hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-30 20:28:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21405 from owen-mc/java/consistent-inline-expectation-tests

Browse Source 
Inline expectation tests should always have space before and after `$`
This commit is contained in:
Owen Mansel-Chan
2026-03-05 11:27:37 +00:00
committed by GitHub
parent b5bf1c578c c82f75604a
commit 926725a87f
297 changed files with 5490 additions and 5458 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.

2
cpp/ql/test/library-tests/dataflow/fields/A.cpp
View File

@@ -46,7 +46,7 @@ public:
{
C *c = new C();
B *b = B::make(c);
sink(b->c); // $ast,ir
sink(b->c); // $ ast,ir
}
void f2()

4
cpp/ql/test/library-tests/dataflow/fields/C.cpp
View File

@@ -26,9 +26,9 @@ public:
void func()
{
sink(s1); // $ast,ir
sink(s1); // $ ast,ir
sink(s2); // $ MISSING: ast,ir
sink(s3); // $ast,ir
sink(s3); // $ ast,ir
sink(s4); // $ MISSING: ast,ir
}
};

2
cpp/ql/test/library-tests/dataflow/fields/D.cpp
View File

@@ -19,7 +19,7 @@ public:
};
static void sinkWrap(Box2* b2) {
sink(b2->getBox1()->getElem()); // $ast,ir=28:15 ast,ir=35:15 ast,ir=42:15 ast,ir=49:15
sink(b2->getBox1()->getElem()); // $ ast,ir=28:15 ast,ir=35:15 ast,ir=42:15 ast,ir=49:15
}
Box2* boxfield;

10
cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp
View File

@@ -48,25 +48,25 @@ struct S {
void test_setDirectly() {
S s;
s.setDirectly(user_input());
sink(s.getDirectly()); // $ast ir
sink(s.getDirectly()); // $ ast ir
}
void test_setIndirectly() {
S s;
s.setIndirectly(user_input());
sink(s.getIndirectly()); // $ast ir
sink(s.getIndirectly()); // $ ast ir
}
void test_setThroughNonMember() {
S s;
s.setThroughNonMember(user_input());
sink(s.getThroughNonMember()); // $ast ir
sink(s.getThroughNonMember()); // $ ast ir
}
void test_nonMemberSetA() {
S s;
nonMemberSetA(&s, user_input());
sink(nonMemberGetA(&s)); // $ast,ir
sink(nonMemberGetA(&s)); // $ ast,ir
}
////////////////////
@@ -112,7 +112,7 @@ void test_outer_with_ptr(Outer *pouter) {
sink(outer.a); // $ ast,ir
sink(pouter->inner_nested.a); // $ ast,ir
sink(pouter->inner_ptr->a); // $ast,ir
sink(pouter->inner_ptr->a); // $ ast,ir
sink(pouter->a); // $ ast,ir
}

8
cpp/ql/test/library-tests/dataflow/fields/simple.cpp
View File

@@ -64,7 +64,7 @@ void single_field_test()
A a;
a.i = user_input();
A a2 = a;
sink(a2.i); //$ ast,ir
sink(a2.i); // $ ast,ir
}
struct C {
@@ -81,7 +81,7 @@ struct C2
void m() {
f2.f1 = user_input();
sink(getf2f1()); //$ ast,ir
sink(getf2f1()); // $ ast,ir
}
};
@@ -91,7 +91,7 @@ void single_field_test_typedef(A_typedef a)
{
a.i = user_input();
A_typedef a2 = a;
sink(a2.i); //$ ast,ir
sink(a2.i); // $ ast,ir
}
namespace TestAdditionalCallTargets {
@@ -168,4 +168,4 @@ void test_union_with_two_instantiations_of_different_sizes() {
sink(u_int.y); // $ MISSING: ir
}
} // namespace Simple
} // namespace Simple

8
cpp/ql/test/library-tests/dataflow/fields/struct_init.c
View File

@@ -12,14 +12,14 @@ struct Outer {
};
void absink(struct AB *ab) {
sink(ab->a); //$ ast,ir=20:20 ast,ir=27:7 ast,ir=40:20
sink(ab->a); // $ ast,ir=20:20 ast,ir=27:7 ast,ir=40:20
sink(ab->b); // no flow
}
int struct_init(void) {
struct AB ab = { user_input(), 0 };
sink(ab.a); //$ ast,ir
sink(ab.a); // $ ast,ir
sink(ab.b); // no flow
absink(&ab);
@@ -28,9 +28,9 @@ int struct_init(void) {
&ab,
};
sink(outer.nestedAB.a); //$ ast,ir
sink(outer.nestedAB.a); // $ ast,ir
sink(outer.nestedAB.b); // no flow
sink(outer.pointerAB->a); //$ ast,ir
sink(outer.pointerAB->a); // $ ast,ir
sink(outer.pointerAB->b); // no flow
absink(&outer.nestedAB);

4
cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
View File

@@ -75,7 +75,7 @@ void test_sources() {
int e = localMadSource();
sink(e); // $ ir
sink(MyNamespace::namespaceLocalMadSource()); // $: ir
sink(MyNamespace::namespaceLocalMadSource()); // $ ir
sink(MyNamespace::namespaceLocalMadSourceVar); // $ ir
sink(MyNamespace::MyNamespace2::namespace2LocalMadSource()); // $ ir
sink(MyNamespace::localMadSource()); // $ (the MyNamespace version of this function is not a source)
@@ -475,4 +475,4 @@ void test_receive_array() {
int array[10] = {x};
int y = receive_array(array);
sink(y); // $ ir
}
}

4
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -450,7 +450,7 @@ void test_qualifiers()
b.member = source();
sink(b); // $ ir MISSING: ast
sink(b.member); // $ ast,ir
sink(b.getMember()); // $ MISSING: ir ast
sink(b.getMember()); // $ MISSING: ir ast
c = new MyClass2(0);
@@ -865,4 +865,4 @@ void test_iconv(size_t size) {
size_t size_out;
iconv(0, &s, &size, &p, &size_out);
sink(*p); // $ ast,ir
}
}

100
cpp/ql/test/library-tests/ir/points_to/points_to.cpp
View File

@@ -24,64 +24,64 @@ struct DerivedVI : virtual Base1 {
};
void Locals() {
Point pt = { //$ussa=pt
1, //$ussa=pt[0..4)<int>
2 //$ussa=pt[4..8)<int>
Point pt = { // $ ussa=pt
1, // $ ussa=pt[0..4)<int>
2 // $ ussa=pt[4..8)<int>
};
int i = pt.x; //$ussa=pt[0..4)<int>
i = pt.y; //$ussa=pt[4..8)<int>
int i = pt.x; // $ ussa=pt[0..4)<int>
i = pt.y; // $ ussa=pt[4..8)<int>
int* p = &pt.x;
i = *p; //$ussa=pt[0..4)<int>
i = *p; // $ ussa=pt[0..4)<int>
p = &pt.y;
i = *p; //$ussa=pt[4..8)<int>
i = *p; // $ ussa=pt[4..8)<int>
}
void PointsTo(
int a, //$raw=a
Point& b, //$raw=b ussa=*b
Point* c, //$raw=c ussa=*c
int* d, //$raw=d ussa=*d
DerivedSI* e, //$raw=e ussa=*e
DerivedMI* f, //$raw=f ussa=*f
DerivedVI* g //$raw=g ussa=*g
int a, // $ raw=a
Point& b, // $ raw=b ussa=*b
Point* c, // $ raw=c ussa=*c
int* d, // $ raw=d ussa=*d
DerivedSI* e, // $ raw=e ussa=*e
DerivedMI* f, // $ raw=f ussa=*f
DerivedVI* g // $ raw=g ussa=*g
) {
int i = a; //$raw=a
i = *&a; //$raw=a
i = *(&a + 0); //$raw=a
i = b.x; //$raw=b ussa=*b[0..4)<int>
i = b.y; //$raw=b ussa=*b[4..8)<int>
i = c->x; //$raw=c ussa=*c[0..4)<int>
i = c->y; //$raw=c ussa=*c[4..8)<int>
i = *d; //$raw=d ussa=*d[0..4)<int>
i = *(d + 0); //$raw=d ussa=*d[0..4)<int>
i = d[5]; //$raw=d ussa=*d[20..24)<int>
i = 5[d]; //$raw=d ussa=*d[20..24)<int>
i = d[a]; //$raw=d raw=a ussa=*d[?..?)<int>
i = a[d]; //$raw=d raw=a ussa=*d[?..?)<int>
int i = a; // $ raw=a
i = *&a; // $ raw=a
i = *(&a + 0); // $ raw=a
i = b.x; // $ raw=b ussa=*b[0..4)<int>
i = b.y; // $ raw=b ussa=*b[4..8)<int>
i = c->x; // $ raw=c ussa=*c[0..4)<int>
i = c->y; // $ raw=c ussa=*c[4..8)<int>
i = *d; // $ raw=d ussa=*d[0..4)<int>
i = *(d + 0); // $ raw=d ussa=*d[0..4)<int>
i = d[5]; // $ raw=d ussa=*d[20..24)<int>
i = 5[d]; // $ raw=d ussa=*d[20..24)<int>
i = d[a]; // $ raw=d raw=a ussa=*d[?..?)<int>
i = a[d]; // $ raw=d raw=a ussa=*d[?..?)<int>
int* p = &b.x; //$raw=b
i = *p; //$ussa=*b[0..4)<int>
p = &b.y; //$raw=b
i = *p; //$ussa=*b[4..8)<int>
p = &c->x; //$raw=c
i = *p; //$ussa=*c[0..4)<int>
p = &c->y; //$raw=c
i = *p; //$ussa=*c[4..8)<int>
p = &d[5]; //$raw=d
i = *p; //$ussa=*d[20..24)<int>
p = &d[a]; //$raw=d raw=a
i = *p; //$ussa=*d[?..?)<int>
int* p = &b.x; // $ raw=b
i = *p; // $ ussa=*b[0..4)<int>
p = &b.y; // $ raw=b
i = *p; // $ ussa=*b[4..8)<int>
p = &c->x; // $ raw=c
i = *p; // $ ussa=*c[0..4)<int>
p = &c->y; // $ raw=c
i = *p; // $ ussa=*c[4..8)<int>
p = &d[5]; // $ raw=d
i = *p; // $ ussa=*d[20..24)<int>
p = &d[a]; // $ raw=d raw=a
i = *p; // $ ussa=*d[?..?)<int>
Point* q = &c[a]; //$raw=c raw=a
i = q->x; //$ussa=*c[?..?)<int>
i = q->y; //$ussa=*c[?..?)<int>
Point* q = &c[a]; // $ raw=c raw=a
i = q->x; // $ ussa=*c[?..?)<int>
i = q->y; // $ ussa=*c[?..?)<int>
i = e->b1; //$raw=e ussa=*e[0..4)<int>
i = e->dsi; //$raw=e ussa=*e[4..8)<int>
i = f->b1; //$raw=f ussa=*f[0..4)<int>
i = f->b2; //$raw=f ussa=*f[4..8)<int>
i = f->dmi; //$raw=f ussa=*f[8..12)<int>
i = g->b1; //$raw=g ussa=*g[?..?)<int>
i = g->dvi; //$raw=g ussa=*g[8..12)<int>
}
i = e->b1; // $ raw=e ussa=*e[0..4)<int>
i = e->dsi; // $ raw=e ussa=*e[4..8)<int>
i = f->b1; // $ raw=f ussa=*f[0..4)<int>
i = f->b2; // $ raw=f ussa=*f[4..8)<int>
i = f->dmi; // $ raw=f ussa=*f[8..12)<int>
i = g->b1; // $ raw=g ussa=*g[?..?)<int>
i = g->dvi; // $ raw=g ussa=*g[8..12)<int>
}

26
cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp
View File

@@ -10,24 +10,24 @@ struct S {
void unique_ptr_init(S s) {
unique_ptr<S> p(new S); // MISSING: $ussa=dynamic{1}
int i = (*p).x; //$ MISSING: ussa=dynamic{1}[0..4)<int>
*p = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
int i = (*p).x; // $ MISSING: ussa=dynamic{1}[0..4)<int>
*p = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
unique_ptr<S> q = std::move(p);
*(q.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
*(q.get()) = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
shared_ptr<S> t(std::move(q));
t->x = 5; //$ MISSING: ussa=dynamic{1}[0..4)<int>
*t = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
*(t.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
t->x = 5; // $ MISSING: ussa=dynamic{1}[0..4)<int>
*t = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
*(t.get()) = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
}
void shared_ptr_init(S s) {
shared_ptr<S> p(new S); //$ MISSING: ussa=dynamic{1}
int i = (*p).x; //$ MISSING: ussa=dynamic{1}[0..4)<int>
*p = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
shared_ptr<S> p(new S); // $ MISSING: ussa=dynamic{1}
int i = (*p).x; // $ MISSING: ussa=dynamic{1}[0..4)<int>
*p = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
shared_ptr<S> q = std::move(p);
*(q.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
*(q.get()) = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
shared_ptr<S> t(q);
t->x = 5; //$ MISSING: ussa=dynamic{1}[0..4)<int>
*t = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
*(t.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
t->x = 5; // $ MISSING: ussa=dynamic{1}[0..4)<int>
*t = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
*(t.get()) = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
}

22
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
View File

@@ -46,7 +46,7 @@ int test4() {
}
range(total); // $ MISSING: range=>=0
range(i); // $ range===2
range(total + i); // $ range="<=Phi: i+2" MISSING: range===i+2 range=>=2 range=>=i+0
range(total + i); // $ range="<=Phi: i+2" MISSING: range===i+2 range=>=2 range=>=i+0
return total + i;
}
@@ -210,7 +210,7 @@ int test14(int x) {
int x3 = (int)(unsigned int)x;
range(x3);
char c0 = x;
range(c0);
range(c0);
unsigned short s0 = x;
range(s0);
range(x0 + x1 + x2 + x3 + c0 + s0); // $ overflow=+ overflow=+-
@@ -218,7 +218,7 @@ int test14(int x) {
}
long long test15(long long x) {
return (x > 0 && (range(x), x == (int)x)) ? // $ range=>=1
return (x > 0 && (range(x), x == (int)x)) ? // $ range=>=1
(range(x), x) : // $ range=>=1
(range(x), -1);
}
@@ -228,7 +228,7 @@ int test_unary(int a) {
int total = 0;
if (3 <= a && a <= 11) {
range(a); // $ range=<=11 range=>=3
range(a); // $ range=<=11 range=>=3
int b = +a;
range(b); // $ range=<=11 range=>=3
int c = -a;
@@ -384,7 +384,7 @@ int test_mult02(int a, int b) {
total += r;
range(total); // $ range=">=Phi: 0-143" range=">=Phi: 0-286"
}
range(total); // $range=">=Phi: 0-143" range=">=Phi: 0-286"
range(total); // $ range=">=Phi: 0-143" range=">=Phi: 0-286"
return total;
}
@@ -467,7 +467,7 @@ int test_mult04(int a, int b) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=0 range=>=-13
int r = a*b; // 0 .. 221
range(r); // $ range=<=221 range=>=0
range(r); // $ range=<=221 range=>=0
total += r;
range(total); // $ range="<=Phi: - ...+221"
}
@@ -1030,7 +1030,7 @@ void test_negate_signed(int s) {
}
}
// By setting the guard after the use in another guard we
// By setting the guard after the use in another guard we
// don't get the useful information
void test_guard_after_use(int pos, int size, int offset) {
if (pos + offset >= size) { // $ overflow=+-
@@ -1040,12 +1040,12 @@ void test_guard_after_use(int pos, int size, int offset) {
return;
}
range(pos + 1); // $ overflow=+ range="==InitializeParameter: pos+1" MISSING: range="<=InitializeParameter: size-1"
}
}
int cond();
// This is basically what we get when we have a loop that calls
// This is basically what we get when we have a loop that calls
// realloc in some iterations
void alloc_in_loop(int origLen) {
if (origLen <= 10) {
@@ -1066,12 +1066,12 @@ void alloc_in_loop(int origLen) {
}
}
// This came from a case where it handled the leftovers before an unrolled loop
// This came from a case where it handled the leftovers before an unrolled loop
void mask_at_start(int len) {
if (len < 0) {
return;
}
int leftOver = len & 63;
int leftOver = len & 63;
for (int i = 0; i < leftOver; i++) {
range(i); // $ range=<=62 range=>=0 range="<=Store: ... & ... | Store: leftOver-1" range="<=InitializeParameter: len-1"
}

12
cpp/ql/test/library-tests/ir/types/complex.c
View File

@@ -1,14 +1,14 @@
void Complex(void) {
_Complex float cf; //$irtype=cfloat8
_Complex double cd; //$irtype=cfloat16
_Complex long double cld; //$irtype=cfloat32
_Complex float cf; // $ irtype=cfloat8
_Complex double cd; // $ irtype=cfloat16
_Complex long double cld; // $ irtype=cfloat32
// _Complex __float128 cf128;
}
void Imaginary(void) {
_Imaginary float jf; //$irtype=ifloat4
_Imaginary double jd; //$irtype=ifloat8
_Imaginary long double jld; //$irtype=ifloat16
_Imaginary float jf; // $ irtype=ifloat4
_Imaginary double jd; // $ irtype=ifloat8
_Imaginary long double jld; // $ irtype=ifloat16
// _Imaginary __float128 jf128;
}

66
cpp/ql/test/library-tests/ir/types/irtypes.cpp
View File

@@ -22,44 +22,44 @@ enum class ScopedE {
};
void IRTypes() {
char c; //$irtype=int1
signed char sc; //$irtype=int1
unsigned char uc; //$irtype=uint1
short s; //$irtype=int2
signed short ss; //$irtype=int2
unsigned short us; //$irtype=uint2
int i; //$irtype=int4
signed int si; //$irtype=int4
unsigned int ui; //$irtype=uint4
long l; //$irtype=int8
signed long sl; //$irtype=int8
unsigned long ul; //$irtype=uint8
long long ll; //$irtype=int8
signed long long sll; //$irtype=int8
unsigned long long ull; //$irtype=uint8
bool b; //$irtype=bool1
float f; //$irtype=float4
double d; //$irtype=float8
long double ld; //$irtype=float16
__float128 f128; //$irtype=float16
char c; // $ irtype=int1
signed char sc; // $ irtype=int1
unsigned char uc; // $ irtype=uint1
short s; // $ irtype=int2
signed short ss; // $ irtype=int2
unsigned short us; // $ irtype=uint2
int i; // $ irtype=int4
signed int si; // $ irtype=int4
unsigned int ui; // $ irtype=uint4
long l; // $ irtype=int8
signed long sl; // $ irtype=int8
unsigned long ul; // $ irtype=uint8
long long ll; // $ irtype=int8
signed long long sll; // $ irtype=int8
unsigned long long ull; // $ irtype=uint8
bool b; // $ irtype=bool1
float f; // $ irtype=float4
double d; // $ irtype=float8
long double ld; // $ irtype=float16
__float128 f128; // $ irtype=float16
wchar_t wc; //$irtype=uint4
// char8_t c8; //$irtype=uint1
char16_t c16; //$irtype=uint2
char32_t c32; //$irtype=uint4
wchar_t wc; // $ irtype=uint4
// char8_t c8; // $ irtype=uint1
char16_t c16; // $ irtype=uint2
char32_t c32; // $ irtype=uint4
int* pi; //$irtype=addr8
int& ri = i; //$irtype=addr8
void (*pfn)() = nullptr; //$irtype=func8
void (&rfn)() = IRTypes; //$irtype=func8
int* pi; // $ irtype=addr8
int& ri = i; // $ irtype=addr8
void (*pfn)() = nullptr; // $ irtype=func8
void (&rfn)() = IRTypes; // $ irtype=func8
A s_a; //$irtype=opaque4{A}
B s_b; //$irtype=opaque16{B}
A s_a; // $ irtype=opaque4{A}
B s_b; // $ irtype=opaque16{B}
E e; //$irtype=uint4
ScopedE se; //$irtype=uint4
E e; // $ irtype=uint4
ScopedE se; // $ irtype=uint4
B a_b[10]; //$irtype=opaque160{B[10]}
B a_b[10]; // $ irtype=opaque160{B[10]}
}
// semmle-extractor-options: -std=c++17 --clang

2
cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp
View File

@@ -1338,7 +1338,7 @@ void indirect_time_conversion_check(WORD year, WORD offset){
void set_time(WORD year, WORD month, WORD day){
SYSTEMTIME tmp;
tmp.wYear = year; //$ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification]
tmp.wYear = year; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification]
tmp.wMonth = month;
tmp.wDay = day;
}

4
csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.

12
csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs
View File

@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
{
public void CookieDefault()
{
Response.Cookies.Append("auth", "value"); // $Alert // BAD: HttpOnly is set to false by default
Response.Cookies.Append("auth", "value"); // $ Alert // BAD: HttpOnly is set to false by default
}
public void CookieDefault2()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
Response.Cookies.Append("auth", "value", cookieOptions); // BAD: HttpOnly is set to false by default
}
@@ -39,14 +39,14 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
void CookieDirectFalse()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
cookieOptions.HttpOnly = false;
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
}
void CookieDirectFalseInitializer()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $ Alert
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
}
@@ -67,7 +67,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
void CookieIntermediateFalse()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert
bool v = false;
cookieOptions.HttpOnly = v;
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
@@ -76,7 +76,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
void CookieIntermediateFalseInitializer()
{
bool v = false;
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $MISSING:Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $ MISSING:Alert
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
}
}

10
csharp/ql/test/query-tests/Security Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs
View File

@@ -13,7 +13,7 @@ class Program
void CookieDefault()
{
var cookie = new System.Web.HttpCookie("sessionID"); // $Alert // BAD: httpOnlyCookies is set to false by default
var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert // BAD: httpOnlyCookies is set to false by default
}
void CookieDefaultForgery()
@@ -29,13 +29,13 @@ class Program
void CookieDirectFalse()
{
var cookie = new System.Web.HttpCookie("sessionID"); // $Alert
var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert
cookie.HttpOnly = false; // BAD
}
void CookieDirectFalseInitializer()
{
var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // $Alert // BAD
var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false }; // $ Alert // BAD
}
void CookieIntermediateTrue()
@@ -53,7 +53,7 @@ class Program
void CookieIntermediateFalse()
{
var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert
var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert
bool v = false;
cookie.HttpOnly = v; // BAD
}
@@ -61,6 +61,6 @@ class Program
void CookieIntermediateFalseInitializer()
{
bool v = false;
var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // $MISSING:Alert // BAD
var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v }; // $ MISSING:Alert // BAD
}
}

12
csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs
View File

@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
{
public void CookieDefault()
{
Response.Cookies.Append("name", "value"); // $Alert // BAD: Secure is set to false by default
Response.Cookies.Append("name", "value"); // $ Alert // BAD: Secure is set to false by default
}
public void CookieDefault2()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
Response.Cookies.Append("name", "value", cookieOptions); // BAD: Secure is set to false by default
}
@@ -32,14 +32,14 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
void CookieDirectFalse()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
cookieOptions.Secure = false;
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
}
void CookieDirectFalseInitializer()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $ Alert
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
}
@@ -60,7 +60,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
void CookieIntermediateFalse()
{
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert
bool v = false;
cookieOptions.Secure = v;
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
@@ -69,7 +69,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
void CookieIntermediateFalseInitializer()
{
bool v = false;
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $MISSING:Alert
var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $ MISSING:Alert
Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
}
}

10
csharp/ql/test/query-tests/Security Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs
View File

@@ -2,7 +2,7 @@ class Program
{
void CookieDefault()
{
var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default
var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert // BAD: requireSSL is set to false by default
}
void CookieDirectTrue()
@@ -31,18 +31,18 @@ class Program
void CookieDirectFalse()
{
var cookie = new System.Web.HttpCookie("cookieName"); // $Alert
var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert
cookie.Secure = false; // BAD
}
void CookieDirectFalseInitializer()
{
var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD
var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $ Alert // BAD
}
void CookieIntermediateFalse()
{
var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert
var cookie = new System.Web.HttpCookie("cookieName"); // $ MISSING:Alert
bool v = false;
cookie.Secure = v; // BAD, but not detected
}
@@ -50,6 +50,6 @@ class Program
void CookieIntermediateFalseInitializer()
{
bool v = false;
var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected
var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $ MISSING:Alert // BAD, but not detected
}
}

4
go/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.

12
go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/file/test.go
View File

@@ -16,7 +16,7 @@ func open() {
}
func openFile() {
file, err := os.OpenFile("file.txt", os.O_RDWR, 0) // $source
file, err := os.OpenFile("file.txt", os.O_RDWR, 0) // $ source
if err != nil {
return
}
@@ -25,7 +25,7 @@ func openFile() {
}
func readFile() {
data, err := os.ReadFile("file.txt") // $source
data, err := os.ReadFile("file.txt") // $ source
if err != nil {
return
}
@@ -33,7 +33,7 @@ func readFile() {
}
func readFileIoUtil() {
data, err := ioutil.ReadFile("file.txt") // $source
data, err := ioutil.ReadFile("file.txt") // $ source
if err != nil {
return
}
@@ -45,14 +45,14 @@ func getFileFS() fs.ReadFileFS {
}
func readFileFs() {
data, err := fs.ReadFile(os.DirFS("."), "file.txt") // $source
data, err := fs.ReadFile(os.DirFS("."), "file.txt") // $ source
if err != nil {
return
}
_ = data
dir := getFileFS()
data, err = dir.ReadFile("file.txt") // $source
data, err = dir.ReadFile("file.txt") // $ source
if err != nil {
return
@@ -61,7 +61,7 @@ func readFileFs() {
}
func fsOpen() {
file, err := os.DirFS(".").Open("file.txt") // $source
file, err := os.DirFS(".").Open("file.txt") // $ source
if err != nil {
return
}

20
go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/stdin/test.go
View File

@@ -12,37 +12,37 @@ func sink(string) {
func readStdinBuffer() {
buf := make([]byte, 1024)
n, err := os.Stdin.Read(buf) // $source
n, err := os.Stdin.Read(buf) // $ source
if err != nil {
return
}
sink(string(buf[:n])) // $hasTaintFlow="type conversion"
sink(string(buf[:n])) // $ hasTaintFlow="type conversion"
}
func readStdinBuffReader() {
buf := make([]byte, 1024)
r := bufio.NewReader(os.Stdin) // $source
r := bufio.NewReader(os.Stdin) // $ source
n, err := r.Read(buf)
if err != nil {
return
}
sink(string(buf[:n])) // $hasTaintFlow="type conversion"
sink(string(buf[:n])) // $ hasTaintFlow="type conversion"
}
func scan() {
var username, email string
fmt.Scan(&username, &email) // $source
sink(username) // $hasTaintFlow="username"
fmt.Scan(&username, &email) // $ source
sink(username) // $ hasTaintFlow="username"
}
func scanf() {
var s string
fmt.Scanf("%s", &s) // $source
sink(s) // $hasTaintFlow="s"
fmt.Scanf("%s", &s) // $ source
sink(s) // $ hasTaintFlow="s"
}
func scanl() {
var s string
fmt.Scanln(&s) // $source
sink(s) // $hasTaintFlow="s"
fmt.Scanln(&s) // $ source
sink(s) // $ hasTaintFlow="s"
}

24
go/ql/test/library-tests/semmle/go/frameworks/Macaron/sources.go
View File

@@ -7,16 +7,16 @@ import (
)
func sources(ctx *macaron.Context, body *macaron.RequestBody) {
_ = ctx.AllParams() // $RemoteFlowSource
_ = ctx.GetCookie("") // $RemoteFlowSource
_, _ = ctx.GetSecureCookie("") // $RemoteFlowSource
_, _ = ctx.GetSuperSecureCookie("", "") // $RemoteFlowSource
_, _, _ = ctx.GetFile("") // $RemoteFlowSource
_ = ctx.Params("") // $RemoteFlowSource
_ = ctx.ParamsEscape("") // $RemoteFlowSource
_ = ctx.Query("") // $RemoteFlowSource
_ = ctx.QueryEscape("") // $RemoteFlowSource
_ = ctx.QueryStrings("") // $RemoteFlowSource
_, _ = body.Bytes() // $RemoteFlowSource
_, _ = body.String() // $RemoteFlowSource
_ = ctx.AllParams() // $ RemoteFlowSource
_ = ctx.GetCookie("") // $ RemoteFlowSource
_, _ = ctx.GetSecureCookie("") // $ RemoteFlowSource
_, _ = ctx.GetSuperSecureCookie("", "") // $ RemoteFlowSource
_, _, _ = ctx.GetFile("") // $ RemoteFlowSource
_ = ctx.Params("") // $ RemoteFlowSource
_ = ctx.ParamsEscape("") // $ RemoteFlowSource
_ = ctx.Query("") // $ RemoteFlowSource
_ = ctx.QueryEscape("") // $ RemoteFlowSource
_ = ctx.QueryStrings("") // $ RemoteFlowSource
_, _ = body.Bytes() // $ RemoteFlowSource
_, _ = body.String() // $ RemoteFlowSource
}

4
java/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.

10
java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.java
View File

@@ -1,7 +1,7 @@
class Bad extends WebViewClient {
// BAD: All certificates are trusted.
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
handler.proceed();
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
handler.proceed();
}
}
@@ -9,7 +9,7 @@ class Good extends WebViewClient {
PublicKey myPubKey = ...;
// GOOD: Only certificates signed by a certain public key are trusted.
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
try {
X509Certificate cert = error.getCertificate().getX509Certificate();
cert.verify(this.myPubKey);
@@ -18,5 +18,5 @@ class Good extends WebViewClient {
catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {
handler.cancel();
}
}
}
}
}

6
java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected
View File

@@ -30,7 +30,7 @@ nodes
| BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext |
subpaths
testFailures
| BadMacUse.java:50:56:50:65 | // $Source | Missing result: Source |
| BadMacUse.java:63:118:63:127 | // $Source | Missing result: Source |
| BadMacUse.java:50:56:50:66 | // $ Source | Missing result: Source |
| BadMacUse.java:63:118:63:128 | // $ Source | Missing result: Source |
| BadMacUse.java:92:31:92:35 | bytes : byte[] | Unexpected result: Source |
| BadMacUse.java:146:95:146:104 | // $Source | Missing result: Source |
| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source |

4
java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected
View File

@@ -31,7 +31,7 @@ nodes
| BadMacUse.java:124:42:124:51 | ciphertext | semmle.label | ciphertext |
subpaths
testFailures
| BadMacUse.java:63:118:63:127 | // $Source | Missing result: Source |
| BadMacUse.java:63:118:63:128 | // $ Source | Missing result: Source |
| BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | Unexpected result: Source |
| BadMacUse.java:124:42:124:51 | ciphertext | Unexpected result: Alert |
| BadMacUse.java:146:95:146:104 | // $Source | Missing result: Source |
| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source |

4
java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected
View File

@@ -45,7 +45,7 @@ nodes
| BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext |
subpaths
testFailures
| BadMacUse.java:50:56:50:65 | // $Source | Missing result: Source |
| BadMacUse.java:50:56:50:66 | // $ Source | Missing result: Source |
| BadMacUse.java:139:79:139:90 | input : byte[] | Unexpected result: Source |
| BadMacUse.java:146:95:146:104 | // $Source | Missing result: Source |
| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source |
| BadMacUse.java:152:42:152:51 | ciphertext | Unexpected result: Alert |

14
java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java
View File

@@ -47,20 +47,20 @@ class BadMacUse {
SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom());
byte[] plaintext = cipher.doFinal(ciphertext); // $Source
byte[] plaintext = cipher.doFinal(ciphertext); // $ Source
// Now verify MAC (too late)
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(macKey);
byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
byte[] computedMac = mac.doFinal(plaintext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
if (!MessageDigest.isEqual(receivedMac, computedMac)) {
throw new SecurityException("MAC verification failed");
}
}
public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $Source
public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source
// Create keys directly from provided byte arrays
SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
@@ -73,7 +73,7 @@ class BadMacUse {
// Encrypt the plaintext
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new SecureRandom());
byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
byte[] ciphertext = cipher.doFinal(plaintext); // $ Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
// Concatenate ciphertext and MAC
byte[] output = new byte[ciphertext.length + computedMac.length];
@@ -132,7 +132,7 @@ class BadMacUse {
/**
* Correct inputs to a decrypt and MAC operation, but the ordering is unsafe.
* Correct inputs to a decrypt and MAC operation, but the ordering is unsafe.
* The function decrypts THEN computes the MAC on the plaintext.
* It should have the MAC computed on the ciphertext first.
*/
@@ -143,13 +143,13 @@ class BadMacUse {
byte[] receivedMac = Arrays.copyOfRange(input, input.length - macLength, input.length);
// Decrypt first (unsafe)
byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $Source
byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source
// Now verify MAC (too late)
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(macKey);
byte[] computedMac = mac.doFinal(ciphertext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
if (!MessageDigest.isEqual(receivedMac, computedMac)) {
throw new SecurityException("MAC verification failed");

44
java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java
View File

@@ -11,33 +11,33 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a byte array
public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source
byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $ Source
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
// BAD: AES-GCM with static IV from zero-initialized byte array
public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[16];
byte[] iv = new byte[16];
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.update(plaintext);
return cipher.doFinal();
}
// BAD: AES-CBC with static IV from 1-initialized byte array
public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[16];
byte[] iv = new byte[16];
for (byte i = 0; i < iv.length; i++) {
iv[i] = 1;
}
@@ -46,7 +46,7 @@ public class InsecureIVorNonceSource {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -54,15 +54,15 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a multidimensional byte array
public byte[] encryptWithOneOfStaticIvs01(byte[] key, byte[] plaintext) throws Exception {
byte[][] staticIvs = new byte[][] {
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $Source
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $Source
};
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $ Source
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $ Source
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -70,15 +70,15 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a multidimensional byte array
public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws Exception {
byte[][] staticIvs = new byte[][] {
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $Source
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $Source
};
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $ Source
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $ Source
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -86,15 +86,15 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a zero-initialized multidimensional byte array
public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception {
byte[][] ivs = new byte[][] {
new byte[8],
new byte[16]
new byte[8],
new byte[16]
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -166,8 +166,8 @@ public class InsecureIVorNonceSource {
return cipher.doFinal();
}
public byte[] generate(int size) throws Exception {
if (size == 0) {
public byte[] generate(int size) throws Exception {
if (size == 0) {
return new byte[0];
}
byte[] randomBytes = new byte[size];
@@ -183,7 +183,7 @@ public class InsecureIVorNonceSource {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -191,7 +191,7 @@ public class InsecureIVorNonceSource {
public byte[] generateInsecureRandomBytes(int numBytes) {
Random random = new Random();
byte[] bytes = new byte[numBytes];
random.nextBytes(bytes); // $Source
random.nextBytes(bytes); // $ Source
return bytes;
}
@@ -203,7 +203,7 @@ public class InsecureIVorNonceSource {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]]
cipher.update(plaintext);
return cipher.doFinal();
}

8
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java
View File

@@ -2,15 +2,15 @@ import java.security.*;
public class InsufficientAsymmetricKeySize{
public static void test() throws Exception{
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
keyPairGen1.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen1.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen1.generateKeyPair();
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
keyPairGen2.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen2.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen2.generateKeyPair();
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
keyPairGen3.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen3.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen3.generateKeyPair();
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
@@ -25,4 +25,4 @@ public class InsufficientAsymmetricKeySize{
keyPairGen6.initialize(2048); // GOOD
keyPairGen6.generateKeyPair();
}
}
}

10
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownBlockMode/Test.java
View File

@@ -10,25 +10,25 @@ public class Test {
byte[] data = "SensitiveData".getBytes();
// Insecure block mode: ECB
Cipher cipherECB = Cipher.getInstance("AES/ECB/PKCS5Padding"); // $Alert
Cipher cipherECB = Cipher.getInstance("AES/ECB/PKCS5Padding"); // $ Alert
cipherECB.init(Cipher.ENCRYPT_MODE, key);
byte[] ecbEncrypted = cipherECB.doFinal(data);
System.out.println("ECB encrypted: " + bytesToHex(ecbEncrypted));
// Insecure block mode: CFB
Cipher cipherCFB = Cipher.getInstance("AES/CFB/PKCS5Padding"); // $Alert
Cipher cipherCFB = Cipher.getInstance("AES/CFB/PKCS5Padding"); // $ Alert
cipherCFB.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] cfbEncrypted = cipherCFB.doFinal(data);
System.out.println("CFB encrypted: " + bytesToHex(cfbEncrypted));
// Insecure block mode: OFB
Cipher cipherOFB = Cipher.getInstance("AES/OFB/PKCS5Padding"); // $Alert
Cipher cipherOFB = Cipher.getInstance("AES/OFB/PKCS5Padding"); // $ Alert
cipherOFB.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] ofbEncrypted = cipherOFB.doFinal(data);
System.out.println("OFB encrypted: " + bytesToHex(ofbEncrypted));
// Insecure block mode: CTR
Cipher cipherCTR = Cipher.getInstance("AES/CTR/NoPadding"); // $Alert
Cipher cipherCTR = Cipher.getInstance("AES/CTR/NoPadding"); // $ Alert
cipherCTR.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] ctrEncrypted = cipherCTR.doFinal(data);
System.out.println("CTR encrypted: " + bytesToHex(ctrEncrypted));
@@ -54,4 +54,4 @@ public class Test {
sb.append(String.format("%02x", b));
return sb.toString();
}
}
}

16
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java
View File

@@ -12,33 +12,33 @@ public class WeakHashing {
props.load(new FileInputStream("example.properties"));
// BAD: Using a weak hashing algorithm even with a secure default
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Using a weak hashing algorithm even with a secure default
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Using a strong hashing algorithm but with a weak default
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Using a weak hash
MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Property does not exist and default (used value) is unknown
MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/examples/unknown-hash]
MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $ Alert[java/quantum/examples/unknown-hash]
java.util.Properties props2 = new java.util.Properties();
props2.load(new FileInputStream("unobserved-file.properties"));
// BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown
// BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown
// FALSE NEGATIVE for unknown hash
MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $ Alert[java/quantum/examples/unknown-hash]
// GOOD: Using a strong hashing algorithm
MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
// BAD?: Property does not exist (considered unknown) and but default is secure
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $ Alert[java/quantum/examples/unknown-hash]
// GOOD: Using a strong hashing algorithm
MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");

14
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java
View File

@@ -28,8 +28,8 @@ public class Test {
*/
public void pbkdf2LowIteration(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 10; // $Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/weak-kdf-iteration-count]
int iterationCount = 10; // $ Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/weak-kdf-iteration-count]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
@@ -40,9 +40,9 @@ public class Test {
* SAST/CBOM: - Parent: PBKDF2. - Iteration count is only 10, which is far
* below acceptable security standards. - Flagged as insecure.
*/
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $Source
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source
byte[] salt = generateSalt(16);
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/unknown-kdf-iteration-count]
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
@@ -55,9 +55,9 @@ public class Test {
*/
public void pbkdf2HighIteration(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 1_000_000;
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256);
int iterationCount = 1_000_000;
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256);
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
}
}

2
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected
View File

@@ -1,5 +1,5 @@
#select
| Test.java:47:22:47:49 | KeyDerivation | Key derivation operation with unknown iteration: $@ | Test.java:43:53:43:70 | iterationCount | iterationCount |
testFailures
| Test.java:45:94:45:153 | // $Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] |
| Test.java:45:94:45:154 | // $ Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] |
| Test.java:47:22:47:49 | Key derivation operation with unknown iteration: $@ | Unexpected result: Alert |

2
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/WeakKDFIterationCount.expected
View File

@@ -13,4 +13,4 @@ nodes
| Test.java:59:72:59:85 | iterationCount | semmle.label | iterationCount |
subpaths
testFailures
| Test.java:43:92:43:101 | // $Source | Missing result: Source |
| Test.java:43:92:43:102 | // $ Source | Missing result: Source |

6
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/Test.java
View File

@@ -20,8 +20,8 @@ public class Test {
public void pbkdf2WeakKeySize(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 100_000;
int keySize = 64; // $Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/examples/weak-kdf-key-size]
int keySize = 64; // $ Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $ Alert[java/quantum/examples/weak-kdf-key-size]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
@@ -39,4 +39,4 @@ public class Test {
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
}
}

30
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java
View File

@@ -10,51 +10,51 @@ public class Test {
byte[] data = "Sensitive Data".getBytes();
// BAD: DES (unsafe)
KeyGenerator desKeyGen = KeyGenerator.getInstance("DES"); // $Alert
KeyGenerator desKeyGen = KeyGenerator.getInstance("DES"); // $ Alert
SecretKey desKey = desKeyGen.generateKey();
Cipher desCipher = Cipher.getInstance("DES"); // $Alert
Cipher desCipher = Cipher.getInstance("DES"); // $ Alert
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
byte[] desEncrypted = desCipher.doFinal(data);
// BAD: DESede (Triple DES, considered weak)
KeyGenerator desedeKeyGen = KeyGenerator.getInstance("DESede"); // $Alert
KeyGenerator desedeKeyGen = KeyGenerator.getInstance("DESede"); // $ Alert
SecretKey desedeKey = desedeKeyGen.generateKey();
Cipher desedeCipher = Cipher.getInstance("DESede"); // $Alert
Cipher desedeCipher = Cipher.getInstance("DESede"); // $ Alert
desedeCipher.init(Cipher.ENCRYPT_MODE, desedeKey);
byte[] desedeEncrypted = desedeCipher.doFinal(data);
// BAD: Blowfish (considered weak)
KeyGenerator blowfishKeyGen = KeyGenerator.getInstance("Blowfish"); // $Alert
KeyGenerator blowfishKeyGen = KeyGenerator.getInstance("Blowfish"); // $ Alert
SecretKey blowfishKey = blowfishKeyGen.generateKey();
Cipher blowfishCipher = Cipher.getInstance("Blowfish"); // $Alert
Cipher blowfishCipher = Cipher.getInstance("Blowfish"); // $ Alert
blowfishCipher.init(Cipher.ENCRYPT_MODE, blowfishKey);
byte[] blowfishEncrypted = blowfishCipher.doFinal(data);
// BAD: RC2 (unsafe)
KeyGenerator rc2KeyGen = KeyGenerator.getInstance("RC2"); // $Alert
KeyGenerator rc2KeyGen = KeyGenerator.getInstance("RC2"); // $ Alert
SecretKey rc2Key = rc2KeyGen.generateKey();
Cipher rc2Cipher = Cipher.getInstance("RC2"); // $Alert
Cipher rc2Cipher = Cipher.getInstance("RC2"); // $ Alert
rc2Cipher.init(Cipher.ENCRYPT_MODE, rc2Key);
byte[] rc2Encrypted = rc2Cipher.doFinal(data);
// BAD: RC4 (stream cipher, unsafe)
KeyGenerator rc4KeyGen = KeyGenerator.getInstance("RC4"); // $Alert
KeyGenerator rc4KeyGen = KeyGenerator.getInstance("RC4"); // $ Alert
SecretKey rc4Key = rc4KeyGen.generateKey();
Cipher rc4Cipher = Cipher.getInstance("RC4"); // $Alert
Cipher rc4Cipher = Cipher.getInstance("RC4"); // $ Alert
rc4Cipher.init(Cipher.ENCRYPT_MODE, rc4Key);
byte[] rc4Encrypted = rc4Cipher.doFinal(data);
// BAD: IDEA (considered weak)
KeyGenerator ideaKeyGen = KeyGenerator.getInstance("IDEA"); // $Alert
KeyGenerator ideaKeyGen = KeyGenerator.getInstance("IDEA"); // $ Alert
SecretKey ideaKey = ideaKeyGen.generateKey();
Cipher ideaCipher = Cipher.getInstance("IDEA"); // $Alert
Cipher ideaCipher = Cipher.getInstance("IDEA"); // $ Alert
ideaCipher.init(Cipher.ENCRYPT_MODE, ideaKey);
byte[] ideaEncrypted = ideaCipher.doFinal(data);
// BAD: Skipjack (unsafe)
KeyGenerator skipjackKeyGen = KeyGenerator.getInstance("Skipjack"); // $Alert
KeyGenerator skipjackKeyGen = KeyGenerator.getInstance("Skipjack"); // $ Alert
SecretKey skipjackKey = skipjackKeyGen.generateKey();
Cipher skipjackCipher = Cipher.getInstance("Skipjack"); // $Alert
Cipher skipjackCipher = Cipher.getInstance("Skipjack"); // $ Alert
skipjackCipher.init(Cipher.ENCRYPT_MODE, skipjackKey);
byte[] skipjackEncrypted = skipjackCipher.doFinal(data);
@@ -78,4 +78,4 @@ public class Test {
// GOOD: not a symmetric cipher (Sanity check)
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
}
}
}

90
java/ql/test/ext/TestModels/Test.java
View File

@@ -33,50 +33,50 @@ public class Test {
// top 100 JDK APIs tests
{
Exception e1 = new RuntimeException((String)source());
sink((String)e1.getMessage()); // $hasValueFlow
sink((String)e1.getMessage()); // $ hasValueFlow
Exception e2 = new RuntimeException((Throwable)source());
sink((Throwable)e2.getCause()); // $hasValueFlow
sink((Throwable)e2.getCause()); // $ hasValueFlow
Exception e3 = new IllegalArgumentException((String)source());
sink((String)e3.getMessage()); // $hasValueFlow
sink((String)e3.getMessage()); // $ hasValueFlow
Exception e4 = new IllegalStateException((String)source());
sink((String)e4.getMessage()); // $hasValueFlow
sink((String)e4.getMessage()); // $ hasValueFlow
Exception e5 = new UnsupportedOperationException((String)source());
sink((String)e5.getMessage()); // $hasValueFlow
sink((String)e5.getMessage()); // $ hasValueFlow
Throwable t = new Throwable((Throwable)source());
sink((Throwable)t.getCause()); // $hasValueFlow
sink((Throwable)t.getCause()); // $ hasValueFlow
String s2 = (String)source();
int i = 0;
sink(s2.charAt(i)); // $hasTaintFlow
sink(s2.charAt(i)); // $ hasTaintFlow
ResultSet rs = (ResultSet)source();
sink(rs.getString("")); // $hasTaintFlow
sink(rs.getString("")); // $ hasTaintFlow
}
// top 200 JDK APIs tests
{
// java.io
Exception e1 = new IOException((String)source());
sink((String)e1.getMessage()); // $hasValueFlow
sink((String)e1.getMessage()); // $ hasValueFlow
File f = (File)source();
sink(f.getName()); // $hasTaintFlow
sink(f.getName()); // $ hasTaintFlow
// java.lang
Exception e2 = new Exception((String)source());
sink((String)e2.getMessage()); // $hasValueFlow
sink((String)e2.getMessage()); // $ hasValueFlow
Exception e3 = new IndexOutOfBoundsException((String)source());
sink((String)e3.getMessage()); // $hasValueFlow
sink((String)e3.getMessage()); // $ hasValueFlow
Exception e4 = new RuntimeException((String)source(), (Throwable)source());
sink((String)e4.getMessage()); // $hasValueFlow
sink((Throwable)e4.getCause()); // $hasValueFlow
sink((String)e4.getMessage()); // $ hasValueFlow
sink((Throwable)e4.getCause()); // $ hasValueFlow
// java.sql
Connection con = DriverManager.getConnection("");
@@ -86,14 +86,14 @@ public class Test {
// java.util.concurrent.atomic
AtomicReference ar = new AtomicReference(source());
sink(ar.get()); // $hasValueFlow
sink(ar.get()); // $ hasValueFlow
// java.util
StringJoiner sj1 = new StringJoiner(",");
sink(sj1.add((CharSequence)source())); // $hasTaintFlow
sink(sj1.add((CharSequence)source())); // $ hasTaintFlow
StringJoiner sj2 = (StringJoiner)source();
sink(sj2.add("test")); // $hasValueFlow
sink(sj2.add("test")); // $ hasValueFlow
}
// top 300-500 JDK APIs tests
@@ -101,62 +101,62 @@ public class Test {
// java.awt
Container container = new Container();
sink(container.add((Component)source())); // $hasValueFlow
sink(container.add((Component)source())); // $ hasValueFlow
// java.io
File f1 = (File)source();
sink(f1.getParentFile()); // $hasTaintFlow
sink(f1.getParentFile()); // $ hasTaintFlow
File f2 = (File)source();
sink(f2.getPath()); // $hasTaintFlow
sink(f2.getPath()); // $ hasTaintFlow
StringWriter sw = (StringWriter)source();
sink(sw.toString()); // $hasTaintFlow
sink(sw.toString()); // $ hasTaintFlow
Exception e = new UncheckedIOException((IOException)source());
sink((Throwable)e.getCause()); // $hasValueFlow
sink((Throwable)e.getCause()); // $ hasValueFlow
// java.net
URL url = (URL)source();
sink(url.toURI()); // $hasTaintFlow
sink(url.toURI()); // $ hasTaintFlow
// java.nio.file
Path p = (Path)source();
sink(p.getFileName()); // $hasTaintFlow
sink(p.getFileName()); // $ hasTaintFlow
// java.util.concurrent.atomic
AtomicReference ar = new AtomicReference();
ar.set(source());
sink(ar.get()); // $hasValueFlow
sink(ar.get()); // $ hasValueFlow
// java.util.concurrent
// `ThreadPoolExecutor` implements the `java.util.concurrent.ExecutorService` interface
ThreadPoolExecutor tpe = new ThreadPoolExecutor(0, 0, 0, null, null);
sink(tpe.submit((Runnable)source())); // $hasTaintFlow
sink(tpe.submit((Runnable)source())); // $ hasTaintFlow
CompletionStage cs = (CompletionStage)source();
sink(cs.toCompletableFuture()); // $hasTaintFlow
sink(cs.toCompletableFuture()); // $ hasTaintFlow
CompletableFuture cf1 = new CompletableFuture();
cf1.complete(source());
sink(cf1.get()); // $hasValueFlow
sink(cf1.join()); // $hasValueFlow
sink(cf1.get()); // $ hasValueFlow
sink(cf1.join()); // $ hasValueFlow
CompletableFuture cf2 = CompletableFuture.completedFuture(source());
sink(cf2.get()); // $hasValueFlow
sink(cf2.join()); // $hasValueFlow
sink(cf2.get()); // $ hasValueFlow
sink(cf2.join()); // $ hasValueFlow
// java.util.logging
Logger logger = Logger.getLogger((String)source());
sink(logger.getName()); // $hasValueFlow
sink(logger.getName()); // $ hasValueFlow
// java.util.regex
Pattern pattern = Pattern.compile((String)source());
sink(pattern); // $hasTaintFlow
sink(pattern); // $ hasTaintFlow
// java.util
EventObject eventObj = new EventObject(source());
sink(eventObj.getSource()); // $hasValueFlow
sink(eventObj.getSource()); // $ hasValueFlow
// "java.util;ResourceBundle;true;getString;(String);;Argument[-1].MapValue;ReturnValue;value;manual"
String out = null;
@@ -166,33 +166,33 @@ public class Test {
// java.lang
AssertionError assertErr = new AssertionError(source());
sink((String)assertErr.getMessage()); // $hasValueFlow
sink((String)assertErr.getMessage()); // $ hasValueFlow
sink(Test.class.cast(source())); // $hasValueFlow
sink(Test.class.cast(source())); // $ hasValueFlow
Exception excep1 = new Exception((String)source(), (Throwable)source());
sink((String)excep1.getMessage()); // $hasValueFlow
sink((Throwable)excep1.getCause()); // $hasValueFlow
sink((String)excep1.getMessage()); // $ hasValueFlow
sink((Throwable)excep1.getCause()); // $ hasValueFlow
Exception excep2 = new NullPointerException((String)source());
sink((String)excep2.getMessage()); // $hasValueFlow
sink((String)excep2.getMessage()); // $ hasValueFlow
StringBuilder sb = (StringBuilder)source();
sink(sb.delete(0, 1)); // $hasValueFlow
sink(sb.delete(0, 1)); // $ hasValueFlow
Thread thread1 = new Thread((Runnable)source());
sink(thread1); // $hasTaintFlow
sink(thread1); // $ hasTaintFlow
Thread thread2 = new Thread((String)source());
sink(thread2.getName()); // $hasValueFlow
sink(thread2.getName()); // $ hasValueFlow
ThreadLocal threadloc = new ThreadLocal();
threadloc.set(source());
sink(threadloc.get()); // $hasValueFlow
sink(threadloc.get()); // $ hasValueFlow
Throwable th = new Throwable((String)source());
sink((String)th.getLocalizedMessage()); // $hasValueFlow
sink(th.toString()); // $hasTaintFlow
sink((String)th.getLocalizedMessage()); // $ hasValueFlow
sink(th.toString()); // $ hasTaintFlow
}
}
}

30
java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java
View File

@@ -48,34 +48,34 @@ public class EntryPointTypesTest {
private static void sink(String sink) {}
public static void test(TestObject source) {
sink(source.field1); // $hasTaintFlow
sink(source.getField2()); // $hasTaintFlow
sink(source.getField3().field4); // $hasTaintFlow
sink(source.getField3().getField5()); // $hasTaintFlow
sink(source.field1); // $ hasTaintFlow
sink(source.getField2()); // $ hasTaintFlow
sink(source.getField3().field4); // $ hasTaintFlow
sink(source.getField3().getField5()); // $ hasTaintFlow
}
public static void testParameterized(
ParameterizedTestObject<TestObject, AnotherTestObject> source) {
sink(source.field6); // $hasTaintFlow
sink(source.field7.field1); // $hasTaintFlow
sink(source.field7.getField2()); // $hasTaintFlow
sink(source.getField8().field4); // $hasTaintFlow
sink(source.getField8().getField5()); // $hasTaintFlow
sink(source.field6); // $ hasTaintFlow
sink(source.field7.field1); // $ hasTaintFlow
sink(source.field7.getField2()); // $ hasTaintFlow
sink(source.getField8().field4); // $ hasTaintFlow
sink(source.getField8().getField5()); // $ hasTaintFlow
}
public static void testSubtype(ParameterizedTestObject<?, ?> source) {
ChildObject subtypeSource = (ChildObject) source;
sink(subtypeSource.field6); // $hasTaintFlow
sink(subtypeSource.field7.field1); // $hasTaintFlow
sink(subtypeSource.field7.getField2()); // $hasTaintFlow
sink((String) subtypeSource.getField8()); // $hasTaintFlow
sink((String) subtypeSource.field9); // $hasTaintFlow
sink(subtypeSource.field6); // $ hasTaintFlow
sink(subtypeSource.field7.field1); // $ hasTaintFlow
sink(subtypeSource.field7.getField2()); // $ hasTaintFlow
sink((String) subtypeSource.getField8()); // $ hasTaintFlow
sink((String) subtypeSource.field9); // $ hasTaintFlow
// Ensure that we are not tainting every subclass of Object
UnrelatedObject unrelated = (UnrelatedObject) subtypeSource.getField8();
sink(unrelated.safeField); // Safe
}
public static void testArray(ArrayElemObject[] source) {
sink(source[0].field); // $hasTaintFlow
sink(source[0].field); // $ hasTaintFlow
}
}

10
java/ql/test/library-tests/dataflow/fluent-methods/Test.java
View File

@@ -42,31 +42,31 @@ public class Test {
public static void test1() {
Test t = new Test();
t.fluentNoop().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void test2() {
Test t = new Test();
Test.identity(t).fluentNoop().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void test3() {
Test t = new Test();
t.indirectlyFluentNoop().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void testModel1() {
Test t = new Test();
t.indirectlyFluentNoop().modelledFluentMethod().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void testModel2() {
Test t = new Test();
Test.modelledIdentity(t).indirectlyFluentNoop().modelledFluentMethod().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
}

48
java/ql/test/library-tests/dataflow/taint-jackson/Test.java
View File

@@ -34,22 +34,22 @@ class Test {
ObjectMapper om = new ObjectMapper();
File file = new File("testFile");
om.writeValue(file, s);
sink(file); //$hasTaintFlow
sink(file); // $ hasTaintFlow
OutputStream out = new FileOutputStream(file);
om.writeValue(out, s);
sink(file); //$hasTaintFlow
sink(file); // $ hasTaintFlow
Writer writer = new StringWriter();
om.writeValue(writer, s);
sink(writer); //$hasTaintFlow
sink(writer); // $ hasTaintFlow
JsonGenerator generator = new JsonFactory().createGenerator(new StringWriter());
om.writeValue(generator, s);
sink(generator); //$hasTaintFlow
sink(generator); // $ hasTaintFlow
String t = om.writeValueAsString(s);
sink(t); //$hasTaintFlow
sink(t); // $ hasTaintFlow
byte[] bs = om.writeValueAsBytes(s);
String reconstructed = new String(bs, "utf-8");
sink(bs); //$hasTaintFlow
sink(reconstructed); //$hasTaintFlow
sink(bs); // $ hasTaintFlow
sink(reconstructed); // $ hasTaintFlow
}
public static void jacksonObjectWriter() throws Exception {
@@ -57,44 +57,44 @@ class Test {
ObjectWriter ow = new ObjectWriter();
File file = new File("testFile");
ow.writeValue(file, s);
sink(file); //$hasTaintFlow
sink(file); // $ hasTaintFlow
OutputStream out = new FileOutputStream(file);
ow.writeValue(out, s);
sink(out); //$hasTaintFlow
sink(out); // $ hasTaintFlow
Writer writer = new StringWriter();
ow.writeValue(writer, s);
sink(writer); //$hasTaintFlow
sink(writer); // $ hasTaintFlow
JsonGenerator generator = new JsonFactory().createGenerator(new StringWriter());
ow.writeValue(generator, s);
sink(generator); //$hasTaintFlow
sink(generator); // $ hasTaintFlow
String t = ow.writeValueAsString(s);
sink(t); //$hasTaintFlow
sink(t); // $ hasTaintFlow
byte[] bs = ow.writeValueAsBytes(s);
String reconstructed = new String(bs, "utf-8");
sink(bs); //$hasTaintFlow
sink(reconstructed); //$hasTaintFlow
sink(bs); // $ hasTaintFlow
sink(reconstructed); // $ hasTaintFlow
}
public static void jacksonObjectReader() throws java.io.IOException {
String s = taint();
ObjectMapper om = new ObjectMapper();
ObjectReader reader = om.readerFor(Potato.class);
sink(reader.readValue(s)); //$hasTaintFlow
sink(reader.readValue(s, Potato.class).name); //$hasTaintFlow
sink(reader.readValue(s, Potato.class).getName()); //$hasTaintFlow
sink(reader.readValue(s)); // $ hasTaintFlow
sink(reader.readValue(s, Potato.class).name); // $ hasTaintFlow
sink(reader.readValue(s, Potato.class).getName()); // $ hasTaintFlow
}
public static void jacksonObjectReaderIterable() throws java.io.IOException {
String s = taint();
ObjectMapper om = new ObjectMapper();
ObjectReader reader = om.readerFor(Potato.class);
sink(reader.readValues(s)); //$hasTaintFlow
sink(reader.readValues(s)); // $ hasTaintFlow
Iterator<Potato> pIterator = reader.readValues(s);
while(pIterator.hasNext()) {
Potato p = pIterator.next();
sink(p); //$hasTaintFlow
sink(p.name); //$hasTaintFlow
sink(p.getName()); //$hasTaintFlow
sink(p); // $ hasTaintFlow
sink(p.name); // $ hasTaintFlow
sink(p.getName()); // $ hasTaintFlow
}
}
@@ -104,9 +104,9 @@ class Test {
taintedParams.put("name", s);
ObjectMapper om = new ObjectMapper();
JsonNode jn = om.valueToTree(taintedParams);
sink(jn); //$hasTaintFlow
sink(jn); // $ hasTaintFlow
Potato p = om.convertValue(jn, Potato.class);
sink(p); //$hasTaintFlow
sink(p.getName()); //$hasTaintFlow
sink(p); // $ hasTaintFlow
sink(p.getName()); // $ hasTaintFlow
}
}

32
java/ql/test/library-tests/dataflow/taintsources/A.java
View File

@@ -18,40 +18,40 @@ public class A {
private static void sink(Object o) {}
public static void main(String[] args) {
sink(args); // $hasLocalValueFlow
sink(args[0]); // $hasLocalTaintFlow
sink(args); // $ hasLocalValueFlow
sink(args[0]); // $ hasLocalTaintFlow
}
public static void userInput() throws SQLException, IOException, MalformedURLException {
sink(System.getenv("test")); // $hasLocalValueFlow
sink(System.getenv("test")); // $ hasLocalValueFlow
class TestServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
sink(req.getParameter("test")); // $hasRemoteValueFlow
sink(req.getHeader("test")); // $hasRemoteValueFlow
sink(req.getQueryString()); // $hasRemoteValueFlow
sink(req.getCookies()[0].getValue()); // $hasRemoteValueFlow
sink(req.getParameter("test")); // $ hasRemoteValueFlow
sink(req.getHeader("test")); // $ hasRemoteValueFlow
sink(req.getQueryString()); // $ hasRemoteValueFlow
sink(req.getCookies()[0].getValue()); // $ hasRemoteValueFlow
}
}
sink(new Properties().getProperty("test")); // $hasLocalValueFlow
sink(System.getProperty("test")); // $hasLocalValueFlow
sink(new Properties().getProperty("test")); // $ hasLocalValueFlow
sink(System.getProperty("test")); // $ hasLocalValueFlow
new Object() {
public void test(ResultSet rs) throws SQLException {
sink(rs.getString(0)); // $hasLocalValueFlow
sink(rs.getString(0)); // $ hasLocalValueFlow
}
};
sink(new URL("test").openConnection().getInputStream()); // $hasRemoteValueFlow
sink(new Socket("test", 1234).getInputStream()); // $hasRemoteValueFlow
sink(InetAddress.getByName("test").getHostName()); // $hasReverseDnsValueFlow
sink(new URL("test").openConnection().getInputStream()); // $ hasRemoteValueFlow
sink(new Socket("test", 1234).getInputStream()); // $ hasRemoteValueFlow
sink(InetAddress.getByName("test").getHostName()); // $ hasReverseDnsValueFlow
sink(InetAddress.getLocalHost().getHostName());
sink(InetAddress.getLoopbackAddress().getHostName());
sink(InetAddress.getByName("test").getCanonicalHostName()); // $hasReverseDnsValueFlow
sink(InetAddress.getByName("test").getCanonicalHostName()); // $ hasReverseDnsValueFlow
sink(InetAddress.getLocalHost().getCanonicalHostName());
sink(InetAddress.getLoopbackAddress().getCanonicalHostName());
sink(System.in); // $hasLocalValueFlow
sink(new FileInputStream("test")); // $hasLocalValueFlow
sink(System.in); // $ hasLocalValueFlow
sink(new FileInputStream("test")); // $ hasLocalValueFlow
}
}

2
java/ql/test/library-tests/dataflow/taintsources/AndroidExposedObject.java
View File

@@ -6,6 +6,6 @@ public class AndroidExposedObject {
@JavascriptInterface
public void test(String arg) {
sink(arg); // $hasRemoteValueFlow
sink(arg); // $ hasRemoteValueFlow
}
}

12
java/ql/test/library-tests/dataflow/taintsources/Hudson.java
View File

@@ -6,11 +6,11 @@ public class Hudson {
public static void test() throws Exception {
FilePath fp = null;
sink(FilePath.newInputStreamDenyingSymlinkAsNeeded(null, null, null)); // $hasLocalValueFlow
sink(FilePath.openInputStream(null, null)); // $hasLocalValueFlow
sink(fp.read()); // $hasLocalValueFlow
sink(fp.read(null)); // $hasLocalValueFlow
sink(fp.readFromOffset(-1)); // $hasLocalValueFlow
sink(fp.readToString()); // $hasLocalValueFlow
sink(FilePath.newInputStreamDenyingSymlinkAsNeeded(null, null, null)); // $ hasLocalValueFlow
sink(FilePath.openInputStream(null, null)); // $ hasLocalValueFlow
sink(fp.read()); // $ hasLocalValueFlow
sink(fp.read(null)); // $ hasLocalValueFlow
sink(fp.readFromOffset(-1)); // $ hasLocalValueFlow
sink(fp.readToString()); // $ hasLocalValueFlow
}
}

8
java/ql/test/library-tests/dataflow/taintsources/IntentSourcesActivity.java
View File

@@ -9,21 +9,21 @@ public class IntentSourcesActivity extends Activity {
public void test() throws java.io.IOException {
String trouble = this.getIntent().getStringExtra("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
public void test2() throws java.io.IOException {
String trouble = getIntent().getStringExtra("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
public void test3() throws java.io.IOException {
String trouble = getIntent().getExtras().getString("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
}
@@ -34,7 +34,7 @@ class OtherClass {
public void test(IntentSourcesActivity is) throws java.io.IOException {
String trouble = is.getIntent().getStringExtra("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
}

2
java/ql/test/library-tests/dataflow/taintsources/RmiFlowImpl.java
View File

@@ -6,7 +6,7 @@ public class RmiFlowImpl implements RmiFlow {
public String listDirectory(String path) throws java.io.IOException {
String command = "ls " + path;
sink(command); // $hasRemoteTaintFlow
sink(command); // $ hasRemoteTaintFlow
return "pretend there are some results here";
}

24
java/ql/test/library-tests/dataflow/taintsources/SpringMultiPart.java
View File

@@ -7,21 +7,21 @@ public class SpringMultiPart {
private static void sink(Object o) {}
public void test() throws Exception {
sink(file.getBytes()); // $hasRemoteValueFlow
sink(file.getBytes()); // $ hasRemoteValueFlow
sink(file.isEmpty()); // Safe
sink(file.getInputStream()); // $hasRemoteValueFlow
sink(file.getResource()); // $hasRemoteValueFlow
sink(file.getName()); // $hasRemoteValueFlow
sink(file.getContentType()); // $hasRemoteValueFlow
sink(file.getOriginalFilename()); // $hasRemoteValueFlow
sink(file.getInputStream()); // $ hasRemoteValueFlow
sink(file.getResource()); // $ hasRemoteValueFlow
sink(file.getName()); // $ hasRemoteValueFlow
sink(file.getContentType()); // $ hasRemoteValueFlow
sink(file.getOriginalFilename()); // $ hasRemoteValueFlow
}
public void test(MultipartRequest request) {
sink(request.getFile("name"));// $hasRemoteValueFlow
sink(request.getFileMap());// $hasRemoteValueFlow
sink(request.getFileNames());// $hasRemoteValueFlow
sink(request.getFiles("name"));// $hasRemoteValueFlow
sink(request.getMultiFileMap());// $hasRemoteValueFlow
sink(request.getMultipartContentType("name")); // $hasRemoteValueFlow
sink(request.getFile("name"));// $ hasRemoteValueFlow
sink(request.getFileMap());// $ hasRemoteValueFlow
sink(request.getFileNames());// $ hasRemoteValueFlow
sink(request.getFiles("name"));// $ hasRemoteValueFlow
sink(request.getMultiFileMap());// $ hasRemoteValueFlow
sink(request.getMultipartContentType("name")); // $ hasRemoteValueFlow
}
}

24
java/ql/test/library-tests/dataflow/taintsources/SpringSavedRequest.java
View File

@@ -7,22 +7,22 @@ public class SpringSavedRequest {
private static void sink(Object o) {}
public void test() {
sink(sr.getRedirectUrl()); // $hasRemoteValueFlow
sink(sr.getCookies()); // $hasRemoteValueFlow
sink(sr.getHeaderValues("name")); // $hasRemoteValueFlow
sink(sr.getHeaderNames()); // $hasRemoteValueFlow
sink(sr.getParameterValues("name")); // $hasRemoteValueFlow
sink(sr.getParameterMap()); // $hasRemoteValueFlow
sink(sr.getRedirectUrl()); // $ hasRemoteValueFlow
sink(sr.getCookies()); // $ hasRemoteValueFlow
sink(sr.getHeaderValues("name")); // $ hasRemoteValueFlow
sink(sr.getHeaderNames()); // $ hasRemoteValueFlow
sink(sr.getParameterValues("name")); // $ hasRemoteValueFlow
sink(sr.getParameterMap()); // $ hasRemoteValueFlow
}
SimpleSavedRequest ssr;
public void test2() {
sink(ssr.getRedirectUrl()); // $hasRemoteValueFlow
sink(ssr.getCookies()); // $hasRemoteValueFlow
sink(ssr.getHeaderValues("name")); // $hasRemoteValueFlow
sink(ssr.getHeaderNames()); // $hasRemoteValueFlow
sink(ssr.getParameterValues("name")); // $hasRemoteValueFlow
sink(ssr.getParameterMap()); // $hasRemoteValueFlow
sink(ssr.getRedirectUrl()); // $ hasRemoteValueFlow
sink(ssr.getCookies()); // $ hasRemoteValueFlow
sink(ssr.getHeaderValues("name")); // $ hasRemoteValueFlow
sink(ssr.getHeaderNames()); // $ hasRemoteValueFlow
sink(ssr.getParameterValues("name")); // $ hasRemoteValueFlow
sink(ssr.getParameterMap()); // $ hasRemoteValueFlow
}
}

2
java/ql/test/library-tests/frameworks/android/intent/TestStartBroadcastReceiverToIntent.java
View File

@@ -79,7 +79,7 @@ public class TestStartBroadcastReceiverToIntent {
// test method that receives an Intent as a parameter
@Override
public void onReceive(Context context, Intent intent) {
sink(intent.getStringExtra("data")); // $ hasValueFlow=send hasValueFlow=send-as-user hasValueFlow=send-with-perm hasValueFlow=send-ordered hasValueFlow=send-ordered-as-user hasValueFlow=send-sticky hasValueFlow=send-sticky-as-user hasValueFlow=send-sticky-ordered hasValueFlow=send-sticky-ordered-as-user hasValueFlow=4-arg
sink(intent.getStringExtra("data")); // $ hasValueFlow=send hasValueFlow=send-as-user hasValueFlow=send-with-perm hasValueFlow=send-ordered hasValueFlow=send-ordered-as-user hasValueFlow=send-sticky hasValueFlow=send-sticky-as-user hasValueFlow=send-sticky-ordered hasValueFlow=send-sticky-ordered-as-user hasValueFlow=4-arg
}
}

10
java/ql/test/library-tests/frameworks/android/slice/TestSources.java
View File

@@ -18,14 +18,14 @@ public class TestSources extends SliceProvider {
// "androidx.slice;SliceProvider;true;onBindSlice;;;Parameter[0];contentprovider;manual",
@Override
public Slice onBindSlice(Uri sliceUri) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
return null;
}
// "androidx.slice;SliceProvider;true;onCreatePermissionRequest;;;Parameter[0];contentprovider;manual",
@Override
public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPackage) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
sink(callingPackage); // Safe
return null;
}
@@ -33,18 +33,18 @@ public class TestSources extends SliceProvider {
// "androidx.slice;SliceProvider;true;onMapIntentToUri;;;Parameter[0];contentprovider;manual",
@Override
public Uri onMapIntentToUri(Intent intent) {
sink(intent); // $hasValueFlow
sink(intent); // $ hasValueFlow
return null;
}
// "androidx.slice;SliceProvider;true;onSlicePinned;;;Parameter[0];contentprovider;manual",
public void onSlicePinned(Uri sliceUri) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
}
// "androidx.slice;SliceProvider;true;onSliceUnpinned;;;Parameter[0];contentprovider;manual"
public void onSliceUnpinned(Uri sliceUri) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
}
// Methods needed for compilation

134
java/ql/test/library-tests/frameworks/android/taint-database/FlowSteps.java
View File

@@ -29,96 +29,96 @@ public class FlowSteps {
}
public static String appendSelectionArgs() {
String[] originalValues = {taint()}; // $taintReachesReturn
String[] newValues = {taint()}; // $taintReachesReturn
String[] originalValues = {taint()}; // $ taintReachesReturn
String[] newValues = {taint()}; // $ taintReachesReturn
return DatabaseUtils.appendSelectionArgs(originalValues, newValues)[0];
}
public static String concatenateWhere() {
String a = taint(); // $taintReachesReturn
String b = taint(); // $taintReachesReturn
String a = taint(); // $ taintReachesReturn
String b = taint(); // $ taintReachesReturn
return DatabaseUtils.concatenateWhere(a, b);
}
public static String buildQueryString(MySQLiteQueryBuilder target) {
target = taint();
boolean distinct = taint();
String tables = taint(); // $taintReachesReturn
String[] columns = {taint()}; // $taintReachesReturn
String where = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String orderBy = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
boolean distinct = taint();
String tables = taint(); // $ taintReachesReturn
String[] columns = {taint()}; // $ taintReachesReturn
String where = taint(); // $ taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
String orderBy = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return SQLiteQueryBuilder.buildQueryString(distinct, tables, columns, where, groupBy, having, orderBy, limit);
}
public static String buildQuery(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String[] projectionIn = {taint()}; // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String[] projectionIn = {taint()}; // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
String sortOrder = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return target.buildQuery(projectionIn, selection, groupBy, having, sortOrder, limit);
}
public static String buildQuery2(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String[] projectionIn = {taint()}; // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String[] projectionIn = {taint()}; // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
String sortOrder = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return target.buildQuery(projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
}
public static String buildUnionQuery(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String[] subQueries = {taint()}; // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String[] subQueries = {taint()}; // $ taintReachesReturn
String sortOrder = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return target.buildUnionQuery(subQueries, sortOrder, limit);
}
public static String buildUnionSubQuery2(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String typeDiscriminatorColumn = taint(); // $taintReachesReturn
String[] unionColumns = {taint()}; // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String typeDiscriminatorColumn = taint(); // $ taintReachesReturn
String[] unionColumns = {taint()}; // $ taintReachesReturn
Set<String> columnsPresentInTable = new HashSet();
columnsPresentInTable.add(taint()); // $taintReachesReturn
columnsPresentInTable.add(taint()); // $ taintReachesReturn
int computedColumnsOffset = taint();
String typeDiscriminatorValue = taint(); // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String typeDiscriminatorValue = taint(); // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable,
computedColumnsOffset, typeDiscriminatorValue, selection, selectionArgs, groupBy, having);
}
public static String buildUnionSubQuery3(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String typeDiscriminatorColumn = taint(); // $taintReachesReturn
String[] unionColumns = {taint()}; // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String typeDiscriminatorColumn = taint(); // $ taintReachesReturn
String[] unionColumns = {taint()}; // $ taintReachesReturn
Set<String> columnsPresentInTable = new HashSet();
columnsPresentInTable.add(taint()); // $taintReachesReturn
columnsPresentInTable.add(taint()); // $ taintReachesReturn
int computedColumnsOffset = taint();
String typeDiscriminatorValue = taint(); // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String typeDiscriminatorValue = taint(); // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable, computedColumnsOffset,
typeDiscriminatorValue, selection, groupBy, having);
}
public static Cursor query(MyContentResolver target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -126,9 +126,9 @@ public class FlowSteps {
}
public static Cursor query(MyContentProvider target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -136,57 +136,57 @@ public class FlowSteps {
}
public static Cursor query2(MyContentResolver target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static Cursor query2(MyContentProvider target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static StringBuilder appendColumns() {
StringBuilder s = taint(); // $taintReachesReturn
String[] columns = {taint()}; // $taintReachesReturn
StringBuilder s = taint(); // $ taintReachesReturn
String[] columns = {taint()}; // $ taintReachesReturn
SQLiteQueryBuilder.appendColumns(s, columns);
return s;
}
public static SQLiteQueryBuilder setProjectionMap(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
Map<String, String> columnMap = new HashMap();
String k = taint(); // $taintReachesReturn
String v = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
Map<String, String> columnMap = new HashMap();
String k = taint(); // $ taintReachesReturn
String v = taint(); // $ taintReachesReturn
columnMap.put(k, v);
target.setProjectionMap(columnMap);
return target;
}
public static SQLiteQueryBuilder setTables(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String inTables = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String inTables = taint(); // $ taintReachesReturn
target.setTables(inTables);
return target;
}
public static SQLiteQueryBuilder appendWhere(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
CharSequence inWhere = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
CharSequence inWhere = taint(); // $ taintReachesReturn
target.appendWhere(inWhere);
return target;
}
public static SQLiteQueryBuilder appendWhereStandalone(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
CharSequence inWhere = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
CharSequence inWhere = taint(); // $ taintReachesReturn
target.appendWhereStandalone(inWhere);
return target;
}

192
java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
View File

@@ -25,58 +25,58 @@ public class Sinks {
}
public static void compileStatement(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
target.compileStatement(sql);
}
public static void delete1(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.delete(db, selection, selectionArgs);
}
public static void delete(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String whereClause = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String whereClause = taint(); // $ taintReachesSink
String[] whereArgs = {taint()};
target.delete(table, whereClause, whereArgs);
}
public static void delete(MyContentResolver target) {
Uri uri = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.delete(uri, selection, selectionArgs);
}
public static void delete(MyContentProvider target) {
Uri uri = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.delete(uri, selection, selectionArgs);
}
public static void execPerConnectionSQL(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
Object[] bindArgs = {taint()};
target.execPerConnectionSQL(sql, bindArgs);
}
public static void execSQL(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
target.execSQL(sql);
}
public static void execSQL2(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
Object[] bindArgs = {taint()};
target.execSQL(sql, bindArgs);
}
public static void insert(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
ContentValues values = taint();
target.insert(db, values);
@@ -84,90 +84,90 @@ public class Sinks {
public static void query(SQLiteDatabase target) {
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
}
public static void query2(SQLiteDatabase target) {
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
CancellationSignal cancellationSignal = taint();
target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit,
cancellationSignal);
}
public static void query3(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy);
}
public static void query4(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
}
public static void query(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] projectionIn = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String sortOrder = taint(); // $ taintReachesSink
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder);
}
public static void query2(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] projectionIn = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String sortOrder = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
}
public static void query3(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] projectionIn = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String sortOrder = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
CancellationSignal cancellationSignal = taint();
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit, cancellationSignal);
}
@@ -175,7 +175,7 @@ public class Sinks {
public static void query3(MyContentProvider target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder);
@@ -184,7 +184,7 @@ public class Sinks {
public static void query(MyContentProvider target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -194,7 +194,7 @@ public class Sinks {
public static void query3(MyContentResolver target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder);
@@ -203,7 +203,7 @@ public class Sinks {
public static void query(MyContentResolver target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -213,14 +213,14 @@ public class Sinks {
public static void queryWithFactory(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
orderBy, limit);
}
@@ -228,27 +228,27 @@ public class Sinks {
public static void queryWithFactory2(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
CancellationSignal cancellationSignal = taint();
target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
orderBy, limit, cancellationSignal);
}
public static void rawQuery(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.rawQuery(sql, selectionArgs);
}
public static void rawQuery2(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
CancellationSignal cancellationSignal = taint();
target.rawQuery(sql, selectionArgs, cancellationSignal);
@@ -256,7 +256,7 @@ public class Sinks {
public static void rawQueryWithFactory(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String editTable = taint();
target.rawQueryWithFactory(cursorFactory, sql, selectionArgs, editTable);
@@ -264,7 +264,7 @@ public class Sinks {
public static void rawQueryWithFactory2(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String editTable = taint();
CancellationSignal cancellationSignal = taint();
@@ -272,18 +272,18 @@ public class Sinks {
}
public static void update(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
ContentValues values = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.update(db, values, selection, selectionArgs);
}
public static void update(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
ContentValues values = taint();
String whereClause = taint(); // $taintReachesSink
String whereClause = taint(); // $ taintReachesSink
String[] whereArgs = {taint()};
target.update(table, values, whereClause, whereArgs);
}
@@ -291,7 +291,7 @@ public class Sinks {
public static void update(MyContentResolver target) {
Uri uri = taint();
ContentValues values = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.update(uri, values, selection, selectionArgs);
}
@@ -299,15 +299,15 @@ public class Sinks {
public static void update(MyContentProvider target) {
Uri uri = taint();
ContentValues values = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.update(uri, values, selection, selectionArgs);
}
public static void updateWithOnConflict(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
ContentValues values = taint();
String whereClause = taint(); // $taintReachesSink
String whereClause = taint(); // $ taintReachesSink
String[] whereArgs = {taint()};
int conflictAlgorithm = taint();
target.updateWithOnConflict(table, values, whereClause, whereArgs, conflictAlgorithm);
@@ -315,15 +315,15 @@ public class Sinks {
public static void queryNumEntries() {
SQLiteDatabase db = taint();
String table = taint(); // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
DatabaseUtils.queryNumEntries(db, table, selection);
}
public static void queryNumEntries2() {
SQLiteDatabase db = taint();
String table = taint(); // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.queryNumEntries(db, table, selection, selectionArgs);
}
@@ -332,27 +332,27 @@ public class Sinks {
Context context = taint();
String dbName = taint();
int dbVersion = taint();
String sqlStatements = taint(); // $taintReachesSink
String sqlStatements = taint(); // $ taintReachesSink
DatabaseUtils.createDbFromSqlStatements(context, dbName, dbVersion, sqlStatements);
}
public static void blobFileDescriptorForQuery() {
SQLiteDatabase db = taint();
String query = taint(); // $taintReachesSink
String query = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.blobFileDescriptorForQuery(db, query, selectionArgs);
}
public static void longForQuery() {
SQLiteDatabase db = taint();
String query = taint(); // $taintReachesSink
String query = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.longForQuery(db, query, selectionArgs);
}
public static void stringForQuery() {
SQLiteDatabase db = taint();
String query = taint(); // $taintReachesSink
String query = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.stringForQuery(db, query, selectionArgs);
}

62
java/ql/test/library-tests/frameworks/apache-commons-lang3/ArrayUtilsTest.java
View File

@@ -20,56 +20,56 @@ class ArrayUtilsTest {
String[] alreadyTainted = new String[] { taint() };
String[] clean = new String[] { "Untainted" };
sink(ArrayUtils.add(clean, 0, taint())); // $hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, 0, "clean")); // $hasTaintFlow
sink(ArrayUtils.add(clean, 0, taint())); // $ hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, 0, "clean")); // $ hasTaintFlow
sink(ArrayUtils.add(clean, IntSource.taint(), "clean")); // Index argument does not contribute taint
sink(ArrayUtils.add(clean, taint())); // $hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, "clean")); // $hasTaintFlow
sink(ArrayUtils.addAll(clean, "clean", taint())); // $hasTaintFlow
sink(ArrayUtils.addAll(clean, taint(), "clean")); // $hasTaintFlow
sink(ArrayUtils.addAll(alreadyTainted, "clean", "also clean")); // $hasTaintFlow
sink(ArrayUtils.addFirst(clean, taint())); // $hasTaintFlow
sink(ArrayUtils.addFirst(alreadyTainted, "clean")); // $hasTaintFlow
sink(ArrayUtils.clone(alreadyTainted)); // $hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0)); // $hasValueFlow
sink(ArrayUtils.add(clean, taint())); // $ hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, "clean")); // $ hasTaintFlow
sink(ArrayUtils.addAll(clean, "clean", taint())); // $ hasTaintFlow
sink(ArrayUtils.addAll(clean, taint(), "clean")); // $ hasTaintFlow
sink(ArrayUtils.addAll(alreadyTainted, "clean", "also clean")); // $ hasTaintFlow
sink(ArrayUtils.addFirst(clean, taint())); // $ hasTaintFlow
sink(ArrayUtils.addFirst(alreadyTainted, "clean")); // $ hasTaintFlow
sink(ArrayUtils.clone(alreadyTainted)); // $ hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0)); // $ hasValueFlow
sink(ArrayUtils.get(clean, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.get(alreadyTainted, 0, "default value")); // $hasValueFlow
sink(ArrayUtils.get(alreadyTainted, 0, "default value")); // $ hasValueFlow
sink(ArrayUtils.get(clean, IntSource.taint(), "default value")); // Index argument does not contribute taint
sink(ArrayUtils.get(clean, 0, taint())); // $hasValueFlow
sink(ArrayUtils.get(clean, 0, taint())); // $ hasValueFlow
sink(ArrayUtils.insert(IntSource.taint(), clean, "value1", "value2")); // Index argument does not contribute taint
sink(ArrayUtils.insert(0, alreadyTainted, "value1", "value2")); // $hasTaintFlow
sink(ArrayUtils.insert(0, clean, taint(), "value2")); // $hasTaintFlow
sink(ArrayUtils.insert(0, clean, "value1", taint())); // $hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted)); // $hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted, String[].class)); // $hasTaintFlow
sink(ArrayUtils.remove(alreadyTainted, 0)); // $hasTaintFlow
sink(ArrayUtils.insert(0, alreadyTainted, "value1", "value2")); // $ hasTaintFlow
sink(ArrayUtils.insert(0, clean, taint(), "value2")); // $ hasTaintFlow
sink(ArrayUtils.insert(0, clean, "value1", taint())); // $ hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted)); // $ hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted, String[].class)); // $ hasTaintFlow
sink(ArrayUtils.remove(alreadyTainted, 0)); // $ hasTaintFlow
sink(ArrayUtils.remove(clean, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.removeAll(alreadyTainted, 0, 1)); // $hasTaintFlow
sink(ArrayUtils.removeAll(alreadyTainted, 0, 1)); // $ hasTaintFlow
sink(ArrayUtils.removeAll(clean, IntSource.taint(), 1)); // Index argument does not contribute taint
sink(ArrayUtils.removeAll(clean, 0, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.removeAllOccurences(clean, taint())); // Removed argument does not contribute taint
sink(ArrayUtils.removeAllOccurences(alreadyTainted, "value to remove")); // $hasTaintFlow
sink(ArrayUtils.removeAllOccurences(alreadyTainted, "value to remove")); // $ hasTaintFlow
sink(ArrayUtils.removeAllOccurrences(clean, taint())); // Removed argument does not contribute taint
sink(ArrayUtils.removeAllOccurrences(alreadyTainted, "value to remove")); // $hasTaintFlow
sink(ArrayUtils.removeAllOccurrences(alreadyTainted, "value to remove")); // $ hasTaintFlow
sink(ArrayUtils.removeElement(clean, taint())); // Removed argument does not contribute taint
sink(ArrayUtils.removeElement(alreadyTainted, "value to remove")); // $hasTaintFlow
sink(ArrayUtils.removeElements(alreadyTainted, 0, 1)); // $hasTaintFlow
sink(ArrayUtils.removeElement(alreadyTainted, "value to remove")); // $ hasTaintFlow
sink(ArrayUtils.removeElements(alreadyTainted, 0, 1)); // $ hasTaintFlow
sink(ArrayUtils.removeElements(clean, IntSource.taint(), 1)); // Index argument does not contribute taint
sink(ArrayUtils.removeElements(clean, 0, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.subarray(alreadyTainted, 0, 0)); // $hasTaintFlow
sink(ArrayUtils.subarray(alreadyTainted, 0, 0)); // $ hasTaintFlow
sink(ArrayUtils.subarray(clean, IntSource.taint(), IntSource.taint())); // Index arguments do not contribute taint
sink(ArrayUtils.toArray("clean", taint())); // $hasTaintFlow
sink(ArrayUtils.toArray(taint(), "clean")); // $hasTaintFlow
sink(ArrayUtils.toMap(alreadyTainted).get("key")); // $hasTaintFlow
sink(ArrayUtils.toArray("clean", taint())); // $ hasTaintFlow
sink(ArrayUtils.toArray(taint(), "clean")); // $ hasTaintFlow
sink(ArrayUtils.toMap(alreadyTainted).get("key")); // $ hasTaintFlow
// Check that none of the above had an effect on `clean`:
sink(clean);
int[] taintedInts = new int[] { IntSource.taint() };
Integer[] taintedBoxedInts = ArrayUtils.toObject(taintedInts);
sink(taintedBoxedInts); // $hasTaintFlow
sink(ArrayUtils.toPrimitive(taintedBoxedInts)); // $hasTaintFlow
sink(ArrayUtils.toPrimitive(new Integer[] {}, IntSource.taint())); // $hasTaintFlow
sink(taintedBoxedInts); // $ hasTaintFlow
sink(ArrayUtils.toPrimitive(taintedBoxedInts)); // $ hasTaintFlow
sink(ArrayUtils.toPrimitive(new Integer[] {}, IntSource.taint())); // $ hasTaintFlow
}
}

14
java/ql/test/library-tests/frameworks/apache-commons-lang3/MutableTest.java
View File

@@ -17,14 +17,14 @@ class MutableTest {
Mutable<String> taintSetAlias = taintSet;
Mutable<String> taintClearedAlias = taintCleared;
sink(tainted.getValue()); // $hasValueFlow
sink(taintedAlias.getValue()); // $hasValueFlow
sink(taintSet.getValue()); // $hasValueFlow
sink(taintSetAlias.getValue()); // $hasValueFlow
sink(tainted.getValue()); // $ hasValueFlow
sink(taintedAlias.getValue()); // $ hasValueFlow
sink(taintSet.getValue()); // $ hasValueFlow
sink(taintSetAlias.getValue()); // $ hasValueFlow
// These two cases don't work currently because synthetic fields are always weakly updated,
// so no taint clearing takes place.
sink(taintCleared.getValue()); // $SPURIOUS: hasValueFlow
sink(taintClearedAlias.getValue()); // $SPURIOUS: hasValueFlow
sink(taintCleared.getValue()); // $ SPURIOUS: hasValueFlow
sink(taintClearedAlias.getValue()); // $ SPURIOUS: hasValueFlow
}
}
}

20
java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
View File

@@ -10,17 +10,17 @@ public class ObjectUtilsTest {
void sink(Object o) {}
void test() throws Exception {
sink(ObjectUtils.clone(taint())); // $hasValueFlow
sink(ObjectUtils.cloneIfPossible(taint())); // $hasValueFlow
sink(ObjectUtils.CONST(taint())); // $hasValueFlow
sink(ObjectUtils.CONST_SHORT(IntSource.taint())); // $hasValueFlow
sink(ObjectUtils.CONST_BYTE(IntSource.taint())); // $hasValueFlow
sink(ObjectUtils.defaultIfNull(taint(), null)); // $hasValueFlow
sink(ObjectUtils.defaultIfNull(null, taint())); // $hasValueFlow
sink(ObjectUtils.clone(taint())); // $ hasValueFlow
sink(ObjectUtils.cloneIfPossible(taint())); // $ hasValueFlow
sink(ObjectUtils.CONST(taint())); // $ hasValueFlow
sink(ObjectUtils.CONST_SHORT(IntSource.taint())); // $ hasValueFlow
sink(ObjectUtils.CONST_BYTE(IntSource.taint())); // $ hasValueFlow
sink(ObjectUtils.defaultIfNull(taint(), null)); // $ hasValueFlow
sink(ObjectUtils.defaultIfNull(null, taint())); // $ hasValueFlow
sink(ObjectUtils.firstNonNull(taint(), null, null)); // $ hasValueFlow
sink(ObjectUtils.firstNonNull(null, taint(), null)); // $ hasValueFlow
sink(ObjectUtils.firstNonNull(null, null, taint())); // $ hasValueFlow
sink(ObjectUtils.getIfNull(taint(), null)); // $hasValueFlow
sink(ObjectUtils.getIfNull(taint(), null)); // $ hasValueFlow
sink(ObjectUtils.max(taint(), null, null)); // $ hasValueFlow
sink(ObjectUtils.max(null, taint(), null)); // $ hasValueFlow
sink(ObjectUtils.max(null, null, taint())); // $ hasValueFlow
@@ -33,9 +33,9 @@ public class ObjectUtilsTest {
sink(ObjectUtils.mode(taint(), null, null)); // $ hasValueFlow
sink(ObjectUtils.mode(null, taint(), null)); // $ hasValueFlow
sink(ObjectUtils.mode(null, null, taint())); // $ hasValueFlow
sink(ObjectUtils.requireNonEmpty(taint(), "message")); // $hasValueFlow
sink(ObjectUtils.requireNonEmpty(taint(), "message")); // $ hasValueFlow
sink(ObjectUtils.requireNonEmpty("not null", taint())); // GOOD (message doesn't propagate to the return)
sink(ObjectUtils.toString(taint(), "default string")); // GOOD (first argument is stringified)
sink(ObjectUtils.toString(null, taint())); // $hasValueFlow
sink(ObjectUtils.toString(null, taint())); // $ hasValueFlow
}
}

104
java/ql/test/library-tests/frameworks/apache-commons-lang3/PairTest.java
View File

@@ -25,60 +25,60 @@ class PairTest {
ImmutablePair<String, String> taintedRight4 = new ImmutablePair("clean-left", taint());
// Check flow through ImmutablePairs:
sink(taintedLeft.getLeft()); // $hasValueFlow
sink(taintedLeft.getLeft()); // $ hasValueFlow
sink(taintedLeft.getRight());
sink(taintedLeft.getKey()); // $hasValueFlow
sink(taintedLeft.getKey()); // $ hasValueFlow
sink(taintedLeft.getValue());
sink(taintedLeft.left); // $hasValueFlow
sink(taintedLeft.left); // $ hasValueFlow
sink(taintedLeft.right);
sink(taintedRight.getLeft());
sink(taintedRight.getRight()); // $hasValueFlow
sink(taintedRight.getRight()); // $ hasValueFlow
sink(taintedRight.getKey());
sink(taintedRight.getValue()); // $hasValueFlow
sink(taintedRight.getValue()); // $ hasValueFlow
sink(taintedRight.left);
sink(taintedRight.right); // $hasValueFlow
sink(taintedLeft2.getLeft()); // $hasValueFlow
sink(taintedRight.right); // $ hasValueFlow
sink(taintedLeft2.getLeft()); // $ hasValueFlow
sink(taintedLeft2.getRight());
sink(taintedLeft2.getKey()); // $hasValueFlow
sink(taintedLeft2.getKey()); // $ hasValueFlow
sink(taintedLeft2.getValue());
sink(taintedLeft2.left); // $hasValueFlow
sink(taintedLeft2.left); // $ hasValueFlow
sink(taintedLeft2.right);
sink(taintedRight2.getLeft());
sink(taintedRight2.getRight()); // $hasValueFlow
sink(taintedRight2.getRight()); // $ hasValueFlow
sink(taintedRight2.getKey());
sink(taintedRight2.getValue()); // $hasValueFlow
sink(taintedRight2.getValue()); // $ hasValueFlow
sink(taintedRight2.left);
sink(taintedRight2.right); // $hasValueFlow
sink(taintedLeft3.getLeft()); // $hasValueFlow
sink(taintedRight2.right); // $ hasValueFlow
sink(taintedLeft3.getLeft()); // $ hasValueFlow
sink(taintedLeft3.getRight());
sink(taintedLeft3.getKey()); // $hasValueFlow
sink(taintedLeft3.getKey()); // $ hasValueFlow
sink(taintedLeft3.getValue());
sink(taintedRight3.getLeft());
sink(taintedRight3.getRight()); // $hasValueFlow
sink(taintedRight3.getRight()); // $ hasValueFlow
sink(taintedRight3.getKey());
sink(taintedRight3.getValue()); // $hasValueFlow
sink(taintedLeft4.getLeft()); // $hasValueFlow
sink(taintedRight3.getValue()); // $ hasValueFlow
sink(taintedLeft4.getLeft()); // $ hasValueFlow
sink(taintedLeft4.getRight());
sink(taintedLeft4.getKey()); // $hasValueFlow
sink(taintedLeft4.getKey()); // $ hasValueFlow
sink(taintedLeft4.getValue());
sink(taintedLeft4.left); // $hasValueFlow
sink(taintedLeft4.left); // $ hasValueFlow
sink(taintedLeft4.right);
sink(taintedRight4.getLeft());
sink(taintedRight4.getRight()); // $hasValueFlow
sink(taintedRight4.getRight()); // $ hasValueFlow
sink(taintedRight4.getKey());
sink(taintedRight4.getValue()); // $hasValueFlow
sink(taintedRight4.getValue()); // $ hasValueFlow
sink(taintedRight4.left);
sink(taintedRight4.right); // $hasValueFlow
sink(taintedRight4.right); // $ hasValueFlow
// Check flow also works via an alias of type Pair:
sink(taintedLeft2_.getLeft()); // $hasValueFlow
sink(taintedLeft2_.getLeft()); // $ hasValueFlow
sink(taintedLeft2_.getRight());
sink(taintedLeft2_.getKey()); // $hasValueFlow
sink(taintedLeft2_.getKey()); // $ hasValueFlow
sink(taintedLeft2_.getValue());
sink(taintedRight2_.getLeft());
sink(taintedRight2_.getRight()); // $hasValueFlow
sink(taintedRight2_.getRight()); // $ hasValueFlow
sink(taintedRight2_.getKey());
sink(taintedRight2_.getValue()); // $hasValueFlow
sink(taintedRight2_.getValue()); // $ hasValueFlow
// Check flow through MutablePairs:
MutablePair<String, String> taintedLeftMutable = MutablePair.of(taint(), "clean-right");
@@ -92,59 +92,59 @@ class PairTest {
MutablePair<String, String> taintedLeftMutableConstructed = new MutablePair(taint(), "clean-right");
MutablePair<String, String> taintedRightMutableConstructed = new MutablePair("clean-left", taint());
sink(taintedLeftMutable.getLeft()); // $hasValueFlow
sink(taintedLeftMutable.getLeft()); // $ hasValueFlow
sink(taintedLeftMutable.getRight());
sink(taintedLeftMutable.getKey()); // $hasValueFlow
sink(taintedLeftMutable.getKey()); // $ hasValueFlow
sink(taintedLeftMutable.getValue());
sink(taintedLeftMutable.left); // $hasValueFlow
sink(taintedLeftMutable.left); // $ hasValueFlow
sink(taintedLeftMutable.right);
sink(taintedRightMutable.getLeft());
sink(taintedRightMutable.getRight()); // $hasValueFlow
sink(taintedRightMutable.getRight()); // $ hasValueFlow
sink(taintedRightMutable.getKey());
sink(taintedRightMutable.getValue()); // $hasValueFlow
sink(taintedRightMutable.getValue()); // $ hasValueFlow
sink(taintedRightMutable.left);
sink(taintedRightMutable.right); // $hasValueFlow
sink(setTaintLeft.getLeft()); // $hasValueFlow
sink(taintedRightMutable.right); // $ hasValueFlow
sink(setTaintLeft.getLeft()); // $ hasValueFlow
sink(setTaintLeft.getRight());
sink(setTaintLeft.getKey()); // $hasValueFlow
sink(setTaintLeft.getKey()); // $ hasValueFlow
sink(setTaintLeft.getValue());
sink(setTaintLeft.left); // $hasValueFlow
sink(setTaintLeft.left); // $ hasValueFlow
sink(setTaintLeft.right);
sink(setTaintRight.getLeft());
sink(setTaintRight.getRight()); // $hasValueFlow
sink(setTaintRight.getRight()); // $ hasValueFlow
sink(setTaintRight.getKey());
sink(setTaintRight.getValue()); // $hasValueFlow
sink(setTaintRight.getValue()); // $ hasValueFlow
sink(setTaintRight.left);
sink(setTaintRight.right); // $hasValueFlow
sink(setTaintRight.right); // $ hasValueFlow
sink(setTaintValue.getLeft());
sink(setTaintValue.getRight()); // $hasValueFlow
sink(setTaintValue.getRight()); // $ hasValueFlow
sink(setTaintValue.getKey());
sink(setTaintValue.getValue()); // $hasValueFlow
sink(setTaintValue.getValue()); // $ hasValueFlow
sink(setTaintValue.left);
sink(setTaintValue.right); // $hasValueFlow
sink(taintedLeftMutableConstructed.getLeft()); // $hasValueFlow
sink(setTaintValue.right); // $ hasValueFlow
sink(taintedLeftMutableConstructed.getLeft()); // $ hasValueFlow
sink(taintedLeftMutableConstructed.getRight());
sink(taintedLeftMutableConstructed.getKey()); // $hasValueFlow
sink(taintedLeftMutableConstructed.getKey()); // $ hasValueFlow
sink(taintedLeftMutableConstructed.getValue());
sink(taintedLeftMutableConstructed.left); // $hasValueFlow
sink(taintedLeftMutableConstructed.left); // $ hasValueFlow
sink(taintedLeftMutableConstructed.right);
sink(taintedRightMutableConstructed.getLeft());
sink(taintedRightMutableConstructed.getRight()); // $hasValueFlow
sink(taintedRightMutableConstructed.getRight()); // $ hasValueFlow
sink(taintedRightMutableConstructed.getKey());
sink(taintedRightMutableConstructed.getValue()); // $hasValueFlow
sink(taintedRightMutableConstructed.getValue()); // $ hasValueFlow
sink(taintedRightMutableConstructed.left);
sink(taintedRightMutableConstructed.right); // $hasValueFlow
sink(taintedRightMutableConstructed.right); // $ hasValueFlow
// Check flow also works via an alias of type Pair:
Pair<String, String> taintedLeftMutableAlias = taintedLeftMutable;
Pair<String, String> taintedRightMutableAlias = taintedRightMutable;
sink(taintedLeftMutableAlias.getLeft()); // $hasValueFlow
sink(taintedLeftMutableAlias.getLeft()); // $ hasValueFlow
sink(taintedLeftMutableAlias.getRight());
sink(taintedLeftMutableAlias.getKey()); // $hasValueFlow
sink(taintedLeftMutableAlias.getKey()); // $ hasValueFlow
sink(taintedLeftMutableAlias.getValue());
sink(taintedRightMutableAlias.getLeft());
sink(taintedRightMutableAlias.getRight()); // $hasValueFlow
sink(taintedRightMutableAlias.getRight()); // $ hasValueFlow
sink(taintedRightMutableAlias.getKey());
sink(taintedRightMutableAlias.getValue()); // $hasValueFlow
sink(taintedRightMutableAlias.getValue()); // $ hasValueFlow
}
}
}

32
java/ql/test/library-tests/frameworks/apache-commons-lang3/RegExUtilsTest.java
View File

@@ -10,21 +10,21 @@ public class RegExUtilsTest {
Pattern cleanPattern = Pattern.compile("clean");
Pattern taintedPattern = Pattern.compile(taint());
sink(RegExUtils.removeAll(taint(), cleanPattern)); // $hasTaintFlow
sink(RegExUtils.removeAll(taint(), "clean")); // $hasTaintFlow
sink(RegExUtils.removeFirst(taint(), cleanPattern)); // $hasTaintFlow
sink(RegExUtils.removeFirst(taint(), "clean")); // $hasTaintFlow
sink(RegExUtils.removePattern(taint(), "clean")); // $hasTaintFlow
sink(RegExUtils.replaceAll(taint(), cleanPattern, "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceAll(taint(), "clean", "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), cleanPattern, "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), "clean", "replacement")); // $hasTaintFlow
sink(RegExUtils.replacePattern(taint(), "clean", "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceAll("original", cleanPattern, taint())); // $hasTaintFlow
sink(RegExUtils.replaceAll("original", "clean", taint())); // $hasTaintFlow
sink(RegExUtils.replaceFirst("original", cleanPattern, taint())); // $hasTaintFlow
sink(RegExUtils.replaceFirst("original", "clean", taint())); // $hasTaintFlow
sink(RegExUtils.replacePattern("original", "clean", taint())); // $hasTaintFlow
sink(RegExUtils.removeAll(taint(), cleanPattern)); // $ hasTaintFlow
sink(RegExUtils.removeAll(taint(), "clean")); // $ hasTaintFlow
sink(RegExUtils.removeFirst(taint(), cleanPattern)); // $ hasTaintFlow
sink(RegExUtils.removeFirst(taint(), "clean")); // $ hasTaintFlow
sink(RegExUtils.removePattern(taint(), "clean")); // $ hasTaintFlow
sink(RegExUtils.replaceAll(taint(), cleanPattern, "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceAll(taint(), "clean", "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), cleanPattern, "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), "clean", "replacement")); // $ hasTaintFlow
sink(RegExUtils.replacePattern(taint(), "clean", "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceAll("original", cleanPattern, taint())); // $ hasTaintFlow
sink(RegExUtils.replaceAll("original", "clean", taint())); // $ hasTaintFlow
sink(RegExUtils.replaceFirst("original", cleanPattern, taint())); // $ hasTaintFlow
sink(RegExUtils.replaceFirst("original", "clean", taint())); // $ hasTaintFlow
sink(RegExUtils.replacePattern("original", "clean", taint())); // $ hasTaintFlow
// Subsequent calls don't propagate taint, as regex search patterns don't propagate to the return value.
sink(RegExUtils.removeAll("original", taintedPattern));
sink(RegExUtils.removeAll("original", taint()));
@@ -42,4 +42,4 @@ public class RegExUtilsTest {
sink(RegExUtils.replaceFirst("original", taint(), "replacement"));
sink(RegExUtils.replacePattern("original", taint(), "replacement"));
}
}
}

152
java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
View File

@@ -14,134 +14,134 @@ class StrBuilderTest {
void test() throws Exception {
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $hasTaintFlow
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $ hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $ hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $ hasTaintFlow
StrBuilder sb3 = new StrBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // $ hasTaintFlow
StrBuilder sb4 = new StrBuilder(); sb4.append(CharBuffer.wrap(taint().toCharArray()), 0, 0); sink(sb4.toString()); // $ hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $ hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $ hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.append(taint());
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $hasTaintFlow
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $ hasTaintFlow
}
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $hasTaintFlow
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $ hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $ hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $ hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $ hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $ hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $ hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $ hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $ hasTaintFlow
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $hasTaintFlow
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $ hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $ hasTaintFlow
}
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $hasTaintFlow
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $ hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $ hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $ hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $ hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $ hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $ hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $hasTaintFlow
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $ hasTaintFlow
}
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $hasTaintFlow
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $ hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $ hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $ hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $ hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $ hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $ hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $ hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $ hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $ hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $ hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $ hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $hasTaintFlow
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $ hasTaintFlow
}
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $hasTaintFlow
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $ hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $hasTaintFlow
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $ hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $ hasTaintFlow
String[] taintedArray = new String[] { taint() };
String[] untaintedArray = new String[] {};
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $hasTaintFlow
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $ hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $ hasTaintFlow
}
{
StrBuilder sb46 = new StrBuilder(); sb46.append(taint());
char[] target = new char[100];
sb46.asReader().read(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $hasTaintFlow
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $ hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $ hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $ hasTaintFlow
{
StrBuilder sb50 = new StrBuilder(); sb50.append(taint());
char[] target = new char[100];
sb50.getChars(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
{
StrBuilder sb51 = new StrBuilder(); sb51.append(taint());
char[] target = new char[100];
sb51.getChars(0, 0, target, 0);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $hasTaintFlow
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $ hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $ hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $ hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $ hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $ hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $ hasTaintFlow
{
StringReader reader = new StringReader(taint());
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $hasTaintFlow
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $ hasTaintFlow
}
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $hasTaintFlow
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $ hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $ hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $ hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $ hasTaintFlow
StrBuilder sb63 = new StrBuilder(); sb63.replaceAll(taint(), "replace"); sink(sb63.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $hasTaintFlow
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $ hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $ hasTaintFlow
StrBuilder sb66 = new StrBuilder(); sb66.replaceFirst(taint(), "replace"); sink(sb66.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $ hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $ hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $ hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $ hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $ hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $ hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $ hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $ hasTaintFlow
// Tests for fluent methods (those returning `this`):
StrBuilder fluentTest = new StrBuilder();
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
StrBuilder fluentBackflowTest = new StrBuilder();
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
StrBuilder fluentBackflowTest2 = new StrBuilder();
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
// Test all fluent methods are passing taint through to their result:
StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
@@ -171,7 +171,7 @@ class StrBuilderTest {
.setLength(500)
.setNewLineText("newline")
.setNullText("NULL")
.trim()); // $hasTaintFlow
.trim()); // $ hasTaintFlow
// Test all fluent methods are passing taint back to their qualifier:
StrBuilder fluentAllMethodsTest2 = new StrBuilder();
@@ -203,7 +203,7 @@ class StrBuilderTest {
.setNullText("NULL")
.trim()
.append(taint());
sink(fluentAllMethodsTest2); // $hasTaintFlow
sink(fluentAllMethodsTest2); // $ hasTaintFlow
}
}

152
java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java
View File

@@ -14,134 +14,134 @@ class StrBuilderTextTest {
void test() throws Exception {
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $hasTaintFlow
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $ hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $ hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $ hasTaintFlow
StrBuilder sb3 = new StrBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // $ hasTaintFlow
StrBuilder sb4 = new StrBuilder(); sb4.append(CharBuffer.wrap(taint().toCharArray()), 0, 0); sink(sb4.toString()); // $ hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $ hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $ hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.append(taint());
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $hasTaintFlow
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $ hasTaintFlow
}
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $hasTaintFlow
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $ hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $ hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $ hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $ hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $ hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $ hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $ hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $ hasTaintFlow
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $hasTaintFlow
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $ hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $ hasTaintFlow
}
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $hasTaintFlow
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $ hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $ hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $ hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $ hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $ hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $ hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $hasTaintFlow
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $ hasTaintFlow
}
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $hasTaintFlow
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $ hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $ hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $ hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $ hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $ hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $ hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $ hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $ hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $ hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $ hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $ hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $hasTaintFlow
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $ hasTaintFlow
}
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $hasTaintFlow
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $ hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $hasTaintFlow
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $ hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $ hasTaintFlow
String[] taintedArray = new String[] { taint() };
String[] untaintedArray = new String[] {};
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $hasTaintFlow
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $ hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $ hasTaintFlow
}
{
StrBuilder sb46 = new StrBuilder(); sb46.append(taint());
char[] target = new char[100];
sb46.asReader().read(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $hasTaintFlow
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $ hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $ hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $ hasTaintFlow
{
StrBuilder sb50 = new StrBuilder(); sb50.append(taint());
char[] target = new char[100];
sb50.getChars(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
{
StrBuilder sb51 = new StrBuilder(); sb51.append(taint());
char[] target = new char[100];
sb51.getChars(0, 0, target, 0);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $hasTaintFlow
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $ hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $ hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $ hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $ hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $ hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $ hasTaintFlow
{
StringReader reader = new StringReader(taint());
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $hasTaintFlow
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $ hasTaintFlow
}
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $hasTaintFlow
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $ hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $ hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $ hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $ hasTaintFlow
StrBuilder sb63 = new StrBuilder(); sb63.replaceAll(taint(), "replace"); sink(sb63.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $hasTaintFlow
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $ hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $ hasTaintFlow
StrBuilder sb66 = new StrBuilder(); sb66.replaceFirst(taint(), "replace"); sink(sb66.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $ hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $ hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $ hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $ hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $ hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $ hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $ hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $ hasTaintFlow
// Tests for fluent methods (those returning `this`):
StrBuilder fluentTest = new StrBuilder();
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
StrBuilder fluentBackflowTest = new StrBuilder();
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
StrBuilder fluentBackflowTest2 = new StrBuilder();
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
// Test all fluent methods are passing taint through to their result:
StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
@@ -171,7 +171,7 @@ class StrBuilderTextTest {
.setLength(500)
.setNewLineText("newline")
.setNullText("NULL")
.trim()); // $hasTaintFlow
.trim()); // $ hasTaintFlow
// Test all fluent methods are passing taint back to their qualifier:
StrBuilder fluentAllMethodsTest2 = new StrBuilder();
@@ -203,7 +203,7 @@ class StrBuilderTextTest {
.setNullText("NULL")
.trim()
.append(taint());
sink(fluentAllMethodsTest2); // $hasTaintFlow
sink(fluentAllMethodsTest2); // $ hasTaintFlow
}
}

2
java/ql/test/library-tests/frameworks/apache-commons-lang3/StrLookupTest.java
View File

@@ -11,7 +11,7 @@ class StrLookupTest {
Map<String, String> map = new HashMap<String, String>();
map.put("key", taint());
StrLookup<String> lookup = StrLookup.mapLookup(map);
sink(lookup.lookup("key")); // $hasTaintFlow
sink(lookup.lookup("key")); // $ hasTaintFlow
}
}

96
java/ql/test/library-tests/frameworks/apache-commons-lang3/StrSubstitutorTest.java
View File

@@ -17,66 +17,66 @@ class StrSubstitutorTest {
StrLookup<String> taintedLookup = StrLookup.mapLookup(taintedMap);
// Test constructors:
StrSubstitutor ss1 = new StrSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $hasTaintFlow
StrSubstitutor ss2 = new StrSubstitutor(taintedMap); sink(ss2.replace("input")); // $hasTaintFlow
StrSubstitutor ss3 = new StrSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $hasTaintFlow
StrSubstitutor ss4 = new StrSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $hasTaintFlow
StrSubstitutor ss5 = new StrSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $hasTaintFlow
StrSubstitutor ss6 = new StrSubstitutor(taintedLookup); sink(ss6.replace("input")); // $hasTaintFlow
StrSubstitutor ss7 = new StrSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $hasTaintFlow
StrSubstitutor ss8 = new StrSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $hasTaintFlow
StrSubstitutor ss9 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' '); sink(ss9.replace("input")); // $hasTaintFlow
StrSubstitutor ss10 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $hasTaintFlow
StrSubstitutor ss1 = new StrSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $ hasTaintFlow
StrSubstitutor ss2 = new StrSubstitutor(taintedMap); sink(ss2.replace("input")); // $ hasTaintFlow
StrSubstitutor ss3 = new StrSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $ hasTaintFlow
StrSubstitutor ss4 = new StrSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $ hasTaintFlow
StrSubstitutor ss5 = new StrSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $ hasTaintFlow
StrSubstitutor ss6 = new StrSubstitutor(taintedLookup); sink(ss6.replace("input")); // $ hasTaintFlow
StrSubstitutor ss7 = new StrSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $ hasTaintFlow
StrSubstitutor ss8 = new StrSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $ hasTaintFlow
StrSubstitutor ss9 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' '); sink(ss9.replace("input")); // $ hasTaintFlow
StrSubstitutor ss10 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $ hasTaintFlow
// Test replace overloads (tainted substitution map):
StrSubstitutor taintedSubst = ss2;
sink(taintedSubst.replace((Object)"input")); // $hasTaintFlow
sink(taintedSubst.replace("input")); // $hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((Object)"input")); // $ hasTaintFlow
sink(taintedSubst.replace("input")); // $ hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $ hasTaintFlow
// Test replace overloads (tainted input):
StrSubstitutor untaintedSubst = ss1;
sink(untaintedSubst.replace((Object)taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((Object)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $ hasTaintFlow
// Test static replace methods:
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>())); // $hasTaintFlow
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap)); // $hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap, "{", "}")); // $hasTaintFlow
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>())); // $ hasTaintFlow
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $ hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap)); // $ hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap, "{", "}")); // $ hasTaintFlow
Properties taintedProps = new Properties();
taintedProps.put("key", taint());
sink(StrSubstitutor.replace(taint(), new Properties())); // $hasTaintFlow
sink(StrSubstitutor.replace("input", taintedProps)); // $hasTaintFlow
sink(StrSubstitutor.replace(taint(), new Properties())); // $ hasTaintFlow
sink(StrSubstitutor.replace("input", taintedProps)); // $ hasTaintFlow
// Test replaceIn methods:
StrBuilder strBuilder1 = new StrBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $hasTaintFlow
StrBuilder strBuilder2 = new StrBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $hasTaintFlow
StrBuilder strBuilder1 = new StrBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $ hasTaintFlow
StrBuilder strBuilder2 = new StrBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $ hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $ hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $ hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $ hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $ hasTaintFlow
}
}

52
java/ql/test/library-tests/frameworks/apache-commons-lang3/StrTokenizerTest.java
View File

@@ -9,38 +9,38 @@ public class StrTokenizerTest {
void test() throws Exception {
// Test constructors:
sink((new StrTokenizer(taint().toCharArray())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
// Test constructing static methods:
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $ hasTaintFlow
// Test accessors:
sink((new StrTokenizer(taint())).clone()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).clone()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $ hasTaintFlow
// Test mutators:
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $ hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $ hasTaintFlow
}
}

52
java/ql/test/library-tests/frameworks/apache-commons-lang3/StrTokenizerTextTest.java
View File

@@ -9,38 +9,38 @@ public class StrTokenizerTextTest {
void test() throws Exception {
// Test constructors:
sink((new StrTokenizer(taint().toCharArray())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
// Test constructing static methods:
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $ hasTaintFlow
// Test accessors:
sink((new StrTokenizer(taint())).clone()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).clone()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $ hasTaintFlow
// Test mutators:
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $ hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $ hasTaintFlow
}
}

2
java/ql/test/library-tests/frameworks/apache-commons-lang3/StringEscapeUtilsTest.java
View File

@@ -6,6 +6,6 @@ public class StringEscapeUtilsTest {
void sink(Object o) {}
void test() throws Exception {
sink(StringEscapeUtils.escapeJson(taint())); // $hasTaintFlow
sink(StringEscapeUtils.escapeJson(taint())); // $ hasTaintFlow
}
}

2
java/ql/test/library-tests/frameworks/apache-commons-lang3/StringLookupTextTest.java
View File

@@ -12,7 +12,7 @@ class StringLookupTextTest {
Map<String, String> map = new HashMap<String, String>();
map.put("key", taint());
StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(map);
sink(lookup.lookup("key")); // $hasTaintFlow
sink(lookup.lookup("key")); // $ hasTaintFlow
}
}

96
java/ql/test/library-tests/frameworks/apache-commons-lang3/StringSubstitutorTextTest.java
View File

@@ -18,66 +18,66 @@ class StringSubstitutorTextTest {
StringLookup taintedLookup = StringLookupFactory.INSTANCE.mapStringLookup(taintedMap);
// Test constructors:
StringSubstitutor ss1 = new StringSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $hasTaintFlow
StringSubstitutor ss2 = new StringSubstitutor(taintedMap); sink(ss2.replace("input")); // $hasTaintFlow
StringSubstitutor ss3 = new StringSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $hasTaintFlow
StringSubstitutor ss4 = new StringSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $hasTaintFlow
StringSubstitutor ss5 = new StringSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $hasTaintFlow
StringSubstitutor ss6 = new StringSubstitutor(taintedLookup); sink(ss6.replace("input")); // $hasTaintFlow
StringSubstitutor ss7 = new StringSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $hasTaintFlow
StringSubstitutor ss8 = new StringSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $hasTaintFlow
StringSubstitutor ss9 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' '); sink(ss9.replace("input")); // $hasTaintFlow
StringSubstitutor ss10 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $hasTaintFlow
StringSubstitutor ss1 = new StringSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $ hasTaintFlow
StringSubstitutor ss2 = new StringSubstitutor(taintedMap); sink(ss2.replace("input")); // $ hasTaintFlow
StringSubstitutor ss3 = new StringSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $ hasTaintFlow
StringSubstitutor ss4 = new StringSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $ hasTaintFlow
StringSubstitutor ss5 = new StringSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $ hasTaintFlow
StringSubstitutor ss6 = new StringSubstitutor(taintedLookup); sink(ss6.replace("input")); // $ hasTaintFlow
StringSubstitutor ss7 = new StringSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $ hasTaintFlow
StringSubstitutor ss8 = new StringSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $ hasTaintFlow
StringSubstitutor ss9 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' '); sink(ss9.replace("input")); // $ hasTaintFlow
StringSubstitutor ss10 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $ hasTaintFlow
// Test replace overloads (tainted substitution map):
StringSubstitutor taintedSubst = ss2;
sink(taintedSubst.replace((Object)"input")); // $hasTaintFlow
sink(taintedSubst.replace("input")); // $hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((Object)"input")); // $ hasTaintFlow
sink(taintedSubst.replace("input")); // $ hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $ hasTaintFlow
// Test replace overloads (tainted input):
StringSubstitutor untaintedSubst = ss1;
sink(untaintedSubst.replace((Object)taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((Object)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $ hasTaintFlow
// Test static replace methods:
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>())); // $hasTaintFlow
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap)); // $hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap, "{", "}")); // $hasTaintFlow
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>())); // $ hasTaintFlow
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $ hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap)); // $ hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap, "{", "}")); // $ hasTaintFlow
Properties taintedProps = new Properties();
taintedProps.put("key", taint());
sink(StringSubstitutor.replace(taint(), new Properties())); // $hasTaintFlow
sink(StringSubstitutor.replace("input", taintedProps)); // $hasTaintFlow
sink(StringSubstitutor.replace(taint(), new Properties())); // $ hasTaintFlow
sink(StringSubstitutor.replace("input", taintedProps)); // $ hasTaintFlow
// Test replaceIn methods:
TextStringBuilder strBuilder1 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $hasTaintFlow
TextStringBuilder strBuilder2 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $hasTaintFlow
TextStringBuilder strBuilder1 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $ hasTaintFlow
TextStringBuilder strBuilder2 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $ hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $ hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $ hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $ hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $ hasTaintFlow
}
}

52
java/ql/test/library-tests/frameworks/apache-commons-lang3/StringTokenizerTest.java
View File

@@ -9,38 +9,38 @@ public class StringTokenizerTest {
void test() throws Exception {
// Test constructors:
sink((new StringTokenizer(taint().toCharArray())).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',', '"')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ",")).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null, (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint())).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), ',')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), ',', '"')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), ",")).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null, (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray())).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ",")).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null)).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null, (StringMatcher)null)).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), ',')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), ",")).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null)).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null, (StringMatcher)null)).toString()); // $ hasTaintFlow
// Test constructing static methods:
sink(StringTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StringTokenizer.getCSVInstance(taint()).toString()); // $hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint()).toString()); // $hasTaintFlow
sink(StringTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StringTokenizer.getCSVInstance(taint()).toString()); // $ hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint()).toString()); // $ hasTaintFlow
// Test accessors:
sink((new StringTokenizer(taint())).clone()); // $hasTaintFlow
sink((new StringTokenizer(taint())).getContent()); // $hasTaintFlow
sink((new StringTokenizer(taint())).getTokenArray()); // $hasTaintFlow
sink((new StringTokenizer(taint())).getTokenList()); // $hasTaintFlow
sink((new StringTokenizer(taint())).next()); // $hasTaintFlow
sink((new StringTokenizer(taint())).nextToken()); // $hasTaintFlow
sink((new StringTokenizer(taint())).previous()); // $hasTaintFlow
sink((new StringTokenizer(taint())).previousToken()); // $hasTaintFlow
sink((new StringTokenizer(taint())).clone()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).getContent()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).getTokenArray()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).getTokenList()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).next()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).nextToken()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).previous()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).previousToken()); // $ hasTaintFlow
// Test mutators:
sink((new StringTokenizer()).reset(taint().toCharArray()).toString()); // $hasTaintFlow
sink((new StringTokenizer()).reset(taint()).toString()); // $hasTaintFlow
sink((new StringTokenizer()).reset(taint().toCharArray()).toString()); // $ hasTaintFlow
sink((new StringTokenizer()).reset(taint()).toString()); // $ hasTaintFlow
}
}

356
java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
View File

@@ -12,57 +12,57 @@ class Test {
void test() throws Exception {
// All these calls should convey taint to `sink` except as noted.
sink(StringUtils.abbreviate(taint(), 0)); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0)); // $hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0)); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0, 0)); // $hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.abbreviateMiddle(taint(), "...", 0)); // $hasTaintFlow
sink(StringUtils.abbreviateMiddle("Untainted", taint(), 0)); // $hasTaintFlow
sink(StringUtils.appendIfMissing(taint(), "suffix", "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.appendIfMissing("prefix", taint(), "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0, 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.abbreviateMiddle(taint(), "...", 0)); // $ hasTaintFlow
sink(StringUtils.abbreviateMiddle("Untainted", taint(), 0)); // $ hasTaintFlow
sink(StringUtils.appendIfMissing(taint(), "suffix", "candsuffix1", "candsuffix2")); // $ hasTaintFlow
sink(StringUtils.appendIfMissing("prefix", taint(), "candsuffix1", "candsuffix2")); // $ hasTaintFlow
// (next 2 calls) GOOD: candidate suffixes do not flow to the return value.
sink(StringUtils.appendIfMissing("prefix", "suffix", taint(), "candsuffix2"));
sink(StringUtils.appendIfMissing("prefix", "suffix", "candsuffix1", taint()));
sink(StringUtils.appendIfMissingIgnoreCase(taint(), "suffix", "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.appendIfMissingIgnoreCase("prefix", taint(), "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.appendIfMissingIgnoreCase(taint(), "suffix", "candsuffix1", "candsuffix2")); // $ hasTaintFlow
sink(StringUtils.appendIfMissingIgnoreCase("prefix", taint(), "candsuffix1", "candsuffix2")); // $ hasTaintFlow
// (next 2 calls) GOOD: candidate suffixes do not flow to the return value.
sink(StringUtils.appendIfMissingIgnoreCase("prefix", "suffix", taint(), "candsuffix2"));
sink(StringUtils.appendIfMissingIgnoreCase("prefix", "suffix", "candsuffix1", taint()));
sink(StringUtils.capitalize(taint())); // $hasTaintFlow
sink(StringUtils.center(taint(), 0)); // $hasTaintFlow
sink(StringUtils.center(taint(), 0, 'x')); // $hasTaintFlow
sink(StringUtils.center(taint(), 0, "padding string")); // $hasTaintFlow
sink(StringUtils.center("Center me", 0, taint())); // $hasTaintFlow
sink(StringUtils.chomp(taint())); // $hasTaintFlow
sink(StringUtils.chomp(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.capitalize(taint())); // $ hasTaintFlow
sink(StringUtils.center(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.center(taint(), 0, 'x')); // $ hasTaintFlow
sink(StringUtils.center(taint(), 0, "padding string")); // $ hasTaintFlow
sink(StringUtils.center("Center me", 0, taint())); // $ hasTaintFlow
sink(StringUtils.chomp(taint())); // $ hasTaintFlow
sink(StringUtils.chomp(taint(), "separator")); // $ hasTaintFlow
// GOOD: separator does not flow to the return value.
sink(StringUtils.chomp("Chomp me", taint()));
sink(StringUtils.chop(taint())); // $hasTaintFlow
sink(StringUtils.defaultIfBlank(taint(), "default")); // $hasTaintFlow
sink(StringUtils.defaultIfBlank("Perhaps blank", taint())); // $hasTaintFlow
sink(StringUtils.defaultIfEmpty(taint(), "default")); // $hasTaintFlow
sink(StringUtils.defaultIfEmpty("Perhaps empty", taint())); // $hasTaintFlow
sink(StringUtils.defaultString(taint())); // $hasTaintFlow
sink(StringUtils.defaultString(taint(), "default string")); // $hasTaintFlow
sink(StringUtils.defaultString("perhaps null", taint())); // $hasTaintFlow
sink(StringUtils.deleteWhitespace(taint())); // $hasTaintFlow
sink(StringUtils.difference(taint(), "rhs")); // $hasTaintFlow
sink(StringUtils.difference("lhs", taint())); // $hasTaintFlow
sink(StringUtils.firstNonBlank(taint(), "second string")); // $hasValueFlow
sink(StringUtils.firstNonBlank("first string", taint())); // $hasValueFlow
sink(StringUtils.firstNonEmpty(taint(), "second string")); // $hasValueFlow
sink(StringUtils.firstNonEmpty("first string", taint())); // $hasValueFlow
sink(StringUtils.getBytes(taint(), (Charset)null)); // $hasTaintFlow
sink(StringUtils.getBytes(taint(), "some charset")); // $hasTaintFlow
sink(StringUtils.chop(taint())); // $ hasTaintFlow
sink(StringUtils.defaultIfBlank(taint(), "default")); // $ hasTaintFlow
sink(StringUtils.defaultIfBlank("Perhaps blank", taint())); // $ hasTaintFlow
sink(StringUtils.defaultIfEmpty(taint(), "default")); // $ hasTaintFlow
sink(StringUtils.defaultIfEmpty("Perhaps empty", taint())); // $ hasTaintFlow
sink(StringUtils.defaultString(taint())); // $ hasTaintFlow
sink(StringUtils.defaultString(taint(), "default string")); // $ hasTaintFlow
sink(StringUtils.defaultString("perhaps null", taint())); // $ hasTaintFlow
sink(StringUtils.deleteWhitespace(taint())); // $ hasTaintFlow
sink(StringUtils.difference(taint(), "rhs")); // $ hasTaintFlow
sink(StringUtils.difference("lhs", taint())); // $ hasTaintFlow
sink(StringUtils.firstNonBlank(taint(), "second string")); // $ hasValueFlow
sink(StringUtils.firstNonBlank("first string", taint())); // $ hasValueFlow
sink(StringUtils.firstNonEmpty(taint(), "second string")); // $ hasValueFlow
sink(StringUtils.firstNonEmpty("first string", taint())); // $ hasValueFlow
sink(StringUtils.getBytes(taint(), (Charset)null)); // $ hasTaintFlow
sink(StringUtils.getBytes(taint(), "some charset")); // $ hasTaintFlow
// GOOD: charset names are not a source of taint
sink(StringUtils.getBytes("some string", taint()));
sink(StringUtils.getCommonPrefix(taint(), "second string")); // $hasTaintFlow
sink(StringUtils.getCommonPrefix("first string", taint())); // $hasTaintFlow
sink(StringUtils.getDigits(taint())); // $hasTaintFlow
sink(StringUtils.getIfBlank(taint(), () -> "default")); // $hasTaintFlow
sink(StringUtils.getIfEmpty(taint(), () -> "default")); // $hasTaintFlow
sink(StringUtils.getCommonPrefix(taint(), "second string")); // $ hasTaintFlow
sink(StringUtils.getCommonPrefix("first string", taint())); // $ hasTaintFlow
sink(StringUtils.getDigits(taint())); // $ hasTaintFlow
sink(StringUtils.getIfBlank(taint(), () -> "default")); // $ hasTaintFlow
sink(StringUtils.getIfEmpty(taint(), () -> "default")); // $ hasTaintFlow
// BAD (but not detected yet): latent taint in lambdas
sink(StringUtils.getIfBlank("maybe blank", () -> taint()));
sink(StringUtils.getIfEmpty("maybe blank", () -> taint()));
@@ -70,70 +70,70 @@ class Test {
// of tainted data.
sink(StringUtils.join(StringUtils.getBytes(taint(), "UTF-8"), ' '));
sink(StringUtils.join(StringUtils.getBytes(taint(), "UTF-8"), ' ', 0, 0));
sink(StringUtils.join(taint().toCharArray(), ' ')); // $hasTaintFlow
sink(StringUtils.join(taint().toCharArray(), ' ', 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taint().toCharArray(), ' ')); // $ hasTaintFlow
sink(StringUtils.join(taint().toCharArray(), ' ', 0, 0)); // $ hasTaintFlow
// Testing the Iterable<?> overloads of `join`
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
sink(StringUtils.join(taintedList, ' ')); // $hasTaintFlow
sink(StringUtils.join(taintedList, "sep")); // $hasTaintFlow
sink(StringUtils.join(taintedList, ' ')); // $ hasTaintFlow
sink(StringUtils.join(taintedList, "sep")); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
sink(StringUtils.join(untaintedList, taint())); // $hasTaintFlow
sink(StringUtils.join(untaintedList, taint())); // $ hasTaintFlow
// Testing the Iterator<?> overloads of `join`
sink(StringUtils.join(taintedList.iterator(), ' ')); // $hasTaintFlow
sink(StringUtils.join(taintedList.iterator(), "sep")); // $hasTaintFlow
sink(StringUtils.join(untaintedList.iterator(), taint())); // $hasTaintFlow
sink(StringUtils.join(taintedList.iterator(), ' ')); // $ hasTaintFlow
sink(StringUtils.join(taintedList.iterator(), "sep")); // $ hasTaintFlow
sink(StringUtils.join(untaintedList.iterator(), taint())); // $ hasTaintFlow
// Testing the List<?> overloads of `join`, which have start/end indices
sink(StringUtils.join(taintedList, ' ', 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedList, "sep", 0, 0)); // $hasTaintFlow
sink(StringUtils.join(untaintedList, taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedList, ' ', 0, 0)); // $ hasTaintFlow
sink(StringUtils.join(taintedList, "sep", 0, 0)); // $ hasTaintFlow
sink(StringUtils.join(untaintedList, taint(), 0, 0)); // $ hasTaintFlow
// Testing the Object[] overloads of `join`, which may have start/end indices
Object[] taintedArray = new Object[] { taint() };
sink(StringUtils.join(taintedArray, ' ')); // $hasTaintFlow
sink(StringUtils.join(taintedArray, "sep")); // $hasTaintFlow
sink(StringUtils.join(taintedArray, ' ', 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedArray, "sep", 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedArray, ' ')); // $ hasTaintFlow
sink(StringUtils.join(taintedArray, "sep")); // $ hasTaintFlow
sink(StringUtils.join(taintedArray, ' ', 0, 0)); // $ hasTaintFlow
sink(StringUtils.join(taintedArray, "sep", 0, 0)); // $ hasTaintFlow
Object[] untaintedArray = new Object[] { "safe" };
sink(StringUtils.join(untaintedArray, taint())); // $hasTaintFlow
sink(StringUtils.join(untaintedArray, taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.join(untaintedArray, taint())); // $ hasTaintFlow
sink(StringUtils.join(untaintedArray, taint(), 0, 0)); // $ hasTaintFlow
// Testing the variadic overload of `join` and `joinWith`
sink(StringUtils.join(taint(), "other string")); // $hasTaintFlow
sink(StringUtils.join("other string before", taint())); // $hasTaintFlow
sink(StringUtils.joinWith("separator", taint(), "other string")); // $hasTaintFlow
sink(StringUtils.joinWith("separator", "other string before", taint())); // $hasTaintFlow
sink(StringUtils.joinWith(taint(), "other string before", "other string after")); // $hasTaintFlow
sink(StringUtils.join(taint(), "other string")); // $ hasTaintFlow
sink(StringUtils.join("other string before", taint())); // $ hasTaintFlow
sink(StringUtils.joinWith("separator", taint(), "other string")); // $ hasTaintFlow
sink(StringUtils.joinWith("separator", "other string before", taint())); // $ hasTaintFlow
sink(StringUtils.joinWith(taint(), "other string before", "other string after")); // $ hasTaintFlow
// End of `join` tests
sink(StringUtils.left(taint(), 0)); // $hasTaintFlow
sink(StringUtils.leftPad(taint(), 0)); // $hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, ' ')); // $hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, "padding")); // $hasTaintFlow
sink(StringUtils.leftPad("to pad", 0, taint())); // $hasTaintFlow
sink(StringUtils.lowerCase(taint())); // $hasTaintFlow
sink(StringUtils.lowerCase(taint(), Locale.UK)); // $hasTaintFlow
sink(StringUtils.mid(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.normalizeSpace(taint())); // $hasTaintFlow
sink(StringUtils.overlay(taint(), "overlay", 0, 0)); // $hasTaintFlow
sink(StringUtils.overlay("underlay", taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.prependIfMissing(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.prependIfMissing("original string", taint(), "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.left(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.leftPad(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, ' ')); // $ hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, "padding")); // $ hasTaintFlow
sink(StringUtils.leftPad("to pad", 0, taint())); // $ hasTaintFlow
sink(StringUtils.lowerCase(taint())); // $ hasTaintFlow
sink(StringUtils.lowerCase(taint(), Locale.UK)); // $ hasTaintFlow
sink(StringUtils.mid(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.normalizeSpace(taint())); // $ hasTaintFlow
sink(StringUtils.overlay(taint(), "overlay", 0, 0)); // $ hasTaintFlow
sink(StringUtils.overlay("underlay", taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.prependIfMissing(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $ hasTaintFlow
sink(StringUtils.prependIfMissing("original string", taint(), "check prefix 1", "check prefix 2")); // $ hasTaintFlow
// (next 2 calls) GOOD: args 3+ are checked against but do not propagate to the return value
sink(StringUtils.prependIfMissing("original string", "append prefix", taint(), "check prefix 2"));
sink(StringUtils.prependIfMissing("original string", "append prefix", "check prefix 1", taint()));
sink(StringUtils.prependIfMissingIgnoreCase(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.prependIfMissingIgnoreCase("original string", taint(), "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.prependIfMissingIgnoreCase(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $ hasTaintFlow
sink(StringUtils.prependIfMissingIgnoreCase("original string", taint(), "check prefix 1", "check prefix 2")); // $ hasTaintFlow
// (next 2 calls) GOOD: args 3+ are checked against but do not propagate to the return value
sink(StringUtils.prependIfMissingIgnoreCase("original string", "append prefix", taint(), "check prefix 2"));
sink(StringUtils.prependIfMissingIgnoreCase("original string", "append prefix", "check prefix 1", taint()));
sink(StringUtils.remove(taint(), ' ')); // $hasTaintFlow
sink(StringUtils.remove(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeAll(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeEnd(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeEndIgnoreCase(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeFirst(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeIgnoreCase(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removePattern(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeStart(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeStartIgnoreCase(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.remove(taint(), ' ')); // $ hasTaintFlow
sink(StringUtils.remove(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeAll(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeEnd(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeEndIgnoreCase(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeFirst(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeIgnoreCase(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removePattern(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeStart(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeStartIgnoreCase(taint(), "delete me")); // $ hasTaintFlow
// GOOD (next 9 calls): the removed string doesn't propagate to the return value
sink(StringUtils.remove("remove from", taint()));
sink(StringUtils.removeAll("remove from", taint()));
@@ -144,32 +144,32 @@ class Test {
sink(StringUtils.removePattern("remove from", taint()));
sink(StringUtils.removeStart("remove from", taint()));
sink(StringUtils.removeStartIgnoreCase("remove from", taint()));
sink(StringUtils.repeat(taint(), 1)); // $hasTaintFlow
sink(StringUtils.repeat(taint(), "separator", 1)); // $hasTaintFlow
sink(StringUtils.repeat("repeat me", taint(), 1)); // $hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement", 0)); // $hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint(), 0)); // $hasTaintFlow
sink(StringUtils.replaceAll(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceAll("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceChars(taint(), 'a', 'b')); // $hasTaintFlow
sink(StringUtils.replaceChars(taint(), "abc", "xyz")); // $hasTaintFlow
sink(StringUtils.replaceChars("haystack", "abc", taint())); // $hasTaintFlow
sink(StringUtils.replaceEach(taint(), new String[] { "search" }, new String[] { "replacement" })); // $hasTaintFlow
sink(StringUtils.replaceEach("haystack", new String[] { "search" }, new String[] { taint() })); // $hasTaintFlow
sink(StringUtils.replaceEachRepeatedly(taint(), new String[] { "search" }, new String[] { "replacement" })); // $hasTaintFlow
sink(StringUtils.replaceEachRepeatedly("haystack", new String[] { "search" }, new String[] { taint() })); // $hasTaintFlow
sink(StringUtils.replaceFirst(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceFirst("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceIgnoreCase(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceIgnoreCase("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceOnce(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceOnce("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replacePattern(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replacePattern("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.repeat(taint(), 1)); // $ hasTaintFlow
sink(StringUtils.repeat(taint(), "separator", 1)); // $ hasTaintFlow
sink(StringUtils.repeat("repeat me", taint(), 1)); // $ hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement", 0)); // $ hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint(), 0)); // $ hasTaintFlow
sink(StringUtils.replaceAll(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceAll("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceChars(taint(), 'a', 'b')); // $ hasTaintFlow
sink(StringUtils.replaceChars(taint(), "abc", "xyz")); // $ hasTaintFlow
sink(StringUtils.replaceChars("haystack", "abc", taint())); // $ hasTaintFlow
sink(StringUtils.replaceEach(taint(), new String[] { "search" }, new String[] { "replacement" })); // $ hasTaintFlow
sink(StringUtils.replaceEach("haystack", new String[] { "search" }, new String[] { taint() })); // $ hasTaintFlow
sink(StringUtils.replaceEachRepeatedly(taint(), new String[] { "search" }, new String[] { "replacement" })); // $ hasTaintFlow
sink(StringUtils.replaceEachRepeatedly("haystack", new String[] { "search" }, new String[] { taint() })); // $ hasTaintFlow
sink(StringUtils.replaceFirst(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceFirst("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceIgnoreCase(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceIgnoreCase("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceOnce(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceOnce("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replacePattern(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replacePattern("haystack", "search", taint())); // $ hasTaintFlow
// GOOD (next 11 calls): searched string in replace methods does not flow to the return value.
sink(StringUtils.replace("haystack", taint(), "replacement"));
sink(StringUtils.replace("haystack", taint(), "replacement", 0));
@@ -182,28 +182,28 @@ class Test {
sink(StringUtils.replaceOnce("haystack", taint(), "replacement"));
sink(StringUtils.replaceOnceIgnoreCase("haystack", taint(), "replacement"));
sink(StringUtils.replacePattern("haystack", taint(), "replacement"));
sink(StringUtils.reverse(taint())); // $hasTaintFlow
sink(StringUtils.reverseDelimited(taint(), ',')); // $hasTaintFlow
sink(StringUtils.right(taint(), 0)); // $hasTaintFlow
sink(StringUtils.rightPad(taint(), 0)); // $hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, ' ')); // $hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, "padding")); // $hasTaintFlow
sink(StringUtils.rightPad("to pad", 0, taint())); // $hasTaintFlow
sink(StringUtils.rotate(taint(), 0)); // $hasTaintFlow
sink(StringUtils.split(taint())); // $hasTaintFlow
sink(StringUtils.split(taint(), ' ')); // $hasTaintFlow
sink(StringUtils.split(taint(), " ,;")); // $hasTaintFlow
sink(StringUtils.split(taint(), " ,;", 0)); // $hasTaintFlow
sink(StringUtils.splitByCharacterType(taint())); // $hasTaintFlow
sink(StringUtils.splitByCharacterTypeCamelCase(taint())); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator", 0)); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator", 0)); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint())); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), ' ')); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;")); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;", 0)); // $hasTaintFlow
sink(StringUtils.reverse(taint())); // $ hasTaintFlow
sink(StringUtils.reverseDelimited(taint(), ',')); // $ hasTaintFlow
sink(StringUtils.right(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.rightPad(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, ' ')); // $ hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, "padding")); // $ hasTaintFlow
sink(StringUtils.rightPad("to pad", 0, taint())); // $ hasTaintFlow
sink(StringUtils.rotate(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.split(taint())); // $ hasTaintFlow
sink(StringUtils.split(taint(), ' ')); // $ hasTaintFlow
sink(StringUtils.split(taint(), " ,;")); // $ hasTaintFlow
sink(StringUtils.split(taint(), " ,;", 0)); // $ hasTaintFlow
sink(StringUtils.splitByCharacterType(taint())); // $ hasTaintFlow
sink(StringUtils.splitByCharacterTypeCamelCase(taint())); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator", 0)); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator", 0)); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint())); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), ' ')); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;")); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;", 0)); // $ hasTaintFlow
// GOOD (next 8 calls): separators don't propagate to the return value
sink(StringUtils.split("to split", taint()));
sink(StringUtils.split("to split", taint(), 0));
@@ -213,30 +213,30 @@ class Test {
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens("to split", taint()));
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens("to split", taint(), 0));
sink(StringUtils.splitPreserveAllTokens("to split", taint()));
sink(StringUtils.strip(taint())); // $hasTaintFlow
sink(StringUtils.strip(taint(), "charstoremove")); // $hasTaintFlow
sink(StringUtils.stripAccents(taint())); // $hasTaintFlow
sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")[0]); // $hasTaintFlow
sink(StringUtils.stripEnd(taint(), "charstoremove")); // $hasTaintFlow
sink(StringUtils.stripStart(taint(), "charstoremove")); // $hasTaintFlow
sink(StringUtils.strip(taint())); // $ hasTaintFlow
sink(StringUtils.strip(taint(), "charstoremove")); // $ hasTaintFlow
sink(StringUtils.stripAccents(taint())); // $ hasTaintFlow
sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")[0]); // $ hasTaintFlow
sink(StringUtils.stripEnd(taint(), "charstoremove")); // $ hasTaintFlow
sink(StringUtils.stripStart(taint(), "charstoremove")); // $ hasTaintFlow
// GOOD (next 4 calls): stripped chars do not flow to the return value.
sink(StringUtils.strip("original text", taint()));
sink(StringUtils.stripAll(new String[] { "original text" }, taint())[0]);
sink(StringUtils.stripEnd("original text", taint()));
sink(StringUtils.stripStart("original text", taint()));
sink(StringUtils.stripToEmpty(taint())); // $hasTaintFlow
sink(StringUtils.stripToNull(taint())); // $hasTaintFlow
sink(StringUtils.substring(taint(), 0)); // $hasTaintFlow
sink(StringUtils.substring(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.substringAfter(taint(), 0)); // $hasTaintFlow
sink(StringUtils.substringAfter(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), 0)); // $hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBefore(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBeforeLast(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBetween(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBetween(taint(), "start-tag", "end-tag")); // $hasTaintFlow
sink(StringUtils.substringsBetween(taint(), "start-tag", "end-tag")[0]); // $hasTaintFlow
sink(StringUtils.stripToEmpty(taint())); // $ hasTaintFlow
sink(StringUtils.stripToNull(taint())); // $ hasTaintFlow
sink(StringUtils.substring(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.substring(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.substringAfter(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.substringAfter(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBefore(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBeforeLast(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBetween(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBetween(taint(), "start-tag", "end-tag")); // $ hasTaintFlow
sink(StringUtils.substringsBetween(taint(), "start-tag", "end-tag")[0]); // $ hasTaintFlow
// GOOD (next 9 calls): separators and bounding tags do not flow to the return value.
sink(StringUtils.substringAfter("original text", taint()));
sink(StringUtils.substringAfterLast("original text", taint()));
@@ -247,31 +247,31 @@ class Test {
sink(StringUtils.substringBetween("original text", "start-tag", taint()));
sink(StringUtils.substringsBetween("original text", taint(), "end-tag")[0]);
sink(StringUtils.substringsBetween("original text", "start-tag", taint())[0]);
sink(StringUtils.swapCase(taint())); // $hasTaintFlow
sink(StringUtils.toCodePoints(taint())); // $hasTaintFlow
sink(StringUtils.toEncodedString(StringUtils.getBytes(taint(), "charset"), null)); // $hasTaintFlow
sink(StringUtils.toRootLowerCase(taint())); // $hasTaintFlow
sink(StringUtils.toRootUpperCase(taint())); // $hasTaintFlow
sink(StringUtils.toString(StringUtils.getBytes(taint(), "charset"), "charset")); // $hasTaintFlow
sink(StringUtils.trim(taint())); // $hasTaintFlow
sink(StringUtils.trimToEmpty(taint())); // $hasTaintFlow
sink(StringUtils.trimToNull(taint())); // $hasTaintFlow
sink(StringUtils.truncate(taint(), 0)); // $hasTaintFlow
sink(StringUtils.truncate(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.uncapitalize(taint())); // $hasTaintFlow
sink(StringUtils.unwrap(taint(), '"')); // $hasTaintFlow
sink(StringUtils.unwrap(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.swapCase(taint())); // $ hasTaintFlow
sink(StringUtils.toCodePoints(taint())); // $ hasTaintFlow
sink(StringUtils.toEncodedString(StringUtils.getBytes(taint(), "charset"), null)); // $ hasTaintFlow
sink(StringUtils.toRootLowerCase(taint())); // $ hasTaintFlow
sink(StringUtils.toRootUpperCase(taint())); // $ hasTaintFlow
sink(StringUtils.toString(StringUtils.getBytes(taint(), "charset"), "charset")); // $ hasTaintFlow
sink(StringUtils.trim(taint())); // $ hasTaintFlow
sink(StringUtils.trimToEmpty(taint())); // $ hasTaintFlow
sink(StringUtils.trimToNull(taint())); // $ hasTaintFlow
sink(StringUtils.truncate(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.truncate(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.uncapitalize(taint())); // $ hasTaintFlow
sink(StringUtils.unwrap(taint(), '"')); // $ hasTaintFlow
sink(StringUtils.unwrap(taint(), "separator")); // $ hasTaintFlow
// GOOD: the wrapper string does not flow to the return value.
sink(StringUtils.unwrap("original string", taint()));
sink(StringUtils.upperCase(taint())); // $hasTaintFlow
sink(StringUtils.upperCase(taint(), null)); // $hasTaintFlow
sink(StringUtils.valueOf(taint().toCharArray())); // $hasTaintFlow
sink(StringUtils.wrap(taint(), '"')); // $hasTaintFlow
sink(StringUtils.wrap(taint(), "wrapper token")); // $hasTaintFlow
sink(StringUtils.wrap("wrap me", taint())); // $hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), '"')); // $hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), "wrapper token")); // $hasTaintFlow
sink(StringUtils.wrapIfMissing("wrap me", taint())); // $hasTaintFlow
sink(StringUtils.upperCase(taint())); // $ hasTaintFlow
sink(StringUtils.upperCase(taint(), null)); // $ hasTaintFlow
sink(StringUtils.valueOf(taint().toCharArray())); // $ hasTaintFlow
sink(StringUtils.wrap(taint(), '"')); // $ hasTaintFlow
sink(StringUtils.wrap(taint(), "wrapper token")); // $ hasTaintFlow
sink(StringUtils.wrap("wrap me", taint())); // $ hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), '"')); // $ hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), "wrapper token")); // $ hasTaintFlow
sink(StringUtils.wrapIfMissing("wrap me", taint())); // $ hasTaintFlow
}

154
java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java
View File

@@ -14,135 +14,135 @@ class TextStringBuilderTest {
void test() throws Exception {
TextStringBuilder cons1 = new TextStringBuilder(taint()); sink(cons1.toString()); // $hasTaintFlow
TextStringBuilder cons2 = new TextStringBuilder((CharSequence)taint()); sink(cons2.toString()); // $hasTaintFlow
TextStringBuilder cons1 = new TextStringBuilder(taint()); sink(cons1.toString()); // $ hasTaintFlow
TextStringBuilder cons2 = new TextStringBuilder((CharSequence)taint()); sink(cons2.toString()); // $ hasTaintFlow
TextStringBuilder sb1 = new TextStringBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow
TextStringBuilder sb2 = new TextStringBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow
TextStringBuilder sb1 = new TextStringBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $ hasTaintFlow
TextStringBuilder sb2 = new TextStringBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $ hasTaintFlow
TextStringBuilder sb3 = new TextStringBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // $ hasTaintFlow
TextStringBuilder sb4 = new TextStringBuilder(); sb4.append(CharBuffer.wrap(taint().toCharArray()), 0, 0); sink(sb4.toString()); // $ hasTaintFlow
TextStringBuilder sb5 = new TextStringBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $hasTaintFlow
TextStringBuilder sb6 = new TextStringBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $hasTaintFlow
TextStringBuilder sb7 = new TextStringBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $hasTaintFlow
TextStringBuilder sb5 = new TextStringBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $ hasTaintFlow
TextStringBuilder sb6 = new TextStringBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $ hasTaintFlow
TextStringBuilder sb7 = new TextStringBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $ hasTaintFlow
{
TextStringBuilder auxsb = new TextStringBuilder(); auxsb.append(taint());
TextStringBuilder sb8 = new TextStringBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $hasTaintFlow
TextStringBuilder sb8 = new TextStringBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $ hasTaintFlow
}
TextStringBuilder sb9 = new TextStringBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $hasTaintFlow
TextStringBuilder sb10 = new TextStringBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $hasTaintFlow
TextStringBuilder sb11 = new TextStringBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $hasTaintFlow
TextStringBuilder sb12 = new TextStringBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $hasTaintFlow
TextStringBuilder sb13 = new TextStringBuilder(); sb13.append(taint()); sink(sb13.toString()); // $hasTaintFlow
TextStringBuilder sb14 = new TextStringBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $hasTaintFlow
TextStringBuilder sb15 = new TextStringBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $hasTaintFlow
TextStringBuilder sb16 = new TextStringBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $hasTaintFlow
TextStringBuilder sb9 = new TextStringBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $ hasTaintFlow
TextStringBuilder sb10 = new TextStringBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $ hasTaintFlow
TextStringBuilder sb11 = new TextStringBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $ hasTaintFlow
TextStringBuilder sb12 = new TextStringBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $ hasTaintFlow
TextStringBuilder sb13 = new TextStringBuilder(); sb13.append(taint()); sink(sb13.toString()); // $ hasTaintFlow
TextStringBuilder sb14 = new TextStringBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $ hasTaintFlow
TextStringBuilder sb15 = new TextStringBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $ hasTaintFlow
TextStringBuilder sb16 = new TextStringBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $ hasTaintFlow
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
TextStringBuilder sb17 = new TextStringBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $hasTaintFlow
TextStringBuilder sb18 = new TextStringBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $hasTaintFlow
TextStringBuilder sb17 = new TextStringBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $ hasTaintFlow
TextStringBuilder sb18 = new TextStringBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $ hasTaintFlow
}
TextStringBuilder sb19 = new TextStringBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $hasTaintFlow
TextStringBuilder sb20 = new TextStringBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $hasTaintFlow
TextStringBuilder sb21 = new TextStringBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $hasTaintFlow
TextStringBuilder sb22 = new TextStringBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $hasTaintFlow
TextStringBuilder sb23 = new TextStringBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $hasTaintFlow
TextStringBuilder sb24 = new TextStringBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $hasTaintFlow
TextStringBuilder sb25 = new TextStringBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $hasTaintFlow
TextStringBuilder sb19 = new TextStringBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $ hasTaintFlow
TextStringBuilder sb20 = new TextStringBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $ hasTaintFlow
TextStringBuilder sb21 = new TextStringBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $ hasTaintFlow
TextStringBuilder sb22 = new TextStringBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $ hasTaintFlow
TextStringBuilder sb23 = new TextStringBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $ hasTaintFlow
TextStringBuilder sb24 = new TextStringBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $ hasTaintFlow
TextStringBuilder sb25 = new TextStringBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $ hasTaintFlow
{
TextStringBuilder auxsb = new TextStringBuilder(); auxsb.appendln(taint());
TextStringBuilder sb26 = new TextStringBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $hasTaintFlow
TextStringBuilder sb26 = new TextStringBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $ hasTaintFlow
}
TextStringBuilder sb27 = new TextStringBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $hasTaintFlow
TextStringBuilder sb28 = new TextStringBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $hasTaintFlow
TextStringBuilder sb29 = new TextStringBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $hasTaintFlow
TextStringBuilder sb30 = new TextStringBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $hasTaintFlow
TextStringBuilder sb31 = new TextStringBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $hasTaintFlow
TextStringBuilder sb32 = new TextStringBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $hasTaintFlow
TextStringBuilder sb33 = new TextStringBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $hasTaintFlow
TextStringBuilder sb34 = new TextStringBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $hasTaintFlow
TextStringBuilder sb35 = new TextStringBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $hasTaintFlow
TextStringBuilder sb36 = new TextStringBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $hasTaintFlow
TextStringBuilder sb37 = new TextStringBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $hasTaintFlow
TextStringBuilder sb38 = new TextStringBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $hasTaintFlow
TextStringBuilder sb27 = new TextStringBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $ hasTaintFlow
TextStringBuilder sb28 = new TextStringBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $ hasTaintFlow
TextStringBuilder sb29 = new TextStringBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $ hasTaintFlow
TextStringBuilder sb30 = new TextStringBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $ hasTaintFlow
TextStringBuilder sb31 = new TextStringBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $ hasTaintFlow
TextStringBuilder sb32 = new TextStringBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $ hasTaintFlow
TextStringBuilder sb33 = new TextStringBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $ hasTaintFlow
TextStringBuilder sb34 = new TextStringBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $ hasTaintFlow
TextStringBuilder sb35 = new TextStringBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $ hasTaintFlow
TextStringBuilder sb36 = new TextStringBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $ hasTaintFlow
TextStringBuilder sb37 = new TextStringBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $ hasTaintFlow
TextStringBuilder sb38 = new TextStringBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $ hasTaintFlow
{
TextStringBuilder auxsb = new TextStringBuilder(); auxsb.appendln(taint());
TextStringBuilder sb39 = new TextStringBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $hasTaintFlow
TextStringBuilder sb39 = new TextStringBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $ hasTaintFlow
}
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
TextStringBuilder sb40 = new TextStringBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $hasTaintFlow
TextStringBuilder sb41 = new TextStringBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $hasTaintFlow
TextStringBuilder sb40 = new TextStringBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $ hasTaintFlow
TextStringBuilder sb41 = new TextStringBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
TextStringBuilder sb42 = new TextStringBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $hasTaintFlow
TextStringBuilder sb43 = new TextStringBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $hasTaintFlow
TextStringBuilder sb42 = new TextStringBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $ hasTaintFlow
TextStringBuilder sb43 = new TextStringBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $ hasTaintFlow
String[] taintedArray = new String[] { taint() };
String[] untaintedArray = new String[] {};
TextStringBuilder sb44 = new TextStringBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $hasTaintFlow
TextStringBuilder sb45 = new TextStringBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $hasTaintFlow
TextStringBuilder sb44 = new TextStringBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $ hasTaintFlow
TextStringBuilder sb45 = new TextStringBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $ hasTaintFlow
}
{
TextStringBuilder sb46 = new TextStringBuilder(); sb46.append(taint());
char[] target = new char[100];
sb46.asReader().read(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
TextStringBuilder sb47 = new TextStringBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $hasTaintFlow
TextStringBuilder sb48 = new TextStringBuilder(); sb48.append(taint()); sink(sb48.build()); // $hasTaintFlow
TextStringBuilder sb49 = new TextStringBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $hasTaintFlow
TextStringBuilder sb47 = new TextStringBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $ hasTaintFlow
TextStringBuilder sb48 = new TextStringBuilder(); sb48.append(taint()); sink(sb48.build()); // $ hasTaintFlow
TextStringBuilder sb49 = new TextStringBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $ hasTaintFlow
{
TextStringBuilder sb50 = new TextStringBuilder(); sb50.append(taint());
char[] target = new char[100];
sb50.getChars(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
{
TextStringBuilder sb51 = new TextStringBuilder(); sb51.append(taint());
char[] target = new char[100];
sb51.getChars(0, 0, target, 0);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
TextStringBuilder sb52 = new TextStringBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $hasTaintFlow
TextStringBuilder sb53 = new TextStringBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $hasTaintFlow
TextStringBuilder sb54 = new TextStringBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $hasTaintFlow
TextStringBuilder sb55 = new TextStringBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $hasTaintFlow
TextStringBuilder sb56 = new TextStringBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $hasTaintFlow
TextStringBuilder sb57 = new TextStringBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $hasTaintFlow
TextStringBuilder sb52 = new TextStringBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $ hasTaintFlow
TextStringBuilder sb53 = new TextStringBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $ hasTaintFlow
TextStringBuilder sb54 = new TextStringBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $ hasTaintFlow
TextStringBuilder sb55 = new TextStringBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $ hasTaintFlow
TextStringBuilder sb56 = new TextStringBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $ hasTaintFlow
TextStringBuilder sb57 = new TextStringBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $ hasTaintFlow
{
StringReader reader = new StringReader(taint());
TextStringBuilder sb58 = new TextStringBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $hasTaintFlow
TextStringBuilder sb58 = new TextStringBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $ hasTaintFlow
}
TextStringBuilder sb59 = new TextStringBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $hasTaintFlow
TextStringBuilder sb60 = new TextStringBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $hasTaintFlow
TextStringBuilder sb61 = new TextStringBuilder(); sb61.replaceAll((StringMatcher)null, taint()); sink(sb61.toString()); // $hasTaintFlow
TextStringBuilder sb62 = new TextStringBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $hasTaintFlow
TextStringBuilder sb59 = new TextStringBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $ hasTaintFlow
TextStringBuilder sb60 = new TextStringBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $ hasTaintFlow
TextStringBuilder sb61 = new TextStringBuilder(); sb61.replaceAll((StringMatcher)null, taint()); sink(sb61.toString()); // $ hasTaintFlow
TextStringBuilder sb62 = new TextStringBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $ hasTaintFlow
TextStringBuilder sb63 = new TextStringBuilder(); sb63.replaceAll(taint(), "replace"); sink(sb63.toString()); // GOOD (search string doesn't convey taint)
TextStringBuilder sb64 = new TextStringBuilder(); sb64.replaceFirst((StringMatcher)null, taint()); sink(sb64.toString()); // $hasTaintFlow
TextStringBuilder sb65 = new TextStringBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $hasTaintFlow
TextStringBuilder sb64 = new TextStringBuilder(); sb64.replaceFirst((StringMatcher)null, taint()); sink(sb64.toString()); // $ hasTaintFlow
TextStringBuilder sb65 = new TextStringBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $ hasTaintFlow
TextStringBuilder sb66 = new TextStringBuilder(); sb66.replaceFirst(taint(), "replace"); sink(sb66.toString()); // GOOD (search string doesn't convey taint)
TextStringBuilder sb67 = new TextStringBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $hasTaintFlow
TextStringBuilder sb68 = new TextStringBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $hasTaintFlow
TextStringBuilder sb69 = new TextStringBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $hasTaintFlow
TextStringBuilder sb70 = new TextStringBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $hasTaintFlow
TextStringBuilder sb71 = new TextStringBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $hasTaintFlow
TextStringBuilder sb72 = new TextStringBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
TextStringBuilder sb73 = new TextStringBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
TextStringBuilder sb74 = new TextStringBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
TextStringBuilder sb67 = new TextStringBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $ hasTaintFlow
TextStringBuilder sb68 = new TextStringBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $ hasTaintFlow
TextStringBuilder sb69 = new TextStringBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $ hasTaintFlow
TextStringBuilder sb70 = new TextStringBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $ hasTaintFlow
TextStringBuilder sb71 = new TextStringBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $ hasTaintFlow
TextStringBuilder sb72 = new TextStringBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $ hasTaintFlow
TextStringBuilder sb73 = new TextStringBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $ hasTaintFlow
TextStringBuilder sb74 = new TextStringBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $ hasTaintFlow
// Tests for fluent methods (those returning `this`):
TextStringBuilder fluentTest = new TextStringBuilder();
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
TextStringBuilder fluentBackflowTest = new TextStringBuilder();
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
TextStringBuilder fluentBackflowTest2 = new TextStringBuilder();
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
// Test all fluent methods are passing taint through to their result:
TextStringBuilder fluentAllMethodsTest = new TextStringBuilder(taint());
@@ -172,7 +172,7 @@ class TextStringBuilderTest {
.setLength(500)
.setNewLineText("newline")
.setNullText("NULL")
.trim()); // $hasTaintFlow
.trim()); // $ hasTaintFlow
// Test all fluent methods are passing taint back to their qualifier:
TextStringBuilder fluentAllMethodsTest2 = new TextStringBuilder();
@@ -204,7 +204,7 @@ class TextStringBuilderTest {
.setNullText("NULL")
.trim()
.append(taint());
sink(fluentAllMethodsTest2); // $hasTaintFlow
sink(fluentAllMethodsTest2); // $ hasTaintFlow
}
}

28
java/ql/test/library-tests/frameworks/apache-commons-lang3/ToStringBuilderTest.java
View File

@@ -7,31 +7,31 @@ class ToStringBuilderTest {
void test() throws Exception {
ToStringBuilder sb1 = new ToStringBuilder(null); sb1.append((Object)taint()); sink(sb1.toString()); // $hasTaintFlow
ToStringBuilder sb2 = new ToStringBuilder(null); sb2.append(new Object[] { taint() }); sink(sb2.toString()); // $hasTaintFlow
ToStringBuilder sb3 = new ToStringBuilder(null); sb3.append(taint(), true); sink(sb3.toString()); // $hasTaintFlow
ToStringBuilder sb4 = new ToStringBuilder(null); sb4.append("fieldname", taint()); sink(sb4.toString()); // $hasTaintFlow
ToStringBuilder sb5 = new ToStringBuilder(null); sb5.append("fieldname", new Object[] { taint() }); sink(sb5.toString()); // $hasTaintFlow
ToStringBuilder sb6 = new ToStringBuilder(null); sb6.append("fieldname", new Object[] { taint() }, true); sink(sb6.toString()); // $hasTaintFlow
ToStringBuilder sb1 = new ToStringBuilder(null); sb1.append((Object)taint()); sink(sb1.toString()); // $ hasTaintFlow
ToStringBuilder sb2 = new ToStringBuilder(null); sb2.append(new Object[] { taint() }); sink(sb2.toString()); // $ hasTaintFlow
ToStringBuilder sb3 = new ToStringBuilder(null); sb3.append(taint(), true); sink(sb3.toString()); // $ hasTaintFlow
ToStringBuilder sb4 = new ToStringBuilder(null); sb4.append("fieldname", taint()); sink(sb4.toString()); // $ hasTaintFlow
ToStringBuilder sb5 = new ToStringBuilder(null); sb5.append("fieldname", new Object[] { taint() }); sink(sb5.toString()); // $ hasTaintFlow
ToStringBuilder sb6 = new ToStringBuilder(null); sb6.append("fieldname", new Object[] { taint() }, true); sink(sb6.toString()); // $ hasTaintFlow
// GOOD: this appends an Object using the Object.toString style, which does not expose fields or String content.
ToStringBuilder sb7 = new ToStringBuilder(null); sb7.appendAsObjectToString(taint()); sink(sb7.toString());
ToStringBuilder sb8 = new ToStringBuilder(null); sb8.appendSuper(taint()); sink(sb8.toString()); // $hasTaintFlow
ToStringBuilder sb9 = new ToStringBuilder(null); sb9.appendToString(taint()); sink(sb9.toString()); // $hasTaintFlow
ToStringBuilder sb10 = new ToStringBuilder(null); sb10.append((Object)taint()); sink(sb10.build()); // $hasTaintFlow
ToStringBuilder sb11 = new ToStringBuilder(null); sb11.append((Object)taint()); sink(sb11.getStringBuffer().toString()); // $hasTaintFlow
ToStringBuilder sb8 = new ToStringBuilder(null); sb8.appendSuper(taint()); sink(sb8.toString()); // $ hasTaintFlow
ToStringBuilder sb9 = new ToStringBuilder(null); sb9.appendToString(taint()); sink(sb9.toString()); // $ hasTaintFlow
ToStringBuilder sb10 = new ToStringBuilder(null); sb10.append((Object)taint()); sink(sb10.build()); // $ hasTaintFlow
ToStringBuilder sb11 = new ToStringBuilder(null); sb11.append((Object)taint()); sink(sb11.getStringBuffer().toString()); // $ hasTaintFlow
// Test fluent methods:
ToStringBuilder fluentTest = new ToStringBuilder(null);
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
ToStringBuilder fluentBackflowTest = new ToStringBuilder(null);
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
ToStringBuilder fluentBackflowTest2 = new ToStringBuilder(null);
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
}
}
}

80
java/ql/test/library-tests/frameworks/apache-commons-lang3/TripleTest.java
View File

@@ -18,69 +18,69 @@ class TripleTest {
ImmutableTriple<String, String, String> taintedRight = ImmutableTriple.of("clean-left", "clean-middle", taint());
// Check flow through ImmutableTriples:
sink(taintedLeft.getLeft()); // $hasValueFlow
sink(taintedLeft.getLeft()); // $ hasValueFlow
sink(taintedLeft.getMiddle());
sink(taintedLeft.getRight());
sink(taintedLeft.left); // $hasValueFlow
sink(taintedLeft.left); // $ hasValueFlow
sink(taintedLeft.middle);
sink(taintedLeft.right);
sink(taintedMiddle.getLeft());
sink(taintedMiddle.getMiddle()); // $hasValueFlow
sink(taintedMiddle.getMiddle()); // $ hasValueFlow
sink(taintedMiddle.getRight());
sink(taintedMiddle.left);
sink(taintedMiddle.middle); // $hasValueFlow
sink(taintedMiddle.middle); // $ hasValueFlow
sink(taintedMiddle.right);
sink(taintedRight.getLeft());
sink(taintedRight.getMiddle());
sink(taintedRight.getRight()); // $hasValueFlow
sink(taintedRight.getRight()); // $ hasValueFlow
sink(taintedRight.left);
sink(taintedRight.middle);
sink(taintedRight.right); // $hasValueFlow
sink(taintedRight.right); // $ hasValueFlow
Triple<String, String, String> taintedLeft2 = taintedLeft;
Triple<String, String, String> taintedMiddle2 = taintedMiddle;
Triple<String, String, String> taintedRight2 = taintedRight;
// Check flow also works via an alias of type Triple:
sink(taintedLeft2.getLeft()); // $hasValueFlow
sink(taintedLeft2.getLeft()); // $ hasValueFlow
sink(taintedLeft2.getMiddle());
sink(taintedLeft2.getRight());
sink(taintedMiddle2.getLeft());
sink(taintedMiddle2.getMiddle()); // $hasValueFlow
sink(taintedMiddle2.getMiddle()); // $ hasValueFlow
sink(taintedMiddle2.getRight());
sink(taintedRight2.getLeft());
sink(taintedRight2.getMiddle());
sink(taintedRight2.getRight()); // $hasValueFlow
sink(taintedRight2.getRight()); // $ hasValueFlow
// Check flow via Triple.of:
Triple<String, String, String> taintedLeft3 = Triple.of(taint(), "clean-middle", "clean-right");
Triple<String, String, String> taintedMiddle3 = Triple.of("clean-left", taint(), "clean-right");
Triple<String, String, String> taintedRight3 = Triple.of("clean-left", "clean-middle", taint());
sink(taintedLeft3.getLeft()); // $hasValueFlow
sink(taintedLeft3.getLeft()); // $ hasValueFlow
sink(taintedLeft3.getMiddle());
sink(taintedLeft3.getRight());
sink(taintedMiddle3.getLeft());
sink(taintedMiddle3.getMiddle()); // $hasValueFlow
sink(taintedMiddle3.getMiddle()); // $ hasValueFlow
sink(taintedMiddle3.getRight());
sink(taintedRight3.getLeft());
sink(taintedRight3.getMiddle());
sink(taintedRight3.getRight()); // $hasValueFlow
sink(taintedRight3.getRight()); // $ hasValueFlow
// Check flow via constructor:
ImmutableTriple<String, String, String> taintedLeft4 = new ImmutableTriple(taint(), "clean-middle", "clean-right");
ImmutableTriple<String, String, String> taintedMiddle4 = new ImmutableTriple("clean-left", taint(), "clean-right");
ImmutableTriple<String, String, String> taintedRight4 = new ImmutableTriple("clean-left", "clean-middle", taint());
sink(taintedLeft4.getLeft()); // $hasValueFlow
sink(taintedLeft4.getLeft()); // $ hasValueFlow
sink(taintedLeft4.getMiddle());
sink(taintedLeft4.getRight());
sink(taintedMiddle4.getLeft());
sink(taintedMiddle4.getMiddle()); // $hasValueFlow
sink(taintedMiddle4.getMiddle()); // $ hasValueFlow
sink(taintedMiddle4.getRight());
sink(taintedRight4.getLeft());
sink(taintedRight4.getMiddle());
sink(taintedRight4.getRight()); // $hasValueFlow
sink(taintedRight4.getRight()); // $ hasValueFlow
MutableTriple<String, String, String> mutableTaintedLeft = MutableTriple.of(taint(), "clean-middle", "clean-right");
MutableTriple<String, String, String> mutableTaintedMiddle = MutableTriple.of("clean-left", taint(), "clean-right");
@@ -96,60 +96,60 @@ class TripleTest {
MutableTriple<String, String, String> mutableTaintedRightConstructed = new MutableTriple("clean-left", "clean-middle", taint());
// Check flow through MutableTriples:
sink(mutableTaintedLeft.getLeft()); // $hasValueFlow
sink(mutableTaintedLeft.getLeft()); // $ hasValueFlow
sink(mutableTaintedLeft.getMiddle());
sink(mutableTaintedLeft.getRight());
sink(mutableTaintedLeft.left); // $hasValueFlow
sink(mutableTaintedLeft.left); // $ hasValueFlow
sink(mutableTaintedLeft.middle);
sink(mutableTaintedLeft.right);
sink(mutableTaintedMiddle.getLeft());
sink(mutableTaintedMiddle.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddle.getMiddle()); // $ hasValueFlow
sink(mutableTaintedMiddle.getRight());
sink(mutableTaintedMiddle.left);
sink(mutableTaintedMiddle.middle); // $hasValueFlow
sink(mutableTaintedMiddle.middle); // $ hasValueFlow
sink(mutableTaintedMiddle.right);
sink(mutableTaintedRight.getLeft());
sink(mutableTaintedRight.getMiddle());
sink(mutableTaintedRight.getRight()); // $hasValueFlow
sink(mutableTaintedRight.getRight()); // $ hasValueFlow
sink(mutableTaintedRight.left);
sink(mutableTaintedRight.middle);
sink(mutableTaintedRight.right); // $hasValueFlow
sink(setTaintedLeft.getLeft()); // $hasValueFlow
sink(mutableTaintedRight.right); // $ hasValueFlow
sink(setTaintedLeft.getLeft()); // $ hasValueFlow
sink(setTaintedLeft.getMiddle());
sink(setTaintedLeft.getRight());
sink(setTaintedLeft.left); // $hasValueFlow
sink(setTaintedLeft.left); // $ hasValueFlow
sink(setTaintedLeft.middle);
sink(setTaintedLeft.right);
sink(setTaintedMiddle.getLeft());
sink(setTaintedMiddle.getMiddle()); // $hasValueFlow
sink(setTaintedMiddle.getMiddle()); // $ hasValueFlow
sink(setTaintedMiddle.getRight());
sink(setTaintedMiddle.left);
sink(setTaintedMiddle.middle); // $hasValueFlow
sink(setTaintedMiddle.middle); // $ hasValueFlow
sink(setTaintedMiddle.right);
sink(setTaintedRight.getLeft());
sink(setTaintedRight.getMiddle());
sink(setTaintedRight.getRight()); // $hasValueFlow
sink(setTaintedRight.getRight()); // $ hasValueFlow
sink(setTaintedRight.left);
sink(setTaintedRight.middle);
sink(setTaintedRight.right); // $hasValueFlow
sink(mutableTaintedLeftConstructed.getLeft()); // $hasValueFlow
sink(setTaintedRight.right); // $ hasValueFlow
sink(mutableTaintedLeftConstructed.getLeft()); // $ hasValueFlow
sink(mutableTaintedLeftConstructed.getMiddle());
sink(mutableTaintedLeftConstructed.getRight());
sink(mutableTaintedLeftConstructed.left); // $hasValueFlow
sink(mutableTaintedLeftConstructed.left); // $ hasValueFlow
sink(mutableTaintedLeftConstructed.middle);
sink(mutableTaintedLeftConstructed.right);
sink(mutableTaintedMiddleConstructed.getLeft());
sink(mutableTaintedMiddleConstructed.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddleConstructed.getMiddle()); // $ hasValueFlow
sink(mutableTaintedMiddleConstructed.getRight());
sink(mutableTaintedMiddleConstructed.left);
sink(mutableTaintedMiddleConstructed.middle); // $hasValueFlow
sink(mutableTaintedMiddleConstructed.middle); // $ hasValueFlow
sink(mutableTaintedMiddleConstructed.right);
sink(mutableTaintedRightConstructed.getLeft());
sink(mutableTaintedRightConstructed.getMiddle());
sink(mutableTaintedRightConstructed.getRight()); // $hasValueFlow
sink(mutableTaintedRightConstructed.getRight()); // $ hasValueFlow
sink(mutableTaintedRightConstructed.left);
sink(mutableTaintedRightConstructed.middle);
sink(mutableTaintedRightConstructed.right); // $hasValueFlow
sink(mutableTaintedRightConstructed.right); // $ hasValueFlow
Triple<String, String, String> mutableTaintedLeft2 = mutableTaintedLeft;
Triple<String, String, String> mutableTaintedMiddle2 = mutableTaintedMiddle;
@@ -159,23 +159,23 @@ class TripleTest {
Triple<String, String, String> setTaintedRight2 = setTaintedRight;
// Check flow also works via an alias of type Triple:
sink(mutableTaintedLeft2.getLeft()); // $hasValueFlow
sink(mutableTaintedLeft2.getLeft()); // $ hasValueFlow
sink(mutableTaintedLeft2.getMiddle());
sink(mutableTaintedLeft2.getRight());
sink(mutableTaintedMiddle2.getLeft());
sink(mutableTaintedMiddle2.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddle2.getMiddle()); // $ hasValueFlow
sink(mutableTaintedMiddle2.getRight());
sink(mutableTaintedRight2.getLeft());
sink(mutableTaintedRight2.getMiddle());
sink(mutableTaintedRight2.getRight()); // $hasValueFlow
sink(setTaintedLeft2.getLeft()); // $hasValueFlow
sink(mutableTaintedRight2.getRight()); // $ hasValueFlow
sink(setTaintedLeft2.getLeft()); // $ hasValueFlow
sink(setTaintedLeft2.getMiddle());
sink(setTaintedLeft2.getRight());
sink(setTaintedMiddle2.getLeft());
sink(setTaintedMiddle2.getMiddle()); // $hasValueFlow
sink(setTaintedMiddle2.getMiddle()); // $ hasValueFlow
sink(setTaintedMiddle2.getRight());
sink(setTaintedRight2.getLeft());
sink(setTaintedRight2.getMiddle());
sink(setTaintedRight2.getRight()); // $hasValueFlow
sink(setTaintedRight2.getRight()); // $ hasValueFlow
}
}
}

28
java/ql/test/library-tests/frameworks/apache-commons-lang3/WordUtilsTest.java
View File

@@ -6,20 +6,20 @@ public class WordUtilsTest {
void sink(Object o) {}
void test() throws Exception {
sink(WordUtils.capitalize(taint())); // $hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.initials(taint())); // $hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.swapCase(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $hasTaintFlow
sink(WordUtils.capitalize(taint())); // $ hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.initials(taint())); // $ hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.swapCase(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $ hasTaintFlow
// GOOD: the wrap-on line terminator does not propagate to the return value
sink(WordUtils.wrap("wrap me", 0, "\n", false, taint()));
}

32
java/ql/test/library-tests/frameworks/apache-commons-lang3/WordUtilsTextTest.java
View File

@@ -6,22 +6,22 @@ public class WordUtilsTextTest {
void sink(Object o) {}
void test() throws Exception {
sink(WordUtils.abbreviate(taint(), 0, 0, "append me")); // $hasTaintFlow
sink(WordUtils.abbreviate("abbreviate me", 0, 0, taint())); // $hasTaintFlow
sink(WordUtils.capitalize(taint())); // $hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.initials(taint())); // $hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.swapCase(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $hasTaintFlow
sink(WordUtils.abbreviate(taint(), 0, 0, "append me")); // $ hasTaintFlow
sink(WordUtils.abbreviate("abbreviate me", 0, 0, taint())); // $ hasTaintFlow
sink(WordUtils.capitalize(taint())); // $ hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.initials(taint())); // $ hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.swapCase(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $ hasTaintFlow
// GOOD: the wrap-on line terminator does not propagate to the return value
sink(WordUtils.wrap("wrap me", 0, "\n", false, taint()));
}

70
java/ql/test/library-tests/frameworks/apache-http/A.java
View File

@@ -12,54 +12,54 @@ class A {
class Test1 implements HttpRequestHandler {
public void handle(HttpRequest req, HttpResponse res, HttpContext ctx) throws IOException {
A.sink(req.getRequestLine()); //$hasTaintFlow
A.sink(req.getRequestLine().getUri()); //$hasTaintFlow
A.sink(req.getRequestLine().getMethod()); //$hasTaintFlow
A.sink(req.getAllHeaders()); //$hasTaintFlow
A.sink(req.getRequestLine()); // $ hasTaintFlow
A.sink(req.getRequestLine().getUri()); // $ hasTaintFlow
A.sink(req.getRequestLine().getMethod()); // $ hasTaintFlow
A.sink(req.getAllHeaders()); // $ hasTaintFlow
HeaderIterator it = req.headerIterator();
A.sink(it.next()); //$hasTaintFlow
A.sink(it.nextHeader()); //$hasTaintFlow
A.sink(it.next()); // $ hasTaintFlow
A.sink(it.nextHeader()); // $ hasTaintFlow
Header h = req.getHeaders("abc")[3];
A.sink(h.getName()); //$hasTaintFlow
A.sink(h.getValue()); //$hasTaintFlow
A.sink(h.getName()); // $ hasTaintFlow
A.sink(h.getValue()); // $ hasTaintFlow
HeaderElement el = h.getElements()[0];
A.sink(el.getName()); //$hasTaintFlow
A.sink(el.getValue()); //$hasTaintFlow
A.sink(el.getParameters()); //$hasTaintFlow
A.sink(el.getParameterByName("abc").getValue()); //$hasTaintFlow
A.sink(el.getParameter(0).getName()); //$hasTaintFlow
A.sink(el.getName()); // $ hasTaintFlow
A.sink(el.getValue()); // $ hasTaintFlow
A.sink(el.getParameters()); // $ hasTaintFlow
A.sink(el.getParameterByName("abc").getValue()); // $ hasTaintFlow
A.sink(el.getParameter(0).getName()); // $ hasTaintFlow
HttpEntity ent = ((HttpEntityEnclosingRequest)req).getEntity();
A.sink(ent.getContent()); //$hasTaintFlow
A.sink(ent.getContentEncoding()); //$hasTaintFlow
A.sink(ent.getContentType()); //$hasTaintFlow
A.sink(EntityUtils.toString(ent)); //$hasTaintFlow
A.sink(EntityUtils.toByteArray(ent)); //$hasTaintFlow
A.sink(EntityUtils.getContentCharSet(ent)); //$hasTaintFlow
A.sink(EntityUtils.getContentMimeType(ent)); //$hasTaintFlow
res.setEntity(new StringEntity("<a href='" + req.getRequestLine().getUri() + "'>a</a>")); //$hasTaintFlow
EntityUtils.updateEntity(res, new ByteArrayEntity(EntityUtils.toByteArray(ent))); //$hasTaintFlow
res.setHeader("Location", req.getRequestLine().getUri()); //$hasTaintFlow
res.setHeader(new BasicHeader("Location", req.getRequestLine().getUri())); //$hasTaintFlow
A.sink(ent.getContent()); // $ hasTaintFlow
A.sink(ent.getContentEncoding()); // $ hasTaintFlow
A.sink(ent.getContentType()); // $ hasTaintFlow
A.sink(EntityUtils.toString(ent)); // $ hasTaintFlow
A.sink(EntityUtils.toByteArray(ent)); // $ hasTaintFlow
A.sink(EntityUtils.getContentCharSet(ent)); // $ hasTaintFlow
A.sink(EntityUtils.getContentMimeType(ent)); // $ hasTaintFlow
res.setEntity(new StringEntity("<a href='" + req.getRequestLine().getUri() + "'>a</a>")); // $ hasTaintFlow
EntityUtils.updateEntity(res, new ByteArrayEntity(EntityUtils.toByteArray(ent))); // $ hasTaintFlow
res.setHeader("Location", req.getRequestLine().getUri()); // $ hasTaintFlow
res.setHeader(new BasicHeader("Location", req.getRequestLine().getUri())); // $ hasTaintFlow
}
}
void test2() {
ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
bbuf.append((byte[]) taint(), 0, 3);
sink(bbuf.buffer()); //$hasTaintFlow
sink(bbuf.toByteArray()); //$hasTaintFlow
sink(bbuf.buffer()); // $ hasTaintFlow
sink(bbuf.toByteArray()); // $ hasTaintFlow
CharArrayBuffer cbuf = new CharArrayBuffer(42);
cbuf.append(bbuf.toByteArray(), 0, 3);
sink(cbuf.toCharArray()); //$hasTaintFlow
sink(cbuf.toString()); //$hasTaintFlow
sink(cbuf.subSequence(0, 3)); //$hasTaintFlow
sink(cbuf.substring(0, 3)); //$hasTaintFlow
sink(cbuf.substringTrimmed(0, 3)); //$hasTaintFlow
sink(cbuf.toCharArray()); // $ hasTaintFlow
sink(cbuf.toString()); // $ hasTaintFlow
sink(cbuf.subSequence(0, 3)); // $ hasTaintFlow
sink(cbuf.substring(0, 3)); // $ hasTaintFlow
sink(cbuf.substringTrimmed(0, 3)); // $ hasTaintFlow
sink(Args.notNull(taint(), "x")); //$hasTaintFlow
sink(Args.notEmpty((String) taint(), "x")); //$hasTaintFlow
sink(Args.notBlank((String) taint(), "x")); //$hasTaintFlow
sink(Args.notNull(taint(), "x")); // $ hasTaintFlow
sink(Args.notEmpty((String) taint(), "x")); // $ hasTaintFlow
sink(Args.notBlank((String) taint(), "x")); // $ hasTaintFlow
sink(Args.notNull("x", (String) taint())); // Good
}
}
}

86
java/ql/test/library-tests/frameworks/apache-http/B.java
View File

@@ -14,63 +14,63 @@ class B {
class Test1 implements HttpRequestHandler {
public void handle(ClassicHttpRequest req, ClassicHttpResponse res, HttpContext ctx) throws IOException, ParseException {
B.sink(req.getAuthority().getHostName()); //$hasTaintFlow
B.sink(req.getAuthority().toString()); //$hasTaintFlow
B.sink(req.getMethod()); //$hasTaintFlow
B.sink(req.getPath()); //$hasTaintFlow
B.sink(req.getScheme());
B.sink(req.getRequestUri()); //$hasTaintFlow
B.sink(req.getAuthority().getHostName()); // $ hasTaintFlow
B.sink(req.getAuthority().toString()); // $ hasTaintFlow
B.sink(req.getMethod()); // $ hasTaintFlow
B.sink(req.getPath()); // $ hasTaintFlow
B.sink(req.getScheme());
B.sink(req.getRequestUri()); // $ hasTaintFlow
RequestLine line = new RequestLine(req);
B.sink(line.getUri()); //$hasTaintFlow
B.sink(line.getMethod()); //$hasTaintFlow
B.sink(req.getHeaders()); //$hasTaintFlow
B.sink(req.headerIterator()); //$hasTaintFlow
B.sink(line.getUri()); // $ hasTaintFlow
B.sink(line.getMethod()); // $ hasTaintFlow
B.sink(req.getHeaders()); // $ hasTaintFlow
B.sink(req.headerIterator()); // $ hasTaintFlow
Header h = req.getHeaders("abc")[3];
B.sink(h.getName()); //$hasTaintFlow
B.sink(h.getValue()); //$hasTaintFlow
B.sink(req.getFirstHeader("abc")); //$hasTaintFlow
B.sink(req.getLastHeader("abc")); //$hasTaintFlow
B.sink(h.getName()); // $ hasTaintFlow
B.sink(h.getValue()); // $ hasTaintFlow
B.sink(req.getFirstHeader("abc")); // $ hasTaintFlow
B.sink(req.getLastHeader("abc")); // $ hasTaintFlow
HttpEntity ent = req.getEntity();
B.sink(ent.getContent()); //$hasTaintFlow
B.sink(ent.getContentEncoding()); //$hasTaintFlow
B.sink(ent.getContentType()); //$hasTaintFlow
B.sink(ent.getTrailerNames()); //$hasTaintFlow
B.sink(ent.getTrailers().get()); //$hasTaintFlow
B.sink(EntityUtils.toString(ent)); //$hasTaintFlow
B.sink(EntityUtils.toByteArray(ent)); //$hasTaintFlow
B.sink(EntityUtils.parse(ent)); //$hasTaintFlow
res.setEntity(new StringEntity("<a href='" + req.getRequestUri() + "'>a</a>")); //$hasTaintFlow
res.setEntity(new ByteArrayEntity(EntityUtils.toByteArray(ent), ContentType.TEXT_HTML)); //$hasTaintFlow
res.setEntity(HttpEntities.create("<a href='" + req.getRequestUri() + "'>a</a>")); //$hasTaintFlow
res.setHeader("Location", req.getRequestUri()); //$hasTaintFlow
res.setHeader(new BasicHeader("Location", req.getRequestUri())); //$hasTaintFlow
B.sink(ent.getContent()); // $ hasTaintFlow
B.sink(ent.getContentEncoding()); // $ hasTaintFlow
B.sink(ent.getContentType()); // $ hasTaintFlow
B.sink(ent.getTrailerNames()); // $ hasTaintFlow
B.sink(ent.getTrailers().get()); // $ hasTaintFlow
B.sink(EntityUtils.toString(ent)); // $ hasTaintFlow
B.sink(EntityUtils.toByteArray(ent)); // $ hasTaintFlow
B.sink(EntityUtils.parse(ent)); // $ hasTaintFlow
res.setEntity(new StringEntity("<a href='" + req.getRequestUri() + "'>a</a>")); // $ hasTaintFlow
res.setEntity(new ByteArrayEntity(EntityUtils.toByteArray(ent), ContentType.TEXT_HTML)); // $ hasTaintFlow
res.setEntity(HttpEntities.create("<a href='" + req.getRequestUri() + "'>a</a>")); // $ hasTaintFlow
res.setHeader("Location", req.getRequestUri()); // $ hasTaintFlow
res.setHeader(new BasicHeader("Location", req.getRequestUri())); // $ hasTaintFlow
}
}
void test2() {
ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
bbuf.append((byte[]) taint(), 0, 3);
sink(bbuf.array()); //$hasTaintFlow
sink(bbuf.toByteArray()); //$hasTaintFlow
sink(bbuf.toString());
bbuf.append((byte[]) taint(), 0, 3);
sink(bbuf.array()); // $ hasTaintFlow
sink(bbuf.toByteArray()); // $ hasTaintFlow
sink(bbuf.toString());
CharArrayBuffer cbuf = new CharArrayBuffer(42);
cbuf.append(bbuf.toByteArray(), 0, 3);
sink(cbuf.toCharArray()); //$hasTaintFlow
sink(cbuf.toString()); //$hasTaintFlow
sink(cbuf.subSequence(0, 3)); //$hasTaintFlow
sink(cbuf.substring(0, 3)); //$hasTaintFlow
sink(cbuf.substringTrimmed(0, 3)); //$hasTaintFlow
cbuf.append(bbuf.toByteArray(), 0, 3);
sink(cbuf.toCharArray()); // $ hasTaintFlow
sink(cbuf.toString()); // $ hasTaintFlow
sink(cbuf.subSequence(0, 3)); // $ hasTaintFlow
sink(cbuf.substring(0, 3)); // $ hasTaintFlow
sink(cbuf.substringTrimmed(0, 3)); // $ hasTaintFlow
sink(Args.notNull(taint(), "x")); //$hasTaintFlow
sink(Args.notEmpty((String) taint(), "x")); //$hasTaintFlow
sink(Args.notBlank((String) taint(), "x")); //$hasTaintFlow
sink(Args.notNull("x", (String) taint()));
sink(Args.notNull(taint(), "x")); // $ hasTaintFlow
sink(Args.notEmpty((String) taint(), "x")); // $ hasTaintFlow
sink(Args.notBlank((String) taint(), "x")); // $ hasTaintFlow
sink(Args.notNull("x", (String) taint()));
}
class Test3 implements HttpServerRequestHandler {
public void handle(ClassicHttpRequest req, HttpServerRequestHandler.ResponseTrigger restr, HttpContext ctx) throws HttpException, IOException {
B.sink(req.getEntity()); //$hasTaintFlow
B.sink(req.getEntity()); // $ hasTaintFlow
}
}
}
}

92
java/ql/test/library-tests/frameworks/guava/handwritten/TestBase.java
View File

@@ -13,13 +13,13 @@ class TestBase {
void test1() {
String x = taint();
sink(Strings.padStart(x, 10, ' ')); // $numTaintFlow=1
sink(Strings.padEnd(x, 10, ' ')); // $numTaintFlow=1
sink(Strings.repeat(x, 3)); // $numTaintFlow=1
sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numValueFlow=1
sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
sink(Strings.commonPrefix(x, "abc"));
sink(Strings.commonSuffix(x, "cde"));
sink(Strings.padStart(x, 10, ' ')); // $ numTaintFlow=1
sink(Strings.padEnd(x, 10, ' ')); // $ numTaintFlow=1
sink(Strings.repeat(x, 3)); // $ numTaintFlow=1
sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $ numValueFlow=1
sink(Strings.lenientFormat(x, 3)); // $ numTaintFlow=1
sink(Strings.commonPrefix(x, "abc"));
sink(Strings.commonSuffix(x, "cde"));
sink(Strings.lenientFormat("%s = %s", x, 3)); // $ numTaintFlow=1
}
@@ -28,10 +28,10 @@ class TestBase {
Splitter s = Splitter.on(x).omitEmptyStrings();
sink(s.split("x y z"));
sink(s.split(x)); // $numTaintFlow=1
sink(s.splitToList(x)); // $numTaintFlow=1
sink(s.split(x)); // $ numTaintFlow=1
sink(s.splitToList(x)); // $ numTaintFlow=1
sink(s.withKeyValueSeparator("=").split("a=b"));
sink(s.withKeyValueSeparator("=").split(x)); // $numTaintFlow=1
sink(s.withKeyValueSeparator("=").split(x)); // $ numTaintFlow=1
}
void test3() {
@@ -42,68 +42,68 @@ class TestBase {
StringBuilder sb = new StringBuilder();
sink(safeJoiner.appendTo(sb, "a", "b", "c"));
sink(sb.toString());
sink(taintedJoiner.appendTo(sb, "a", "b", "c")); // $numTaintFlow=1
sink(sb.toString()); // $numTaintFlow=1
sink(safeJoiner.appendTo(sb, "a", "b", "c")); // $numTaintFlow=1
sink(sb.toString()); // $numTaintFlow=1
sink(taintedJoiner.appendTo(sb, "a", "b", "c")); // $ numTaintFlow=1
sink(sb.toString()); // $ numTaintFlow=1
sink(safeJoiner.appendTo(sb, "a", "b", "c")); // $ numTaintFlow=1
sink(sb.toString()); // $ numTaintFlow=1
sb = new StringBuilder();
sink(safeJoiner.appendTo(sb, x, x)); // $numTaintFlow=1
sink(safeJoiner.appendTo(sb, x, x)); // $ numTaintFlow=1
Map<String, String> m = new HashMap<String, String>();
m.put("k", "v");
sink(safeJoiner.withKeyValueSeparator("=").join(m));
sink(safeJoiner.withKeyValueSeparator(x).join(m)); // $numTaintFlow=1
sink(taintedJoiner.useForNull("(null)").withKeyValueSeparator("=").join(m)); // $numTaintFlow=1
sink(safeJoiner.withKeyValueSeparator(x).join(m)); // $ numTaintFlow=1
sink(taintedJoiner.useForNull("(null)").withKeyValueSeparator("=").join(m)); // $ numTaintFlow=1
m.put("k2", x);
sink(safeJoiner.withKeyValueSeparator("=").join(m)); // $numTaintFlow=1
sink(safeJoiner.withKeyValueSeparator("=").join(m)); // $ numTaintFlow=1
}
void test4() {
sink(Preconditions.checkNotNull(taint())); // $numValueFlow=1
sink(Verify.verifyNotNull(taint())); // $numValueFlow=1
sink(Preconditions.checkNotNull(taint())); // $ numValueFlow=1
sink(Verify.verifyNotNull(taint())); // $ numValueFlow=1
}
void test5() {
sink(Ascii.toLowerCase(taint())); // $numTaintFlow=1
sink(Ascii.toUpperCase(taint())); // $numTaintFlow=1
sink(Ascii.truncate(taint(), 3, "...")); // $numTaintFlow=1
sink(Ascii.truncate("abcabcabc", 3, taint())); // $numTaintFlow=1
sink(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, taint())); // $numTaintFlow=1
sink(CaseFormat.LOWER_HYPHEN.converterTo(CaseFormat.UPPER_CAMEL).convert(taint())); // $numTaintFlow=1
sink(CaseFormat.LOWER_UNDERSCORE.converterTo(CaseFormat.LOWER_HYPHEN).reverse().convert(taint())); // $numTaintFlow=1
sink(Ascii.toLowerCase(taint())); // $ numTaintFlow=1
sink(Ascii.toUpperCase(taint())); // $ numTaintFlow=1
sink(Ascii.truncate(taint(), 3, "...")); // $ numTaintFlow=1
sink(Ascii.truncate("abcabcabc", 3, taint())); // $ numTaintFlow=1
sink(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, taint())); // $ numTaintFlow=1
sink(CaseFormat.LOWER_HYPHEN.converterTo(CaseFormat.UPPER_CAMEL).convert(taint())); // $ numTaintFlow=1
sink(CaseFormat.LOWER_UNDERSCORE.converterTo(CaseFormat.LOWER_HYPHEN).reverse().convert(taint())); // $ numTaintFlow=1
}
void test6() {
sink(Suppliers.memoize(Suppliers.memoizeWithExpiration(Suppliers.synchronizedSupplier(Suppliers.ofInstance(taint())), 3, TimeUnit.HOURS)).get()); // $numTaintFlow=1
sink(Suppliers.memoize(Suppliers.memoizeWithExpiration(Suppliers.synchronizedSupplier(Suppliers.ofInstance(taint())), 3, TimeUnit.HOURS)).get()); // $ numTaintFlow=1
}
void test7() {
sink(MoreObjects.firstNonNull(taint(), taint())); // $numValueFlow=2
sink(MoreObjects.firstNonNull(null, taint())); // $numValueFlow=1
sink(MoreObjects.firstNonNull(taint(), null)); // $numValueFlow=1
sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
sink(MoreObjects.firstNonNull(taint(), taint())); // $ numValueFlow=2
sink(MoreObjects.firstNonNull(null, taint())); // $ numValueFlow=1
sink(MoreObjects.firstNonNull(taint(), null)); // $ numValueFlow=1
sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $ numTaintFlow=1
sink(MoreObjects.toStringHelper((Object) taint()).toString());
sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
sink(MoreObjects.toStringHelper("a").add("x", taint()).toString()); // $numTaintFlow=1
sink(MoreObjects.toStringHelper("a").addValue(taint()).toString()); // $numTaintFlow=1
sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $ numTaintFlow=1
sink(MoreObjects.toStringHelper("a").add("x", taint()).toString()); // $ numTaintFlow=1
sink(MoreObjects.toStringHelper("a").addValue(taint()).toString()); // $ numTaintFlow=1
MoreObjects.ToStringHelper h = MoreObjects.toStringHelper("a");
h.add("x", 3).add(taint(), 4);
sink(h.add("z",5).toString()); // $numTaintFlow=1
sink(h.add("z",5).toString()); // $ numTaintFlow=1
}
void test8() {
Optional<String> x = Optional.of(taint());
sink(x); // no flow
sink(x.get()); // $numValueFlow=1
sink(x.or("hi")); // $numValueFlow=1
sink(x.orNull()); // $numValueFlow=1
sink(x.asSet().toArray()[0]); // $numValueFlow=1
sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $numValueFlow=1
sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $numValueFlow=1
sink(Optional.fromNullable(taint()).get()); // $numValueFlow=1
sink(Optional.absent().or(x).get()); // $numValueFlow=1
sink(Optional.absent().or(taint())); // $numValueFlow=1
sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $numValueFlow=1
sink(x.get()); // $ numValueFlow=1
sink(x.or("hi")); // $ numValueFlow=1
sink(x.orNull()); // $ numValueFlow=1
sink(x.asSet().toArray()[0]); // $ numValueFlow=1
sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $ numValueFlow=1
sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $ numValueFlow=1
sink(Optional.fromNullable(taint()).get()); // $ numValueFlow=1
sink(Optional.absent().or(x).get()); // $ numValueFlow=1
sink(Optional.absent().or(taint())); // $ numValueFlow=1
sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $ numValueFlow=1
}
}

82
java/ql/test/library-tests/frameworks/guava/handwritten/TestCollect.java
View File

@@ -47,25 +47,25 @@ class TestCollect {
String x = taint();
ImmutableSet<String> xs = ImmutableSet.of(x, "y", "z");
sink(element(xs.asList())); // $numValueFlow=1
sink(element(xs.asList())); // $ numValueFlow=1
ImmutableSet<String> ys = ImmutableSet.of("a", "b", "c");
sink(element(Sets.filter(Sets.union(xs, ys), y -> true))); // $numValueFlow=1
sink(element(Sets.filter(Sets.union(xs, ys), y -> true))); // $ numValueFlow=1
sink(element(Sets.newHashSet("a", "b", "c", "d", x))); // $numValueFlow=1
sink(element(Sets.newHashSet("a", "b", "c", "d", x))); // $ numValueFlow=1
}
void test2() {
sink(element(ImmutableList.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $numValueFlow=16
sink(element(ImmutableSet.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $numValueFlow=16
sink(mapKey(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(mapValue(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(multimapKey(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(multimapValue(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(tableRow(ImmutableTable.of(taint(), taint(), taint()))); // $numValueFlow=1
sink(tableColumn(ImmutableTable.of(taint(), taint(), taint()))); // $numValueFlow=1
sink(tableValue(ImmutableTable.of(taint(), taint(), taint()))); // $numValueFlow=1
sink(element(ImmutableList.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $ numValueFlow=16
sink(element(ImmutableSet.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $ numValueFlow=16
sink(mapKey(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(mapValue(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(multimapKey(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(multimapValue(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(tableRow(ImmutableTable.of(taint(), taint(), taint()))); // $ numValueFlow=1
sink(tableColumn(ImmutableTable.of(taint(), taint(), taint()))); // $ numValueFlow=1
sink(tableValue(ImmutableTable.of(taint(), taint(), taint()))); // $ numValueFlow=1
}
void test3() {
@@ -76,60 +76,60 @@ class TestCollect {
b.add("a");
sink(b);
b.add(x);
sink(element(b.build())); // $numValueFlow=1
sink(element(b.build())); // $ numValueFlow=1
b = ImmutableList.builder();
b.add("a").add(x);
sink(element(b.build())); // $numValueFlow=1
sink(element(b.build())); // $ numValueFlow=1
sink(ImmutableList.builder().add("a").add(x).build().toArray()[0]); // $numValueFlow=1
sink(ImmutableList.builder().add("a").add(x).build().toArray()[0]); // $ numValueFlow=1
ImmutableMap.Builder<String, String> b2 = ImmutableMap.builder();
b2.put(x,"v");
sink(mapKey(b2.build())); // $numValueFlow=1
sink(mapKey(b2.build())); // $ numValueFlow=1
b2.put("k",x);
sink(mapValue(b2.build())); // $numValueFlow=1
sink(mapValue(b2.build())); // $ numValueFlow=1
}
void test4(Table<String, String, String> t1, Table<String, String, String> t2, Table<String, String, String> t3) {
String x = taint();
t1.put(x, "c", "v");
sink(tableRow(t1)); // $numValueFlow=1
sink(tableRow(t1)); // $ numValueFlow=1
t1.put("r", x, "v");
sink(tableColumn(t1)); // $numValueFlow=1
sink(tableColumn(t1)); // $ numValueFlow=1
t1.put("r", "c", x);
sink(tableValue(t1)); // $numValueFlow=1
sink(mapKey(t1.row("r"))); // $numValueFlow=1
sink(mapValue(t1.row("r"))); // $numValueFlow=1
sink(tableValue(t1)); // $ numValueFlow=1
sink(mapKey(t1.row("r"))); // $ numValueFlow=1
sink(mapValue(t1.row("r"))); // $ numValueFlow=1
t2.putAll(t1);
for (Table.Cell<String,String,String> c : t2.cellSet()) {
sink(c.getValue()); // $numValueFlow=1
sink(c.getValue()); // $ numValueFlow=1
}
sink(t1.remove("r", "c")); // $numValueFlow=1
sink(t1.remove("r", "c")); // $ numValueFlow=1
t3.row("r").put("c", x);
sink(tableValue(t3)); // $ MISSING:numValueFlow=1 // depends on aliasing
}
void test5(Multimap<String, String> m1, Multimap<String, String> m2, Multimap<String, String> m3,
void test5(Multimap<String, String> m1, Multimap<String, String> m2, Multimap<String, String> m3,
Multimap<String, String> m4, Multimap<String, String> m5){
String x = taint();
m1.put("k", x);
sink(multimapValue(m1)); // $numValueFlow=1
sink(element(m1.get("k"))); // $numValueFlow=1
sink(multimapValue(m1)); // $ numValueFlow=1
sink(element(m1.get("k"))); // $ numValueFlow=1
m2.putAll("k", ImmutableList.of("a", x, "b"));
sink(multimapValue(m2)); // $numValueFlow=1
sink(multimapValue(m2)); // $ numValueFlow=1
m3.putAll(m1);
sink(multimapValue(m3)); // $numValueFlow=1
sink(multimapValue(m3)); // $ numValueFlow=1
m4.replaceValues("k", m1.replaceValues("k", ImmutableList.of("a")));
for (Map.Entry<String, String> e : m4.entries()) {
sink(e.getValue()); // $numValueFlow=1
sink(e.getValue()); // $ numValueFlow=1
}
m5.asMap().get("k").add(x);
@@ -139,23 +139,23 @@ class TestCollect {
void test6(Comparator<String> comp, SortedSet<String> sorS, SortedMap<String, String> sorM) {
ImmutableSortedSet<String> s = ImmutableSortedSet.of(taint());
sink(element(s)); // $numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(s))); // $numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(comp, s))); // $numValueFlow=1
sink(element(s)); // $ numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(s))); // $ numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(comp, s))); // $ numValueFlow=1
sorS.add(taint());
sink(element(ImmutableSortedSet.copyOfSorted(sorS))); // $numValueFlow=1
sink(element(ImmutableSortedSet.copyOfSorted(sorS))); // $ numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(s))); // $numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(comp, s))); // $numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(s))); // $ numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(comp, s))); // $ numValueFlow=1
ImmutableSortedMap<String, String> m = ImmutableSortedMap.of("k", taint());
sink(mapValue(m)); // $numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m))); // $numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m, comp))); // $numValueFlow=1
sink(mapValue(m)); // $ numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m))); // $ numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m, comp))); // $ numValueFlow=1
sorM.put("k", taint());
sink(mapValue(ImmutableSortedMap.copyOfSorted(sorM))); // $numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOfSorted(sorM))); // $ numValueFlow=1
}
}

108
java/ql/test/library-tests/frameworks/guava/handwritten/TestIO.java
View File

@@ -28,43 +28,43 @@ class TestIO {
void test1() {
BaseEncoding enc = BaseEncoding.base64();
sink(enc.decode(staint())); // $numTaintFlow=1
sink(enc.encode(btaint())); // $numTaintFlow=1
sink(enc.encode(btaint(), 0, 42)); // $numTaintFlow=1
sink(enc.decodingStream(rtaint())); // $numTaintFlow=1
sink(enc.decodingSource(CharSource.wrap(staint()))); // $numTaintFlow=1
sink(enc.withSeparator(staint(), 10).omitPadding().lowerCase().decode("abc")); // $numTaintFlow=1
sink(enc.decode(staint())); // $ numTaintFlow=1
sink(enc.encode(btaint())); // $ numTaintFlow=1
sink(enc.encode(btaint(), 0, 42)); // $ numTaintFlow=1
sink(enc.decodingStream(rtaint())); // $ numTaintFlow=1
sink(enc.decodingSource(CharSource.wrap(staint()))); // $ numTaintFlow=1
sink(enc.withSeparator(staint(), 10).omitPadding().lowerCase().decode("abc")); // $ numTaintFlow=1
}
void test2() throws IOException {
ByteSource b = ByteSource.wrap(btaint());
sink(b.openStream()); // $numTaintFlow=1
sink(b.openBufferedStream()); // $numTaintFlow=1
sink(b.asCharSource(null)); // $numTaintFlow=1
sink(b.slice(42,1337)); // $numTaintFlow=1
sink(b.read()); // $numTaintFlow=1
sink(ByteSource.concat(ByteSource.empty(), ByteSource.empty(), b)); // $numTaintFlow=1
sink(ByteSource.concat(ImmutableList.of(ByteSource.empty(), ByteSource.empty(), b))); // $numTaintFlow=1
sink(b.openStream()); // $ numTaintFlow=1
sink(b.openBufferedStream()); // $ numTaintFlow=1
sink(b.asCharSource(null)); // $ numTaintFlow=1
sink(b.slice(42,1337)); // $ numTaintFlow=1
sink(b.read()); // $ numTaintFlow=1
sink(ByteSource.concat(ByteSource.empty(), ByteSource.empty(), b)); // $ numTaintFlow=1
sink(ByteSource.concat(ImmutableList.of(ByteSource.empty(), ByteSource.empty(), b))); // $ numTaintFlow=1
sink(b.read(new MyByteProcessor())); // $ MISSING:numTaintFlow=1
ByteArrayOutputStream out = new ByteArrayOutputStream();
b.copyTo(out);
sink(out.toByteArray()); // $numTaintFlow=1
sink(out.toByteArray()); // $ numTaintFlow=1
CharSource c = CharSource.wrap(staint());
sink(c.openStream()); // $numTaintFlow=1
sink(c.openBufferedStream()); // $numTaintFlow=1
sink(c.asByteSource(null)); // $numTaintFlow=1
sink(c.readFirstLine()); // $numTaintFlow=1
sink(c.readLines()); // $numTaintFlow=1
sink(c.read()); // $numTaintFlow=1
sink(c.lines()); // $numTaintFlow=1
sink(CharSource.concat(CharSource.empty(), CharSource.empty(), c)); // $numTaintFlow=1
sink(CharSource.concat(ImmutableList.of(CharSource.empty(), CharSource.empty(), c))); // $numTaintFlow=1
sink(c.openStream()); // $ numTaintFlow=1
sink(c.openBufferedStream()); // $ numTaintFlow=1
sink(c.asByteSource(null)); // $ numTaintFlow=1
sink(c.readFirstLine()); // $ numTaintFlow=1
sink(c.readLines()); // $ numTaintFlow=1
sink(c.read()); // $ numTaintFlow=1
sink(c.lines()); // $ numTaintFlow=1
sink(CharSource.concat(CharSource.empty(), CharSource.empty(), c)); // $ numTaintFlow=1
sink(CharSource.concat(ImmutableList.of(CharSource.empty(), CharSource.empty(), c))); // $ numTaintFlow=1
sink(c.readLines(new MyLineProcessor())); // $ MISSING:numTaintFlow=1
c.forEachLine(l -> sink(l)); // $ MISSING:numTaintFlow=1
StringBuffer buf = new StringBuffer();
c.copyTo(buf);
sink(buf); // $numTaintFlow=1
sink(buf); // $ numTaintFlow=1
}
class MyByteProcessor implements ByteProcessor<Object> {
@@ -83,59 +83,59 @@ class TestIO {
{
ByteArrayOutputStream out = new ByteArrayOutputStream();
ByteStreams.copy(itaint(), out);
sink(out); // $numTaintFlow=1
sink(out); // $ numTaintFlow=1
}
{
WritableByteChannel out = FileChannel.open(Paths.get("/tmp/xyz"));
ByteStreams.copy(rbctaint(), out);
sink(out); // $numTaintFlow=1
sink(out); // $ numTaintFlow=1
}
sink(ByteStreams.limit(itaint(), 1337)); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint(), 0)); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint()).readLine()); // $numTaintFlow=1
sink(ByteStreams.newDataInput(new ByteArrayInputStream(btaint()))); // $numTaintFlow=1
sink(ByteStreams.limit(itaint(), 1337)); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint(), 0)); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint()).readLine()); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(new ByteArrayInputStream(btaint()))); // $ numTaintFlow=1
ByteArrayOutputStream out = new ByteArrayOutputStream();
out.write(btaint());
sink(ByteStreams.newDataOutput(out)); // $numTaintFlow=1
sink(ByteStreams.newDataOutput(out)); // $ numTaintFlow=1
byte[] b1 = null, b2 = null, b3 = null;
ByteStreams.read(itaint(), b1, 0, 42);
sink(b1); // $numTaintFlow=1
sink(b1); // $ numTaintFlow=1
ByteStreams.readFully(itaint(), b2);
sink(b2); // $numTaintFlow=1
sink(b2); // $ numTaintFlow=1
ByteStreams.readFully(itaint(), b3, 0, 42);
sink(b3); // $numTaintFlow=1
sink(b3); // $ numTaintFlow=1
sink(ByteStreams.readBytes(itaint(), new MyByteProcessor())); // $ MISSING:numTaintFlow=1
sink(ByteStreams.toByteArray(itaint())); // $numTaintFlow=1
sink(ByteStreams.toByteArray(itaint())); // $ numTaintFlow=1
ByteArrayDataOutput out2 = ByteStreams.newDataOutput();
out2.writeUTF(staint());
sink(out2.toByteArray()); // $numTaintFlow=1
sink(out2.toByteArray()); // $ numTaintFlow=1
StringBuffer buf = new StringBuffer();
CharStreams.copy(rtaint(), buf);
sink(buf); // $numTaintFlow=1
sink(CharStreams.readLines(rtaint())); // $numTaintFlow=1
sink(buf); // $ numTaintFlow=1
sink(CharStreams.readLines(rtaint())); // $ numTaintFlow=1
sink(CharStreams.readLines(rtaint(), new MyLineProcessor())); // $ MISSING:numTaintFlow=1
sink(CharStreams.toString(rtaint())); // $numTaintFlow=1
sink(CharStreams.toString(rtaint())); // $ numTaintFlow=1
}
void test4() throws IOException {
sink(Closer.create().register((Closeable) taint())); // $numValueFlow=1
sink(new LineReader(rtaint()).readLine()); // $numTaintFlow=1
sink(Files.simplifyPath(staint())); // $numTaintFlow=1
sink(Files.getFileExtension(staint())); // $numTaintFlow=1
sink(Files.getNameWithoutExtension(staint())); // $numTaintFlow=1
sink(MoreFiles.getFileExtension(ptaint())); // $numTaintFlow=1
sink(MoreFiles.getNameWithoutExtension(ptaint())); // $numTaintFlow=1
sink(Closer.create().register((Closeable) taint())); // $ numValueFlow=1
sink(new LineReader(rtaint()).readLine()); // $ numTaintFlow=1
sink(Files.simplifyPath(staint())); // $ numTaintFlow=1
sink(Files.getFileExtension(staint())); // $ numTaintFlow=1
sink(Files.getNameWithoutExtension(staint())); // $ numTaintFlow=1
sink(MoreFiles.getFileExtension(ptaint())); // $ numTaintFlow=1
sink(MoreFiles.getNameWithoutExtension(ptaint())); // $ numTaintFlow=1
}
void test6() throws IOException {
sink(new CountingInputStream(itaint())); // $numTaintFlow=1
sink(new CountingInputStream(itaint())); // $ numTaintFlow=1
byte[] buf = null;
new CountingInputStream(itaint()).read(buf, 0, 42);
sink(buf); // $numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint())); // $numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint()).readUTF()); // $numTaintFlow=1
new CountingInputStream(itaint()).read(buf, 0, 42);
sink(buf); // $ numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint())); // $ numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint()).readUTF()); // $ numTaintFlow=1
}
}
}

956
java/ql/test/library-tests/frameworks/javax-json/Test.java
View File

File diff suppressed because it is too large Load Diff

40
java/ql/test/library-tests/frameworks/jms/MessageListenerImpl.java
View File

@@ -13,59 +13,59 @@ import javax.jms.TopicRequestor;
public class MessageListenerImpl implements MessageListener {
@Override
public void onMessage(Message message) { // $source
public void onMessage(Message message) { // $ source
try {
if (message instanceof TextMessage) {
TextMessage textMessage = (TextMessage) message;
String text = textMessage.getText();
sink(text); // $tainted
sink(text); // $ tainted
} else if (message instanceof BytesMessage) {
BytesMessage bytesMessage = (BytesMessage) message;
byte[] data = new byte[1024];
bytesMessage.readBytes(data, 42);
sink(new String(data)); // $tainted
sink(bytesMessage.readUTF()); // $tainted
sink(new String(data)); // $ tainted
sink(bytesMessage.readUTF()); // $ tainted
} else if (message instanceof MapMessage) {
MapMessage mapMessage = (MapMessage) message;
sink(mapMessage.getString("data")); // $tainted
sink(new String(mapMessage.getBytes("bytes"))); // $tainted
sink(mapMessage.getString("data")); // $ tainted
sink(new String(mapMessage.getBytes("bytes"))); // $ tainted
} else if (message instanceof ObjectMessage) {
ObjectMessage objectMessage = (ObjectMessage) message;
sink((String) objectMessage.getObject()); // $tainted
sink((String) objectMessage.getObject()); // $ tainted
} else if (message instanceof StreamMessage) {
StreamMessage streamMessage = (StreamMessage) message;
byte[] data = new byte[1024];
streamMessage.readBytes(data);
sink(new String(data)); // $tainted
sink(streamMessage.readString()); // $tainted
sink((String) streamMessage.readObject()); // $tainted
sink(new String(data)); // $ tainted
sink(streamMessage.readString()); // $ tainted
sink((String) streamMessage.readObject()); // $ tainted
}
} catch (Exception e) {
}
}
public void readFromCounsumer(MessageConsumer consumer) throws Exception {
TextMessage message = (TextMessage) consumer.receive(5000); // $source
TextMessage message = (TextMessage) consumer.receive(5000); // $ source
String text = message.getText();
sink(text); // $tainted
message = (TextMessage) consumer.receive(); // $source
sink(text); // $ tainted
message = (TextMessage) consumer.receive(); // $ source
text = message.getText();
sink(text); // $tainted
message = (TextMessage) consumer.receiveNoWait(); // $source
sink(text); // $ tainted
message = (TextMessage) consumer.receiveNoWait(); // $ source
text = message.getText();
sink(text); // $tainted
sink(text); // $ tainted
}
public void readFromQueueRequestor(QueueRequestor requestor, Message message) throws Exception {
TextMessage reply = (TextMessage) requestor.request(message); // $source
TextMessage reply = (TextMessage) requestor.request(message); // $ source
String text = reply.getText();
sink(text); // $tainted
sink(text); // $ tainted
}
public void readFromTopicRequestor(TopicRequestor requestor, Message message) throws Exception {
TextMessage reply = (TextMessage) requestor.request(message); // $source
TextMessage reply = (TextMessage) requestor.request(message); // $ source
String text = reply.getText();
sink(text); // $tainted
sink(text); // $ tainted
}
private void sink(String data) {

6
java/ql/test/library-tests/frameworks/lastaflute/Test.java
View File

@@ -16,12 +16,10 @@ public class Test {
public String index(TestForm form) throws IOException {
MultipartFormFile file = form.file;
sink(file.getFileData()); // $hasTaintFlow
sink(file.getInputStream()); // $hasTaintFlow
sink(file.getFileData()); // $ hasTaintFlow
sink(file.getInputStream()); // $ hasTaintFlow
return "index.jsp";
}
}

6
java/ql/test/library-tests/frameworks/netty/manual/Test.java
View File

@@ -12,7 +12,7 @@ class Test {
class A extends ChannelInboundHandlerAdapter {
public void channelRead(ChannelHandlerContext ctx, Object msg) {
sink(msg); // $hasTaintFlow
sink(msg); // $ hasTaintFlow
}
}
@@ -21,7 +21,7 @@ class Test {
ByteBuf bb = (ByteBuf) msg;
byte[] data = new byte[1024];
bb.readBytes(data);
sink(data); // $hasTaintFlow
sink(data); // $ hasTaintFlow
}
}
@@ -73,4 +73,4 @@ class Test {
sink(payload); // $ hasTaintFlow
}
}
}
}

14
java/ql/test/library-tests/frameworks/rabbitmq/Test.java
View File

@@ -11,20 +11,20 @@ public class Test {
@Override
public void handleDelivery(
String consumerTag, Envelope envelope, AMQP.BasicProperties properties,
byte[] body) { // $source
String consumerTag, Envelope envelope, AMQP.BasicProperties properties,
byte[] body) { // $ source
sink(body); // $hasTaintFlow
sink(body); // $ hasTaintFlow
}
};
}
public void queueingConsumerTest(QueueingConsumer consumer) {
while (true) {
QueueingConsumer.Delivery delivery = consumer.nextDelivery(); // $source
sink(delivery.getBody()); // $hasTaintFlow
delivery = consumer.nextDelivery(42); // $source
sink(delivery.getBody()); // $hasTaintFlow
QueueingConsumer.Delivery delivery = consumer.nextDelivery(); // $ source
sink(delivery.getBody()); // $ hasTaintFlow
delivery = consumer.nextDelivery(42); // $ source
sink(delivery.getBody()); // $ hasTaintFlow
}
}

14
java/ql/test/library-tests/frameworks/ratpack/resources/CollectionPassingTest.java
View File

@@ -29,11 +29,11 @@ public class CollectionPassingTest {
Map<String, Object> pojoMap = new HashMap<>();
merge(form.asMultimap().asMap(), pojoMap);
// Then
sink(pojoMap.get("value")); //$hasTaintFlow
sink(pojoMap.get("value")); // $ hasTaintFlow
pojoMap.forEach((key, value) -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
List<Object> values = (List<Object>) value;
sink(values.get(0)); //$hasTaintFlow
sink(values.get(0)); // $ hasTaintFlow
});
});
}
@@ -46,11 +46,11 @@ public class CollectionPassingTest {
// When
merge(taintedMap, pojoMap);
// Then
sink(pojoMap.get("value")); //$hasTaintFlow
sink(pojoMap.get("value")); // $ hasTaintFlow
pojoMap.forEach((key, value) -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
List<Object> values = (List<Object>) value;
sink(values.get(0)); //$hasTaintFlow
sink(values.get(0)); // $ hasTaintFlow
});
}
@@ -66,5 +66,5 @@ public class CollectionPassingTest {
private static Object extractSingleValueIfPossible(Collection<String> values) {
return values.size() == 1 ? values.iterator().next() : ImmutableList.copyOf(values);
}
}

44
java/ql/test/library-tests/frameworks/ratpack/resources/IntegrationTest.java
View File

@@ -53,32 +53,32 @@ class IntegrationTest {
void test1(Context ctx) {
bindJson(ctx, Pojo.class)
.then(pojo ->{
sink(pojo); //$hasTaintFlow
sink(pojo.value); //$hasTaintFlow
sink(pojo.getValue()); //$hasTaintFlow
sink(pojo); // $ hasTaintFlow
sink(pojo.value); // $ hasTaintFlow
sink(pojo.getValue()); // $ hasTaintFlow
});
}
void test2(Context ctx) {
bindForm(ctx, Pojo.class, defaults -> defaults.put("another", "potato"))
.then(pojo ->{
sink(pojo); //$hasTaintFlow
sink(pojo.value); //$hasTaintFlow
sink(pojo.getValue()); //$hasTaintFlow
sink(pojo); // $ hasTaintFlow
sink(pojo.value); // $ hasTaintFlow
sink(pojo.getValue()); // $ hasTaintFlow
});
}
void test3() {
Object value = extractSingleValueIfPossible(ImmutableList.of("a", taint()));
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
List<Object> values = (List<Object>) value;
sink(values.get(1)); //$hasTaintFlow
sink(values.get(1)); // $ hasTaintFlow
Map<String, Object> weirdMap = new HashMap<>();
weirdMap.put("a", value);
weirdMap.forEach((key, mapValue) -> {
sink(mapValue); //$hasTaintFlow
sink(mapValue); // $ hasTaintFlow
List<Object> values2 = (List<Object>) mapValue;
sink(values2.get(0)); //$hasTaintFlow
sink(values2.get(0)); // $ hasTaintFlow
});
}
@@ -89,13 +89,13 @@ class IntegrationTest {
filterAndMerge(pojoForm, mergedParams, name -> false);
return mergedParams;
}).then(pojoMap -> {
sink(pojoMap.keySet().iterator().next()); //$hasTaintFlow
sink(pojoMap.get("value")); //$hasTaintFlow
sink(pojoMap.keySet().iterator().next()); // $ hasTaintFlow
sink(pojoMap.get("value")); // $ hasTaintFlow
pojoMap.forEach((key, value) -> {
sink(key); //$hasTaintFlow
sink(value); //$hasTaintFlow
sink(key); // $ hasTaintFlow
sink(value); // $ hasTaintFlow
List<Object> values = (List<Object>) value;
sink(values.get(0)); //$hasTaintFlow
sink(values.get(0)); // $ hasTaintFlow
});
});
}
@@ -107,13 +107,13 @@ class IntegrationTest {
filterAndMerge_2(pojoForm, mergedParams, name -> false);
return mergedParams;
}).then(pojoMap -> {
sink(pojoMap.keySet().iterator().next()); //$hasTaintFlow
sink(pojoMap.get("value")); //$hasTaintFlow
sink(pojoMap.keySet().iterator().next()); // $ hasTaintFlow
sink(pojoMap.get("value")); // $ hasTaintFlow
pojoMap.forEach((key, value) -> {
sink(key); //$hasTaintFlow
sink(value); //$hasTaintFlow
sink(key); // $ hasTaintFlow
sink(value); // $ hasTaintFlow
List<Object> values = (List<Object>) value;
sink(values.get(0)); //$hasTaintFlow
sink(values.get(0)); // $ hasTaintFlow
});
});
}
@@ -121,8 +121,8 @@ class IntegrationTest {
void test6(Context ctx) {
bindQuery(ctx, Pojo.class)
.then(pojo -> {
sink(pojo.getValue()); //$hasTaintFlow
sink(pojo.getValues()); //$hasTaintFlow
sink(pojo.getValue()); // $ hasTaintFlow
sink(pojo.getValues()); // $ hasTaintFlow
});
}

132
java/ql/test/library-tests/frameworks/ratpack/resources/PairTest.java
View File

@@ -5,7 +5,7 @@ import ratpack.func.Pair;
public class PairTest {
void sink(Object o) {}
String taint() {
@@ -21,9 +21,9 @@ public class PairTest {
sink(pair.right()); // no taint flow
sink(pair.getRight()); // no taint flow
Pair<String, String> updatedLeftPair = pair.left(taint());
sink(updatedLeftPair.left); //$hasTaintFlow
sink(updatedLeftPair.left()); //$hasTaintFlow
sink(updatedLeftPair.getLeft()); //$hasTaintFlow
sink(updatedLeftPair.left); // $ hasTaintFlow
sink(updatedLeftPair.left()); // $ hasTaintFlow
sink(updatedLeftPair.getLeft()); // $ hasTaintFlow
sink(updatedLeftPair.right); // no taint flow
sink(updatedLeftPair.right()); // no taint flow
sink(updatedLeftPair.getRight()); // no taint flow
@@ -31,33 +31,33 @@ public class PairTest {
sink(updatedRightPair.left); // no taint flow
sink(updatedRightPair.left()); // no taint flow
sink(updatedRightPair.getLeft()); // no taint flow
sink(updatedRightPair.right); //$hasTaintFlow
sink(updatedRightPair.right()); //$hasTaintFlow
sink(updatedRightPair.getRight()); //$hasTaintFlow
sink(updatedRightPair.right); // $ hasTaintFlow
sink(updatedRightPair.right()); // $ hasTaintFlow
sink(updatedRightPair.getRight()); // $ hasTaintFlow
Pair<String, String> updatedBothPair = pair.left(taint()).right(taint());
sink(updatedBothPair.left); //$hasTaintFlow
sink(updatedBothPair.left()); //$hasTaintFlow
sink(updatedBothPair.getLeft()); //$hasTaintFlow
sink(updatedBothPair.right); //$hasTaintFlow
sink(updatedBothPair.right()); //$hasTaintFlow
sink(updatedBothPair.getRight()); //$hasTaintFlow
sink(updatedBothPair.left); // $ hasTaintFlow
sink(updatedBothPair.left()); // $ hasTaintFlow
sink(updatedBothPair.getLeft()); // $ hasTaintFlow
sink(updatedBothPair.right); // $ hasTaintFlow
sink(updatedBothPair.right()); // $ hasTaintFlow
sink(updatedBothPair.getRight()); // $ hasTaintFlow
}
void test2() {
Pair<String, String> pair = Pair.of(taint(), taint());
sink(pair.left); //$hasTaintFlow
sink(pair.left()); //$hasTaintFlow
sink(pair.getLeft()); //$hasTaintFlow
sink(pair.right); //$hasTaintFlow
sink(pair.right()); //$hasTaintFlow
sink(pair.getRight()); //$hasTaintFlow
sink(pair.left); // $ hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.getLeft()); // $ hasTaintFlow
sink(pair.right); // $ hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
sink(pair.getRight()); // $ hasTaintFlow
Pair<String, Pair<String, String>> pushedLeftPair = pair.pushLeft("safe");
sink(pushedLeftPair.left()); // no taint flow
sink(pushedLeftPair.right().left()); //$hasTaintFlow
sink(pushedLeftPair.right().right()); //$hasTaintFlow
sink(pushedLeftPair.right().left()); // $ hasTaintFlow
sink(pushedLeftPair.right().right()); // $ hasTaintFlow
Pair<Pair<String, String>, String> pushedRightPair = pair.pushRight("safe");
sink(pushedRightPair.left().left()); //$hasTaintFlow
sink(pushedRightPair.left().right()); //$hasTaintFlow
sink(pushedRightPair.left().left()); // $ hasTaintFlow
sink(pushedRightPair.left().right()); // $ hasTaintFlow
sink(pushedRightPair.right()); // no taint flow
}
@@ -70,39 +70,39 @@ public class PairTest {
sink(pair.right()); // no taint flow
sink(pair.getRight()); // no taint flow
Pair<String, Pair<String, String>> pushedLeftPair = pair.pushLeft(taint());
sink(pushedLeftPair.left()); //$hasTaintFlow
sink(pushedLeftPair.left()); // $ hasTaintFlow
sink(pushedLeftPair.right().left()); // no taint flow
sink(pushedLeftPair.right().right()); // no taint flow
Pair<Pair<String, String>, String> pushedRightPair = pair.pushRight(taint());
sink(pushedRightPair.left().left()); // no taint flow
sink(pushedRightPair.left().right()); // no taint flow
sink(pushedRightPair.right()); //$hasTaintFlow
sink(pushedRightPair.right()); // $ hasTaintFlow
}
void test4() {
Pair<String, String> pair = Pair.of(taint(), taint());
sink(pair.left()); //$hasTaintFlow
sink(pair.right()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft("safe");
sink(nestLeftPair.left().left()); // no taint flow
sink(nestLeftPair.left().right()); //$hasTaintFlow
sink(nestLeftPair.right()); //$hasTaintFlow
sink(nestLeftPair.left().right()); // $ hasTaintFlow
sink(nestLeftPair.right()); // $ hasTaintFlow
Pair<String, Pair<String, String>> nestRightPair = pair.nestRight("safe");
sink(nestRightPair.left()); //$hasTaintFlow
sink(nestRightPair.left()); // $ hasTaintFlow
sink(nestRightPair.right().left()); // no taint flow
sink(nestRightPair.right().right()); //$hasTaintFlow
sink(nestRightPair.right().right()); // $ hasTaintFlow
}
void test5() {
Pair<String, String> pair = Pair.of(taint(), "safe");
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft("safe");
sink(nestLeftPair.left().left()); // no taint flow
sink(nestLeftPair.left().right()); //$hasTaintFlow
sink(nestLeftPair.left().right()); // $ hasTaintFlow
sink(nestLeftPair.right()); // no taint flow
Pair<String, Pair<String, String>> nestRightPair = pair.nestRight("safe");
sink(nestRightPair.left()); //$hasTaintFlow
sink(nestRightPair.left()); // $ hasTaintFlow
sink(nestRightPair.right().left()); // no taint flow
sink(nestRightPair.right().right()); // no taint flow
}
@@ -110,15 +110,15 @@ public class PairTest {
void test6() {
Pair<String, String> pair = Pair.of("safe", taint());
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft("safe");
sink(nestLeftPair.left().left()); // no taint flow
sink(nestLeftPair.left().right()); // no taint flow
sink(nestLeftPair.right()); //$hasTaintFlow
sink(nestLeftPair.right()); // $ hasTaintFlow
Pair<String, Pair<String, String>> nestRightPair = pair.nestRight("safe");
sink(nestRightPair.left()); // no taint flow
sink(nestRightPair.right().left()); // no taint flow
sink(nestRightPair.right().right()); //$hasTaintFlow
sink(nestRightPair.right().right()); // $ hasTaintFlow
}
void test7() {
@@ -126,12 +126,12 @@ public class PairTest {
sink(pair.left()); // no taint flow
sink(pair.right()); // no taint flow
Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft(taint());
sink(nestLeftPair.left().left()); // $hasTaintFlow
sink(nestLeftPair.left().left()); // $ hasTaintFlow
sink(nestLeftPair.left().right()); // no taint flow
sink(nestLeftPair.right()); // no taint flow
Pair<String, Pair<String, String>> nestRightPair = pair.nestRight(taint());
sink(nestRightPair.left()); // no taint flow
sink(nestRightPair.right().left()); // $hasTaintFlow
sink(nestRightPair.right().left()); // $ hasTaintFlow
sink(nestRightPair.right().right()); // no taint flow
}
@@ -141,7 +141,7 @@ public class PairTest {
sink(left); // no taint flow
return taint();
});
sink(taintLeft.left()); //$hasTaintFlow
sink(taintLeft.left()); // $ hasTaintFlow
sink(taintLeft.right()); // no taint flow
}
@@ -152,43 +152,43 @@ public class PairTest {
return taint();
});
sink(taintRight.left()); // no taint flow
sink(taintRight.right()); //$hasTaintFlow
sink(taintRight.right()); // $ hasTaintFlow
}
void test10() throws Exception {
Pair<String, String> pair = Pair.of(taint(), taint());
Pair<String, String> taintLeft = pair.mapLeft(left -> {
sink(left); //$hasTaintFlow
sink(left); // $ hasTaintFlow
return "safe";
});
sink(taintLeft.left()); // no taint flow
sink(taintLeft.right()); //$hasTaintFlow
sink(taintLeft.right()); // $ hasTaintFlow
}
void test11() throws Exception {
Pair<String, String> pair = Pair.of(taint(), taint());
Pair<String, String> taintRight = pair.mapRight(right -> {
sink(right); //$hasTaintFlow
sink(right); // $ hasTaintFlow
return "safe";
});
sink(taintRight.left()); //$hasTaintFlow
sink(taintRight.left()); // $ hasTaintFlow
sink(taintRight.right()); // no taint flow
}
void test12() throws Exception {
Pair<String, String> pair = Pair.of(taint(), taint());
String safe = pair.map(p -> {
sink(p.left()); //$hasTaintFlow
sink(p.right()); //$hasTaintFlow
sink(p.left()); // $ hasTaintFlow
sink(p.right()); // $ hasTaintFlow
return "safe";
});
sink(safe); // no taint flow
String unsafe = pair.map(p -> {
sink(p.left()); //$hasTaintFlow
sink(p.right()); //$hasTaintFlow
sink(p.left()); // $ hasTaintFlow
sink(p.right()); // $ hasTaintFlow
return taint();
});
sink(unsafe); //$hasTaintFlow
sink(unsafe); // $ hasTaintFlow
}
void test13() {
@@ -197,20 +197,20 @@ public class PairTest {
.left(Promise.value("safe"))
.then(pair -> {
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
});
Promise
.value(taint())
.right(Promise.value("safe"))
.then(pair -> {
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
});
Promise
.value("safe")
.left(Promise.value(taint()))
.then(pair -> {
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
});
Promise
@@ -218,7 +218,7 @@ public class PairTest {
.right(Promise.value(taint()))
.then(pair -> {
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
});
}
@@ -226,21 +226,21 @@ public class PairTest {
Promise
.value(taint())
.left(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return "safe";
})
.then(pair -> {
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
});
Promise
.value(taint())
.right(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return "safe";
})
.then(pair -> {
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
});
Promise
@@ -250,7 +250,7 @@ public class PairTest {
return taint();
})
.then(pair -> {
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
});
Promise
@@ -261,7 +261,7 @@ public class PairTest {
})
.then(pair -> {
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
});
}
@@ -269,21 +269,21 @@ public class PairTest {
Promise
.value(taint())
.flatLeft(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return Promise.value("safe");
})
.then(pair -> {
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
});
Promise
.value(taint())
.flatRight(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return Promise.value("safe");
})
.then(pair -> {
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
});
Promise
@@ -292,7 +292,7 @@ public class PairTest {
return Promise.value(taint());
})
.then(pair -> {
sink(pair.left()); //$hasTaintFlow
sink(pair.left()); // $ hasTaintFlow
sink(pair.right()); // no taint flow
});
Promise
@@ -302,7 +302,7 @@ public class PairTest {
})
.then(pair -> {
sink(pair.left()); // no taint flow
sink(pair.right()); //$hasTaintFlow
sink(pair.right()); // $ hasTaintFlow
});
}
}

184
java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java
View File

@@ -19,59 +19,59 @@ class Resource {
}
void test1(Context ctx) {
sink(ctx.getRequest().getContentLength()); //$hasTaintFlow
sink(ctx.getRequest().getCookies()); //$hasTaintFlow
sink(ctx.getRequest().oneCookie("Magic-Cookie")); //$hasTaintFlow
sink(ctx.getRequest().getHeaders()); //$hasTaintFlow
sink(ctx.getRequest().getHeaders().get("questionable_header")); //$hasTaintFlow
sink(ctx.getRequest().getHeaders().getAll("questionable_header")); //$hasTaintFlow
sink(ctx.getRequest().getHeaders().getNames()); //$hasTaintFlow
sink(ctx.getRequest().getHeaders().asMultiValueMap()); //$hasTaintFlow
sink(ctx.getRequest().getHeaders().asMultiValueMap().get("questionable_header")); //$hasTaintFlow
sink(ctx.getRequest().getPath()); //$hasTaintFlow
sink(ctx.getRequest().getQuery()); //$hasTaintFlow
sink(ctx.getRequest().getQueryParams()); //$hasTaintFlow
sink(ctx.getRequest().getQueryParams().get("questionable_parameter")); //$hasTaintFlow
sink(ctx.getRequest().getRawUri()); //$hasTaintFlow
sink(ctx.getRequest().getUri()); //$hasTaintFlow
sink(ctx.getRequest().getContentLength()); // $ hasTaintFlow
sink(ctx.getRequest().getCookies()); // $ hasTaintFlow
sink(ctx.getRequest().oneCookie("Magic-Cookie")); // $ hasTaintFlow
sink(ctx.getRequest().getHeaders()); // $ hasTaintFlow
sink(ctx.getRequest().getHeaders().get("questionable_header")); // $ hasTaintFlow
sink(ctx.getRequest().getHeaders().getAll("questionable_header")); // $ hasTaintFlow
sink(ctx.getRequest().getHeaders().getNames()); // $ hasTaintFlow
sink(ctx.getRequest().getHeaders().asMultiValueMap()); // $ hasTaintFlow
sink(ctx.getRequest().getHeaders().asMultiValueMap().get("questionable_header")); // $ hasTaintFlow
sink(ctx.getRequest().getPath()); // $ hasTaintFlow
sink(ctx.getRequest().getQuery()); // $ hasTaintFlow
sink(ctx.getRequest().getQueryParams()); // $ hasTaintFlow
sink(ctx.getRequest().getQueryParams().get("questionable_parameter")); // $ hasTaintFlow
sink(ctx.getRequest().getRawUri()); // $ hasTaintFlow
sink(ctx.getRequest().getUri()); // $ hasTaintFlow
}
void test2(Context ctx, OutputStream os) {
ctx.getRequest().getBody().then(td -> {
sink(td); //$hasTaintFlow
sink(td.getText()); //$hasTaintFlow
sink(td.getBuffer()); //$hasTaintFlow
sink(td.getBytes()); //$hasTaintFlow
sink(td.getContentType()); //$hasTaintFlow
sink(td.getInputStream()); //$hasTaintFlow
sink(td); // $ hasTaintFlow
sink(td.getText()); // $ hasTaintFlow
sink(td.getBuffer()); // $ hasTaintFlow
sink(td.getBytes()); // $ hasTaintFlow
sink(td.getContentType()); // $ hasTaintFlow
sink(td.getInputStream()); // $ hasTaintFlow
sink(os);
td.writeTo(os);
sink(os); //$hasTaintFlow
sink(os); // $ hasTaintFlow
if (td instanceof UploadedFile) {
UploadedFile uf = (UploadedFile) td;
sink(uf.getFileName()); //$hasTaintFlow
sink(uf.getFileName()); // $ hasTaintFlow
}
});
}
void test3(Context ctx) {
ctx.getRequest().getBody().map(TypedData::getText).then(s -> {
sink(s); //$hasTaintFlow
sink(s); // $ hasTaintFlow
});
ctx.getRequest().getBody().map(b -> {
sink(b); //$hasTaintFlow
sink(b.getText()); //$hasTaintFlow
sink(b); // $ hasTaintFlow
sink(b.getText()); // $ hasTaintFlow
return b.getText();
}).then(t -> {
sink(t); //$hasTaintFlow
sink(t); // $ hasTaintFlow
});
ctx.getRequest().getBody().map(TypedData::getText).then(this::sink); //$hasTaintFlow
ctx.getRequest().getBody().map(TypedData::getText).then(this::sink); // $ hasTaintFlow
ctx
.getRequest()
.getBody()
.map(TypedData::getText)
.next(this::sink) //$hasTaintFlow
.then(this::sink); //$hasTaintFlow
.next(this::sink) // $ hasTaintFlow
.then(this::sink); // $ hasTaintFlow
}
void test4() {
@@ -79,11 +79,11 @@ class Resource {
Promise.value(tainted);
Promise
.value(tainted)
.then(this::sink); //$hasTaintFlow
.then(this::sink); // $ hasTaintFlow
Promise
.value(tainted)
.map(a -> a)
.then(this::sink); //$hasTaintFlow
.then(this::sink); // $ hasTaintFlow
}
void test5(Context ctx) {
@@ -92,22 +92,22 @@ class Resource {
.getBody()
.map(data -> {
Form form = ctx.parse(data, Form.form());
sink(form); //$hasTaintFlow
sink(form); // $ hasTaintFlow
return form;
})
.then(form -> {
sink(form.file("questionable_file")); //$hasTaintFlow
sink(form.file("questionable_file").getFileName()); //$hasTaintFlow
sink(form.files("questionable_files")); //$hasTaintFlow
sink(form.files()); //$hasTaintFlow
sink(form.get("questionable_parameter")); //$hasTaintFlow
sink(form.getAll().get("questionable_parameter").get(0)); //$hasTaintFlow
sink(form.getAll("questionable_parameter").get(0)); //$hasTaintFlow
sink(form.asMultimap().get("questionable_parameter")); //$hasTaintFlow
sink(form.asMultimap().asMap()); //$hasTaintFlow
sink(form.file("questionable_file")); // $ hasTaintFlow
sink(form.file("questionable_file").getFileName()); // $ hasTaintFlow
sink(form.files("questionable_files")); // $ hasTaintFlow
sink(form.files()); // $ hasTaintFlow
sink(form.get("questionable_parameter")); // $ hasTaintFlow
sink(form.getAll().get("questionable_parameter").get(0)); // $ hasTaintFlow
sink(form.getAll("questionable_parameter").get(0)); // $ hasTaintFlow
sink(form.asMultimap().get("questionable_parameter")); // $ hasTaintFlow
sink(form.asMultimap().asMap()); // $ hasTaintFlow
form.asMultimap().asMap().forEach((name, values) -> {
sink(name); //$hasTaintFlow
sink(values); //$hasTaintFlow
sink(name); // $ hasTaintFlow
sink(values); // $ hasTaintFlow
});
});
}
@@ -116,17 +116,17 @@ class Resource {
ctx
.parse(Parse.of(Form.class))
.then(form -> {
sink(form); //$hasTaintFlow
sink(form); // $ hasTaintFlow
});
ctx
.parse(Form.class)
.then(form -> {
sink(form); //$hasTaintFlow
sink(form); // $ hasTaintFlow
});
ctx
.parse(Form.class, "Some Object")
.then(form -> {
sink(form); //$hasTaintFlow
sink(form); // $ hasTaintFlow
});
}
@@ -135,50 +135,50 @@ class Resource {
Promise
.flatten(() -> Promise.value(tainted))
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.onError(Action.noop())
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.cache()
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.fork()
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.route(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return false;
}, value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.cacheIf(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return true;
})
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.onError(RuntimeException.class, Action.noop())
.next(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.map(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return value;
})
.blockingMap(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return value;
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}
@@ -191,7 +191,7 @@ class Resource {
return "potato";
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.value("potato")
@@ -199,7 +199,7 @@ class Resource {
return taint();
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.value(tainted)
@@ -208,7 +208,7 @@ class Resource {
return Promise.value("potato");
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.value("potato")
@@ -216,7 +216,7 @@ class Resource {
return Promise.value(taint());
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}
@@ -226,7 +226,7 @@ class Resource {
.value(tainted)
.map(Resource::identity)
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.value("potato")
@@ -238,7 +238,7 @@ class Resource {
.value(tainted)
.flatMap(v -> Promise.value(v))
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}
@@ -252,7 +252,7 @@ class Resource {
.value(tainted)
.apply(Resource::promiseIdentity)
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.value("potato")
@@ -261,7 +261,7 @@ class Resource {
sink(value); // no taints flow
});
}
public static Promise<String> promiseIdentity(Promise<String> input) {
return input.map(i -> i);
}
@@ -272,7 +272,7 @@ class Resource {
.value(tainted)
.map(a -> a)
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.value("potato")
@@ -287,40 +287,40 @@ class Resource {
Promise
.sync(() -> tainted)
.mapIf(v -> {
sink(v); //$hasTaintFlow
sink(v); // $ hasTaintFlow
return true;
}, v -> {
sink(v); //$hasTaintFlow
sink(v); // $ hasTaintFlow
return v;
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.sync(() -> tainted)
.mapIf(v -> {
sink(v); //$hasTaintFlow
sink(v); // $ hasTaintFlow
return true;
}, vTrue -> {
sink(vTrue); //$hasTaintFlow
sink(vTrue); // $ hasTaintFlow
return vTrue;
}, vFalse -> {
sink(vFalse); //$hasTaintFlow
sink(vFalse); // $ hasTaintFlow
return vFalse;
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
Promise
.sync(() -> tainted)
.mapIf(v -> {
sink(v); //$hasTaintFlow
sink(v); // $ hasTaintFlow
return true;
}, vTrue -> {
sink(vTrue); //$hasTaintFlow
sink(vTrue); // $ hasTaintFlow
return "potato";
}, vFalse -> {
sink(vFalse); //$hasTaintFlow
sink(vFalse); // $ hasTaintFlow
return "potato";
})
.then(value -> {
@@ -340,7 +340,7 @@ class Resource {
.value("safe")
.replace(Promise.value(tainted))
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}
@@ -349,10 +349,10 @@ class Resource {
Promise
.value(tainted)
.blockingOp(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}
@@ -361,16 +361,16 @@ class Resource {
Promise
.value(tainted)
.nextOp(value -> Operation.of(() -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
}))
.nextOpIf(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
return true;
}, value -> Operation.of(() -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
}))
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}
@@ -379,23 +379,23 @@ class Resource {
Promise
.value(tainted)
.flatOp(value -> Operation.of(() -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
}));
}
void test17() throws Exception {
String tainted = taint();
Result<String> result = Result.success(tainted);
sink(result.getValue()); //$hasTaintFlow
sink(result.getValueOrThrow()); //$hasTaintFlow
sink(result.getValue()); // $ hasTaintFlow
sink(result.getValueOrThrow()); // $ hasTaintFlow
Promise
.value(tainted)
.wiretap(r -> {
sink(r.getValue()); //$hasTaintFlow
sink(r.getValueOrThrow()); //$hasTaintFlow
sink(r.getValue()); // $ hasTaintFlow
sink(r.getValueOrThrow()); // $ hasTaintFlow
})
.then(value -> {
sink(value); //$hasTaintFlow
sink(value); // $ hasTaintFlow
});
}

26
java/ql/test/library-tests/frameworks/spring/cache/Test.java vendored
View File

@@ -50,91 +50,91 @@ public class Test {
Cache.ValueRetrievalException out = null;
Object in = source();
out = new Cache.ValueRetrievalException(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache$ValueRetrievalException;false;getKey;;;MapKey of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache.ValueRetrievalException in = new Cache.ValueRetrievalException(source(), null, null);
out = in.getKey();
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache$ValueWrapper;true;get;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache.ValueWrapper in = new ValueWrapper(source());
out = in.get();
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object);;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Cache.ValueWrapper out = null;
Cache in = new DummyCache(null, source());
out = in.get(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.get(null, (Callable)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object,Class);;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.get(null, (Class)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;getNativeCache;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(source(), null);
out = in.getNativeCache();
sink(getMapKey((Cache)out)); // $hasValueFlow
sink(getMapKey((Cache)out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;getNativeCache;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.getNativeCache();
sink(getMapValue((Cache)out)); // $hasValueFlow
sink(getMapValue((Cache)out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;put;;;Argument[0];MapKey of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.put(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;put;;;Argument[1];MapValue of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.put(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[0];MapKey of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.putIfAbsent(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[1];MapValue of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.putIfAbsent(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Cache.ValueWrapper out = null;
Cache in = new DummyCache(null, source());
out = in.putIfAbsent(null, null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
}

6
java/ql/test/library-tests/frameworks/spring/context/Test.java
View File

@@ -13,8 +13,8 @@ public class Test {
public void test() {
StaticMessageSource sms = new StaticMessageSource();
sms.addMessage(code, locale, "hello {0}");
sink(sms.getMessage(code, new String[]{ taint() }, locale)); // $hasTaintFlow
sink(sms.getMessage(code, new String[]{ taint() }, "", locale)); // $hasTaintFlow
sink(sms.getMessage(code, null, taint(), locale)); // $hasTaintFlow
sink(sms.getMessage(code, new String[]{ taint() }, locale)); // $ hasTaintFlow
sink(sms.getMessage(code, new String[]{ taint() }, "", locale)); // $ hasTaintFlow
sink(sms.getMessage(code, null, taint(), locale)); // $ hasTaintFlow
}
}

28
java/ql/test/library-tests/frameworks/spring/controller/Test.java
View File

@@ -127,62 +127,62 @@ public class Test {
static class ExplicitlyTaintedTest {
@RequestMapping("/")
public void get(InputStream src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void get(Reader src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void matrixVariable(@MatrixVariable Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestParam(@RequestParam Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestHeader(@RequestHeader Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void cookieValue(@CookieValue Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestPart(@RequestPart Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void pathVariable(@PathVariable Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestBody(@RequestBody Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void get(HttpEntity src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestAttribute(@RequestAttribute Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void sessionAttribute(@SessionAttribute Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
}
@@ -193,12 +193,12 @@ public class Test {
@RequestMapping("/")
public void get(String src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void get1(Pojo src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
}

2
java/ql/test/library-tests/frameworks/spring/data/Test.java
View File

@@ -14,6 +14,6 @@ public class Test {
void testCrudRepository(CrudRepository<Struct, Integer> cr) {
Struct s = new Struct(source());
s = cr.save(s);
sink(s.field); //$hasValueFlow
sink(s.field); // $ hasValueFlow
}
}

148
java/ql/test/library-tests/frameworks/spring/http/TestHttp.java
View File

@@ -14,149 +14,149 @@ class TestHttp {
void test1() {
String x = taint();
sink(new HttpEntity(x)); // $hasTaintFlow
sink(new HttpEntity(x)); // $ hasTaintFlow
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
sink(new HttpEntity(x, m1)); // $hasTaintFlow
sink(new HttpEntity(x, m1)); // $ hasTaintFlow
m1.add("a", taint());
sink(new HttpEntity("a", m1)); // $hasTaintFlow
sink(new HttpEntity<String>(m1)); // $hasTaintFlow
sink(new HttpEntity("a", m1)); // $ hasTaintFlow
sink(new HttpEntity<String>(m1)); // $ hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new HttpEntity<String>(m2)); // $hasTaintFlow
sink(new HttpEntity<String>(m2)); // $ hasTaintFlow
HttpEntity<String> ent = taint();
sink(ent.getBody()); // $hasTaintFlow
sink(ent.getHeaders()); // $hasTaintFlow
sink(ent.getBody()); // $ hasTaintFlow
sink(ent.getHeaders()); // $ hasTaintFlow
RequestEntity<String> req = taint();
sink(req.getUrl()); // $hasTaintFlow
sink(req.getUrl()); // $ hasTaintFlow
}
void test2() {
String x = taint();
sink(ResponseEntity.ok(x)); // $hasTaintFlow
sink(ResponseEntity.of(Optional.of(x))); // $hasTaintFlow
sink(ResponseEntity.ok(x)); // $ hasTaintFlow
sink(ResponseEntity.of(Optional.of(x))); // $ hasTaintFlow
sink(ResponseEntity.status(200).contentLength(2048).body(x)); // $hasTaintFlow
sink(ResponseEntity.created(taint()).contentType(null).body("a")); // $hasTaintFlow
sink(ResponseEntity.status(200).header(x, "a", "b", "c").build()); // $hasTaintFlow
sink(ResponseEntity.status(200).header("h", "a", "b", x).build()); // $hasTaintFlow
sink(ResponseEntity.status(200).contentLength(2048).body(x)); // $ hasTaintFlow
sink(ResponseEntity.created(taint()).contentType(null).body("a")); // $ hasTaintFlow
sink(ResponseEntity.status(200).header(x, "a", "b", "c").build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).header("h", "a", "b", x).build()); // $ hasTaintFlow
HttpHeaders h = new HttpHeaders();
h.add("h", taint());
sink(ResponseEntity.status(200).headers(h).allow().build()); // $hasTaintFlow
sink(ResponseEntity.status(200).eTag(x).allow().build()); // $hasTaintFlow
sink(ResponseEntity.status(200).location(taint()).lastModified(10000000).build()); // $hasTaintFlow
sink(ResponseEntity.status(200).varyBy(x).build());
sink(ResponseEntity.status(200).headers(h).allow().build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).eTag(x).allow().build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).location(taint()).lastModified(10000000).build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).varyBy(x).build());
}
void test3() {
String x = taint();
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
sink(new ResponseEntity(x, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity(x, m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity(x, m1, 200)); // $hasTaintFlow
sink(new ResponseEntity(x, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity(x, m1, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity(x, m1, 200)); // $ hasTaintFlow
m1.add("a", taint());
sink(new ResponseEntity("a", m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity<String>(m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity("a", m1, 200)); // $hasTaintFlow
sink(new ResponseEntity("a", m1, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity<String>(m1, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity("a", m1, 200)); // $ hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new ResponseEntity("a", m2, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity<String>(m2, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity("a", m2, 200)); // $hasTaintFlow
sink(new ResponseEntity("a", m2, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity<String>(m2, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity("a", m2, 200)); // $ hasTaintFlow
ResponseEntity<String> ent = taint();
sink(ent.getBody()); // $hasTaintFlow
sink(ent.getHeaders()); // $hasTaintFlow
sink(ent.getBody()); // $ hasTaintFlow
sink(ent.getHeaders()); // $ hasTaintFlow
}
void test4() {
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
m1.add("a", taint());
sink(new HttpHeaders(m1)); // $hasTaintFlow
sink(new HttpHeaders(m1)); // $ hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new HttpHeaders(m2)); // $hasTaintFlow
sink(new HttpHeaders(m2)); // $ hasTaintFlow
HttpHeaders h1 = new HttpHeaders();
h1.add(taint(), "a");
sink(h1); // $hasTaintFlow
h1.add(taint(), "a");
sink(h1); // $ hasTaintFlow
HttpHeaders h2 = new HttpHeaders();
h2.add("a", taint());
sink(h2); // $hasTaintFlow
h2.add("a", taint());
sink(h2); // $ hasTaintFlow
HttpHeaders h3 = new HttpHeaders();
h3.addAll(m1);
sink(h3); // $hasTaintFlow
h3.addAll(m1);
sink(h3); // $ hasTaintFlow
HttpHeaders h4 = new HttpHeaders();
h4.addAll(m2);
sink(h4); // $hasTaintFlow
h4.addAll(m2);
sink(h4); // $ hasTaintFlow
HttpHeaders h5 = new HttpHeaders();
h5.addAll(taint(), List.of());
sink(h5); // $hasTaintFlow
h5.addAll(taint(), List.of());
sink(h5); // $ hasTaintFlow
HttpHeaders h6 = new HttpHeaders();
h6.addAll("a", List.of(taint()));
sink(h6); // $hasTaintFlow
h6.addAll("a", List.of(taint()));
sink(h6); // $ hasTaintFlow
sink(HttpHeaders.formatHeaders(m1)); // $hasTaintFlow
sink(HttpHeaders.formatHeaders(m2)); // $hasTaintFlow
sink(HttpHeaders.formatHeaders(m1)); // $ hasTaintFlow
sink(HttpHeaders.formatHeaders(m2)); // $ hasTaintFlow
sink(HttpHeaders.encodeBasicAuth(taint(), "a", null)); // $hasTaintFlow
sink(HttpHeaders.encodeBasicAuth("a", taint(), null)); // $hasTaintFlow
sink(HttpHeaders.encodeBasicAuth(taint(), "a", null)); // $ hasTaintFlow
sink(HttpHeaders.encodeBasicAuth("a", taint(), null)); // $ hasTaintFlow
}
void test5() {
HttpHeaders h = taint();
sink(h.get(null).get(0)); // $hasTaintFlow
sink(h.get(null).get(0)); // $ hasTaintFlow
sink(h.getAccept().get(0));
sink(h.getAcceptCharset().get(0));
sink(h.getAcceptLanguage().get(0));
sink(h.getAcceptLanguageAsLocales().get(0));
sink(h.getAccessControlAllowCredentials());
sink(h.getAccessControlAllowHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlAllowHeaders().get(0)); // $ hasTaintFlow
sink(h.getAccessControlAllowMethods().get(0));
sink(h.getAccessControlAllowOrigin()); // $hasTaintFlow
sink(h.getAccessControlExposeHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlAllowOrigin()); // $ hasTaintFlow
sink(h.getAccessControlExposeHeaders().get(0)); // $ hasTaintFlow
sink(h.getAccessControlMaxAge());
sink(h.getAccessControlRequestHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlRequestMethod());
sink(h.getAccessControlRequestHeaders().get(0)); // $ hasTaintFlow
sink(h.getAccessControlRequestMethod());
sink(h.getAllow().toArray()[0]);
sink(h.getCacheControl()); // $hasTaintFlow
sink(h.getConnection().get(0)); // $hasTaintFlow
sink(h.getCacheControl()); // $ hasTaintFlow
sink(h.getConnection().get(0)); // $ hasTaintFlow
sink(h.getContentDisposition());
sink(h.getContentLanguage());
sink(h.getContentLength());
sink(h.getContentType());
sink(h.getDate());
sink(h.getETag()); // $hasTaintFlow
sink(h.getETag()); // $ hasTaintFlow
sink(h.getExpires());
sink(h.getFirst("a")); // $hasTaintFlow
sink(h.getFirstDate("a"));
sink(h.getFirstZonedDateTime("a"));
sink(h.getHost()); // $hasTaintFlow
sink(h.getIfMatch().get(0)); // $hasTaintFlow
sink(h.getIfModifiedSince());
sink(h.getIfNoneMatch().get(0)); // $hasTaintFlow
sink(h.getIfUnmodifiedSince());
sink(h.getLastModified());
sink(h.getLocation()); // $hasTaintFlow
sink(h.getOrEmpty("a").get(0)); // $hasTaintFlow
sink(h.getOrigin()); // $hasTaintFlow
sink(h.getPragma()); // $hasTaintFlow
sink(h.getUpgrade()); // $hasTaintFlow
sink(h.getValuesAsList("a").get(0)); // $hasTaintFlow
sink(h.getVary().get(0)); // $hasTaintFlow
sink(h.getFirst("a")); // $ hasTaintFlow
sink(h.getFirstDate("a"));
sink(h.getFirstZonedDateTime("a"));
sink(h.getHost()); // $ hasTaintFlow
sink(h.getIfMatch().get(0)); // $ hasTaintFlow
sink(h.getIfModifiedSince());
sink(h.getIfNoneMatch().get(0)); // $ hasTaintFlow
sink(h.getIfUnmodifiedSince());
sink(h.getLastModified());
sink(h.getLocation()); // $ hasTaintFlow
sink(h.getOrEmpty("a").get(0)); // $ hasTaintFlow
sink(h.getOrigin()); // $ hasTaintFlow
sink(h.getPragma()); // $ hasTaintFlow
sink(h.getUpgrade()); // $ hasTaintFlow
sink(h.getValuesAsList("a").get(0)); // $ hasTaintFlow
sink(h.getVary().get(0)); // $ hasTaintFlow
}
}
}

152
java/ql/test/library-tests/frameworks/spring/ui/Test.java
View File

@@ -28,35 +28,35 @@ public class Test {
ConcurrentModel out = null;
Object in = source();
out = new ConcurrentModel(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
String in = (String)source();
out = new ConcurrentModel(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Object in = source();
out = new ConcurrentModel(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value;manual"
@@ -64,7 +64,7 @@ public class Test {
Collection in = List.of(source());
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value;manual"
@@ -72,21 +72,21 @@ public class Test {
Collection in = List.of(source());
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[this];value;manual"
Model out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value;manual"
@@ -94,7 +94,7 @@ public class Test {
Map in = Map.of(source(), null);
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value;manual"
@@ -102,21 +102,21 @@ public class Test {
Map in = Map.of(source(), null);
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value;manual"
@@ -124,7 +124,7 @@ public class Test {
Map in = Map.of(null, source());
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value;manual"
@@ -132,49 +132,49 @@ public class Test {
Map in = Map.of(null, source());
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value;manual"
@@ -182,7 +182,7 @@ public class Test {
Object in = source();
Model instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value;manual"
@@ -190,21 +190,21 @@ public class Test {
Object in = source();
ConcurrentModel instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
Model out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value;manual"
@@ -212,7 +212,7 @@ public class Test {
String in = (String)source();
Model instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value;manual"
@@ -220,21 +220,21 @@ public class Test {
String in = (String)source();
ConcurrentModel instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
Model out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value;manual"
@@ -242,7 +242,7 @@ public class Test {
Object in = source();
Model instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value;manual"
@@ -250,175 +250,175 @@ public class Test {
Object in = source();
ConcurrentModel instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Map out = null;
Model in = new ConcurrentModel((String)source(), null);
out = in.asMap();
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Map out = null;
ConcurrentModel in = new ConcurrentModel((String)source(), null);
out = in.asMap();
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Map out = null;
Model in = (Model)Map.of(null, source());
out = in.asMap();
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Map out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.asMap();
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Model in = (Model)Map.of(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Model out = null;
Model in = new ConcurrentModel((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = new ConcurrentModel((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[this];value;manual"
Model out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Model out = null;
Model in = (Model)Map.of(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(Object);;Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out = new ModelMap(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
String in = (String)source();
out = new ModelMap(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out = new ModelMap(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value;manual"
@@ -426,14 +426,14 @@ public class Test {
Collection in = List.of(source());
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value;manual"
@@ -441,14 +441,14 @@ public class Test {
Map in = Map.of(source(), null);
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value;manual"
@@ -456,28 +456,28 @@ public class Test {
Map in = Map.of(null, source());
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value;manual"
@@ -485,14 +485,14 @@ public class Test {
Object in = source();
ModelMap instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value;manual"
@@ -500,14 +500,14 @@ public class Test {
String in = (String)source();
ModelMap instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value;manual"
@@ -515,63 +515,63 @@ public class Test {
Object in = source();
ModelMap instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;getAttribute;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
ModelMap in = new ModelMap(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = new ModelMap((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = new ModelMap(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
}

378
java/ql/test/library-tests/frameworks/spring/util/Test.java
View File

File diff suppressed because it is too large Load Diff

36
java/ql/test/library-tests/frameworks/spring/validation/Test.java
View File

@@ -11,68 +11,68 @@ class ValidationErrorsTest {
void test() {
Errors es0 = errors();
es0.addAllErrors(sourceErrs());
sink(es0); // $hasTaintFlow
sink(es0); // $ hasTaintFlow
sink(sourceErrs().getAllErrors()); // $hasTaintFlow
sink(sourceErrs().getAllErrors()); // $ hasTaintFlow
sink(sourceErrs().getFieldError()); // $hasTaintFlow
sink(sourceErrs().getFieldError("field")); // $hasTaintFlow
sink(sourceErrs().getFieldError()); // $ hasTaintFlow
sink(sourceErrs().getFieldError("field")); // $ hasTaintFlow
sink(sourceErrs().getGlobalError()); // $hasTaintFlow
sink(sourceErrs().getGlobalErrors()); // $hasTaintFlow
sink(sourceErrs().getGlobalError()); // $ hasTaintFlow
sink(sourceErrs().getGlobalErrors()); // $ hasTaintFlow
Errors es1 = errors();
es1.reject((String)source());
sink(es1); // $hasTaintFlow
sink(es1); // $ hasTaintFlow
Errors es2 = errors();
es2.reject((String)source(), null, "");
sink(es2); // $hasTaintFlow
sink(es2); // $ hasTaintFlow
Errors es3 = errors();
es3.reject((String)source(), null, "");
sink(es3); // $hasTaintFlow
sink(es3); // $ hasTaintFlow
{
Errors es4 = errors();
Object[] in = { (String)source() };
es4.reject("", in, "");
sink(in); // $hasTaintFlow
sink(in); // $ hasTaintFlow
}
{
Errors es5 = errors();
es5.reject("", null, (String)source());
sink(es5); // $hasTaintFlow
sink(es5); // $ hasTaintFlow
}
Errors es6 = errors();
es6.reject((String)source(), "");
sink(es6); // $hasTaintFlow
sink(es6); // $ hasTaintFlow
Errors es7 = errors();
es7.reject("", (String)source());
sink(es7); // $hasTaintFlow
sink(es7); // $ hasTaintFlow
Errors es8 = errors();
es8.rejectValue("", (String)source(), null, "");
sink(es8); // $hasTaintFlow
sink(es8); // $ hasTaintFlow
Errors es9 = errors();
Object[] in = {source()};
es9.rejectValue("", "", in, "");
sink(es9); // $hasTaintFlow
sink(es9); // $ hasTaintFlow
Errors es10 = errors();
es10.rejectValue("", "", null, (String)source());
sink(es10); // $hasTaintFlow
sink(es10); // $ hasTaintFlow
Errors es11 = errors();
es11.rejectValue("", (String)source(), "");
sink(es11); // $hasTaintFlow
sink(es11); // $ hasTaintFlow
Errors es12 = errors();
es12.rejectValue("", "", (String)source());
sink(es12); // $hasTaintFlow
sink(es12); // $ hasTaintFlow
}
}

26
java/ql/test/library-tests/frameworks/spring/webmultipart/Test.java
View File

@@ -30,84 +30,84 @@ public class Test {
byte[] out = null;
MultipartFile in = (MultipartFile)source();
out = in.getBytes();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getInputStream;;;Argument[this];ReturnValue;taint;manual"
InputStream out = null;
MultipartFile in = (MultipartFile)source();
out = in.getInputStream();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getName;;;Argument[this];ReturnValue;taint;manual"
String out = null;
MultipartFile in = (MultipartFile)source();
out = in.getName();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;;;Argument[this];ReturnValue;taint;manual"
String out = null;
MultipartFile in = (MultipartFile)source();
out = in.getOriginalFilename();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getResource;;;Argument[this];ReturnValue;taint;manual"
Resource out = null;
MultipartFile in = (MultipartFile)source();
out = in.getResource();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartHttpServletRequest;true;getMultipartHeaders;;;Argument[this];ReturnValue;taint;manual"
HttpHeaders out = null;
MultipartHttpServletRequest in = (MultipartHttpServletRequest)source();
out = in.getMultipartHeaders(null);
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartHttpServletRequest;true;getRequestHeaders;;;Argument[this];ReturnValue;taint;manual"
HttpHeaders out = null;
MultipartHttpServletRequest in = (MultipartHttpServletRequest)source();
out = in.getRequestHeaders();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFile;;;Argument[this];ReturnValue;taint;manual"
MultipartFile out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFile(null);
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFileMap;;;Argument[this];MapValue of ReturnValue;taint;manual"
Map out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFileMap();
sink(getMapValue(out)); // $hasTaintFlow
sink(getMapValue(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFileNames;;;Argument[this];Element of ReturnValue;taint;manual"
Iterator out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFileNames();
sink(getElement(out)); // $hasTaintFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFiles;;;Argument[this];Element of ReturnValue;taint;manual"
List out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFiles(null);
sink(getElement(out)); // $hasTaintFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;;;Argument[this];MapValue of ReturnValue;taint;manual"
MultiValueMap out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getMultiFileMap();
sink(getMapValue(out)); // $hasTaintFlow
sink(getMapValue(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartResolver;true;resolveMultipart;;;Argument[0];ReturnValue;taint;manual"
@@ -115,7 +115,7 @@ public class Test {
HttpServletRequest in = (HttpServletRequest)source();
MultipartResolver instance = null;
out = instance.resolveMultipart(in);
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
}

46
java/ql/test/library-tests/frameworks/spring/websocket/Test.java
View File

@@ -14,51 +14,51 @@ public class Test {
public class A extends TextWebSocketHandler {
@Override
public void handleMessage(WebSocketSession s, WebSocketMessage<?> m) {
sink(s); // $hasTaintFlow
sink(s.getAcceptedProtocol()); // $hasTaintFlow
sink(s.getHandshakeHeaders()); // $hasTaintFlow
sink(s.getPrincipal()); // $hasTaintFlow
sink(s.getUri()); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(s.getAcceptedProtocol()); // $ hasTaintFlow
sink(s.getHandshakeHeaders()); // $ hasTaintFlow
sink(s.getPrincipal()); // $ hasTaintFlow
sink(s.getUri()); // $ hasTaintFlow
sink(m); // $hasTaintFlow
sink(m.getPayload()); // $hasTaintFlow
sink(m); // $ hasTaintFlow
sink(m.getPayload()); // $ hasTaintFlow
}
@Override
@Override
protected void handleTextMessage(WebSocketSession s, TextMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(m.asBytes()); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(m); // $ hasTaintFlow
sink(m.asBytes()); // $ hasTaintFlow
}
@Override
@Override
protected void handleBinaryMessage(WebSocketSession s, BinaryMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(m); // $ hasTaintFlow
}
@Override
protected void handlePongMessage(WebSocketSession s, PongMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(m); // $ hasTaintFlow
}
@Override
public void afterConnectionEstablished(WebSocketSession s) {
sink(s); // $hasTaintFlow
sink(s); // $ hasTaintFlow
}
@Override
@Override
public void afterConnectionClosed(WebSocketSession s, CloseStatus c) {
sink(s); // $hasTaintFlow
sink(s); // $ hasTaintFlow
}
@Override
public void handleTransportError(WebSocketSession s, Throwable exc) {
sink(s); // $hasTaintFlow
@Override
public void handleTransportError(WebSocketSession s, Throwable exc) {
sink(s); // $ hasTaintFlow
}
}
}
}

662
java/ql/test/library-tests/frameworks/spring/webutil/Test.java
View File

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More