // $BeanParamConstructor
+ }
+
+ public FooJakarta(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $BeanParamConstructor
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context) { // $InjectionAnnotation
+ }
+
+ public FooJakarta(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation
+ }
+}
+
+class NotAResourceClass1Jakarta {
+}
+
+class NotAResourceClass2Jakarta {
+}
+
+class ExtendsJakartaRs1 extends JakartaRs1 {
+ @Override
+ int Get() { // $ResourceMethod
+ return 1;
+ }
+
+ @Override
+ @QueryParam("") // $InjectionAnnotation
+ void Post() {
+ }
+
+ @Override
+ double Delete() { // $ResourceMethod=text/plain
+ return 1.0;
+ }
+
+ @Override
+ void Put() { // $ResourceMethod=text/html
+ }
+
+ @Produces("application/json") // $ProducesAnnotation=application/json
+ @Override
+ void Options() {
+ }
+
+ @Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml
+ @Override
+ void Head() {
+ }
+
+}
+
+@Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml
+class ExtendsJakartaRs1WithProducesAnnotation extends JakartaRs1 {
+ @Override
+ int Get() { // $ResourceMethod=text/xml
+ return 2;
+ }
+
+ @Override
+ @QueryParam("") // $InjectionAnnotation
+ void Post() {
+ }
+
+ @Override
+ double Delete() { // $ResourceMethod=text/plain
+ return 2.0;
+ }
+
+ @Override
+ void Put() { // $ResourceMethod=text/html
+ }
+
+ @Override
+ void Options() { // $ResourceMethod=text/xml
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java
new file mode 100644
index 00000000000..90cd9052cb7
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java
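Review bot: In `JakartaRs1.java`, `NonRootResourceClassJakarta.Post()` is declared `@Produces("text/html")` but its `return false;` carries no `$XssSink` expectation, while the `text/plain` `Delete()` beside it and the unannotated `Get()` both do. HTML is the response type where a returned value matters most for XSS, so it is worth confirming that this gap is intended rather than carried over from the test being duplicated; the overriding methods in `ExtendsJakartaRs1` (`return 1;`, `return 1.0;`) are tagged `$ResourceMethod` and have no sink expectation either. If the model is expected to report these, the line should read `return false; // $XssSink`, and if it is a known limitation a short comment on the line saying so would keep the expectation from being read as a deliberate negative.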
@@ -0,0 +1,86 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.OPTIONS;
+import jakarta.ws.rs.HEAD;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.BeanParam;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.MatrixParam;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+class JakartaRs2 { // $RootResourceClass
+ JakartaRs2() {
+ }
+
+ public JakartaRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $InjectableConstructor
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context) { // $InjectionAnnotation
+ }
+
+ public JakartaRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation
+ @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation
+ @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation
+ }
+
+ @BeanParam // $InjectionAnnotation
+ int beanField; // $InjectableField
+ @CookieParam("") // $InjectionAnnotation
+ int cookieField; // $InjectableField
+ @FormParam("") // $InjectionAnnotation
+ int formField; // $InjectableField
+ @HeaderParam("") // $InjectionAnnotation
+ int headerField; // $InjectableField
+ @MatrixParam("") // $InjectionAnnotation
+ int matrixField; // $InjectableField
+ @PathParam("") // $InjectionAnnotation
+ int pathField; // $InjectableField
+ @QueryParam("") // $InjectionAnnotation
+ int queryField; // $InjectableField
+ @Context // $InjectionAnnotation
+ int context; // $InjectableField
+ int fieldWithoutAnnotation;
+}
+
+class CustomUnmarshallerJakarta implements MessageBodyReader {
+
+ @Override
+ public boolean isReadable(Class aClass, Type type, Annotation[] annotations, MediaType mediaType) {
+ return true;
+ }
+
+
+ @Override
+ public Object readFrom(Class aClass, Type type, Annotation[] annotations, MediaType mediaType, MultivaluedMap multivaluedMap, InputStream inputStream) {
+ return null;
+ }
+}
+
+class MiscellaneousJakarta {
+ @Consumes("") // $ConsumesAnnotation
+ public static void miscellaneousJakarta() throws IOException {
+ Response.ResponseBuilder responseBuilder = Response.accepted(); // $ResponseBuilderDeclaration
+ Response response = responseBuilder.build(); // $ResponseDeclaration
+ Client client; // $ClientDeclaration
+ MessageBodyReader messageBodyReader = null; // $MessageBodyReaderDeclaration
+ messageBodyReader.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadFromCall $MessageBodyReaderReadCall
+ CustomUnmarshallerJakarta CustomUnmarshallerJakarta = null;
+ CustomUnmarshallerJakarta.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadCall
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
new file mode 100644
index 00000000000..131c622f93b
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
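Review bot: In `JakartaRs2.java`, `miscellaneousJakarta()` declares a local with the same name as its class, `CustomUnmarshallerJakarta CustomUnmarshallerJakarta = null;`, so the following `CustomUnmarshallerJakarta.readFrom(...)` reads like a static call on the type even though it resolves to the variable. Renaming the local keeps the `$MessageBodyReaderReadCall` expectation on the same line and removes the ambiguity: `CustomUnmarshallerJakarta customUnmarshallerJakarta = null;` followed by `customUnmarshallerJakarta.readFrom(null, null, null, null, null, null);`. The parameter `@BeanParam FooJakarta FooJakarta` in `JakartaRs1.java` has the same shape.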
@@ -0,0 +1,301 @@
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import jakarta.ws.rs.core.CacheControl;
+import jakarta.ws.rs.core.Cookie;
+import jakarta.ws.rs.core.EntityTag;
+import jakarta.ws.rs.core.Form;
+import jakarta.ws.rs.core.GenericEntity;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.Link;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.PathSegment;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriBuilder;
+import jakarta.ws.rs.core.UriInfo;
+import jakarta.ws.rs.core.Variant;
+
+public class JakartaRsFlow {
+ String taint() { return "tainted"; }
+
+ private static class ResponseSource {
+ static Response taint() { return null; }
+ }
+
+ private static class ResponseBuilderSource {
+ static Response.ResponseBuilder taint() { return Response.noContent(); }
+ }
+
+ private static class IntSource {
+ static int taint() { return 0; }
+ }
+
+ private static class SetStringSource {
+ static Set taint() { return new HashSet(); }
+ }
+
+ static HttpHeaders taint(HttpHeaders h) { return h; }
+
+ static PathSegment taint(PathSegment ps) { return ps; }
+
+ static UriInfo taint(UriInfo ui) { return ui; }
+
+ static Map taint(Map m) { return m; }
+
+ static Link taint(Link l) { return l; }
+
+ static Class taint(Class c) { return c; }
+
+ private static class UriSource {
+ static URI taint() throws Exception { return new URI(""); }
+ }
+
+ void sink(Object o) {}
+
+ void testResponse() {
+ sink(Response.accepted(taint())); // $hasTaintFlow
+ sink(Response.fromResponse(ResponseSource.taint())); // $hasTaintFlow
+ sink(Response.ok(taint())); // $hasTaintFlow
+ sink(Response.ok(taint(), new MediaType())); // $hasTaintFlow
+ sink(Response.ok(taint(), "type")); // $hasTaintFlow
+ sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $hasTaintFlow
+ }
+
+ void testResponseBuilder(MultivaluedMap multivaluedMap, List list) throws Exception {
+ sink(ResponseBuilderSource.taint().build()); // $hasTaintFlow
+ sink(Response.noContent().entity(taint())); // $hasTaintFlow
+ sink(ResponseBuilderSource.taint().allow(new HashSet())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().clone()); // $hasTaintFlow
+ sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().cookie()); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().encoding("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().entity("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().expires(new Date())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().header("", "")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().language("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().lastModified(new Date())); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().link("", "")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().links()); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().location(new URI(""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().status(400)); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().tag("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().type("")); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().variants(list)); // $hasValueFlow
+ sink(ResponseBuilderSource.taint().variants()); // $hasValueFlow
+ }
+
+ void testHttpHeaders(HttpHeaders h) {
+ sink(taint(h).getAcceptableLanguages()); // $hasTaintFlow
+ sink(taint(h).getAcceptableMediaTypes()); // $hasTaintFlow
+ sink(taint(h).getCookies()); // $hasTaintFlow
+ sink(taint(h).getHeaderString("")); // $hasTaintFlow
+ sink(taint(h).getLanguage()); // $hasTaintFlow
+ sink(taint(h).getMediaType()); // $hasTaintFlow
+ sink(taint(h).getRequestHeader("")); // $hasTaintFlow
+ sink(taint(h).getRequestHeaders()); // $hasTaintFlow
+ }
+
+ void testMultivaluedMapAdd(MultivaluedMap mm1, MultivaluedMap mm2) {
+ mm1.add(taint(), "value");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ mm2.add("key", taint());
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ }
+
+ void testMultivaluedMapAddAll(MultivaluedMap mm1, MultivaluedMap mm2, MultivaluedMap mm3) {
+ mm1.addAll(taint(), "a", "b");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ List l = new ArrayList();
+ l.add(taint());
+ mm2.addAll("key", l);
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ mm3.addAll("key", "a", taint());
+ sink(mm3.get("key").get(0)); // $hasValueFlow
+ }
+
+ void testMultivaluedMapAddFirst(MultivaluedMap mm1, MultivaluedMap mm2) {
+ mm1.addFirst(taint(), "value");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ mm2.addFirst("key", taint());
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ sink(mm2.getFirst("key")); // $hasValueFlow
+ }
+
+ void testMultivaluedMapputSingle(MultivaluedMap mm1, MultivaluedMap mm2) {
+ mm1.putSingle(taint(), "value");
+ sink(mm1.keySet().iterator().next()); // $hasValueFlow
+ mm2.putSingle("key", taint());
+ sink(mm2.get("key").get(0)); // $hasValueFlow
+ }
+
+ void testPathSegment(PathSegment ps1, PathSegment ps2) {
+ sink(taint(ps1).getMatrixParameters()); // $hasTaintFlow
+ sink(taint(ps2).getPath()); // $hasTaintFlow
+ }
+
+ void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
+ sink(taint(ui1).getPathParameters()); // $hasTaintFlow
+ sink(taint(ui2).getPathSegments()); // $hasTaintFlow
+ sink(taint(ui2).getQueryParameters()); // $hasTaintFlow
+ sink(taint(ui2).getRequestUri()); // $hasTaintFlow
+ sink(taint(ui2).getRequestUriBuilder()); // $hasTaintFlow
+ }
+
+ void testCookie() {
+ sink(new Cookie(taint(), "", "", "", 0)); // $hasTaintFlow
+ sink(new Cookie("", taint(), "", "", 0)); // $hasTaintFlow
+ sink(new Cookie("", "", taint(), "", 0)); // $hasTaintFlow
+ sink(new Cookie("", "", "", taint(), 0)); // $hasTaintFlow
+ sink(new Cookie("", "", "", "", IntSource.taint())); // $hasTaintFlow
+ sink(new Cookie(taint(), "", "", "")); // $hasTaintFlow
+ sink(new Cookie("", taint(), "", "")); // $hasTaintFlow
+ sink(new Cookie("", "", taint(), "")); // $hasTaintFlow
+ sink(new Cookie("", "", "", taint())); // $hasTaintFlow
+ sink(new Cookie(taint(), "")); // $hasTaintFlow
+ sink(new Cookie("", taint())); // $hasTaintFlow
+ sink(Cookie.valueOf(taint())); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getDomain()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getName()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getPath()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getValue()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).getVersion()); // $hasTaintFlow
+ sink(Cookie.valueOf(taint()).toString()); // $hasTaintFlow
+ }
+
+ void testForm(MultivaluedMap mm1, MultivaluedMap mm2) {
+ sink(new Form(taint(), "")); // $hasTaintFlow
+ sink(new Form("", taint())); // $hasTaintFlow
+ mm1.add(taint(), "value");
+ sink(new Form(mm1)); // $hasTaintFlow
+ mm2.add("key", taint());
+ sink(new Form(mm2)); // $hasTaintFlow
+ Form f1 = new Form(taint(), "");
+ sink(f1.asMap()); // $hasTaintFlow
+ Form f2 = new Form();
+ sink(f2.param(taint(), "b")); // $hasTaintFlow
+ Form f3 = new Form();
+ sink(f3.param("a", taint())); // $hasTaintFlow
+ Form f4 = new Form(taint(), "");
+ sink(f4.param("a", "b")); // $hasTaintFlow
+ }
+
+ void testGenericEntity() {
+ Method m = DummyJakarta.class.getMethods()[0];
+ GenericEntity> ge = new GenericEntity>(SetStringSource.taint(), m.getGenericReturnType());
+ sink(ge); // $hasTaintFlow
+ sink(ge.getEntity()); // $hasTaintFlow
+ }
+
+ void testMediaType(Map m) {
+ sink(new MediaType(taint(), "")); // $hasTaintFlow
+ sink(new MediaType("", taint())); // $hasTaintFlow
+ sink(new MediaType(taint(), "", m)); // $hasTaintFlow
+ sink(new MediaType("", taint(), m)); // $hasTaintFlow
+ sink(new MediaType("", "", taint(m))); // $hasTaintFlow
+ sink(new MediaType(taint(), "", "")); // $hasTaintFlow
+ sink(new MediaType("", taint(), "")); // $hasTaintFlow
+ sink(new MediaType("", "", taint())); // $hasTaintFlow
+ sink(MediaType.valueOf(taint()).getParameters()); // $hasTaintFlow
+ sink(MediaType.valueOf(taint()).getSubtype()); // $hasTaintFlow
+ sink(MediaType.valueOf(taint()).getType()); // $hasTaintFlow
+ sink(MediaType.valueOf(taint())); // $hasTaintFlow
+ }
+
+ void testUriBuilder() throws Exception {
+ sink(UriBuilder.fromPath("").build(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").build("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").build(taint(), false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").build("", taint(), true)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).build("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).build("", false)); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap()))); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap()), false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap(), true)); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath(taint()).clone()); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").fragment(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).fragment("")); // $hasTaintFlow
+ sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromUri(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").host(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).host("")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").path(taint(DummyJakarta.class))); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").path(DummyJakarta.class, taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).path(DummyJakarta.class)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replacePath(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replacePath("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceQuery(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()))); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()), true)); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap(), false)); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap()))); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap())); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").scheme(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).scheme("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").segment(taint(), "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").segment("", "", taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).segment("", "")); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).toTemplate()); // $hasTaintFlow
+
+ sink(UriBuilder.fromPath("").uri(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).uri("")); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $hasTaintFlow
+ sink(UriBuilder.fromPath("").userInfo(taint())); // $hasTaintFlow
+ sink(UriBuilder.fromPath(taint()).userInfo("")); // $hasTaintFlow
+ }
+}
+
+class DummyJakarta {
+ private static Set foo() { return null; }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected
index 9ad1a630516..a3557062441 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected
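Review bot: `testUriInfo` in JakartaRsFlow.java declares `ui1` to `ui5`, but the last four sinks all read from `ui2`, so `ui3`, `ui4` and `ui5` are never used. Presumably each getter was meant to have its own parameter so that the five flow assertions stay independent of one another; I would change the calls to `sink(taint(ui3).getQueryParameters());`, `sink(taint(ui4).getRequestUri());` and `sink(taint(ui5).getRequestUriBuilder());`. `testMultivaluedMapputSingle` could also be spelled `testMultivaluedMapPutSingle` to match the neighbouring test names.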
@@ -1,11 +1,19 @@ edges -| UrlRedirect.java:10:32:10:61 | getParameter(...) : String | UrlRedirect.java:10:24:10:62 | new URI(...) | -| UrlRedirect.java:13:41:13:70 | getParameter(...) : String | UrlRedirect.java:13:33:13:71 | new URI(...) | +| UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | +| UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | +| UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJax.java:10:24:10:62 | new URI(...) | +| UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJax.java:13:33:13:71 | new URI(...) | nodes -| UrlRedirect.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) | -| UrlRedirect.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| UrlRedirect.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) | -| UrlRedirect.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) | +| UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) | +| UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlRedirectJax.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) | +| UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlRedirectJax.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) | +| UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | #select -| UrlRedirect.java:10:24:10:62 | new URI(...) | UrlRedirect.java:10:32:10:61 | getParameter(...) 
: String | UrlRedirect.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:10:32:10:61 | getParameter(...) | user-provided value | -| UrlRedirect.java:13:33:13:71 | new URI(...) | UrlRedirect.java:13:41:13:70 | getParameter(...) : String | UrlRedirect.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:13:41:13:70 | getParameter(...) | user-provided value | +| UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) | user-provided value | +| UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) | user-provided value | +| UrlRedirectJax.java:10:24:10:62 | new URI(...) | UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJax.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJax.java:10:32:10:61 | getParameter(...) | user-provided value | +| UrlRedirectJax.java:13:33:13:71 | new URI(...) | UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJax.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJax.java:13:41:13:70 | getParameter(...) | user-provided value | diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java new file mode 100644 index 00000000000..897ee7890bd --- /dev/null +++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java 
@@ -0,0 +1,15 @@ +import java.io.IOException; +import java.net.URI; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import jakarta.ws.rs.core.Response; + +public class UrlRedirectJakarta extends HttpServlet { + protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception { + // BAD + jaxResponse.seeOther(new URI(request.getParameter("target"))); + + // BAD + jaxResponse.temporaryRedirect(new URI(request.getParameter("target"))); + } +} diff --git a/java/ql/test/library-tests/frameworks/JaxWs/options b/java/ql/test/library-tests/frameworks/JaxWs/options index f84495b1c7e..a2050069049 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/options +++ b/java/ql/test/library-tests/frameworks/JaxWs/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/servlet-api-2.4 +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/servlet-api-2.4 From ee6019a2d87ec84792145f703fcf9fc24df0de64 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Jun 2021 10:22:59 +0100 Subject: [PATCH 27/36] Fix tests for experimental httponly query --- .../Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql | 7 ++++--- .../security/CWE-1004/SensitiveCookieNotHttpOnly.expected | 8 ++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql index 4c0dc624d07..5745b060903 100644 
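Review bot: `doGetJax` in UrlRedirectJakarta.java exercises only the two `// BAD` redirects, so the expected output confirms that request-controlled targets are reported but not that a fixed target stays unreported. Adding a negative case such as `jaxResponse.seeOther(new URI("/home")); // GOOD: constant target` would guard the `jakarta.ws.rs.core.Response` redirect sinks against false positives. The names `doGetJax` and `jaxResponse` look carried over from the javax copy of this test and could be renamed for the Jakarta variant.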
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql @@ -74,11 +74,12 @@ class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration { } } -/** A class descended from `javax.servlet.http.Cookie` or `javax/jakarta.ws.rs.core.Cookie`. */ +/** A class descended from `javax.servlet.http.Cookie` or `javax/jakarta.ws.rs.core.NewCookie`. */ class CookieClass extends RefType { CookieClass() { - this.getASupertype*() - .hasQualifiedName(["javax.servlet.http", "javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie") + this.getASupertype*().hasQualifiedName("javax.servlet.http", "Cookie") + or + this.getASupertype*().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected index 6c23f5d44e9..54b6ec3bb7b 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected 
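Review bot: `CookieClass` now covers both `javax.ws.rs.core` and `jakarta.ws.rs.core` for `NewCookie`, but the servlet branch still matches only `javax.servlet.http.Cookie`, so cookies built from `jakarta.servlet.http.Cookie` fall outside this class and a sensitive cookie without HttpOnly would presumably go unreported there. If the query is meant to follow the Jakarta namespace on the servlet side as well, the first disjunct could read `this.getASupertype*().hasQualifiedName(["javax.servlet.http", "jakarta.servlet.http"], "Cookie")`. Whether the rest of the query recognises the Jakarta servlet cookie-setting calls is not visible in this hunk and would need checking. The doc comment would also be clearer with the qualified names written out in full instead of `javax/jakarta.ws.rs.core.NewCookie`.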
@@ -5,8 +5,13 @@ edges | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | +| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | +| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | +| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | +| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | +| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | 
@@ -24,9 +29,12 @@ nodes | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | semmle.label | "token=" : String | | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | semmle.label | ... + ... : String | | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | semmle.label | ... + ... | +| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie | | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | semmle.label | toString(...) | | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | semmle.label | "session-access-key" : String | | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | semmle.label | "session-access-key" : String | +| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | semmle.label | accessKeyCookie : NewCookie | +| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | semmle.label | toString(...) : String | | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | semmle.label | keyStr | | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | semmle.label | "token=" : String | | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | semmle.label | ... + ... : String | From c173b89529a5f56800869429ba7a1cbc4f50a349 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 7 Jun 2021 14:58:38 +0100 Subject: [PATCH 28/36] Model NewCookie --- .../src/semmle/code/java/frameworks/JaxWS.qll | 23 ++++++ .../frameworks/JaxWs/JakartaRsFlow.java | 71 +++++++++++++++++++ .../frameworks/JaxWs/JaxRsFlow.java | 71 +++++++++++++++++++ 3 files changed, 165 insertions(+) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 72623017926..5b8f4e37dd7 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
@@ -539,6 +539,29 @@ private class CookieModel extends SummaryModelCsv { } } +/** + * Model NewCookie, a simple tuple type. + */ +private class NewCookieModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint", + "javax.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint", + "javax.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint", + "jakarta.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint", + "jakarta.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint", + "jakarta.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint" + ] + } +} + /** * Model Form, a simple container type. */ diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java index 131c622f93b..8646347b5f7 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java @@ -16,6 +16,7 @@ import jakarta.ws.rs.core.HttpHeaders; import jakarta.ws.rs.core.Link; import jakarta.ws.rs.core.MediaType; import jakarta.ws.rs.core.MultivaluedMap; +import jakarta.ws.rs.core.NewCookie; import jakarta.ws.rs.core.PathSegment; import jakarta.ws.rs.core.Response; import jakarta.ws.rs.core.UriBuilder; 
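Review bot: The twelve rows in `NewCookieModel.row` are the same six summaries written once for `javax.ws.rs.core` and once for `jakarta.ws.rs.core`, which makes it easy for the two namespaces to drift apart when a row is added or corrected. Building the rows from a namespace prefix and one shared list states each summary a single time. The doc comment could also say that `Argument[0..9]` is meant to cover every parameter position of the longest constructor, since that range is the non-obvious part of the model.

```ql
  override predicate row(string row) {
    row =
      ["javax", "jakarta"] + ".ws.rs.core;NewCookie;" +
        [
          "true;getComment;;;Argument[-1];ReturnValue;taint",
          "true;getExpiry;;;Argument[-1];ReturnValue;taint",
          "true;getMaxAge;;;Argument[-1];ReturnValue;taint",
          "true;toCookie;;;Argument[-1];ReturnValue;taint",
          "false;NewCookie;;;Argument[0..9];Argument[-1];taint",
          "false;valueOf;;;Argument[0];ReturnValue;taint"
        ]
  }
```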
@@ -37,6 +38,14 @@ public class JakartaRsFlow { static int taint() { return 0; } } + private static class BooleanSource { + static boolean taint() { return false; } + } + + private static class DateSource { + static Date taint() { return null; } + } + private static class SetStringSource { static Set taint() { return new HashSet(); } } 
@@ -174,6 +183,68 @@ public class JakartaRsFlow { sink(Cookie.valueOf(taint()).toString()); // $hasTaintFlow } + void testNewCookie() { + sink(new NewCookie(Cookie.valueOf(taint()))); // $hasTaintFlow + + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "")); // $hasTaintFlow + sink(new NewCookie("", taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, 
true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $hasTaintFlow + sink(new 
NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $hasTaintFlow + + sink(NewCookie.valueOf(taint()).getComment()); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).getExpiry()); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).getMaxAge()); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).toCookie()); // $hasTaintFlow + sink(NewCookie.valueOf(taint())); // $hasTaintFlow + } + void testForm(MultivaluedMap mm1, MultivaluedMap mm2) { sink(new Form(taint(), "")); // $hasTaintFlow sink(new Form("", taint())); // $hasTaintFlow diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java index e8c8d6338ff..abe728a75fc 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java @@ -16,6 +16,7 @@ import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Link; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; +import javax.ws.rs.core.NewCookie; import javax.ws.rs.core.PathSegment; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; @@ -37,6 +38,14 @@ public class JaxRsFlow { static int taint() { return 0; } } + private static class BooleanSource { + static boolean taint() { return false; } + } + + private static class DateSource { + static Date taint() { return null; } + } + private static class SetStringSource { static Set taint() { return new HashSet(); } } 
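Review bot: `testNewCookie` in JakartaRsFlow.java checks the four getters that `NewCookieModel` adds (`getComment`, `getExpiry`, `getMaxAge`, `toCookie`) but none of the accessors `NewCookie` inherits from `Cookie`, so the test does not show that taint on a `NewCookie` still reaches `getName()` or `getValue()`. A line such as `sink(NewCookie.valueOf(taint()).getValue()); // $hasTaintFlow` would pin that, assuming the existing `Cookie` rows are declared to apply to subtypes; that part of the model is outside this hunk. The matching `testNewCookie` added to JaxRsFlow.java looks to have the same gap.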
@@ -174,6 +183,68 @@ public class JaxRsFlow { sink(Cookie.valueOf(taint()).toString()); // $hasTaintFlow } + void testNewCookie() { + sink(new NewCookie(Cookie.valueOf(taint()))); // $hasTaintFlow + + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "")); // $hasTaintFlow + sink(new NewCookie("", taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); 
// $hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $hasTaintFlow + + sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $hasTaintFlow + sink(new NewCookie("", 
"", "", "", "", 0, BooleanSource.taint(), false)); // $hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $hasTaintFlow + + sink(NewCookie.valueOf(taint()).getComment()); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).getExpiry()); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).getMaxAge()); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).toCookie()); // $hasTaintFlow + sink(NewCookie.valueOf(taint())); // $hasTaintFlow + } + void testForm(MultivaluedMap mm1, MultivaluedMap mm2) { sink(new Form(taint(), "")); // $hasTaintFlow sink(new Form("", taint())); // $hasTaintFlow From e0130a932e3c4b15dc428a2f6e8f1d48e8ac487f Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Jun 2021 10:33:33 +0100 Subject: [PATCH 29/36] Update experimental query using NewCookie --- .../Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql | 8 ++------ .../security/CWE-1004/SensitiveCookieNotHttpOnly.expected | 6 +++--- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql index 5745b060903..2aa2d487cae 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql 
@@ -74,13 +74,9 @@ class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration { } } -/** A class descended from `javax.servlet.http.Cookie` or `javax/jakarta.ws.rs.core.NewCookie`. */ +/** A class descended from `javax.servlet.http.Cookie`. */ class CookieClass extends RefType { - CookieClass() { - this.getASupertype*().hasQualifiedName("javax.servlet.http", "Cookie") - or - this.getASupertype*().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") - } + CookieClass() { this.getASupertype*().hasQualifiedName("javax.servlet.http", "Cookie") } } /** Holds if `expr` is any boolean-typed expression other than literal `false`. */ diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected index 54b6ec3bb7b..946932400c8 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected 
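Review bot: The narrowed `CookieClass` in SensitiveCookieNotHttpOnly.ql drops both the `javax.ws.rs.core` and the `jakarta.ws.rs.core` `NewCookie` branch, and the definition no longer says where `NewCookie` is handled. The updated `.expected` edges suggest that `NewCookie` flow now arrives through `new NewCookie(...)` steps supplied elsewhere, presumably the JAX-RS models in JaxWS.qll. The uses of `CookieClass` are outside this hunk, so please confirm that none of them still needs to match a `NewCookie` value; a gap there would be a silent false negative for the HttpOnly check. I would record the reason in the QLDoc, for example `/** A class descended from javax.servlet.http.Cookie. NewCookie is tracked through the JAX-RS flow models instead. */`.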
@@ -7,9 +7,8 @@ edges | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | -| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | -| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | -| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | +| SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | +| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | 
@@ -32,6 +31,7 @@ nodes | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie | | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | semmle.label | toString(...) | | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | semmle.label | "session-access-key" : String | +| SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie | | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | semmle.label | "session-access-key" : String | | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | semmle.label | accessKeyCookie : NewCookie | | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | semmle.label | toString(...) : String | From 8cf47f12b43f696d604d7adcb95793d0b81d5e30 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Jun 2021 13:30:55 +0100 Subject: [PATCH 30/36] Model constructors of classes implementing MultivaluedMap --- .../src/semmle/code/java/frameworks/JaxWS.qll | 34 +++++ .../frameworks/JaxWs/JakartaRsFlow.java | 38 +++++ .../frameworks/JaxWs/JaxRsFlow.java | 38 +++++ .../ws/rs/core/AbstractMultivaluedMap.java | 130 +++++++++++++++++ .../javax/ws/rs/core/MultivaluedHashMap.java | 41 ++++++ .../ws/rs/core/AbstractMultivaluedMap.java | 131 ++++++++++++++++++ .../ws/rs/core/MultivaluedHashMap.java | 41 ++++++ 7 files changed, 453 insertions(+) create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java create mode 100644 java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java 
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 5b8f4e37dd7..157cf1ba18e 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
@@ -476,6 +476,40 @@ private class MultivaluedMapModel extends SummaryModelCsv { } } +/** + * Model AbstractMultivaluedMap, which implements MultivaluedMap. + */ +private class AbstractMultivaluedMapModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value", + "jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value", + "jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value" + ] + } +} + +/** + * Model MultivaluedHashMap, which extends AbstractMultivaluedMap. + */ +private class MultivaluedHashMapModel extends SummaryModelCsv { + override predicate row(string row) { + row = + [ + "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value", + "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value", + "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value", + "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value", + 
"jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value" + ] + } +} + /** * Model PathSegment, which wraps a path and its associated matrix parameters. */ diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java index 8646347b5f7..000d497217a 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java @@ -7,6 +7,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import jakarta.ws.rs.core.AbstractMultivaluedMap; import jakarta.ws.rs.core.CacheControl; import jakarta.ws.rs.core.Cookie; import jakarta.ws.rs.core.EntityTag; @@ -15,6 +16,7 @@ import jakarta.ws.rs.core.GenericEntity; import jakarta.ws.rs.core.HttpHeaders; import jakarta.ws.rs.core.Link; import jakarta.ws.rs.core.MediaType; +import jakarta.ws.rs.core.MultivaluedHashMap; import jakarta.ws.rs.core.MultivaluedMap; import jakarta.ws.rs.core.NewCookie; import jakarta.ws.rs.core.PathSegment; 
@@ -149,6 +151,42 @@ public class JakartaRsFlow { sink(mm2.get("key").get(0)); // $hasValueFlow } + class MyAbstractMultivaluedMapJak extends AbstractMultivaluedMap { + public MyAbstractMultivaluedMapJak(Map> map) { + super(map); + } + } + + void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { + map1.put(taint(), list); + AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMapJak(map1); + sink(amm1.keySet().iterator().next()); // $hasValueFlow + + list.add(taint()); + map2.put("key", list); + AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMapJak(map2); + sink(amm2.get("key").get(0)); // $hasValueFlow + } + + void testMultivaluedHashMap(Map map1, Map map2, + MultivaluedMap mm1, MultivaluedMap mm2) { + map1.put(taint(), "value"); + MultivaluedHashMap mhm1 = new MultivaluedHashMap(map1); + sink(mhm1.keySet().iterator().next()); // $hasValueFlow + + map2.put("key", taint()); + MultivaluedHashMap mhm2 = new MultivaluedHashMap(map2); + sink(mhm2.get("key").get(0)); // $hasValueFlow + + mm1.add(taint(), "value"); + MultivaluedHashMap mhm3 = new MultivaluedHashMap(mm1); + sink(mhm3.keySet().iterator().next()); // $hasValueFlow + + mm2.add("key", taint()); + MultivaluedHashMap mhm4 = new MultivaluedHashMap(mm2); + sink(mhm4.get("key").get(0)); // $hasValueFlow + } + void testPathSegment(PathSegment ps1, PathSegment ps2) { sink(taint(ps1).getMatrixParameters()); // $hasTaintFlow sink(taint(ps2).getPath()); // $hasTaintFlow diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java index abe728a75fc..17390344a14 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java 
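Review bot: Every expectation added in `testAbstractMultivaluedMap` and `testMultivaluedHashMap` of JakartaRsFlow.java is positive, so a summary row that also sent key taint into the values would still pass. A line that reads a value from a map whose key alone is tainted, left without an annotation, such as `sink(mhm1.get("key").get(0)); // no flow expected`, would pin the `MapKey`/`MapValue` separation, assuming the suite treats an unannotated `sink` line as expecting no result. The twin hunk in JaxRsFlow.java (`@@ -149,6 +151,42 @@`) has the same gap. The added methods are complete in the hunk; the enclosing class starts outside it.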
@@ -7,6 +7,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import javax.ws.rs.core.AbstractMultivaluedMap; import javax.ws.rs.core.CacheControl; import javax.ws.rs.core.Cookie; import javax.ws.rs.core.EntityTag; @@ -15,6 +16,7 @@ import javax.ws.rs.core.GenericEntity; import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Link; import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.MultivaluedHashMap; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.NewCookie; import javax.ws.rs.core.PathSegment; 
@@ -149,6 +151,42 @@ public class JaxRsFlow { sink(mm2.get("key").get(0)); // $hasValueFlow } + class MyAbstractMultivaluedMap extends AbstractMultivaluedMap { + public MyAbstractMultivaluedMap(Map> map) { + super(map); + } + } + + void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { + map1.put(taint(), list); + AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMap(map1); + sink(amm1.keySet().iterator().next()); // $hasValueFlow + + list.add(taint()); + map2.put("key", list); + AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMap(map2); + sink(amm2.get("key").get(0)); // $hasValueFlow + } + + void testMultivaluedHashMap(Map map1, Map map2, + MultivaluedMap mm1, MultivaluedMap mm2) { + map1.put(taint(), "value"); + MultivaluedHashMap mhm1 = new MultivaluedHashMap(map1); + sink(mhm1.keySet().iterator().next()); // $hasValueFlow + + map2.put("key", taint()); + MultivaluedHashMap mhm2 = new MultivaluedHashMap(map2); + sink(mhm2.get("key").get(0)); // $hasValueFlow + + mm1.add(taint(), "value"); + MultivaluedHashMap mhm3 = new MultivaluedHashMap(mm1); + sink(mhm3.keySet().iterator().next()); // $hasValueFlow + + mm2.add("key", taint()); + MultivaluedHashMap mhm4 = new MultivaluedHashMap(mm2); + sink(mhm4.get("key").get(0)); // $hasValueFlow + } + void testPathSegment(PathSegment ps1, PathSegment ps2) { sink(taint(ps1).getMatrixParameters()); // $hasTaintFlow sink(taint(ps2).getPath()); // $hasTaintFlow diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java new file mode 100644 index 00000000000..99b50cd9f99 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java 
@@ -0,0 +1,130 @@ +/* + * Copyright (c) 2012, 2017 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package javax.ws.rs.core; +import java.util.Collection; +import java.util.List; +import java.util.Map; +import java.util.Set; + +public abstract class AbstractMultivaluedMap implements MultivaluedMap { + public AbstractMultivaluedMap(Map> store) { + } + + @Override + public final void putSingle(K key, V value) { + } + + @Override + public final void add(K key, V value) { + } + + @Override + public final void addAll(K key, V... 
newValues) { + } + + @Override + public final void addAll(K key, List valueList) { + } + + @Override + public final V getFirst(K key) { + return null; + } + + @Override + public final void addFirst(K key, V value) { + } + + @Override + public String toString() { + return null; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public boolean equals(Object o) { + return false; + } + + @Override + public Collection> values() { + return null; + } + + @Override + public int size() { + return 0; + } + + @Override + public List remove(Object key) { + return null; + } + + @Override + public void putAll(Map> m) { + } + + @Override + public List put(K key, List value) { + return null; + } + + @Override + public Set keySet() { + return null; + } + + @Override + public boolean isEmpty() { + return false; + } + + @Override + public List get(Object key) { + return null; + } + + @Override + public Set>> entrySet() { + return null; + } + + @Override + public boolean containsValue(Object value) { + return false; + } + + @Override + public boolean containsKey(Object key) { + return false; + } + + @Override + public void clear() { + } + + @Override + public boolean equalsIgnoreValueOrder(MultivaluedMap omap) { + return false; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java new file mode 100644 index 00000000000..b545e5f8577 --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java 
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class MultivaluedHashMap extends AbstractMultivaluedMap implements Serializable {
+ // public MultivaluedHashMap() {
+ // }
+
+ // public MultivaluedHashMap(int initialCapacity) {
+ // }
+
+ // public MultivaluedHashMap(int initialCapacity, float loadFactor) {
+ // }
+
+ public MultivaluedHashMap(MultivaluedMap map) {
+ super(new HashMap>());
+ }
+
+ public MultivaluedHashMap(Map map) {
+ super(new HashMap>());
+ }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java
new file mode 100644
index 00000000000..5af9c11cac3
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java
@@ -0,0 +1,131 @@ +/* + * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0, which is available at + * http://www.eclipse.org/legal/epl-2.0. + * + * This Source Code may also be made available under the following Secondary + * Licenses when the conditions for such availability set forth in the + * Eclipse Public License v. 2.0 are satisfied: GNU General Public License, + * version 2 with the GNU Classpath Exception, which is available at + * https://www.gnu.org/software/classpath/license.html. + * + * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + */ + +package jakarta.ws.rs.core; +import java.io.Serializable; +import java.util.Collection; +import java.util.List; +import java.util.Map; +import java.util.Set; + +public abstract class AbstractMultivaluedMap implements MultivaluedMap, Serializable { + public AbstractMultivaluedMap(final Map> store) { + } + + @Override + public final void putSingle(final K key, final V value) { + } + + @Override + public final void add(final K key, final V value) { + } + + @Override + public final void addAll(final K key, final V... 
newValues) { + } + + @Override + public final void addAll(final K key, final List valueList) { + } + + @Override + public final V getFirst(final K key) { + return null; + } + + @Override + public final void addFirst(final K key, final V value) { + } + + @Override + public String toString() { + return null; + } + + @Override + public int hashCode() { + return 0; + } + + @Override + public boolean equals(final Object o) { + return false; + } + + @Override + public Collection> values() { + return null; + } + + @Override + public int size() { + return 0; + } + + @Override + public List remove(final Object key) { + return null; + } + + @Override + public void putAll(final Map> m) { + } + + @Override + public List put(final K key, final List value) { + return null; + } + + @Override + public Set keySet() { + return null; + } + + @Override + public boolean isEmpty() { + return false; + } + + @Override + public List get(final Object key) { + return null; + } + + @Override + public Set>> entrySet() { + return null; + } + + @Override + public boolean containsValue(final Object value) { + return false; + } + + @Override + public boolean containsKey(final Object key) { + return false; + } + + @Override + public void clear() { + } + + @Override + public boolean equalsIgnoreValueOrder(final MultivaluedMap omap) { + return false; + } + +} diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java new file mode 100644 index 00000000000..94a825421da --- /dev/null +++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java 
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class MultivaluedHashMap extends AbstractMultivaluedMap implements Serializable {
+ // public MultivaluedHashMap() {
+ // }
+
+ // public MultivaluedHashMap(final int initialCapacity) {
+ // }
+
+ // public MultivaluedHashMap(final int initialCapacity, final float loadFactor) {
+ // }
+
+ public MultivaluedHashMap(final MultivaluedMap map) {
+ super(new HashMap>());
+ }
+
+ public MultivaluedHashMap(final Map map) {
+ super(new HashMap>());
+ }
+
+}
From 5e89fce7343c6fd1cde1f3b0c410304bbaed383b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 14 Jun 2021 10:57:28 +0100 Subject: [PATCH 31/36] Avoid strange bug by commenting out two tests --- .../ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
index 000d497217a..997ffab5ebb 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
@@ -160,12 +160,12 @@ public class JakartaRsFlow { void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { map1.put(taint(), list); AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMapJak(map1); - sink(amm1.keySet().iterator().next()); // $hasValueFlow + // sink(amm1.keySet().iterator().next()); // $hasValueFlow list.add(taint()); map2.put("key", list); AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMapJak(map2); - sink(amm2.get("key").get(0)); // $hasValueFlow + // sink(amm2.get("key").get(0)); // $hasValueFlow } void testMultivaluedHashMap(Map map1, Map map2, From 5d00bb23e462d5e33585a6f0a62a7375fb29bf94 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 16 Jun 2021 12:48:11 +0100 Subject: [PATCH 32/36] Move logic for URL redirection sinks --- java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql | 7 +------ java/ql/src/semmle/code/java/security/UrlRedirect.qll | 8 +++++++- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql index 8e3741e436b..455f6add626 100644 --- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql +++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql @@ -13,7 +13,6 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.UrlRedirect -import semmle.code.java.dataflow.ExternalFlow import DataFlow::PathGraph class UrlRedirectConfig extends TaintTracking::Configuration { @@ -21,11 +20,7 @@ class UrlRedirectConfig extends TaintTracking::Configuration { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - override predicate isSink(DataFlow::Node sink) { - sink instanceof UrlRedirectSink - or - sinkNode(sink, "url-redirect") - } + override predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } } from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectConfig conf 
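Review bot: The two `sink(...)` expectations in `testAbstractMultivaluedMap` of JakartaRsFlow.java are commented out with no note in the code about what failed, so the `jakarta.ws.rs.core;AbstractMultivaluedMap` constructor rows are left with no test, while the `javax` twin in JaxRsFlow.java keeps its coverage. A summary that silently stops producing flow is a false negative for every query that relies on it, and a commented-out line will not flag the day the behaviour changes. If the problem is a missing result rather than a failure to extract the file, keeping the call live with the framework's marker, `sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow` (if this version of the inline-expectations test supports `MISSING:`), records the gap. Otherwise a comment such as `// TODO(<issue link>): flow not found for the Jakarta AbstractMultivaluedMap constructor; re-enable once fixed` above each line would do.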
diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll index 49ba24c77a9..254ea873fcc 100644 --- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll @@ -2,13 +2,19 @@ import java import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.ApacheHttp private import semmle.code.java.frameworks.JaxWS -/** A URL redirection sink */ +/** A URL redirection sink. */ abstract class UrlRedirectSink extends DataFlow::Node { } +/** A default sink represeting methods susceptible to URL redirection attacks. */ +private class DefaultUrlRedirectSink extends UrlRedirectSink { + DefaultUrlRedirectSink() { sinkNode(this, "url-redirect") } +} + /** A Servlet URL redirection sink. */ private class ServletUrlRedirectSink extends UrlRedirectSink { ServletUrlRedirectSink() { From 5f82993b0bee647f807b65b93ee46c36a1fde77a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 17 Jun 2021 06:16:14 +0100 Subject: [PATCH 33/36] Put parameters with inline expectation comments on their own lines --- .../frameworks/JaxWs/JakartaRs1.java | 33 +++++++++++++++---- .../frameworks/JaxWs/JakartaRs2.java | 22 ++++++++++--- .../frameworks/JaxWs/JaxRs1.java | 33 +++++++++++++++---- .../frameworks/JaxWs/JaxRs2.java | 23 ++++++++++--- 4 files changed, 87 insertions(+), 24 deletions(-) diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java index 9c765361cb8..40380f8913a 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java 
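Review bot: The QLDoc on the added `DefaultUrlRedirectSink` in UrlRedirect.qll misspells "representing" (`represeting`), and the new `import semmle.code.java.dataflow.ExternalFlow` is public while the JaxWS import just below it is `private`. A public import re-exports the ExternalFlow names to every file that imports this library. From what the hunk shows, only the private class needs `sinkNode`, so `private import semmle.code.java.dataflow.ExternalFlow` looks sufficient, provided no importer relies on the re-export. The comment would read `/** A default sink representing methods susceptible to URL redirection attacks. */`.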
@@ -106,8 +106,14 @@ class AnotherNonRootResourceClassJakarta { // $NonRootResourceClass public AnotherNonRootResourceClassJakarta() { } - public AnotherNonRootResourceClassJakarta(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation + public AnotherNonRootResourceClassJakarta( + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation @Context int context) { // $InjectionAnnotation } 
@@ -120,14 +126,27 @@ class FooJakarta { FooJakarta() { // $BeanParamConstructor } - public FooJakarta(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $BeanParamConstructor - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation + public FooJakarta( // $BeanParamConstructor + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation @Context int context) { // $InjectionAnnotation } - public FooJakarta(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation + public FooJakarta( + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation + @Context int context, // $InjectionAnnotation + int paramWithoutAnnotation) { } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java index 90cd9052cb7..bfd7b147181 100644 
--- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java @@ -29,14 +29,26 @@ class JakartaRs2 { // $RootResourceClass JakartaRs2() { } - public JakartaRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $InjectableConstructor - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation + public JakartaRs2(// $InjectableConstructor + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation @Context int context) { // $InjectionAnnotation } - public JakartaRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation + public JakartaRs2(@BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation + @Context int context, // $InjectionAnnotation + int paramWithoutAnnotation) { } @BeanParam // $InjectionAnnotation 
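Review bot: The two rewritten `JakartaRs2` constructors are laid out differently from the other constructors this commit reformats. The first opens with `public JakartaRs2(// $InjectableConstructor`, with no space before the comment, where JakartaRs1.java uses `public FooJakarta( // $BeanParamConstructor`; the same `(//` spelling appears in the JaxRs2.java hunk. The second keeps `@BeanParam int beanParam` on the signature line, while the matching `JaxRs2` constructor starts its parameter list on a new line. The two files appear to mirror each other, so I would write `public JakartaRs2( // $InjectableConstructor` for the first and `public JakartaRs2(` with `@BeanParam int beanParam, // $InjectionAnnotation` on the following line for the second.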
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java index 271cba9b52c..e8acd4a0507 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java @@ -106,8 +106,14 @@ class AnotherNonRootResourceClass { // $NonRootResourceClass public AnotherNonRootResourceClass() { } - public AnotherNonRootResourceClass(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation + public AnotherNonRootResourceClass( + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation @Context int context) { // $InjectionAnnotation } 
@@ -120,14 +126,27 @@ class Foo { Foo() { // $BeanParamConstructor } - public Foo(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $BeanParamConstructor - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation + public Foo( // $BeanParamConstructor + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation @Context int context) { // $InjectionAnnotation } - public Foo(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation + public Foo( + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation + @Context int context, // $InjectionAnnotation + int paramWithoutAnnotation) { } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java index 14cacc5bb2d..5913d0b998e 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java 
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java @@ -29,14 +29,27 @@ class JaxRs2 { // $RootResourceClass JaxRs2() { } - public JaxRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation $InjectableConstructor - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation + public JaxRs2(// $InjectableConstructor + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation @Context int context) { // $InjectionAnnotation } - public JaxRs2(@BeanParam int beanParam, @CookieParam("") int cookieParam, @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, @MatrixParam("") int matrixParam, @PathParam("") int pathParam, @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, int paramWithoutAnnotation) { // $InjectionAnnotation + public JaxRs2( + @BeanParam int beanParam, // $InjectionAnnotation + @CookieParam("") int cookieParam, // $InjectionAnnotation + @FormParam("") int formParam, // $InjectionAnnotation + @HeaderParam("") int headerParam, // $InjectionAnnotation + @MatrixParam("") int matrixParam, // $InjectionAnnotation + @PathParam("") int pathParam, // $InjectionAnnotation + @QueryParam("") int queryParam, // $InjectionAnnotation + @Context int context, // $InjectionAnnotation + int paramWithoutAnnotation) { } @BeanParam // $InjectionAnnotation From 0987425f9469588ef8afa7183e3a7e35d7b93e52 Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Thu, 17 Jun 2021 06:40:25 +0100 Subject: [PATCH 34/36] Reinstate failing tests with MISSING: prefix --- .../ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java | 4 ++-- java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java index 997ffab5ebb..0a8cf67f229 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java @@ -160,12 +160,12 @@ public class JakartaRsFlow { void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { map1.put(taint(), list); AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMapJak(map1); - // sink(amm1.keySet().iterator().next()); // $hasValueFlow + sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow list.add(taint()); map2.put("key", list); AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMapJak(map2); - // sink(amm2.get("key").get(0)); // $hasValueFlow + sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow } void testMultivaluedHashMap(Map map1, Map map2, diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java index 17390344a14..91d1b384d37 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java 
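Review bot: The re-enabled `sink(...)` calls in `testAbstractMultivaluedMap` record a known false negative (`MISSING: hasValueFlow`) and, on the second call, a `SPURIOUS: hasTaintFlow`, but nothing in the test says why the value flow is lost. These models feed security queries, so a reader should be able to tell an accepted gap from a regression. I would add one line above `map1.put(taint(), list);`, for example `// Known gap: value flow from the constructor argument into amm1/amm2 is not found yet (see <TRACKING_ISSUE>)`. The cause is not visible in the hunk, so the wording should be confirmed by the author. The same applies to the identical change in the JaxRsFlow.java hunk.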
@@ -160,12 +160,12 @@ public class JaxRsFlow { void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { map1.put(taint(), list); AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMap(map1); - sink(amm1.keySet().iterator().next()); // $hasValueFlow + sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow list.add(taint()); map2.put("key", list); AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMap(map2); - sink(amm2.get("key").get(0)); // $hasValueFlow + sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow } void testMultivaluedHashMap(Map map1, Map map2, From b9bc1f978ce8f18cc48b1414ec401e9696e13951 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 17 Jun 2021 10:04:15 +0100 Subject: [PATCH 35/36] Update style of inline expectation comments --- .../frameworks/JaxWs/JakartaRs1.java | 132 +++--- .../frameworks/JaxWs/JakartaRs2.java | 82 ++-- .../frameworks/JaxWs/JakartaRsFlow.java | 448 +++++++++--------- .../frameworks/JaxWs/JaxRs1.java | 132 +++--- .../frameworks/JaxWs/JaxRs2.java | 82 ++-- .../frameworks/JaxWs/JaxRsFlow.java | 448 +++++++++--------- .../frameworks/JaxWs/JaxWsEndpoint.java | 18 +- 7 files changed, 671 insertions(+), 671 deletions(-) diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java index 40380f8913a..271f3594eb0 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java 
@@ -25,75 +25,75 @@ import jakarta.ws.rs.core.Response; import jakarta.ws.rs.ext.MessageBodyReader; @Path("") -public class JakartaRs1 { // $RootResourceClass - public JakartaRs1() { // $InjectableConstructor +public class JakartaRs1 { // $ RootResourceClass + public JakartaRs1() { // $ InjectableConstructor } @GET - int Get() { // $ResourceMethod $ResourceMethodOnResourceClass - return 0; // $XssSink + int Get() { // $ ResourceMethod ResourceMethodOnResourceClass + return 0; // $ XssSink } @POST - void Post() { // $ResourceMethod $ResourceMethodOnResourceClass + void Post() { // $ ResourceMethod ResourceMethodOnResourceClass } - @Produces("text/plain") // $ProducesAnnotation=text/plain + @Produces("text/plain") // $ ProducesAnnotation=text/plain @DELETE - double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass - return 0.0; // $XssSink + double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass + return 0.0; // $ XssSink } - @Produces(MediaType.TEXT_HTML) // $ProducesAnnotation=text/html + @Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html @PUT - void Put() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass + void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass } @OPTIONS - void Options() { // $ResourceMethod $ResourceMethodOnResourceClass + void Options() { // $ ResourceMethod ResourceMethodOnResourceClass } @HEAD - void Head() { // $ResourceMethod $ResourceMethodOnResourceClass + void Head() { // $ ResourceMethod ResourceMethodOnResourceClass } @Path("") - NonRootResourceClassJakarta subResourceLocator() { // $SubResourceLocator + NonRootResourceClassJakarta subResourceLocator() { // $ SubResourceLocator return null; } - public class NonRootResourceClassJakarta { // $NonRootResourceClass + public class NonRootResourceClassJakarta { // $ NonRootResourceClass @GET - int Get() { // $ResourceMethod $ResourceMethodOnResourceClass - return 0; // $XssSink + int Get() { // $ 
ResourceMethod ResourceMethodOnResourceClass + return 0; // $ XssSink } - @Produces("text/html") // $ProducesAnnotation=text/html + @Produces("text/html") // $ ProducesAnnotation=text/html @POST - boolean Post() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass + boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass return false; } - @Produces(MediaType.TEXT_PLAIN) // $ProducesAnnotation=text/plain + @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain @DELETE - double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass - return 0.0; // $XssSink + double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass + return 0.0; // $ XssSink } @Path("") - AnotherNonRootResourceClassJakarta subResourceLocator1() { // $SubResourceLocator + AnotherNonRootResourceClassJakarta subResourceLocator1() { // $ SubResourceLocator return null; } @GET @Path("") - NotAResourceClass1Jakarta NotASubResourceLocator1() { // $ResourceMethod $ResourceMethodOnResourceClass - return null; // $XssSink + NotAResourceClass1Jakarta NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass + return null; // $ XssSink } @GET - NotAResourceClass2Jakarta NotASubResourceLocator2() { // $ResourceMethod $ResourceMethodOnResourceClass - return null; // $XssSink + NotAResourceClass2Jakarta NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass + return null; // $ XssSink } NotAResourceClass2Jakarta NotASubResourceLocator3() { 
@@ -102,50 +102,50 @@ public class JakartaRs1 { // $RootResourceClass } } -class AnotherNonRootResourceClassJakarta { // $NonRootResourceClass +class AnotherNonRootResourceClassJakarta { // $ NonRootResourceClass public AnotherNonRootResourceClassJakarta() { } public AnotherNonRootResourceClassJakarta( - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context) { // $InjectionAnnotation + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context) { // $ InjectionAnnotation } @Path("") - public void resourceMethodWithBeanParamParameter(@BeanParam FooJakarta FooJakarta) { // $SubResourceLocator $InjectionAnnotation + public void resourceMethodWithBeanParamParameter(@BeanParam FooJakarta FooJakarta) { // $ SubResourceLocator InjectionAnnotation } } class FooJakarta { - FooJakarta() { // $BeanParamConstructor + FooJakarta() { // $ BeanParamConstructor } - public FooJakarta( // $BeanParamConstructor - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - 
@QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context) { // $InjectionAnnotation + public FooJakarta( // $ BeanParamConstructor + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context) { // $ InjectionAnnotation } public FooJakarta( - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, // $InjectionAnnotation + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context, // $ InjectionAnnotation int paramWithoutAnnotation) { } } 
@@ -158,58 +158,58 @@ class NotAResourceClass2Jakarta { class ExtendsJakartaRs1 extends JakartaRs1 { @Override - int Get() { // $ResourceMethod + int Get() { // $ ResourceMethod return 1; } @Override - @QueryParam("") // $InjectionAnnotation + @QueryParam("") // $ InjectionAnnotation void Post() { } @Override - double Delete() { // $ResourceMethod=text/plain + double Delete() { // $ ResourceMethod=text/plain return 1.0; } @Override - void Put() { // $ResourceMethod=text/html + void Put() { // $ ResourceMethod=text/html } - @Produces("application/json") // $ProducesAnnotation=application/json + @Produces("application/json") // $ ProducesAnnotation=application/json @Override void Options() { } - @Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml + @Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml @Override void Head() { } } -@Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml +@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml class ExtendsJakartaRs1WithProducesAnnotation extends JakartaRs1 { @Override - int Get() { // $ResourceMethod=text/xml + int Get() { // $ ResourceMethod=text/xml return 2; } @Override - @QueryParam("") // $InjectionAnnotation + @QueryParam("") // $ InjectionAnnotation void Post() { } @Override - double Delete() { // $ResourceMethod=text/plain + double Delete() { // $ ResourceMethod=text/plain return 2.0; } @Override - void Put() { // $ResourceMethod=text/html + void Put() { // $ ResourceMethod=text/html } @Override - void Options() { // $ResourceMethod=text/xml + void Options() { // $ ResourceMethod=text/xml } } \ No newline at end of file diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java index bfd7b147181..26537bae815 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java 
@@ -25,48 +25,48 @@ import jakarta.ws.rs.core.Response; import jakarta.ws.rs.ext.MessageBodyReader; @Path("") -class JakartaRs2 { // $RootResourceClass +class JakartaRs2 { // $ RootResourceClass JakartaRs2() { } - public JakartaRs2(// $InjectableConstructor - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context) { // $InjectionAnnotation + public JakartaRs2(// $ InjectableConstructor + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context) { // $ InjectionAnnotation } - public JakartaRs2(@BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, // $InjectionAnnotation + public JakartaRs2(@BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + 
@PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context, // $ InjectionAnnotation int paramWithoutAnnotation) { } - @BeanParam // $InjectionAnnotation - int beanField; // $InjectableField - @CookieParam("") // $InjectionAnnotation - int cookieField; // $InjectableField - @FormParam("") // $InjectionAnnotation - int formField; // $InjectableField - @HeaderParam("") // $InjectionAnnotation - int headerField; // $InjectableField - @MatrixParam("") // $InjectionAnnotation - int matrixField; // $InjectableField - @PathParam("") // $InjectionAnnotation - int pathField; // $InjectableField - @QueryParam("") // $InjectionAnnotation - int queryField; // $InjectableField - @Context // $InjectionAnnotation - int context; // $InjectableField + @BeanParam // $ InjectionAnnotation + int beanField; // $ InjectableField + @CookieParam("") // $ InjectionAnnotation + int cookieField; // $ InjectableField + @FormParam("") // $ InjectionAnnotation + int formField; // $ InjectableField + @HeaderParam("") // $ InjectionAnnotation + int headerField; // $ InjectableField + @MatrixParam("") // $ InjectionAnnotation + int matrixField; // $ InjectableField + @PathParam("") // $ InjectionAnnotation + int pathField; // $ InjectableField + @QueryParam("") // $ InjectionAnnotation + int queryField; // $ InjectableField + @Context // $ InjectionAnnotation + int context; // $ InjectableField int fieldWithoutAnnotation; } 
@@ -85,14 +85,14 @@ class CustomUnmarshallerJakarta implements MessageBodyReader { } class MiscellaneousJakarta { - @Consumes("") // $ConsumesAnnotation + @Consumes("") // $ ConsumesAnnotation public static void miscellaneousJakarta() throws IOException { - Response.ResponseBuilder responseBuilder = Response.accepted(); // $ResponseBuilderDeclaration - Response response = responseBuilder.build(); // $ResponseDeclaration - Client client; // $ClientDeclaration - MessageBodyReader messageBodyReader = null; // $MessageBodyReaderDeclaration - messageBodyReader.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadFromCall $MessageBodyReaderReadCall + Response.ResponseBuilder responseBuilder = Response.accepted(); // $ ResponseBuilderDeclaration + Response response = responseBuilder.build(); // $ ResponseDeclaration + Client client; // $ ClientDeclaration + MessageBodyReader messageBodyReader = null; // $ MessageBodyReaderDeclaration + messageBodyReader.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadFromCall MessageBodyReaderReadCall CustomUnmarshallerJakarta CustomUnmarshallerJakarta = null; - CustomUnmarshallerJakarta.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadCall + CustomUnmarshallerJakarta.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadCall } } \ No newline at end of file diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java index 0a8cf67f229..f534e59b854 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java 
@@ -71,84 +71,84 @@ public class JakartaRsFlow { void sink(Object o) {} void testResponse() { - sink(Response.accepted(taint())); // $hasTaintFlow - sink(Response.fromResponse(ResponseSource.taint())); // $hasTaintFlow - sink(Response.ok(taint())); // $hasTaintFlow - sink(Response.ok(taint(), new MediaType())); // $hasTaintFlow - sink(Response.ok(taint(), "type")); // $hasTaintFlow - sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $hasTaintFlow + sink(Response.accepted(taint())); // $ hasTaintFlow + sink(Response.fromResponse(ResponseSource.taint())); // $ hasTaintFlow + sink(Response.ok(taint())); // $ hasTaintFlow + sink(Response.ok(taint(), new MediaType())); // $ hasTaintFlow + sink(Response.ok(taint(), "type")); // $ hasTaintFlow + sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $ hasTaintFlow } void testResponseBuilder(MultivaluedMap multivaluedMap, List list) throws Exception { - sink(ResponseBuilderSource.taint().build()); // $hasTaintFlow - sink(Response.noContent().entity(taint())); // $hasTaintFlow - sink(ResponseBuilderSource.taint().allow(new HashSet())); // $hasValueFlow - sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $hasValueFlow - sink(ResponseBuilderSource.taint().clone()); // $hasTaintFlow - sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().cookie()); // $hasValueFlow - sink(ResponseBuilderSource.taint().encoding("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().entity("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().expires(new Date())); // $hasValueFlow - sink(ResponseBuilderSource.taint().header("", "")); // $hasValueFlow - sink(ResponseBuilderSource.taint().language("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().lastModified(new Date())); // $hasValueFlow - sink(ResponseBuilderSource.taint().link("", "")); // $hasValueFlow - sink(ResponseBuilderSource.taint().link(new 
URI(""), "")); // $hasValueFlow - sink(ResponseBuilderSource.taint().links()); // $hasValueFlow - sink(ResponseBuilderSource.taint().location(new URI(""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $hasValueFlow - sink(ResponseBuilderSource.taint().status(400)); // $hasValueFlow - sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().tag("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().type("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().variants(list)); // $hasValueFlow - sink(ResponseBuilderSource.taint().variants()); // $hasValueFlow + sink(ResponseBuilderSource.taint().build()); // $ hasTaintFlow + sink(Response.noContent().entity(taint())); // $ hasTaintFlow + sink(ResponseBuilderSource.taint().allow(new HashSet())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().clone()); // $ hasTaintFlow + sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().cookie()); // $ hasValueFlow + sink(ResponseBuilderSource.taint().encoding("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().entity("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().expires(new Date())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().header("", "")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().language("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().lastModified(new Date())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().link("", "")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().links()); // $ hasValueFlow + sink(ResponseBuilderSource.taint().location(new 
URI(""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $ hasValueFlow + sink(ResponseBuilderSource.taint().status(400)); // $ hasValueFlow + sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().tag("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().type("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().variants(list)); // $ hasValueFlow + sink(ResponseBuilderSource.taint().variants()); // $ hasValueFlow } void testHttpHeaders(HttpHeaders h) { - sink(taint(h).getAcceptableLanguages()); // $hasTaintFlow - sink(taint(h).getAcceptableMediaTypes()); // $hasTaintFlow - sink(taint(h).getCookies()); // $hasTaintFlow - sink(taint(h).getHeaderString("")); // $hasTaintFlow - sink(taint(h).getLanguage()); // $hasTaintFlow - sink(taint(h).getMediaType()); // $hasTaintFlow - sink(taint(h).getRequestHeader("")); // $hasTaintFlow - sink(taint(h).getRequestHeaders()); // $hasTaintFlow + sink(taint(h).getAcceptableLanguages()); // $ hasTaintFlow + sink(taint(h).getAcceptableMediaTypes()); // $ hasTaintFlow + sink(taint(h).getCookies()); // $ hasTaintFlow + sink(taint(h).getHeaderString("")); // $ hasTaintFlow + sink(taint(h).getLanguage()); // $ hasTaintFlow + sink(taint(h).getMediaType()); // $ hasTaintFlow + sink(taint(h).getRequestHeader("")); // $ hasTaintFlow + sink(taint(h).getRequestHeaders()); // $ hasTaintFlow } void testMultivaluedMapAdd(MultivaluedMap mm1, MultivaluedMap mm2) { mm1.add(taint(), "value"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow mm2.add("key", taint()); - sink(mm2.get("key").get(0)); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow } void testMultivaluedMapAddAll(MultivaluedMap mm1, MultivaluedMap mm2, MultivaluedMap mm3) { 
mm1.addAll(taint(), "a", "b"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow List l = new ArrayList(); l.add(taint()); mm2.addAll("key", l); - sink(mm2.get("key").get(0)); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow mm3.addAll("key", "a", taint()); - sink(mm3.get("key").get(0)); // $hasValueFlow + sink(mm3.get("key").get(0)); // $ hasValueFlow } void testMultivaluedMapAddFirst(MultivaluedMap mm1, MultivaluedMap mm2) { mm1.addFirst(taint(), "value"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow mm2.addFirst("key", taint()); - sink(mm2.get("key").get(0)); // $hasValueFlow - sink(mm2.getFirst("key")); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow + sink(mm2.getFirst("key")); // $ hasValueFlow } void testMultivaluedMapputSingle(MultivaluedMap mm1, MultivaluedMap mm2) { mm1.putSingle(taint(), "value"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow mm2.putSingle("key", taint()); - sink(mm2.get("key").get(0)); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow } class MyAbstractMultivaluedMapJak extends AbstractMultivaluedMap { 
@@ -160,248 +160,248 @@ public class JakartaRsFlow { void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { map1.put(taint(), list); AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMapJak(map1); - sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow + sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow list.add(taint()); map2.put("key", list); AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMapJak(map2); - sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow + sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow } void testMultivaluedHashMap(Map map1, Map map2, MultivaluedMap mm1, MultivaluedMap mm2) { map1.put(taint(), "value"); MultivaluedHashMap mhm1 = new MultivaluedHashMap(map1); - sink(mhm1.keySet().iterator().next()); // $hasValueFlow + sink(mhm1.keySet().iterator().next()); // $ hasValueFlow map2.put("key", taint()); MultivaluedHashMap mhm2 = new MultivaluedHashMap(map2); - sink(mhm2.get("key").get(0)); // $hasValueFlow + sink(mhm2.get("key").get(0)); // $ hasValueFlow mm1.add(taint(), "value"); MultivaluedHashMap mhm3 = new MultivaluedHashMap(mm1); - sink(mhm3.keySet().iterator().next()); // $hasValueFlow + sink(mhm3.keySet().iterator().next()); // $ hasValueFlow mm2.add("key", taint()); MultivaluedHashMap mhm4 = new MultivaluedHashMap(mm2); - sink(mhm4.get("key").get(0)); // $hasValueFlow + sink(mhm4.get("key").get(0)); // $ hasValueFlow } void testPathSegment(PathSegment ps1, PathSegment ps2) { - sink(taint(ps1).getMatrixParameters()); // $hasTaintFlow - sink(taint(ps2).getPath()); // $hasTaintFlow + sink(taint(ps1).getMatrixParameters()); // $ hasTaintFlow + sink(taint(ps2).getPath()); // $ hasTaintFlow } void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) { - sink(taint(ui1).getPathParameters()); // $hasTaintFlow - sink(taint(ui2).getPathSegments()); // $hasTaintFlow - sink(taint(ui2).getQueryParameters()); // 
$hasTaintFlow - sink(taint(ui2).getRequestUri()); // $hasTaintFlow - sink(taint(ui2).getRequestUriBuilder()); // $hasTaintFlow + sink(taint(ui1).getPathParameters()); // $ hasTaintFlow + sink(taint(ui2).getPathSegments()); // $ hasTaintFlow + sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow + sink(taint(ui2).getRequestUri()); // $ hasTaintFlow + sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow } void testCookie() { - sink(new Cookie(taint(), "", "", "", 0)); // $hasTaintFlow - sink(new Cookie("", taint(), "", "", 0)); // $hasTaintFlow - sink(new Cookie("", "", taint(), "", 0)); // $hasTaintFlow - sink(new Cookie("", "", "", taint(), 0)); // $hasTaintFlow - sink(new Cookie("", "", "", "", IntSource.taint())); // $hasTaintFlow - sink(new Cookie(taint(), "", "", "")); // $hasTaintFlow - sink(new Cookie("", taint(), "", "")); // $hasTaintFlow - sink(new Cookie("", "", taint(), "")); // $hasTaintFlow - sink(new Cookie("", "", "", taint())); // $hasTaintFlow - sink(new Cookie(taint(), "")); // $hasTaintFlow - sink(new Cookie("", taint())); // $hasTaintFlow - sink(Cookie.valueOf(taint())); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getDomain()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getName()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getPath()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getValue()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getVersion()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).toString()); // $hasTaintFlow + sink(new Cookie(taint(), "", "", "", 0)); // $ hasTaintFlow + sink(new Cookie("", taint(), "", "", 0)); // $ hasTaintFlow + sink(new Cookie("", "", taint(), "", 0)); // $ hasTaintFlow + sink(new Cookie("", "", "", taint(), 0)); // $ hasTaintFlow + sink(new Cookie("", "", "", "", IntSource.taint())); // $ hasTaintFlow + sink(new Cookie(taint(), "", "", "")); // $ hasTaintFlow + sink(new Cookie("", taint(), "", "")); // $ hasTaintFlow + sink(new Cookie("", "", taint(), "")); // $ hasTaintFlow 
+ sink(new Cookie("", "", "", taint())); // $ hasTaintFlow + sink(new Cookie(taint(), "")); // $ hasTaintFlow + sink(new Cookie("", taint())); // $ hasTaintFlow + sink(Cookie.valueOf(taint())); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getDomain()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getName()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getPath()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getValue()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getVersion()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).toString()); // $ hasTaintFlow } void testNewCookie() { - sink(new NewCookie(Cookie.valueOf(taint()))); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(taint()))); // $ hasTaintFlow - sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, 
BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "")); // $hasTaintFlow - sink(new NewCookie("", taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "")); // $ hasTaintFlow + sink(new NewCookie("", taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); 
// $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $ 
hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", taint(), 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // 
$hasTaintFlow + sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $ hasTaintFlow - sink(NewCookie.valueOf(taint()).getComment()); // $hasTaintFlow - sink(NewCookie.valueOf(taint()).getExpiry()); // $hasTaintFlow - sink(NewCookie.valueOf(taint()).getMaxAge()); // $hasTaintFlow - sink(NewCookie.valueOf(taint()).toCookie()); // $hasTaintFlow - sink(NewCookie.valueOf(taint())); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).getComment()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint()).getExpiry()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint()).getMaxAge()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint()).toCookie()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint())); // $ hasTaintFlow } void testForm(MultivaluedMap mm1, MultivaluedMap mm2) { - sink(new Form(taint(), "")); // $hasTaintFlow - sink(new Form("", taint())); // $hasTaintFlow + sink(new Form(taint(), "")); // $ hasTaintFlow + sink(new Form("", taint())); // $ hasTaintFlow mm1.add(taint(), "value"); - sink(new Form(mm1)); // $hasTaintFlow + sink(new Form(mm1)); // $ hasTaintFlow mm2.add("key", taint()); - sink(new Form(mm2)); // $hasTaintFlow + sink(new Form(mm2)); // $ hasTaintFlow Form f1 = new Form(taint(), ""); - sink(f1.asMap()); // $hasTaintFlow + sink(f1.asMap()); // $ hasTaintFlow Form f2 = new Form(); - sink(f2.param(taint(), "b")); // $hasTaintFlow + 
sink(f2.param(taint(), "b")); // $ hasTaintFlow Form f3 = new Form(); - sink(f3.param("a", taint())); // $hasTaintFlow + sink(f3.param("a", taint())); // $ hasTaintFlow Form f4 = new Form(taint(), ""); - sink(f4.param("a", "b")); // $hasTaintFlow + sink(f4.param("a", "b")); // $ hasTaintFlow } void testGenericEntity() { Method m = DummyJakarta.class.getMethods()[0]; GenericEntity> ge = new GenericEntity>(SetStringSource.taint(), m.getGenericReturnType()); - sink(ge); // $hasTaintFlow - sink(ge.getEntity()); // $hasTaintFlow + sink(ge); // $ hasTaintFlow + sink(ge.getEntity()); // $ hasTaintFlow } void testMediaType(Map m) { - sink(new MediaType(taint(), "")); // $hasTaintFlow - sink(new MediaType("", taint())); // $hasTaintFlow - sink(new MediaType(taint(), "", m)); // $hasTaintFlow - sink(new MediaType("", taint(), m)); // $hasTaintFlow - sink(new MediaType("", "", taint(m))); // $hasTaintFlow - sink(new MediaType(taint(), "", "")); // $hasTaintFlow - sink(new MediaType("", taint(), "")); // $hasTaintFlow - sink(new MediaType("", "", taint())); // $hasTaintFlow - sink(MediaType.valueOf(taint()).getParameters()); // $hasTaintFlow - sink(MediaType.valueOf(taint()).getSubtype()); // $hasTaintFlow - sink(MediaType.valueOf(taint()).getType()); // $hasTaintFlow - sink(MediaType.valueOf(taint())); // $hasTaintFlow + sink(new MediaType(taint(), "")); // $ hasTaintFlow + sink(new MediaType("", taint())); // $ hasTaintFlow + sink(new MediaType(taint(), "", m)); // $ hasTaintFlow + sink(new MediaType("", taint(), m)); // $ hasTaintFlow + sink(new MediaType("", "", taint(m))); // $ hasTaintFlow + sink(new MediaType(taint(), "", "")); // $ hasTaintFlow + sink(new MediaType("", taint(), "")); // $ hasTaintFlow + sink(new MediaType("", "", taint())); // $ hasTaintFlow + sink(MediaType.valueOf(taint()).getParameters()); // $ hasTaintFlow + sink(MediaType.valueOf(taint()).getSubtype()); // $ hasTaintFlow + sink(MediaType.valueOf(taint()).getType()); // $ hasTaintFlow + 
sink(MediaType.valueOf(taint())); // $ hasTaintFlow } void testUriBuilder() throws Exception { - sink(UriBuilder.fromPath("").build(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").build("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").build(taint(), false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").build("", taint(), true)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).build("")); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).build("", false)); // $hasTaintFlow + sink(UriBuilder.fromPath("").build(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").build("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").build(taint(), false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").build("", taint(), true)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).build("")); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).build("", false)); // $ hasTaintFlow - sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap()))); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap())); // $hasTaintFlow - sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap()), false)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap(), true)); // $hasTaintFlow + sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap()))); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap())); // $ hasTaintFlow + 
sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap()), false)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap(), true)); // $ hasTaintFlow - sink(UriBuilder.fromPath(taint()).clone()); // $hasTaintFlow - sink(UriBuilder.fromPath("").fragment(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).fragment("")); // $hasTaintFlow - sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $hasTaintFlow - sink(UriBuilder.fromPath(taint())); // $hasTaintFlow - sink(UriBuilder.fromUri(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").host(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).host("")); // $hasTaintFlow + sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow + sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow + sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint())); // $ hasTaintFlow + sink(UriBuilder.fromUri(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").host(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).host("")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").path(taint(DummyJakarta.class))); // $hasTaintFlow - sink(UriBuilder.fromPath("").path(DummyJakarta.class, taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).path(DummyJakarta.class)); // $hasTaintFlow - sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $hasTaintFlow + sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $ hasTaintFlow + 
sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").path(taint(DummyJakarta.class))); // $ hasTaintFlow + sink(UriBuilder.fromPath("").path(DummyJakarta.class, taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).path(DummyJakarta.class)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replacePath(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replacePath("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceQuery(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $hasTaintFlow + sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $ hasTaintFlow + 
sink(UriBuilder.fromPath("").replacePath(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replacePath("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceQuery(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $ hasTaintFlow + 
sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()))); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()), true)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap(), false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap()))); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap())); // $hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()))); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()), true)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap(), false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap()))); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap())); // $ hasTaintFlow - sink(UriBuilder.fromPath("").scheme(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).scheme("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").segment(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").segment("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).segment("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).toTemplate()); // $hasTaintFlow + sink(UriBuilder.fromPath("").scheme(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).scheme("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $ 
hasTaintFlow + sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").segment(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").segment("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).segment("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).toTemplate()); // $ hasTaintFlow - sink(UriBuilder.fromPath("").uri(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).uri("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $hasTaintFlow - sink(UriBuilder.fromPath("").userInfo(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).userInfo("")); // $hasTaintFlow + sink(UriBuilder.fromPath("").uri(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).uri("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $ hasTaintFlow + sink(UriBuilder.fromPath("").userInfo(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).userInfo("")); // $ hasTaintFlow } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java index e8acd4a0507..ba21f36069b 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java 
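Review bot: The two sinks in `testAbstractMultivaluedMap` still carry `MISSING: hasValueFlow` (and `SPURIOUS: hasTaintFlow` on the second), with nothing saying why the expected flow is not found. Both flows go through `new MyAbstractMultivaluedMapJak(map)`, so the gap is presumably in how the subclass constructor is modelled, but that is an inference from the test, not something the hunk states. Until it is fixed, queries built on this model may under-report tainted keys and values that reach a sink through a user-defined `AbstractMultivaluedMap` subclass. I would record that above the first sink, for example `// Known gap: value flow through the MyAbstractMultivaluedMapJak(Map) constructor is not modelled yet (tracking: <ISSUE-ID>)`, so the markers are not mistaken for settled expectations.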
@@ -25,75 +25,75 @@ import javax.ws.rs.core.Response; import javax.ws.rs.ext.MessageBodyReader; @Path("") -public class JaxRs1 { // $RootResourceClass - public JaxRs1() { // $InjectableConstructor +public class JaxRs1 { // $ RootResourceClass + public JaxRs1() { // $ InjectableConstructor } @GET - int Get() { // $ResourceMethod $ResourceMethodOnResourceClass - return 0; // $XssSink + int Get() { // $ ResourceMethod ResourceMethodOnResourceClass + return 0; // $ XssSink } @POST - void Post() { // $ResourceMethod $ResourceMethodOnResourceClass + void Post() { // $ ResourceMethod ResourceMethodOnResourceClass } - @Produces("text/plain") // $ProducesAnnotation=text/plain + @Produces("text/plain") // $ ProducesAnnotation=text/plain @DELETE - double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass - return 0.0; // $XssSink + double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass + return 0.0; // $ XssSink } - @Produces(MediaType.TEXT_HTML) // $ProducesAnnotation=text/html + @Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html @PUT - void Put() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass + void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass } @OPTIONS - void Options() { // $ResourceMethod $ResourceMethodOnResourceClass + void Options() { // $ ResourceMethod ResourceMethodOnResourceClass } @HEAD - void Head() { // $ResourceMethod $ResourceMethodOnResourceClass + void Head() { // $ ResourceMethod ResourceMethodOnResourceClass } @Path("") - NonRootResourceClass subResourceLocator() { // $SubResourceLocator + NonRootResourceClass subResourceLocator() { // $ SubResourceLocator return null; } - public class NonRootResourceClass { // $NonRootResourceClass + public class NonRootResourceClass { // $ NonRootResourceClass @GET - int Get() { // $ResourceMethod $ResourceMethodOnResourceClass - return 0; // $XssSink + int Get() { // $ ResourceMethod ResourceMethodOnResourceClass + return 
0; // $ XssSink } - @Produces("text/html") // $ProducesAnnotation=text/html + @Produces("text/html") // $ ProducesAnnotation=text/html @POST - boolean Post() { // $ResourceMethod=text/html $ResourceMethodOnResourceClass + boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass return false; } - @Produces(MediaType.TEXT_PLAIN) // $ProducesAnnotation=text/plain + @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain @DELETE - double Delete() { // $ResourceMethod=text/plain $ResourceMethodOnResourceClass - return 0.0; // $XssSink + double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass + return 0.0; // $ XssSink } @Path("") - AnotherNonRootResourceClass subResourceLocator1() { // $SubResourceLocator + AnotherNonRootResourceClass subResourceLocator1() { // $ SubResourceLocator return null; } @GET @Path("") - NotAResourceClass1 NotASubResourceLocator1() { // $ResourceMethod $ResourceMethodOnResourceClass - return null; // $XssSink + NotAResourceClass1 NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass + return null; // $ XssSink } @GET - NotAResourceClass2 NotASubResourceLocator2() { // $ResourceMethod $ResourceMethodOnResourceClass - return null; // $XssSink + NotAResourceClass2 NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass + return null; // $ XssSink } NotAResourceClass2 NotASubResourceLocator3() { 
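Review bot: `NonRootResourceClass.Post()` is declared `@Produces("text/html")`, yet its `return false;` (an unchanged context line) has no `XssSink` expectation. Both `text/plain` `Delete()` methods and the `Get()` methods without `@Produces` do expect one. HTML is the content type where a reflected value matters most, so this reads as either a missed expectation or an undocumented modelling decision. If the sink should be reported, the line becomes `return false; // $ XssSink`; if it is deliberately excluded (for instance because of the `boolean` return type), a short comment on that line saying so would keep the test from hiding a false negative.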
@@ -102,50 +102,50 @@ public class JaxRs1 { // $RootResourceClass } } -class AnotherNonRootResourceClass { // $NonRootResourceClass +class AnotherNonRootResourceClass { // $ NonRootResourceClass public AnotherNonRootResourceClass() { } public AnotherNonRootResourceClass( - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context) { // $InjectionAnnotation + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context) { // $ InjectionAnnotation } @Path("") - public void resourceMethodWithBeanParamParameter(@BeanParam Foo foo) { // $SubResourceLocator $InjectionAnnotation + public void resourceMethodWithBeanParamParameter(@BeanParam Foo foo) { // $ SubResourceLocator InjectionAnnotation } } class Foo { - Foo() { // $BeanParamConstructor + Foo() { // $ BeanParamConstructor } - public Foo( // $BeanParamConstructor - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context) { // 
$InjectionAnnotation + public Foo( // $ BeanParamConstructor + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context) { // $ InjectionAnnotation } public Foo( - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, // $InjectionAnnotation + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context, // $ InjectionAnnotation int paramWithoutAnnotation) { } } 
@@ -158,58 +158,58 @@ class NotAResourceClass2 { class ExtendsJaxRs1 extends JaxRs1 { @Override - int Get() { // $ResourceMethod + int Get() { // $ ResourceMethod return 1; } @Override - @QueryParam("") // $InjectionAnnotation + @QueryParam("") // $ InjectionAnnotation void Post() { } @Override - double Delete() { // $ResourceMethod=text/plain + double Delete() { // $ ResourceMethod=text/plain return 1.0; } @Override - void Put() { // $ResourceMethod=text/html + void Put() { // $ ResourceMethod=text/html } - @Produces("application/json") // $ProducesAnnotation=application/json + @Produces("application/json") // $ ProducesAnnotation=application/json @Override void Options() { } - @Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml + @Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml @Override void Head() { } } -@Produces(MediaType.TEXT_XML) // $ProducesAnnotation=text/xml +@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 { @Override - int Get() { // $ResourceMethod=text/xml + int Get() { // $ ResourceMethod=text/xml return 2; } @Override - @QueryParam("") // $InjectionAnnotation + @QueryParam("") // $ InjectionAnnotation void Post() { } @Override - double Delete() { // $ResourceMethod=text/plain + double Delete() { // $ ResourceMethod=text/plain return 2.0; } @Override - void Put() { // $ResourceMethod=text/html + void Put() { // $ ResourceMethod=text/html } @Override - void Options() { // $ResourceMethod=text/xml + void Options() { // $ ResourceMethod=text/xml } } \ No newline at end of file diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java index 5913d0b998e..7fa0413e841 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java 
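Review bot: The overrides in `ExtendsJaxRs1` that deliberately have no `ResourceMethod` tag (`Post()` with `@QueryParam("")`, `Options()` and `Head()` with `@Produces`) look the same as lines someone forgot to annotate. These negative cases pin the rule that an override stops inheriting JaxRS annotations once it carries one of its own, which decides whether the method is treated as a request entry point at all. I would add a plain comment on each signature line, e.g. `// not a resource method: the JaxRS annotation on this override disables inheritance`, assuming the expectation parser ignores comments that do not start with `$`. The same applies to `Post()` in `ExtendsJaxRs1WithProducesAnnotation`.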
@@ -25,49 +25,49 @@ import javax.ws.rs.core.Response; import javax.ws.rs.ext.MessageBodyReader; @Path("") -class JaxRs2 { // $RootResourceClass +class JaxRs2 { // $ RootResourceClass JaxRs2() { } - public JaxRs2(// $InjectableConstructor - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context) { // $InjectionAnnotation + public JaxRs2(// $ InjectableConstructor + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context) { // $ InjectionAnnotation } public JaxRs2( - @BeanParam int beanParam, // $InjectionAnnotation - @CookieParam("") int cookieParam, // $InjectionAnnotation - @FormParam("") int formParam, // $InjectionAnnotation - @HeaderParam("") int headerParam, // $InjectionAnnotation - @MatrixParam("") int matrixParam, // $InjectionAnnotation - @PathParam("") int pathParam, // $InjectionAnnotation - @QueryParam("") int queryParam, // $InjectionAnnotation - @Context int context, // $InjectionAnnotation + @BeanParam int beanParam, // $ InjectionAnnotation + @CookieParam("") int cookieParam, // $ InjectionAnnotation + @FormParam("") int formParam, // $ InjectionAnnotation + @HeaderParam("") int headerParam, // $ InjectionAnnotation + @MatrixParam("") int matrixParam, // $ InjectionAnnotation + @PathParam("") int pathParam, // $ 
InjectionAnnotation + @QueryParam("") int queryParam, // $ InjectionAnnotation + @Context int context, // $ InjectionAnnotation int paramWithoutAnnotation) { } - @BeanParam // $InjectionAnnotation - int beanField; // $InjectableField - @CookieParam("") // $InjectionAnnotation - int cookieField; // $InjectableField - @FormParam("") // $InjectionAnnotation - int formField; // $InjectableField - @HeaderParam("") // $InjectionAnnotation - int headerField; // $InjectableField - @MatrixParam("") // $InjectionAnnotation - int matrixField; // $InjectableField - @PathParam("") // $InjectionAnnotation - int pathField; // $InjectableField - @QueryParam("") // $InjectionAnnotation - int queryField; // $InjectableField - @Context // $InjectionAnnotation - int context; // $InjectableField + @BeanParam // $ InjectionAnnotation + int beanField; // $ InjectableField + @CookieParam("") // $ InjectionAnnotation + int cookieField; // $ InjectableField + @FormParam("") // $ InjectionAnnotation + int formField; // $ InjectableField + @HeaderParam("") // $ InjectionAnnotation + int headerField; // $ InjectableField + @MatrixParam("") // $ InjectionAnnotation + int matrixField; // $ InjectableField + @PathParam("") // $ InjectionAnnotation + int pathField; // $ InjectableField + @QueryParam("") // $ InjectionAnnotation + int queryField; // $ InjectableField + @Context // $ InjectionAnnotation + int context; // $ InjectableField int fieldWithoutAnnotation; } 
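Review bot: The rewritten line `public JaxRs2(// $ InjectableConstructor` still has no space before `//`, unlike the equivalent `public Foo( // $ BeanParamConstructor` in JaxRs1.java. Since this commit normalises the expectation comments anyway, I would write it as `public JaxRs2( // $ InjectableConstructor` so both files use one form.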
@@ -86,14 +86,14 @@ class CustomUnmarshaller implements MessageBodyReader { } class Miscellaneous { - @Consumes("") // $ConsumesAnnotation + @Consumes("") // $ ConsumesAnnotation public static void miscellaneous() throws IOException { - Response.ResponseBuilder responseBuilder = Response.accepted(); // $ResponseBuilderDeclaration - Response response = responseBuilder.build(); // $ResponseDeclaration - Client client; // $ClientDeclaration - MessageBodyReader messageBodyReader = null; // $MessageBodyReaderDeclaration - messageBodyReader.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadFromCall $MessageBodyReaderReadCall + Response.ResponseBuilder responseBuilder = Response.accepted(); // $ ResponseBuilderDeclaration + Response response = responseBuilder.build(); // $ ResponseDeclaration + Client client; // $ ClientDeclaration + MessageBodyReader messageBodyReader = null; // $ MessageBodyReaderDeclaration + messageBodyReader.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadFromCall MessageBodyReaderReadCall CustomUnmarshaller customUnmarshaller = null; - customUnmarshaller.readFrom(null, null, null, null, null, null); // $MessageBodyReaderReadCall + customUnmarshaller.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadCall } } \ No newline at end of file diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java index 91d1b384d37..eecc3e444c9 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java 
@@ -71,84 +71,84 @@ public class JaxRsFlow { void sink(Object o) {} void testResponse() { - sink(Response.accepted(taint())); // $hasTaintFlow - sink(Response.fromResponse(ResponseSource.taint())); // $hasTaintFlow - sink(Response.ok(taint())); // $hasTaintFlow - sink(Response.ok(taint(), new MediaType())); // $hasTaintFlow - sink(Response.ok(taint(), "type")); // $hasTaintFlow - sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $hasTaintFlow + sink(Response.accepted(taint())); // $ hasTaintFlow + sink(Response.fromResponse(ResponseSource.taint())); // $ hasTaintFlow + sink(Response.ok(taint())); // $ hasTaintFlow + sink(Response.ok(taint(), new MediaType())); // $ hasTaintFlow + sink(Response.ok(taint(), "type")); // $ hasTaintFlow + sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $ hasTaintFlow } void testResponseBuilder(MultivaluedMap multivaluedMap, List list) throws Exception { - sink(ResponseBuilderSource.taint().build()); // $hasTaintFlow - sink(Response.noContent().entity(taint())); // $hasTaintFlow - sink(ResponseBuilderSource.taint().allow(new HashSet())); // $hasValueFlow - sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $hasValueFlow - sink(ResponseBuilderSource.taint().clone()); // $hasTaintFlow - sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().cookie()); // $hasValueFlow - sink(ResponseBuilderSource.taint().encoding("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().entity("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().expires(new Date())); // $hasValueFlow - sink(ResponseBuilderSource.taint().header("", "")); // $hasValueFlow - sink(ResponseBuilderSource.taint().language("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().lastModified(new Date())); // $hasValueFlow - sink(ResponseBuilderSource.taint().link("", "")); // $hasValueFlow - sink(ResponseBuilderSource.taint().link(new URI(""), 
"")); // $hasValueFlow - sink(ResponseBuilderSource.taint().links()); // $hasValueFlow - sink(ResponseBuilderSource.taint().location(new URI(""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $hasValueFlow - sink(ResponseBuilderSource.taint().status(400)); // $hasValueFlow - sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().tag("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().type("")); // $hasValueFlow - sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $hasValueFlow - sink(ResponseBuilderSource.taint().variants(list)); // $hasValueFlow - sink(ResponseBuilderSource.taint().variants()); // $hasValueFlow + sink(ResponseBuilderSource.taint().build()); // $ hasTaintFlow + sink(Response.noContent().entity(taint())); // $ hasTaintFlow + sink(ResponseBuilderSource.taint().allow(new HashSet())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().clone()); // $ hasTaintFlow + sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().cookie()); // $ hasValueFlow + sink(ResponseBuilderSource.taint().encoding("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().entity("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().expires(new Date())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().header("", "")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().language("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().lastModified(new Date())); // $ hasValueFlow + sink(ResponseBuilderSource.taint().link("", "")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().links()); // $ hasValueFlow + sink(ResponseBuilderSource.taint().location(new URI(""))); // $ 
hasValueFlow + sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $ hasValueFlow + sink(ResponseBuilderSource.taint().status(400)); // $ hasValueFlow + sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().tag("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().type("")); // $ hasValueFlow + sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $ hasValueFlow + sink(ResponseBuilderSource.taint().variants(list)); // $ hasValueFlow + sink(ResponseBuilderSource.taint().variants()); // $ hasValueFlow } void testHttpHeaders(HttpHeaders h) { - sink(taint(h).getAcceptableLanguages()); // $hasTaintFlow - sink(taint(h).getAcceptableMediaTypes()); // $hasTaintFlow - sink(taint(h).getCookies()); // $hasTaintFlow - sink(taint(h).getHeaderString("")); // $hasTaintFlow - sink(taint(h).getLanguage()); // $hasTaintFlow - sink(taint(h).getMediaType()); // $hasTaintFlow - sink(taint(h).getRequestHeader("")); // $hasTaintFlow - sink(taint(h).getRequestHeaders()); // $hasTaintFlow + sink(taint(h).getAcceptableLanguages()); // $ hasTaintFlow + sink(taint(h).getAcceptableMediaTypes()); // $ hasTaintFlow + sink(taint(h).getCookies()); // $ hasTaintFlow + sink(taint(h).getHeaderString("")); // $ hasTaintFlow + sink(taint(h).getLanguage()); // $ hasTaintFlow + sink(taint(h).getMediaType()); // $ hasTaintFlow + sink(taint(h).getRequestHeader("")); // $ hasTaintFlow + sink(taint(h).getRequestHeaders()); // $ hasTaintFlow } void testMultivaluedMapAdd(MultivaluedMap mm1, MultivaluedMap mm2) { mm1.add(taint(), "value"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow mm2.add("key", taint()); - sink(mm2.get("key").get(0)); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow } void testMultivaluedMapAddAll(MultivaluedMap mm1, MultivaluedMap mm2, MultivaluedMap mm3) { mm1.addAll(taint(), "a", "b"); - 
sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow List l = new ArrayList(); l.add(taint()); mm2.addAll("key", l); - sink(mm2.get("key").get(0)); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow mm3.addAll("key", "a", taint()); - sink(mm3.get("key").get(0)); // $hasValueFlow + sink(mm3.get("key").get(0)); // $ hasValueFlow } void testMultivaluedMapAddFirst(MultivaluedMap mm1, MultivaluedMap mm2) { mm1.addFirst(taint(), "value"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow mm2.addFirst("key", taint()); - sink(mm2.get("key").get(0)); // $hasValueFlow - sink(mm2.getFirst("key")); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow + sink(mm2.getFirst("key")); // $ hasValueFlow } void testMultivaluedMapputSingle(MultivaluedMap mm1, MultivaluedMap mm2) { mm1.putSingle(taint(), "value"); - sink(mm1.keySet().iterator().next()); // $hasValueFlow + sink(mm1.keySet().iterator().next()); // $ hasValueFlow mm2.putSingle("key", taint()); - sink(mm2.get("key").get(0)); // $hasValueFlow + sink(mm2.get("key").get(0)); // $ hasValueFlow } class MyAbstractMultivaluedMap extends AbstractMultivaluedMap { 
@@ -160,248 +160,248 @@ public class JaxRsFlow { void testAbstractMultivaluedMap(Map> map1, Map> map2, List list) { map1.put(taint(), list); AbstractMultivaluedMap amm1 = new MyAbstractMultivaluedMap(map1); - sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow + sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow list.add(taint()); map2.put("key", list); AbstractMultivaluedMap amm2 = new MyAbstractMultivaluedMap(map2); - sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow + sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow } void testMultivaluedHashMap(Map map1, Map map2, MultivaluedMap mm1, MultivaluedMap mm2) { map1.put(taint(), "value"); MultivaluedHashMap mhm1 = new MultivaluedHashMap(map1); - sink(mhm1.keySet().iterator().next()); // $hasValueFlow + sink(mhm1.keySet().iterator().next()); // $ hasValueFlow map2.put("key", taint()); MultivaluedHashMap mhm2 = new MultivaluedHashMap(map2); - sink(mhm2.get("key").get(0)); // $hasValueFlow + sink(mhm2.get("key").get(0)); // $ hasValueFlow mm1.add(taint(), "value"); MultivaluedHashMap mhm3 = new MultivaluedHashMap(mm1); - sink(mhm3.keySet().iterator().next()); // $hasValueFlow + sink(mhm3.keySet().iterator().next()); // $ hasValueFlow mm2.add("key", taint()); MultivaluedHashMap mhm4 = new MultivaluedHashMap(mm2); - sink(mhm4.get("key").get(0)); // $hasValueFlow + sink(mhm4.get("key").get(0)); // $ hasValueFlow } void testPathSegment(PathSegment ps1, PathSegment ps2) { - sink(taint(ps1).getMatrixParameters()); // $hasTaintFlow - sink(taint(ps2).getPath()); // $hasTaintFlow + sink(taint(ps1).getMatrixParameters()); // $ hasTaintFlow + sink(taint(ps2).getPath()); // $ hasTaintFlow } void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) { - sink(taint(ui1).getPathParameters()); // $hasTaintFlow - sink(taint(ui2).getPathSegments()); // $hasTaintFlow - sink(taint(ui2).getQueryParameters()); // $hasTaintFlow - 
sink(taint(ui2).getRequestUri()); // $hasTaintFlow - sink(taint(ui2).getRequestUriBuilder()); // $hasTaintFlow + sink(taint(ui1).getPathParameters()); // $ hasTaintFlow + sink(taint(ui2).getPathSegments()); // $ hasTaintFlow + sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow + sink(taint(ui2).getRequestUri()); // $ hasTaintFlow + sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow } void testCookie() { - sink(new Cookie(taint(), "", "", "", 0)); // $hasTaintFlow - sink(new Cookie("", taint(), "", "", 0)); // $hasTaintFlow - sink(new Cookie("", "", taint(), "", 0)); // $hasTaintFlow - sink(new Cookie("", "", "", taint(), 0)); // $hasTaintFlow - sink(new Cookie("", "", "", "", IntSource.taint())); // $hasTaintFlow - sink(new Cookie(taint(), "", "", "")); // $hasTaintFlow - sink(new Cookie("", taint(), "", "")); // $hasTaintFlow - sink(new Cookie("", "", taint(), "")); // $hasTaintFlow - sink(new Cookie("", "", "", taint())); // $hasTaintFlow - sink(new Cookie(taint(), "")); // $hasTaintFlow - sink(new Cookie("", taint())); // $hasTaintFlow - sink(Cookie.valueOf(taint())); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getDomain()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getName()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getPath()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getValue()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).getVersion()); // $hasTaintFlow - sink(Cookie.valueOf(taint()).toString()); // $hasTaintFlow + sink(new Cookie(taint(), "", "", "", 0)); // $ hasTaintFlow + sink(new Cookie("", taint(), "", "", 0)); // $ hasTaintFlow + sink(new Cookie("", "", taint(), "", 0)); // $ hasTaintFlow + sink(new Cookie("", "", "", taint(), 0)); // $ hasTaintFlow + sink(new Cookie("", "", "", "", IntSource.taint())); // $ hasTaintFlow + sink(new Cookie(taint(), "", "", "")); // $ hasTaintFlow + sink(new Cookie("", taint(), "", "")); // $ hasTaintFlow + sink(new Cookie("", "", taint(), "")); // $ hasTaintFlow + sink(new 
Cookie("", "", "", taint())); // $ hasTaintFlow + sink(new Cookie(taint(), "")); // $ hasTaintFlow + sink(new Cookie("", taint())); // $ hasTaintFlow + sink(Cookie.valueOf(taint())); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getDomain()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getName()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getPath()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getValue()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).getVersion()); // $ hasTaintFlow + sink(Cookie.valueOf(taint()).toString()); // $ hasTaintFlow } void testNewCookie() { - sink(new NewCookie(Cookie.valueOf(taint()))); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(taint()))); // $ hasTaintFlow - sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $hasTaintFlow - sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, 
BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $ hasTaintFlow + sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "")); // $hasTaintFlow - sink(new NewCookie("", taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "")); // $ hasTaintFlow + sink(new NewCookie("", taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); 
// $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $ 
hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", "", 0, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), "", 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", taint(), 0, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $hasTaintFlow + sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $ hasTaintFlow - sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $hasTaintFlow - sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $hasTaintFlow - sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $hasTaintFlow - sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // 
$hasTaintFlow + sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $ hasTaintFlow + sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $ hasTaintFlow + sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $ hasTaintFlow - sink(NewCookie.valueOf(taint()).getComment()); // $hasTaintFlow - sink(NewCookie.valueOf(taint()).getExpiry()); // $hasTaintFlow - sink(NewCookie.valueOf(taint()).getMaxAge()); // $hasTaintFlow - sink(NewCookie.valueOf(taint()).toCookie()); // $hasTaintFlow - sink(NewCookie.valueOf(taint())); // $hasTaintFlow + sink(NewCookie.valueOf(taint()).getComment()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint()).getExpiry()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint()).getMaxAge()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint()).toCookie()); // $ hasTaintFlow + sink(NewCookie.valueOf(taint())); // $ hasTaintFlow } void testForm(MultivaluedMap mm1, MultivaluedMap mm2) { - sink(new Form(taint(), "")); // $hasTaintFlow - sink(new Form("", taint())); // $hasTaintFlow + sink(new Form(taint(), "")); // $ hasTaintFlow + sink(new Form("", taint())); // $ hasTaintFlow mm1.add(taint(), "value"); - sink(new Form(mm1)); // $hasTaintFlow + sink(new Form(mm1)); // $ hasTaintFlow mm2.add("key", taint()); - sink(new Form(mm2)); // $hasTaintFlow + sink(new Form(mm2)); // $ hasTaintFlow Form f1 = new Form(taint(), ""); - sink(f1.asMap()); // $hasTaintFlow + sink(f1.asMap()); // $ hasTaintFlow Form f2 = new Form(); - sink(f2.param(taint(), "b")); // $hasTaintFlow + 
sink(f2.param(taint(), "b")); // $ hasTaintFlow Form f3 = new Form(); - sink(f3.param("a", taint())); // $hasTaintFlow + sink(f3.param("a", taint())); // $ hasTaintFlow Form f4 = new Form(taint(), ""); - sink(f4.param("a", "b")); // $hasTaintFlow + sink(f4.param("a", "b")); // $ hasTaintFlow } void testGenericEntity() { Method m = Dummy.class.getMethods()[0]; GenericEntity> ge = new GenericEntity>(SetStringSource.taint(), m.getGenericReturnType()); - sink(ge); // $hasTaintFlow - sink(ge.getEntity()); // $hasTaintFlow + sink(ge); // $ hasTaintFlow + sink(ge.getEntity()); // $ hasTaintFlow } void testMediaType(Map m) { - sink(new MediaType(taint(), "")); // $hasTaintFlow - sink(new MediaType("", taint())); // $hasTaintFlow - sink(new MediaType(taint(), "", m)); // $hasTaintFlow - sink(new MediaType("", taint(), m)); // $hasTaintFlow - sink(new MediaType("", "", taint(m))); // $hasTaintFlow - sink(new MediaType(taint(), "", "")); // $hasTaintFlow - sink(new MediaType("", taint(), "")); // $hasTaintFlow - sink(new MediaType("", "", taint())); // $hasTaintFlow - sink(MediaType.valueOf(taint()).getParameters()); // $hasTaintFlow - sink(MediaType.valueOf(taint()).getSubtype()); // $hasTaintFlow - sink(MediaType.valueOf(taint()).getType()); // $hasTaintFlow - sink(MediaType.valueOf(taint())); // $hasTaintFlow + sink(new MediaType(taint(), "")); // $ hasTaintFlow + sink(new MediaType("", taint())); // $ hasTaintFlow + sink(new MediaType(taint(), "", m)); // $ hasTaintFlow + sink(new MediaType("", taint(), m)); // $ hasTaintFlow + sink(new MediaType("", "", taint(m))); // $ hasTaintFlow + sink(new MediaType(taint(), "", "")); // $ hasTaintFlow + sink(new MediaType("", taint(), "")); // $ hasTaintFlow + sink(new MediaType("", "", taint())); // $ hasTaintFlow + sink(MediaType.valueOf(taint()).getParameters()); // $ hasTaintFlow + sink(MediaType.valueOf(taint()).getSubtype()); // $ hasTaintFlow + sink(MediaType.valueOf(taint()).getType()); // $ hasTaintFlow + 
sink(MediaType.valueOf(taint())); // $ hasTaintFlow } void testUriBuilder() throws Exception { - sink(UriBuilder.fromPath("").build(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").build("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").build(taint(), false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").build("", taint(), true)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).build("")); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).build("", false)); // $hasTaintFlow + sink(UriBuilder.fromPath("").build(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").build("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").build(taint(), false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").build("", taint(), true)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).build("")); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).build("", false)); // $ hasTaintFlow - sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap()))); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap())); // $hasTaintFlow - sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap()), false)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap(), true)); // $hasTaintFlow + sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap()))); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap())); // $ hasTaintFlow + 
sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap()), false)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap(), true)); // $ hasTaintFlow - sink(UriBuilder.fromPath(taint()).clone()); // $hasTaintFlow - sink(UriBuilder.fromPath("").fragment(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).fragment("")); // $hasTaintFlow - sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $hasTaintFlow - sink(UriBuilder.fromPath(taint())); // $hasTaintFlow - sink(UriBuilder.fromUri(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").host(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).host("")); // $hasTaintFlow + sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow + sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow + sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint())); // $ hasTaintFlow + sink(UriBuilder.fromUri(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").host(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).host("")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").path(taint(Dummy.class))); // $hasTaintFlow - sink(UriBuilder.fromPath("").path(Dummy.class, taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).path(Dummy.class)); // $hasTaintFlow - sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $hasTaintFlow + sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $ hasTaintFlow + 
sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").path(taint(Dummy.class))); // $ hasTaintFlow + sink(UriBuilder.fromPath("").path(Dummy.class, taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).path(Dummy.class)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replacePath(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replacePath("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceQuery(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $hasTaintFlow + sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replacePath(taint())); // $ 
hasTaintFlow + sink(UriBuilder.fromPath(taint()).replacePath("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceQuery(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $ hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); 
// $ hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()))); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()), true)); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap(), false)); // $hasTaintFlow - sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap()))); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap())); // $hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()))); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap()), true)); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap(), false)); // $ hasTaintFlow + sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap()))); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap())); // $ hasTaintFlow - sink(UriBuilder.fromPath("").scheme(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).scheme("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").segment(taint(), "")); // $hasTaintFlow - sink(UriBuilder.fromPath("").segment("", "", taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).segment("", "")); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).toTemplate()); // $hasTaintFlow + sink(UriBuilder.fromPath("").scheme(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).scheme("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // 
$ hasTaintFlow + sink(UriBuilder.fromPath("").segment(taint(), "")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").segment("", "", taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).segment("", "")); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).toTemplate()); // $ hasTaintFlow - sink(UriBuilder.fromPath("").uri(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).uri("")); // $hasTaintFlow - sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $hasTaintFlow - sink(UriBuilder.fromPath("").userInfo(taint())); // $hasTaintFlow - sink(UriBuilder.fromPath(taint()).userInfo("")); // $hasTaintFlow + sink(UriBuilder.fromPath("").uri(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).uri("")); // $ hasTaintFlow + sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $ hasTaintFlow + sink(UriBuilder.fromPath("").userInfo(taint())); // $ hasTaintFlow + sink(UriBuilder.fromPath(taint()).userInfo("")); // $ hasTaintFlow } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java index 5817f433aaf..511508cd774 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java 
@@ -5,40 +5,40 @@ import javax.xml.ws.WebServiceClient; import javax.xml.ws.WebServiceProvider; @WebService -class WebServiceClass { // $JaxWsEndpoint +class WebServiceClass { // $ JaxWsEndpoint @WebMethod - void WebMethodMethod() { // $JaxWsEndpointRemoteMethod + void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod } @WebEndpoint - void WebEndpointMethod() { // $JaxWsEndpointRemoteMethod + void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod } } @WebServiceProvider -class WebServiceProviderClass { // $JaxWsEndpoint +class WebServiceProviderClass { // $ JaxWsEndpoint @WebMethod - void WebMethodMethod() { // $JaxWsEndpointRemoteMethod + void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod } @WebEndpoint - void WebEndpointMethod() { // $JaxWsEndpointRemoteMethod + void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod } } @WebServiceClient -class WebServiceClientClass { // $JaxWsEndpoint +class WebServiceClientClass { // $ JaxWsEndpoint @WebMethod - void WebMethodMethod() { // $JaxWsEndpointRemoteMethod + void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod } @WebEndpoint - void WebEndpointMethod() { // $JaxWsEndpointRemoteMethod + void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod } } From 945db01f56bf38f77c63654cfb54adc25d0df019 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 17 Jun 2021 10:29:33 +0100 Subject: [PATCH 36/36] Address review comments --- java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll index 157cf1ba18e..bfe332da2b6 100644 --- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll 
@@ -81,13 +81,13 @@ class JaxRsResourceMethod extends Method {
 result = this.getAnAnnotation()
 or
 // No direct annotations
- not exists(this.getAnAnnotation().(JaxRSProducesAnnotation)) and
+ not this.getAnAnnotation() instanceof JaxRSProducesAnnotation and
 (
 // Annotations on a method we've overridden
 result = this.getAnOverride().getAnAnnotation()
 or
 // No annotations on this method, or a method we've overridden, so look to the class
- not exists(this.getAnOverride().getAnAnnotation().(JaxRSProducesAnnotation)) and
+ not this.getAnOverride().getAnAnnotation() instanceof JaxRSProducesAnnotation and
 result = this.getDeclaringType().getAnAnnotation()
 )
 }
@@ -267,7 +267,7 @@ class MessageBodyReader extends GenericInterface {
 */
 class MessageBodyReaderReadFrom extends Method {
 MessageBodyReaderReadFrom() {
- this.getDeclaringType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
+ this.getDeclaringType().getSourceDeclaration() instanceof MessageBodyReader and
 this.hasName("readFrom")
 }
 }
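Review bot: The two comments in the first hunk say "No direct annotations" and "No annotations on this method, or a method we've overridden", but the conditions beside them test only for `JaxRSProducesAnnotation`, so a method that carries other JAX-RS annotations still falls through to the overridden method or the declaring class. I would word them `// No direct @Produces annotation` and `// No @Produces annotation on this method or on one it overrides, so look to the class`, because this precedence decides which declared content type is attributed to a resource method. The predicate's signature lies outside the hunk; the unqualified `result = this.getAnAnnotation()` is presumably narrowed by the predicate's result type, and a short comment saying so would help a reader who sees only these lines.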