Merge branch 'main' into am0o0-java-PathInjection

java/ql/test/TestUtilities/PrettyPrintModels.ql

@@ -0,0 +1,18 @@
+/**
+ * @kind test-postprocess
+ */
+
+import codeql.dataflow.test.ProvenancePathGraph
+import semmle.code.java.dataflow.ExternalFlow
+
+external predicate queryResults(string relation, int row, int column, string data);
+
+external predicate queryRelations(string relation);
+
+query predicate resultRelations(string relation) { queryRelations(relation) }
+
+module Res = TranslateProvenanceResults<interpretModelForTest/2, queryResults/4>;
+
+from string relation, int row, int column, string data
+where Res::results(relation, row, column, data)
+select relation, row, column, data

java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected

@@ -1,13 +1,26 @@
+#select
+| FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value |
+| FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
+| FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
+| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
+| FilePathInjection.java:210:23:210:26 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:210:23:210:26 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
 edges
-| FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | provenance | Src:MaD:1972  Sink:MaD:42535 |
-| FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | provenance | Src:MaD:1972 AdditionalValueStep Sink:MaD:42535 |
-| FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | provenance | Src:MaD:1972 AdditionalValueStep Sink:MaD:42535 |
-| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file | provenance |  Sink:MaD:42532 |
-| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String | provenance | Src:MaD:44663  |
-| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:210:23:210:26 | file | provenance |  Sink:MaD:42529 |
+| FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | provenance | Src:MaD:1  Sink:MaD:4 |
+| FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | provenance | Src:MaD:1 AdditionalValueStep Sink:MaD:4 |
+| FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | provenance | Src:MaD:1 AdditionalValueStep Sink:MaD:4 |
+| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file | provenance |  Sink:MaD:3 |
+| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String | provenance | Src:MaD:6  |
+| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:210:23:210:26 | file | provenance |  Sink:MaD:2 |
 | FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:217:19:217:22 | file : File | provenance |  |
-| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File | provenance | MaD:42591 |
+| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File | provenance | MaD:5 |
 | FilePathInjection.java:217:19:217:22 | file : File | FilePathInjection.java:177:50:177:58 | file : File | provenance |  |
+models
+| 1 | Source: com.jfinal.core; Controller; true; getPara; ; ; ReturnValue; remote; manual |
+| 2 | Sink: java.io; File; true; exists; (); ; Argument[this]; path-injection; manual |
+| 3 | Sink: java.io; FileInputStream; true; FileInputStream; (File); ; Argument[0]; path-injection; ai-manual |
+| 4 | Sink: java.io; FileOutputStream; false; FileOutputStream; ; ; Argument[0]; path-injection; manual |
+| 5 | Summary: java.io; File; false; File; ; ; Argument[0]; Argument[this]; taint; manual |
+| 6 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | FilePathInjection.java:21:21:21:34 | getPara(...) : String | semmle.label | getPara(...) : String |
 | FilePathInjection.java:26:47:26:59 | finalFilePath | semmle.label | finalFilePath |
@@ -23,9 +36,3 @@ nodes
 | FilePathInjection.java:210:23:210:26 | file | semmle.label | file |
 | FilePathInjection.java:217:19:217:22 | file : File | semmle.label | file : File |
 subpaths
-#select
-| FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value |
-| FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
-| FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
-| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
-| FilePathInjection.java:210:23:210:26 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:210:23:210:26 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-073/FilePathInjection.ql
+query: experimental/Security/CWE/CWE-073/FilePathInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.expected

@@ -1,20 +1,31 @@
+#select
+| RuntimeExecTest.java:22:43:22:73 | new String[] | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:22:43:22:73 | new String[] | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:22:56:22:64 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
+| RuntimeExecTest.java:26:43:26:55 | commandArray1 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:26:43:26:55 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:25:55:25:63 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
+| RuntimeExecTest.java:32:43:32:55 | commandArray2 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:32:43:32:55 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:30:36:30:44 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
+| RuntimeExecTest.java:36:21:39:44 | toArray(...) | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:37:52:37:60 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
 edges
-| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:22:67:22:72 | script : String | provenance | Src:MaD:42685  |
-| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:25:66:25:71 | script : String | provenance | Src:MaD:42685  |
-| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:31:36:31:41 | script : String | provenance | Src:MaD:42685  |
-| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:38:52:38:57 | script : String | provenance | Src:MaD:42685  |
-| RuntimeExecTest.java:22:43:22:73 | {...} : String[] [[]] : String | RuntimeExecTest.java:22:43:22:73 | new String[] | provenance |  Sink:MaD:42664 |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:22:67:22:72 | script : String | provenance | Src:MaD:2  |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:25:66:25:71 | script : String | provenance | Src:MaD:2  |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:31:36:31:41 | script : String | provenance | Src:MaD:2  |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:38:52:38:57 | script : String | provenance | Src:MaD:2  |
+| RuntimeExecTest.java:22:43:22:73 | {...} : String[] [[]] : String | RuntimeExecTest.java:22:43:22:73 | new String[] | provenance |  Sink:MaD:1 |
 | RuntimeExecTest.java:22:67:22:72 | script : String | RuntimeExecTest.java:22:43:22:73 | {...} : String[] [[]] : String | provenance |  |
-| RuntimeExecTest.java:25:42:25:72 | {...} : String[] [[]] : String | RuntimeExecTest.java:26:43:26:55 | commandArray1 | provenance |  Sink:MaD:42664 |
+| RuntimeExecTest.java:25:42:25:72 | {...} : String[] [[]] : String | RuntimeExecTest.java:26:43:26:55 | commandArray1 | provenance |  Sink:MaD:1 |
 | RuntimeExecTest.java:25:66:25:71 | script : String | RuntimeExecTest.java:25:42:25:72 | {...} : String[] [[]] : String | provenance |  |
-| RuntimeExecTest.java:31:17:31:29 | commandArray2 [post update] : String[] [[]] : String | RuntimeExecTest.java:32:43:32:55 | commandArray2 | provenance |  Sink:MaD:42664 |
+| RuntimeExecTest.java:31:17:31:29 | commandArray2 [post update] : String[] [[]] : String | RuntimeExecTest.java:32:43:32:55 | commandArray2 | provenance |  Sink:MaD:1 |
 | RuntimeExecTest.java:31:36:31:41 | script : String | RuntimeExecTest.java:31:17:31:29 | commandArray2 [post update] : String[] [[]] : String | provenance |  |
-| RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String | provenance | MaD:44347 |
-| RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) | provenance |  Sink:MaD:42664 |
-| RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String | RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String | provenance | MaD:44282 |
-| RuntimeExecTest.java:38:39:38:58 | new String[] : String[] [[]] : String | RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String | provenance | MaD:43716 |
+| RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String | provenance | MaD:5 |
+| RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) | provenance |  Sink:MaD:1 |
+| RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String | RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String | provenance | MaD:4 |
+| RuntimeExecTest.java:38:39:38:58 | new String[] : String[] [[]] : String | RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String | provenance | MaD:3 |
 | RuntimeExecTest.java:38:39:38:58 | {...} : String[] [[]] : String | RuntimeExecTest.java:38:39:38:58 | new String[] : String[] [[]] : String | provenance |  |
 | RuntimeExecTest.java:38:52:38:57 | script : String | RuntimeExecTest.java:38:39:38:58 | {...} : String[] [[]] : String | provenance |  |
+models
+| 1 | Sink: java.lang; Runtime; true; exec; (String[]); ; Argument[0]; command-injection; ai-manual |
+| 2 | Source: java.lang; System; false; getenv; ; ; ReturnValue; environment; manual |
+| 3 | Summary: java.util; Arrays; false; stream; ; ; Argument[0].ArrayElement; ReturnValue.Element; value; manual |
+| 4 | Summary: java.util.stream; Stream; true; concat; (Stream,Stream); ; Argument[0..1].Element; ReturnValue.Element; value; manual |
+| 5 | Summary: java.util.stream; Stream; true; toArray; ; ; Argument[this].Element; ReturnValue.ArrayElement; value; manual |
 nodes
 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | semmle.label | getenv(...) : String |
 | RuntimeExecTest.java:22:43:22:73 | new String[] | semmle.label | new String[] |
@@ -34,8 +45,3 @@ nodes
 | RuntimeExecTest.java:38:39:38:58 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
 | RuntimeExecTest.java:38:52:38:57 | script : String | semmle.label | script : String |
 subpaths
-#select
-| RuntimeExecTest.java:22:43:22:73 | new String[] | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:22:43:22:73 | new String[] | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:22:56:22:64 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
-| RuntimeExecTest.java:26:43:26:55 | commandArray1 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:26:43:26:55 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:25:55:25:63 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
-| RuntimeExecTest.java:32:43:32:55 | commandArray2 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:32:43:32:55 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:30:36:30:44 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
-| RuntimeExecTest.java:36:21:39:44 | toArray(...) | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:37:52:37:60 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |

java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
+query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected

@@ -1,12 +1,15 @@
+#select
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | This command line depends on a $@. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | user-provided value |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | This command line depends on a $@. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | user-provided value |
 edges
-| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | provenance | Src:MaD:44663  Sink:MaD:1957 |
-| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | provenance | Src:MaD:44663  Sink:MaD:1957 |
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | provenance | Src:MaD:2  Sink:MaD:1 |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | provenance | Src:MaD:2  Sink:MaD:1 |
+models
+| 1 | Sink: com.jcraft.jsch; ChannelExec; true; setCommand; ; ; Argument[0]; command-injection; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | semmle.label | ... + ... |
 | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | semmle.label | ... + ... |
 subpaths
-#select
-| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | This command line depends on a $@. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | user-provided value |
-| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | This command line depends on a $@. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-078/ExecTainted.ql
+query: experimental/Security/CWE/CWE-078/ExecTainted.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.expected

@@ -1,3 +1,6 @@
+#select
+| MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MyBatis annotation SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:62:19:62:43 | name | this user input | SqlInjectionMapper.java:33:2:33:54 | Select | this SQL operation |
+| MybatisSqlInjectionService.java:55:32:55:35 | name | MybatisSqlInjection.java:67:46:67:70 | name : String | MybatisSqlInjectionService.java:55:32:55:35 | name | MyBatis annotation SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:67:46:67:70 | name | this user input | SqlInjectionMapper.java:36:2:36:72 | Select | this SQL operation |
 edges
 | MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjection.java:63:35:63:38 | name : String | provenance |  |
 | MybatisSqlInjection.java:63:35:63:38 | name : String | MybatisSqlInjectionService.java:48:19:48:29 | name : String | provenance |  |
@@ -11,11 +14,13 @@ edges
 | MybatisSqlInjection.java:110:40:110:43 | name : String | MybatisSqlInjectionService.java:88:32:88:42 | name : String | provenance |  |
 | MybatisSqlInjectionService.java:48:19:48:29 | name : String | MybatisSqlInjectionService.java:50:23:50:26 | name : String | provenance |  |
 | MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] : HashMap [<map.value>] : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap | provenance |  |
-| MybatisSqlInjectionService.java:50:23:50:26 | name : String | MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] : HashMap [<map.value>] : String | provenance | MaD:43892 |
+| MybatisSqlInjectionService.java:50:23:50:26 | name : String | MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] : HashMap [<map.value>] : String | provenance | MaD:1 |
 | MybatisSqlInjectionService.java:54:32:54:42 | name : String | MybatisSqlInjectionService.java:55:32:55:35 | name | provenance |  |
 | MybatisSqlInjectionService.java:80:20:80:30 | name : String | MybatisSqlInjectionService.java:81:28:81:31 | name | provenance |  |
 | MybatisSqlInjectionService.java:84:20:84:29 | age : String | MybatisSqlInjectionService.java:85:28:85:30 | age | provenance |  |
 | MybatisSqlInjectionService.java:88:32:88:42 | name : String | MybatisSqlInjectionService.java:89:32:89:35 | name | provenance |  |
+models
+| 1 | Summary: java.util; Map; true; put; (Object,Object); ; Argument[1]; Argument[this].MapValue; value; manual |
 nodes
 | MybatisSqlInjection.java:62:19:62:43 | name : String | semmle.label | name : String |
 | MybatisSqlInjection.java:63:35:63:38 | name : String | semmle.label | name : String |
@@ -40,6 +45,3 @@ nodes
 | MybatisSqlInjectionService.java:88:32:88:42 | name : String | semmle.label | name : String |
 | MybatisSqlInjectionService.java:89:32:89:35 | name | semmle.label | name |
 subpaths
-#select
-| MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MyBatis annotation SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:62:19:62:43 | name | this user input | SqlInjectionMapper.java:33:2:33:54 | Select | this SQL operation |
-| MybatisSqlInjectionService.java:55:32:55:35 | name | MybatisSqlInjection.java:67:46:67:70 | name : String | MybatisSqlInjectionService.java:55:32:55:35 | name | MyBatis annotation SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:67:46:67:70 | name | this user input | SqlInjectionMapper.java:36:2:36:72 | Select | this SQL operation |

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+query: experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+query: experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected

@@ -1,10 +1,16 @@
+#select
+| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShell injection from $@. | BeanShellInjection.java:13:17:13:44 | getParameter(...) | this user input |
+| BeanShellInjection.java:22:20:22:23 | code | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | BeanShell injection from $@. | BeanShellInjection.java:20:17:20:44 | getParameter(...) | this user input |
+| BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShell injection from $@. | BeanShellInjection.java:27:17:27:44 | getParameter(...) | this user input |
 edges
-| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:45:15:48 | code : String | provenance | Src:MaD:44663  |
+| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:45:15:48 | code : String | provenance | Src:MaD:1  |
 | BeanShellInjection.java:15:45:15:48 | code : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | provenance | Config |
-| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | provenance | Src:MaD:44663  |
-| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:29:32:29:35 | code : String | provenance | Src:MaD:44663  |
+| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | provenance | Src:MaD:1  |
+| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:29:32:29:35 | code : String | provenance | Src:MaD:1  |
 | BeanShellInjection.java:29:3:29:20 | staticScriptSource : StaticScriptSource | BeanShellInjection.java:31:22:31:39 | staticScriptSource | provenance |  |
 | BeanShellInjection.java:29:32:29:35 | code : String | BeanShellInjection.java:29:3:29:20 | staticScriptSource : StaticScriptSource | provenance | Config |
+models
+| 1 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | semmle.label | new StaticScriptSource(...) |
@@ -16,7 +22,3 @@ nodes
 | BeanShellInjection.java:29:32:29:35 | code : String | semmle.label | code : String |
 | BeanShellInjection.java:31:22:31:39 | staticScriptSource | semmle.label | staticScriptSource |
 subpaths
-#select
-| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShell injection from $@. | BeanShellInjection.java:13:17:13:44 | getParameter(...) | this user input |
-| BeanShellInjection.java:22:20:22:23 | code | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | BeanShell injection from $@. | BeanShellInjection.java:20:17:20:44 | getParameter(...) | this user input |
-| BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShell injection from $@. | BeanShellInjection.java:27:17:27:44 | getParameter(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+query: experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected

@@ -1,7 +1,11 @@
+#select
+| JShellInjection.java:15:15:15:19 | input | JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | JShell injection from $@. | JShellInjection.java:12:18:12:45 | getParameter(...) | this user input |
+| JShellInjection.java:24:31:24:35 | input | JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | JShell injection from $@. | JShellInjection.java:20:18:20:45 | getParameter(...) | this user input |
+| JShellInjection.java:37:16:37:28 | source(...) | JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) | JShell injection from $@. | JShellInjection.java:29:18:29:45 | getParameter(...) | this user input |
 edges
-| JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | provenance | Src:MaD:44663  |
-| JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | provenance | Src:MaD:44663  |
-| JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:33:37:33:41 | input : String | provenance | Src:MaD:44663  |
+| JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | provenance | Src:MaD:1  |
+| JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | provenance | Src:MaD:1  |
+| JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:33:37:33:41 | input : String | provenance | Src:MaD:1  |
 | JShellInjection.java:33:15:33:42 | analyzeCompletion(...) : CompletionInfo | JShellInjection.java:37:16:37:19 | info : CompletionInfo | provenance |  |
 | JShellInjection.java:33:37:33:41 | input : String | JShellInjection.java:33:15:33:42 | analyzeCompletion(...) : CompletionInfo | provenance | Config |
 | JShellInjection.java:35:12:35:50 | analyzeCompletion(...) : CompletionInfo | JShellInjection.java:37:16:37:19 | info : CompletionInfo | provenance |  |
@@ -9,6 +13,8 @@ edges
 | JShellInjection.java:35:34:35:49 | remaining(...) : String | JShellInjection.java:35:12:35:50 | analyzeCompletion(...) : CompletionInfo | provenance | Config |
 | JShellInjection.java:37:16:37:19 | info : CompletionInfo | JShellInjection.java:35:34:35:37 | info : CompletionInfo | provenance |  |
 | JShellInjection.java:37:16:37:19 | info : CompletionInfo | JShellInjection.java:37:16:37:28 | source(...) | provenance | Config |
+models
+| 1 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | JShellInjection.java:12:18:12:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JShellInjection.java:15:15:15:19 | input | semmle.label | input |
@@ -23,7 +29,3 @@ nodes
 | JShellInjection.java:37:16:37:19 | info : CompletionInfo | semmle.label | info : CompletionInfo |
 | JShellInjection.java:37:16:37:28 | source(...) | semmle.label | source(...) |
 subpaths
-#select
-| JShellInjection.java:15:15:15:19 | input | JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | JShell injection from $@. | JShellInjection.java:12:18:12:45 | getParameter(...) | this user input |
-| JShellInjection.java:24:31:24:35 | input | JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | JShell injection from $@. | JShellInjection.java:20:18:20:45 | getParameter(...) | this user input |
-| JShellInjection.java:37:16:37:28 | source(...) | JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) | JShell injection from $@. | JShellInjection.java:29:18:29:45 | getParameter(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-094/JShellInjection.ql
+query: experimental/Security/CWE/CWE-094/JShellInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected

@@ -1,8 +1,17 @@
+#select
+| JakartaExpressionInjection.java:34:28:34:37 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:34:28:34:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:42:32:42:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:42:32:42:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:61:32:61:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:61:32:61:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:69:43:69:52 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:69:43:69:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:79:13:79:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:79:13:79:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:89:13:89:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:89:13:89:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:99:13:99:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:99:13:99:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
 edges
-| JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | provenance | Src:MaD:42917 MaD:42607 |
+| JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | provenance | Src:MaD:3 MaD:1 |
 | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | provenance |  |
 | JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | JakartaExpressionInjection.java:25:31:25:40 | expression : String | provenance |  |
-| JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | provenance | MaD:42726 |
+| JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | provenance | MaD:2 |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:32:24:32:33 | expression : String | provenance |  |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:40:24:40:33 | expression : String | provenance |  |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:48:24:48:33 | expression : String | provenance |  |
@@ -29,6 +38,10 @@ edges
 | JakartaExpressionInjection.java:95:24:95:33 | expression : String | JakartaExpressionInjection.java:98:74:98:83 | expression : String | provenance |  |
 | JakartaExpressionInjection.java:98:34:98:112 | createMethodExpression(...) : MethodExpression | JakartaExpressionInjection.java:99:13:99:13 | e | provenance |  |
 | JakartaExpressionInjection.java:98:74:98:83 | expression : String | JakartaExpressionInjection.java:98:34:98:112 | createMethodExpression(...) : MethodExpression | provenance | Config |
+models
+| 1 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual |
+| 2 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
+| 3 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
 nodes
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
@@ -62,12 +75,3 @@ nodes
 | JakartaExpressionInjection.java:98:74:98:83 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:99:13:99:13 | e | semmle.label | e |
 subpaths
-#select
-| JakartaExpressionInjection.java:34:28:34:37 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:34:28:34:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:42:32:42:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:42:32:42:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:61:32:61:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:61:32:61:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:69:43:69:52 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:69:43:69:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:79:13:79:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:79:13:79:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:89:13:89:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:89:13:89:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:99:13:99:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:99:13:99:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+query: experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected

@@ -1,9 +1,18 @@
+#select
+| JythonInjection.java:36:13:36:34 | exec(...) | JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code | Jython evaluate $@. | JythonInjection.java:28:23:28:50 | getParameter(...) | user input |
+| JythonInjection.java:58:27:58:48 | eval(...) | JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code | Jython evaluate $@. | JythonInjection.java:53:23:53:50 | getParameter(...) | user input |
+| JythonInjection.java:81:13:81:39 | runsource(...) | JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code | Jython evaluate $@. | JythonInjection.java:73:23:73:50 | getParameter(...) | user input |
+| JythonInjection.java:106:29:106:134 | makeCode(...) | JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:75 | getBytes(...) | Jython evaluate $@. | JythonInjection.java:97:23:97:50 | getParameter(...) | user input |
+| JythonInjection.java:131:29:131:109 | compile(...) | JythonInjection.java:131:40:131:63 | getInputStream(...) | JythonInjection.java:131:40:131:63 | getInputStream(...) | Jython evaluate $@. | JythonInjection.java:131:40:131:63 | getInputStream(...) | user input |
 edges
-| JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code | provenance | Src:MaD:44663  |
-| JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code | provenance | Src:MaD:44663  |
-| JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code | provenance | Src:MaD:44663  |
-| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:64 | code : String | provenance | Src:MaD:44663  |
-| JythonInjection.java:106:61:106:64 | code : String | JythonInjection.java:106:61:106:75 | getBytes(...) | provenance | MaD:42737 |
+| JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code | provenance | Src:MaD:2  |
+| JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code | provenance | Src:MaD:2  |
+| JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code | provenance | Src:MaD:2  |
+| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:64 | code : String | provenance | Src:MaD:2  |
+| JythonInjection.java:106:61:106:64 | code : String | JythonInjection.java:106:61:106:75 | getBytes(...) | provenance | MaD:1 |
+models
+| 1 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | JythonInjection.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JythonInjection.java:36:30:36:33 | code | semmle.label | code |
@@ -16,9 +25,3 @@ nodes
 | JythonInjection.java:106:61:106:75 | getBytes(...) | semmle.label | getBytes(...) |
 | JythonInjection.java:131:40:131:63 | getInputStream(...) | semmle.label | getInputStream(...) |
 subpaths
-#select
-| JythonInjection.java:36:13:36:34 | exec(...) | JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code | Jython evaluate $@. | JythonInjection.java:28:23:28:50 | getParameter(...) | user input |
-| JythonInjection.java:58:27:58:48 | eval(...) | JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code | Jython evaluate $@. | JythonInjection.java:53:23:53:50 | getParameter(...) | user input |
-| JythonInjection.java:81:13:81:39 | runsource(...) | JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code | Jython evaluate $@. | JythonInjection.java:73:23:73:50 | getParameter(...) | user input |
-| JythonInjection.java:106:29:106:134 | makeCode(...) | JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:75 | getBytes(...) | Jython evaluate $@. | JythonInjection.java:97:23:97:50 | getParameter(...) | user input |
-| JythonInjection.java:131:29:131:109 | compile(...) | JythonInjection.java:131:40:131:63 | getInputStream(...) | JythonInjection.java:131:40:131:63 | getInputStream(...) | Jython evaluate $@. | JythonInjection.java:131:40:131:63 | getInputStream(...) | user input |

java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-094/JythonInjection.ql
+query: experimental/Security/CWE/CWE-094/JythonInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected

@@ -1,26 +1,39 @@
+#select
+| RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
+| RhinoServlet.java:83:25:83:97 | compileToClassFiles(...) | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:81:23:81:50 | getParameter(...) | user input |
+| RhinoServlet.java:89:23:89:89 | defineClass(...) | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:88:23:88:50 | getParameter(...) | user input |
+| ScriptEngineTest.java:24:19:24:42 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:24:37:24:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:31:19:31:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:31:31:31:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:39:19:39:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:39:31:39:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:46:19:46:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:46:31:46:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:52:27:52:47 | compile(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:52:42:52:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:59:20:59:56 | getProgram(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:59:51:59:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
 edges
-| RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | provenance | Src:MaD:44663  |
-| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | provenance | Src:MaD:44663  |
-| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:77 | code : String | provenance | Src:MaD:44663  |
-| RhinoServlet.java:89:74:89:77 | code : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | provenance | MaD:42737 |
+| RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | provenance | Src:MaD:2  |
+| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | provenance | Src:MaD:2  |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:77 | code : String | provenance | Src:MaD:2  |
+| RhinoServlet.java:89:74:89:77 | code : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | provenance | MaD:1 |
 | ScriptEngineTest.java:20:44:20:55 | input : String | ScriptEngineTest.java:24:37:24:41 | input | provenance |  |
 | ScriptEngineTest.java:27:51:27:62 | input : String | ScriptEngineTest.java:31:31:31:35 | input | provenance |  |
 | ScriptEngineTest.java:35:58:35:69 | input : String | ScriptEngineTest.java:39:31:39:35 | input | provenance |  |
 | ScriptEngineTest.java:42:46:42:57 | input : String | ScriptEngineTest.java:46:31:46:35 | input | provenance |  |
 | ScriptEngineTest.java:49:41:49:52 | input : String | ScriptEngineTest.java:52:42:52:46 | input | provenance |  |
 | ScriptEngineTest.java:56:41:56:52 | input : String | ScriptEngineTest.java:59:51:59:55 | input | provenance |  |
-| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:93:57:93:60 | code : String | provenance | Src:MaD:44663  |
-| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:94:64:94:67 | code : String | provenance | Src:MaD:44663  |
-| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:95:71:95:74 | code : String | provenance | Src:MaD:44663  |
-| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:96:59:96:62 | code : String | provenance | Src:MaD:44663  |
-| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:97:54:97:57 | code : String | provenance | Src:MaD:44663  |
-| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:98:54:98:57 | code : String | provenance | Src:MaD:44663  |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:93:57:93:60 | code : String | provenance | Src:MaD:2  |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:94:64:94:67 | code : String | provenance | Src:MaD:2  |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:95:71:95:74 | code : String | provenance | Src:MaD:2  |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:96:59:96:62 | code : String | provenance | Src:MaD:2  |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:97:54:97:57 | code : String | provenance | Src:MaD:2  |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:98:54:98:57 | code : String | provenance | Src:MaD:2  |
 | ScriptEngineTest.java:93:57:93:60 | code : String | ScriptEngineTest.java:20:44:20:55 | input : String | provenance |  |
 | ScriptEngineTest.java:94:64:94:67 | code : String | ScriptEngineTest.java:27:51:27:62 | input : String | provenance |  |
 | ScriptEngineTest.java:95:71:95:74 | code : String | ScriptEngineTest.java:35:58:35:69 | input : String | provenance |  |
 | ScriptEngineTest.java:96:59:96:62 | code : String | ScriptEngineTest.java:42:46:42:57 | input : String | provenance |  |
 | ScriptEngineTest.java:97:54:97:57 | code : String | ScriptEngineTest.java:49:41:49:52 | input : String | provenance |  |
 | ScriptEngineTest.java:98:54:98:57 | code : String | ScriptEngineTest.java:56:41:56:52 | input : String | provenance |  |
+models
+| 1 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RhinoServlet.java:32:55:32:58 | code | semmle.label | code |
@@ -49,13 +62,3 @@ nodes
 | ScriptEngineTest.java:97:54:97:57 | code : String | semmle.label | code : String |
 | ScriptEngineTest.java:98:54:98:57 | code : String | semmle.label | code : String |
 subpaths
-#select
-| RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
-| RhinoServlet.java:83:25:83:97 | compileToClassFiles(...) | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:81:23:81:50 | getParameter(...) | user input |
-| RhinoServlet.java:89:23:89:89 | defineClass(...) | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:88:23:88:50 | getParameter(...) | user input |
-| ScriptEngineTest.java:24:19:24:42 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:24:37:24:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
-| ScriptEngineTest.java:31:19:31:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:31:31:31:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
-| ScriptEngineTest.java:39:19:39:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:39:31:39:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
-| ScriptEngineTest.java:46:19:46:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:46:31:46:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
-| ScriptEngineTest.java:52:27:52:47 | compile(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:52:42:52:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
-| ScriptEngineTest.java:59:20:59:56 | getProgram(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:59:51:59:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |

java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-094/ScriptInjection.ql
+query: experimental/Security/CWE/CWE-094/ScriptInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected

@@ -1,25 +1,43 @@
+#select
+| SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |
 edges
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | provenance |  |
-| SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | provenance |  Sink:MaD:44654 |
+| SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | provenance |  Sink:MaD:1 |
 | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | provenance | Config |
-| SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | provenance | MaD:44660 |
-| SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | provenance |  Sink:MaD:44655 |
-| SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | provenance |  Sink:MaD:44655 |
-| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | provenance | MaD:44702 Sink:MaD:44657 |
-| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | provenance | MaD:44740 |
+| SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | provenance | MaD:4 |
+| SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | provenance |  Sink:MaD:2 |
+| SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | provenance |  Sink:MaD:2 |
+| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | provenance | MaD:5 Sink:MaD:3 |
+| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | provenance | MaD:6 |
 | SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | provenance |  |
-| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | provenance | MaD:44740 |
-| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | provenance | MaD:44702 |
-| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | provenance |  Sink:MaD:44657 |
-| SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | provenance |  Sink:MaD:44655 |
-| SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | provenance |  Sink:MaD:44655 |
-| SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | provenance |  Sink:MaD:44655 |
+| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | provenance | MaD:6 |
+| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | provenance | MaD:5 |
+| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | provenance |  Sink:MaD:3 |
+| SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | provenance |  Sink:MaD:2 |
+| SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | provenance |  Sink:MaD:2 |
+| SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | provenance |  Sink:MaD:2 |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | provenance |  |
 | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | provenance |  |
 | SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | provenance | Config |
-| SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | provenance | MaD:44660 |
+| SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | provenance | MaD:4 |
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | provenance |  |
-| SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | provenance |  Sink:MaD:44654 |
+| SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | provenance |  Sink:MaD:1 |
+models
+| 1 | Sink: javax.servlet.http; HttpServletResponse; false; addCookie; ; ; Argument[0]; response-splitting; manual |
+| 2 | Sink: javax.servlet.http; HttpServletResponse; false; addHeader; ; ; Argument[0..1]; response-splitting; manual |
+| 3 | Sink: javax.servlet.http; HttpServletResponse; false; setHeader; ; ; Argument[0..1]; response-splitting; manual |
+| 4 | Summary: javax.servlet.http; Cookie; false; Cookie; ; ; Argument[0]; Argument[this]; taint; manual |
+| 5 | Summary: javax.ws.rs.core; Cookie; true; toString; ; ; Argument[this]; ReturnValue; taint; manual |
+| 6 | Summary: javax.ws.rs.core; NewCookie; false; NewCookie; ; ; Argument[0..9]; Argument[this]; taint; manual |
 nodes
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
 | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
@@ -47,14 +65,3 @@ nodes
 | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | semmle.label | cookie |
 subpaths
-#select
-| SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+query: experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected

@@ -1,5 +1,12 @@
+#select
+| InsecureWebResourceResponse.java:68:71:68:81 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
+| InsecureWebResourceResponse.java:91:75:91:85 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
+| InsecureWebResourceResponse.java:117:75:117:85 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
+| InsecureWebResourceResponse.java:199:75:199:85 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
+| InsecureWebResourceResponse.java:237:63:237:73 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
+| InsecureWebViewActivity.java:58:71:58:81 | inputStream | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:58:71:58:81 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) | this user input |
 edges
-| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | provenance | MaD:330 |
+| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | provenance | MaD:1 |
 | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | provenance |  |
 | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | provenance |  |
 | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | provenance |  |
@@ -19,10 +26,10 @@ edges
 | InsecureWebResourceResponse.java:59:34:59:43 | url : String | InsecureWebResourceResponse.java:75:20:75:22 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:63:77:63:86 | url : String | InsecureWebResourceResponse.java:65:41:65:43 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | provenance |  |
-| InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | provenance | MaD:514 |
+| InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | provenance | MaD:4 |
 | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | provenance |  |
-| InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | provenance | MaD:504 |
-| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:1981 |
+| InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | provenance | MaD:3 |
+| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -31,12 +38,12 @@ edges
 | InsecureWebResourceResponse.java:80:34:80:43 | url : String | InsecureWebResourceResponse.java:101:20:101:22 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:84:77:84:86 | url : String | InsecureWebResourceResponse.java:86:41:86:43 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | provenance |  |
-| InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | provenance | MaD:514 |
+| InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | provenance | MaD:4 |
 | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | provenance |  |
-| InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | provenance | MaD:503 |
-| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | provenance | MaD:42592 |
+| InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | provenance | MaD:2 |
+| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | provenance | MaD:7 |
 | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | provenance |  |
-| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:1981 |
+| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -45,13 +52,13 @@ edges
 | InsecureWebResourceResponse.java:106:34:106:43 | url : String | InsecureWebResourceResponse.java:127:20:127:22 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:110:77:110:86 | url : String | InsecureWebResourceResponse.java:112:41:112:43 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | provenance |  |
-| InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | provenance | MaD:514 |
-| InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | provenance | MaD:504 |
-| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | provenance | MaD:42755 |
+| InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | provenance | MaD:4 |
+| InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | provenance | MaD:3 |
+| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | provenance | MaD:8 |
 | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | InsecureWebResourceResponse.java:115:75:115:78 | path : String | provenance |  |
 | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | provenance |  |
-| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | provenance | MaD:42755 |
-| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | provenance | MaD:1981 |
+| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | provenance | MaD:8 |
+| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -77,13 +84,13 @@ edges
 | InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:188:34:188:43 | url : String | InsecureWebResourceResponse.java:209:20:209:22 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | provenance |  |
-| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | provenance | MaD:1950 |
+| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | provenance | MaD:5 |
 | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | provenance |  |
 | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | provenance |  |
-| InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | provenance | MaD:503 |
-| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | provenance | MaD:42592 |
+| InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | provenance | MaD:2 |
+| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | provenance | MaD:7 |
 | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | provenance |  |
-| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:1981 |
+| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -97,21 +104,30 @@ edges
 | InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:232:69:232:78 | url : String | InsecureWebResourceResponse.java:234:33:234:35 | url : String | provenance |  |
 | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | provenance |  |
-| InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | provenance | MaD:514 |
+| InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | provenance | MaD:4 |
 | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | provenance |  |
-| InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | provenance | MaD:504 |
-| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | provenance | MaD:1981 |
-| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | provenance | MaD:330 |
+| InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | provenance | MaD:3 |
+| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
+| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | provenance | MaD:1 |
 | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | provenance |  |
 | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | InsecureWebViewActivity.java:42:28:42:37 | url : String | provenance |  |
 | InsecureWebViewActivity.java:42:28:42:37 | url : String | InsecureWebViewActivity.java:43:25:43:27 | url : String | provenance |  |
 | InsecureWebViewActivity.java:43:25:43:27 | url : String | InsecureWebViewActivity.java:53:77:53:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebViewActivity.java:53:77:53:86 | url : String | InsecureWebViewActivity.java:55:41:55:43 | url : String | provenance |  |
 | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | provenance |  |
-| InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | provenance | MaD:514 |
+| InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | provenance | MaD:4 |
 | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | InsecureWebViewActivity.java:58:71:58:81 | inputStream | provenance |  |
-| InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | provenance | MaD:504 |
-| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:1981 |
+| InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | provenance | MaD:3 |
+| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
+models
+| 1 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
+| 2 | Summary: android.net; Uri; true; getLastPathSegment; ; ; Argument[this]; ReturnValue; taint; manual |
+| 3 | Summary: android.net; Uri; true; getPath; ; ; Argument[this]; ReturnValue; taint; manual |
+| 4 | Summary: android.net; Uri; false; parse; ; ; Argument[0]; ReturnValue; taint; manual |
+| 5 | Summary: android.webkit; WebResourceRequest; false; getUrl; ; ; Argument[this]; ReturnValue; taint; manual |
+| 6 | Summary: java.io; FileInputStream; true; FileInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
+| 7 | Summary: java.io; File; false; File; ; ; Argument[1]; Argument[this]; taint; manual |
+| 8 | Summary: java.lang; String; false; substring; ; ; Argument[this]; ReturnValue; taint; manual |
 nodes
 | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
 | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
@@ -194,10 +210,3 @@ nodes
 | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | semmle.label | getPath(...) : String |
 | InsecureWebViewActivity.java:58:71:58:81 | inputStream | semmle.label | inputStream |
 subpaths
-#select
-| InsecureWebResourceResponse.java:68:71:68:81 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
-| InsecureWebResourceResponse.java:91:75:91:85 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
-| InsecureWebResourceResponse.java:117:75:117:85 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
-| InsecureWebResourceResponse.java:199:75:199:85 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
-| InsecureWebResourceResponse.java:237:63:237:73 | inputStream | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) | this user input |
-| InsecureWebViewActivity.java:58:71:58:81 | inputStream | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:58:71:58:81 | inputStream | Leaking arbitrary content in Android from $@. | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+query: experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected

@@ -1,6 +1,10 @@
+#select
+| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input |
+| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:16:26:16:31 | intent | this user input |
+| LeakFileActivity.java:21:58:21:82 | getPath(...) | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:21:58:21:82 | getPath(...) | Leaking arbitrary Android file from $@. | LeakFileActivity.java:14:35:14:38 | data | this user input |
 edges
 | FileService.java:20:31:20:43 | intent : Intent | FileService.java:21:28:21:33 | intent : Intent | provenance |  |
-| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String | provenance | MaD:330 |
+| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String | provenance | MaD:2 |
 | FileService.java:21:28:21:64 | getStringExtra(...) : String | FileService.java:25:42:25:50 | localPath : String | provenance |  |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] | provenance | Config |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | provenance |  |
@@ -10,15 +14,21 @@ edges
 | FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | provenance |  |
 | FileService.java:35:17:35:25 | sourceUri : String | FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | provenance |  |
 | FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : String[] | provenance |  |
-| FileService.java:44:33:44:52 | (...)... : String[] | FileService.java:45:53:45:59 | ...[...] | provenance |  Sink:MaD:42535 |
+| FileService.java:44:33:44:52 | (...)... : String[] | FileService.java:45:53:45:59 | ...[...] | provenance |  Sink:MaD:4 |
 | LeakFileActivity2.java:15:13:15:18 | intent : Intent | LeakFileActivity2.java:16:26:16:31 | intent : Intent | provenance |  |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent | provenance |  |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent | provenance | Config |
 | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | provenance |  |
 | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | provenance |  |
-| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | provenance | MaD:317 |
+| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | provenance | MaD:1 |
 | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | provenance |  |
-| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) | provenance | MaD:504 Sink:MaD:42571 |
+| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) | provenance | MaD:3 Sink:MaD:5 |
+models
+| 1 | Summary: android.content; Intent; true; getData; ; ; Argument[this].SyntheticField[android.content.Intent.data]; ReturnValue; value; manual |
+| 2 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
+| 3 | Summary: android.net; Uri; true; getPath; ; ; Argument[this]; ReturnValue; taint; manual |
+| 4 | Sink: java.io; FileOutputStream; false; FileOutputStream; ; ; Argument[0]; path-injection; manual |
+| 5 | Sink: java.io; RandomAccessFile; false; RandomAccessFile; ; ; Argument[0]; path-injection; manual |
 nodes
 | FileService.java:20:31:20:43 | intent : Intent | semmle.label | intent : Intent |
 | FileService.java:21:28:21:33 | intent : Intent | semmle.label | intent : Intent |
@@ -43,7 +53,3 @@ nodes
 | LeakFileActivity.java:21:58:21:82 | getPath(...) | semmle.label | getPath(...) |
 subpaths
 | FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String |
-#select
-| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input |
-| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:16:26:16:31 | intent | this user input |
-| LeakFileActivity.java:21:58:21:82 | getPath(...) | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:21:58:21:82 | getPath(...) | Leaking arbitrary Android file from $@. | LeakFileActivity.java:14:35:14:38 | data | this user input |

java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+query: experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+query: experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.expected

@@ -1,3 +1,13 @@
+#select
+| Test.java:23:47:23:55 | actualMac | Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac | Timing attack against $@ validation. | Test.java:21:32:21:48 | doFinal(...) : byte[] | MAC |
+| Test.java:36:47:36:55 | actualMac | Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac | Timing attack against $@ validation. | Test.java:34:25:34:33 | actualMac : byte[] | MAC |
+| Test.java:61:44:61:52 | signature | Test.java:59:32:59:44 | sign(...) : byte[] | Test.java:61:44:61:52 | signature | Timing attack against $@ validation. | Test.java:59:32:59:44 | sign(...) : byte[] | signature |
+| Test.java:75:44:75:52 | signature | Test.java:73:25:73:33 | signature : byte[] | Test.java:75:44:75:52 | signature | Timing attack against $@ validation. | Test.java:73:25:73:33 | signature : byte[] | signature |
+| Test.java:101:49:101:51 | tag | Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag | Timing attack against $@ validation. | Test.java:99:26:99:45 | doFinal(...) : byte[] | ciphertext |
+| Test.java:118:44:118:46 | tag | Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag | Timing attack against $@ validation. | Test.java:116:28:116:30 | tag : byte[] | ciphertext |
+| Test.java:136:44:136:54 | array(...) | Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) | Timing attack against $@ validation. | Test.java:134:56:134:58 | tag : ByteBuffer | ciphertext |
+| Test.java:150:53:150:55 | tag | Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag | Timing attack against $@ validation. | Test.java:148:56:148:58 | tag : ByteBuffer | ciphertext |
+| Test.java:176:44:176:46 | tag | Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag | Timing attack against $@ validation. | Test.java:174:26:174:50 | doFinal(...) : byte[] | ciphertext |
 edges
 | Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac | provenance |  |
 | Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac | provenance |  |
@@ -6,10 +16,12 @@ edges
 | Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag | provenance |  |
 | Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag | provenance |  |
 | Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:46 | tag : ByteBuffer | provenance |  |
-| Test.java:136:44:136:46 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) | provenance | MaD:43104 |
+| Test.java:136:44:136:46 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) | provenance | MaD:1 |
 | Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag | provenance |  |
 | Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag | provenance |  |
 | Test.java:201:34:201:50 | doFinal(...) : byte[] | Test.java:204:26:204:36 | computedTag | provenance |  |
+models
+| 1 | Summary: java.nio; ByteBuffer; false; array; (); ; Argument[this]; ReturnValue; taint; manual |
 nodes
 | Test.java:21:32:21:48 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
 | Test.java:23:47:23:55 | actualMac | semmle.label | actualMac |
@@ -33,13 +45,3 @@ nodes
 | Test.java:201:34:201:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
 | Test.java:204:26:204:36 | computedTag | semmle.label | computedTag |
 subpaths
-#select
-| Test.java:23:47:23:55 | actualMac | Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac | Timing attack against $@ validation. | Test.java:21:32:21:48 | doFinal(...) : byte[] | MAC |
-| Test.java:36:47:36:55 | actualMac | Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac | Timing attack against $@ validation. | Test.java:34:25:34:33 | actualMac : byte[] | MAC |
-| Test.java:61:44:61:52 | signature | Test.java:59:32:59:44 | sign(...) : byte[] | Test.java:61:44:61:52 | signature | Timing attack against $@ validation. | Test.java:59:32:59:44 | sign(...) : byte[] | signature |
-| Test.java:75:44:75:52 | signature | Test.java:73:25:73:33 | signature : byte[] | Test.java:75:44:75:52 | signature | Timing attack against $@ validation. | Test.java:73:25:73:33 | signature : byte[] | signature |
-| Test.java:101:49:101:51 | tag | Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag | Timing attack against $@ validation. | Test.java:99:26:99:45 | doFinal(...) : byte[] | ciphertext |
-| Test.java:118:44:118:46 | tag | Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag | Timing attack against $@ validation. | Test.java:116:28:116:30 | tag : byte[] | ciphertext |
-| Test.java:136:44:136:54 | array(...) | Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) | Timing attack against $@ validation. | Test.java:134:56:134:58 | tag : ByteBuffer | ciphertext |
-| Test.java:150:53:150:55 | tag | Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag | Timing attack against $@ validation. | Test.java:148:56:148:58 | tag : ByteBuffer | ciphertext |
-| Test.java:176:44:176:46 | tag | Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag | Timing attack against $@ validation. | Test.java:174:26:174:50 | doFinal(...) : byte[] | ciphertext |

java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+query: experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+query: experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
+query: experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.expected

@@ -1,8 +1,11 @@
+#select
+| UnvalidatedCors.java:27:67:27:69 | url | UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url | CORS header is being set using user controlled value $@. | UnvalidatedCors.java:21:22:21:48 | getHeader(...) | user-provided value |
 edges
-| UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url | provenance | Src:MaD:44641  Sink:MaD:44655 |
+| UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url | provenance | Src:MaD:1  Sink:MaD:2 |
+models
+| 1 | Source: javax.servlet.http; HttpServletRequest; false; getHeader; (String); ; ReturnValue; remote; manual |
+| 2 | Sink: javax.servlet.http; HttpServletResponse; false; addHeader; ; ; Argument[0..1]; response-splitting; manual |
 nodes
 | UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | semmle.label | getHeader(...) : String |
 | UnvalidatedCors.java:27:67:27:69 | url | semmle.label | url |
 subpaths
-#select
-| UnvalidatedCors.java:27:67:27:69 | url | UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url | CORS header is being set using user controlled value $@. | UnvalidatedCors.java:21:22:21:48 | getHeader(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+query: experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected

@@ -1,11 +1,17 @@
+#select
+| ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
+| ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
 edges
 | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | provenance |  |
 | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | provenance |  |
-| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:23 | xfHeader : String | provenance | Src:MaD:44641  |
-| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:23 | xfHeader : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | provenance | MaD:42750 |
+| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:23 | xfHeader : String | provenance | Src:MaD:2  |
+| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:23 | xfHeader : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | provenance | MaD:1 |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | provenance |  |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | provenance |  |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | provenance |  |
+models
+| 1 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual |
+| 2 | Source: javax.servlet.http; HttpServletRequest; false; getHeader; (String); ; ReturnValue; remote; manual |
 nodes
 | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
 | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | semmle.label | ip |
@@ -16,6 +22,3 @@ nodes
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | semmle.label | split(...) : String[] |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | semmle.label | ...[...] : String |
 subpaths
-#select
-| ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
-| ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+query: experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected

@@ -1,11 +1,22 @@
+#select
+| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
+| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
+| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
+| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
+| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
+| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
+| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
 edges
-| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | provenance | Src:MaD:44663  |
-| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | provenance | Src:MaD:44663  |
-| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | provenance | Src:MaD:44663  |
-| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | provenance | Src:MaD:44663  |
-| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | provenance | Src:MaD:44663  Sink:MaD:42570 |
-| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | provenance | Src:MaD:44663  Sink:MaD:42570 |
-| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | provenance | Src:MaD:44663  |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | provenance | Src:MaD:2  |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | provenance | Src:MaD:2  |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | provenance | Src:MaD:2  |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | provenance | Src:MaD:2  |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | provenance | Src:MaD:2  Sink:MaD:1 |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | provenance | Src:MaD:2  Sink:MaD:1 |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | provenance | Src:MaD:2  |
+models
+| 1 | Sink: java.io; PrintWriter; false; println; ; ; Argument[0]; file-content-store; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
@@ -22,11 +33,3 @@ nodes
 | JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
 subpaths
-#select
-| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
-| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
-| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
-| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
-| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
-| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
-| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-352/JsonpInjection.ql
+query: experimental/Security/CWE/CWE-352/JsonpInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.expected

@@ -1,3 +1,5 @@
+#select
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Possible uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | local user-provided value |
 edges
 | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | provenance | TaintPreservingCallable |
 | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | provenance |  |
@@ -7,7 +9,9 @@ edges
 | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | provenance |  |
-| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime | provenance |  Sink:MaD:1982 |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime | provenance |  Sink:MaD:1 |
+models
+| 1 | Sink: java.lang; Thread; true; sleep; ; ; Argument[0]; thread-pause; manual |
 nodes
 | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
 | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
@@ -21,5 +25,3 @@ nodes
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
 subpaths
 | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
-#select
-| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Possible uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | local user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+query: experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected

@@ -1,9 +1,17 @@
+#select
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
+| ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
+| ThreadResourceAbuse.java:176:17:176:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
+| ThreadResourceAbuse.java:219:17:219:33 | ... * ... | ThreadResourceAbuse.java:215:19:215:50 | getHeader(...) : String | ThreadResourceAbuse.java:219:17:219:33 | ... * ... | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:215:19:215:50 | getHeader(...) | user-provided value |
+| ThreadResourceAbuse.java:233:17:233:26 | retryAfter | ThreadResourceAbuse.java:227:19:227:50 | getHeader(...) : String | ThreadResourceAbuse.java:233:17:233:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:227:19:227:50 | getHeader(...) | user-provided value |
+| UploadListener.java:35:18:35:28 | slowUploads | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | UploadListener.java:35:18:35:28 | slowUploads | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) | user-provided value |
 edges
-| ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | provenance | Src:MaD:44663 TaintPreservingCallable |
+| ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | provenance | Src:MaD:5 TaintPreservingCallable |
 | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | provenance |  |
-| ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | provenance | Src:MaD:44663 TaintPreservingCallable |
+| ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | provenance | Src:MaD:5 TaintPreservingCallable |
 | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | provenance |  |
@@ -11,18 +19,18 @@ edges
 | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | provenance |  |
 | ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | provenance |  |
-| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime | provenance |  Sink:MaD:1982 |
-| ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | provenance | Src:MaD:44640 TaintPreservingCallable Sink:MaD:1985 |
-| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | provenance | Src:MaD:44641 TaintPreservingCallable Sink:MaD:1982 |
-| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | provenance | Src:MaD:44663 TaintPreservingCallable |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime | provenance |  Sink:MaD:1 |
+| ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | provenance | Src:MaD:3 TaintPreservingCallable Sink:MaD:2 |
+| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | provenance | Src:MaD:4 TaintPreservingCallable Sink:MaD:1 |
+| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | provenance | Src:MaD:5 TaintPreservingCallable |
 | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) : UploadListener [slowUploads] : Number | UploadListener.java:28:14:28:19 | parameter this : UploadListener [slowUploads] : Number | provenance |  |
 | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) : UploadListener [slowUploads] : Number | provenance |  |
 | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | provenance |  |
-| ThreadResourceAbuse.java:215:19:215:50 | getHeader(...) : String | ThreadResourceAbuse.java:219:17:219:26 | retryAfter : Number | provenance | Src:MaD:44641 TaintPreservingCallable |
-| ThreadResourceAbuse.java:219:17:219:26 | retryAfter : Number | ThreadResourceAbuse.java:219:17:219:33 | ... * ... | provenance | Config Sink:MaD:1982 |
-| ThreadResourceAbuse.java:227:19:227:50 | getHeader(...) : String | ThreadResourceAbuse.java:230:3:230:12 | retryAfter : Number | provenance | Src:MaD:44641 TaintPreservingCallable |
+| ThreadResourceAbuse.java:215:19:215:50 | getHeader(...) : String | ThreadResourceAbuse.java:219:17:219:26 | retryAfter : Number | provenance | Src:MaD:4 TaintPreservingCallable |
+| ThreadResourceAbuse.java:219:17:219:26 | retryAfter : Number | ThreadResourceAbuse.java:219:17:219:33 | ... * ... | provenance | Config Sink:MaD:1 |
+| ThreadResourceAbuse.java:227:19:227:50 | getHeader(...) : String | ThreadResourceAbuse.java:230:3:230:12 | retryAfter : Number | provenance | Src:MaD:4 TaintPreservingCallable |
 | ThreadResourceAbuse.java:230:3:230:12 | retryAfter : Number | ThreadResourceAbuse.java:230:3:230:20 | ...*=... : Number | provenance | Config |
-| ThreadResourceAbuse.java:230:3:230:20 | ...*=... : Number | ThreadResourceAbuse.java:233:17:233:26 | retryAfter | provenance |  Sink:MaD:1982 |
+| ThreadResourceAbuse.java:230:3:230:20 | ...*=... : Number | ThreadResourceAbuse.java:233:17:233:26 | retryAfter | provenance |  Sink:MaD:1 |
 | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | provenance |  |
 | UploadListener.java:16:3:16:13 | this <.field> [post update] : UploadListener [slowUploads] : Number | UploadListener.java:15:9:15:22 | parameter this [Return] : UploadListener [slowUploads] : Number | provenance |  |
 | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] : UploadListener [slowUploads] : Number | provenance |  |
@@ -30,9 +38,15 @@ edges
 | UploadListener.java:29:3:29:11 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:30:3:30:15 | this <.field> : UploadListener [slowUploads] : Number | provenance |  |
 | UploadListener.java:30:3:30:15 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:33:7:33:17 | this <.field> : UploadListener [slowUploads] : Number | provenance |  |
 | UploadListener.java:30:3:30:15 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:35:18:35:28 | this <.field> : UploadListener [slowUploads] : Number | provenance |  |
-| UploadListener.java:33:7:33:17 | slowUploads : Number | UploadListener.java:35:18:35:28 | slowUploads | provenance |  Sink:MaD:1982 |
+| UploadListener.java:33:7:33:17 | slowUploads : Number | UploadListener.java:35:18:35:28 | slowUploads | provenance |  Sink:MaD:1 |
 | UploadListener.java:33:7:33:17 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:33:7:33:17 | slowUploads : Number | provenance |  |
-| UploadListener.java:35:18:35:28 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:35:18:35:28 | slowUploads | provenance |  Sink:MaD:1982 |
+| UploadListener.java:35:18:35:28 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:35:18:35:28 | slowUploads | provenance |  Sink:MaD:1 |
+models
+| 1 | Sink: java.lang; Thread; true; sleep; ; ; Argument[0]; thread-pause; manual |
+| 2 | Sink: java.util.concurrent; TimeUnit; true; sleep; ; ; Argument[0]; thread-pause; manual |
+| 3 | Source: javax.servlet.http; Cookie; false; getValue; (); ; ReturnValue; remote; manual |
+| 4 | Source: javax.servlet.http; HttpServletRequest; false; getHeader; (String); ; ReturnValue; remote; manual |
+| 5 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
@@ -76,11 +90,3 @@ subpaths
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
 | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:15:9:15:22 | parameter this [Return] : UploadListener [slowUploads] : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) : UploadListener [slowUploads] : Number |
-#select
-| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
-| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
-| ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
-| ThreadResourceAbuse.java:176:17:176:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
-| ThreadResourceAbuse.java:219:17:219:33 | ... * ... | ThreadResourceAbuse.java:215:19:215:50 | getHeader(...) : String | ThreadResourceAbuse.java:219:17:219:33 | ... * ... | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:215:19:215:50 | getHeader(...) | user-provided value |
-| ThreadResourceAbuse.java:233:17:233:26 | retryAfter | ThreadResourceAbuse.java:227:19:227:50 | getHeader(...) : String | ThreadResourceAbuse.java:233:17:233:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:227:19:227:50 | getHeader(...) | user-provided value |
-| UploadListener.java:35:18:35:28 | slowUploads | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | UploadListener.java:35:18:35:28 | slowUploads | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+query: experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
+query: experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected

@@ -1,12 +1,16 @@
+#select
+| UnsafeReflection.java:25:29:25:62 | ...[...] | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:25:29:25:62 | ...[...] | Unsafe reflection of $@. | UnsafeReflection.java:21:28:21:60 | getParameter(...) | user input |
+| UnsafeReflection.java:39:13:39:41 | ...[...] | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:13:39:41 | ...[...] | Unsafe reflection of $@. | UnsafeReflection.java:33:28:33:60 | getParameter(...) | user input |
+| UnsafeReflection.java:119:21:119:26 | method | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:119:21:119:26 | method | Unsafe reflection of $@. | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName | user input |
 edges
-| UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:24:41:24:49 | className : String | provenance | Src:MaD:44663  |
-| UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | UnsafeReflection.java:25:76:25:89 | parameterValue | provenance | Src:MaD:44663  |
+| UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:24:41:24:49 | className : String | provenance | Src:MaD:2  |
+| UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | UnsafeReflection.java:25:76:25:89 | parameterValue | provenance | Src:MaD:2  |
 | UnsafeReflection.java:24:27:24:50 | forName(...) : Class | UnsafeReflection.java:25:29:25:33 | clazz : Class | provenance |  |
 | UnsafeReflection.java:24:41:24:49 | className : String | UnsafeReflection.java:24:27:24:50 | forName(...) : Class | provenance | Config |
 | UnsafeReflection.java:25:29:25:33 | clazz : Class | UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] | provenance | Config |
 | UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] | UnsafeReflection.java:25:29:25:62 | ...[...] | provenance |  |
-| UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:37:49:37:57 | className : String | provenance | Src:MaD:44663  |
-| UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue | provenance | Src:MaD:44663  |
+| UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:37:49:37:57 | className : String | provenance | Src:MaD:2  |
+| UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue | provenance | Src:MaD:2  |
 | UnsafeReflection.java:37:27:37:58 | loadClass(...) : Class | UnsafeReflection.java:38:29:38:33 | clazz : Class | provenance |  |
 | UnsafeReflection.java:37:49:37:57 | className : String | UnsafeReflection.java:37:27:37:58 | loadClass(...) : Class | provenance | Config |
 | UnsafeReflection.java:38:29:38:33 | clazz : Class | UnsafeReflection.java:38:29:38:47 | newInstance(...) : Object | provenance | Config |
@@ -17,13 +21,13 @@ edges
 | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | provenance |  |
 | UnsafeReflection.java:46:132:46:168 | body : Map | UnsafeReflection.java:49:37:49:40 | body : Map | provenance |  |
 | UnsafeReflection.java:49:23:49:59 | (...)... : List | UnsafeReflection.java:53:67:53:73 | rawData : List | provenance |  |
-| UnsafeReflection.java:49:37:49:40 | body : Map | UnsafeReflection.java:49:37:49:59 | get(...) : Object | provenance | MaD:43863 |
+| UnsafeReflection.java:49:37:49:40 | body : Map | UnsafeReflection.java:49:37:49:59 | get(...) : Object | provenance | MaD:1 |
 | UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : List | provenance |  |
 | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | provenance |  |
 | UnsafeReflection.java:53:67:53:73 | rawData : List | UnsafeReflection.java:104:102:104:118 | data : List | provenance |  |
-| UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | UnsafeReflection.java:68:76:68:89 | parameterValue | provenance | Src:MaD:44663  |
-| UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | UnsafeReflection.java:83:76:83:89 | parameterValue | provenance | Src:MaD:44663  |
-| UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | UnsafeReflection.java:98:76:98:89 | parameterValue | provenance | Src:MaD:44663  |
+| UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | UnsafeReflection.java:68:76:68:89 | parameterValue | provenance | Src:MaD:2  |
+| UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | UnsafeReflection.java:83:76:83:89 | parameterValue | provenance | Src:MaD:2  |
+| UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | UnsafeReflection.java:98:76:98:89 | parameterValue | provenance | Src:MaD:2  |
 | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:108:39:108:55 | beanIdOrClassName : String | provenance |  |
 | UnsafeReflection.java:104:102:104:118 | data : List | UnsafeReflection.java:119:41:119:44 | data | provenance |  |
 | UnsafeReflection.java:108:25:108:56 | forName(...) : Class | UnsafeReflection.java:109:31:109:39 | beanClass : Class | provenance |  |
@@ -34,6 +38,9 @@ edges
 | UnsafeReflection.java:113:30:113:33 | bean : Object | UnsafeReflection.java:119:35:119:38 | bean | provenance |  |
 | UnsafeReflection.java:113:30:113:44 | getClass(...) : Class | UnsafeReflection.java:113:30:113:57 | getMethods(...) : Method[] | provenance | Config |
 | UnsafeReflection.java:113:30:113:57 | getMethods(...) : Method[] | UnsafeReflection.java:119:21:119:26 | method | provenance |  |
+models
+| 1 | Summary: java.util; Map; true; get; ; ; Argument[this].MapValue; ReturnValue; value; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -80,7 +87,3 @@ nodes
 | UnsafeReflection.java:119:35:119:38 | bean | semmle.label | bean |
 | UnsafeReflection.java:119:41:119:44 | data | semmle.label | data |
 subpaths
-#select
-| UnsafeReflection.java:25:29:25:62 | ...[...] | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:25:29:25:62 | ...[...] | Unsafe reflection of $@. | UnsafeReflection.java:21:28:21:60 | getParameter(...) | user input |
-| UnsafeReflection.java:39:13:39:41 | ...[...] | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:13:39:41 | ...[...] | Unsafe reflection of $@. | UnsafeReflection.java:33:28:33:60 | getParameter(...) | user input |
-| UnsafeReflection.java:119:21:119:26 | method | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:119:21:119:26 | method | Unsafe reflection of $@. | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName | user input |

java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+query: experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+query: experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Bombs.java

@@ -0,0 +1,55 @@
+import org.apache.commons.compress.archivers.ArchiveException;
+import org.apache.commons.compress.compressors.CompressorException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.BufferedReader;
+import java.net.Socket;
+import java.util.zip.DataFormatException;
+
+public class Bombs {
+    public void sendUserFileGood2(Socket sock) throws IOException {
+        InputStream remoteFile = sock.getInputStream();
+        // Zip
+        ZipHandler.ZipInputStreamSafe2(remoteFile);
+        ZipHandler.ZipInputStreamSafe(remoteFile);
+        ZipHandler.ZipInputStreamUnsafe(remoteFile);
+        ZipHandler.GZipInputStreamUnsafe(remoteFile);
+        ZipHandler.InflaterInputStreamUnsafe(remoteFile);
+
+        BufferedReader filenameReader =
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+        String filename = filenameReader.readLine();
+        try {
+            ZipHandler.InflaterUnsafe(filename.getBytes());
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+            ZipHandler.ZipFile1(filename);
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+
+        // Zip4j
+        Zip4jHandler.zip4jZipInputStream(remoteFile);
+        Zip4jHandler.zip4jZipInputStreamSafe(remoteFile);
+        // SnappyZip
+        SnappyHandler.SnappyZipInputStream(remoteFile);
+        // apache Commons
+        CommonsCompressHandler.commonsCompressorInputStream(remoteFile);
+        try {
+            CommonsCompressHandler.commonsCompressArchiveInputStream(remoteFile);
+            CommonsCompressHandler.commonsCompressArchiveStreamFactory(remoteFile);
+        } catch (ArchiveException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+            CommonsCompressHandler.commonsCompressCompressorStreamFactory(remoteFile);
+        } catch (CompressorException e) {
+            throw new RuntimeException(e);
+        }
+
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java

@@ -0,0 +1,128 @@
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.IOException;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.BufferedInputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveException;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.ArchiveStreamFactory;
+import org.apache.commons.compress.compressors.CompressorException;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.CompressorStreamFactory;
+import org.apache.commons.compress.compressors.lz4.*;
+import org.apache.commons.compress.archivers.ar.ArArchiveInputStream;
+import org.apache.commons.compress.archivers.arj.ArjArchiveInputStream;
+import org.apache.commons.compress.archivers.cpio.CpioArchiveInputStream;
+import org.apache.commons.compress.archivers.jar.JarArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream;
+import org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream;
+import org.apache.commons.compress.compressors.snappy.SnappyCompressorInputStream;
+import org.apache.commons.compress.compressors.xz.XZCompressorInputStream;
+import org.apache.commons.compress.compressors.zstandard.ZstdCompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
+import org.apache.commons.compress.compressors.brotli.BrotliCompressorInputStream;
+import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
+import org.apache.commons.compress.compressors.deflate.DeflateCompressorInputStream;
+import org.apache.commons.compress.compressors.deflate64.Deflate64CompressorInputStream;
+import org.apache.commons.compress.compressors.z.ZCompressorInputStream;
+
+public class CommonsCompressHandler {
+
+    public static void commonsCompressorInputStream(InputStream inputStream) throws IOException {
+        BufferedInputStream in = new BufferedInputStream(inputStream);
+        OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
+        GzipCompressorInputStream gzIn = new GzipCompressorInputStream(in);
+        // Also, the `new GzipCompressorInputStream(in)` can be the following:
+        // new BrotliCompressorInputStream(in);
+        // new BZip2CompressorInputStream(in);
+        // new DeflateCompressorInputStream(in);
+        // new Deflate64CompressorInputStream(in);
+        // new BlockLZ4CompressorInputStream(in);
+        // new LZMACompressorInputStream(in);
+        // new Pack200CompressorInputStream(in);
+        // new SnappyCompressorInputStream(in);
+        // new XZCompressorInputStream(in);
+        // new ZCompressorInputStream(in);
+        // new ZstdCompressorInputStream(in);
+
+        int buffersize = 4096;
+        final byte[] buffer = new byte[buffersize];
+        int n = 0;
+        while (-1 != (n = gzIn.read(buffer))) {  // $ hasTaintFlow="gzIn"
+            out.write(buffer, 0, n);
+        }
+        out.close();
+        gzIn.close();
+    }
+
+    static void commonsCompressArchiveInputStream(InputStream inputStream) {
+        byte[] readBuffer = new byte[4096];
+
+        // Also, the `new ZipArchiveInputStream(inputStream)` can be the following:
+        // new ArArchiveInputStream(inputStream);
+        // new ArjArchiveInputStream(inputStream);
+        // new CpioArchiveInputStream(inputStream);
+        // new JarArchiveInputStream(inputStream);
+        // new ZipArchiveInputStream(inputStream);
+
+        try (ZipArchiveInputStream zipInputStream =
+                     new ZipArchiveInputStream(inputStream)) { 
+            ArchiveEntry entry = null;
+            while ((entry = zipInputStream.getNextEntry()) != null) {
+                if (!zipInputStream.canReadEntryData(entry)) {
+                    continue;
+                }
+                File f = new File("tmpfile");
+                try (OutputStream outputStream = new FileOutputStream(f)) {
+                    int readLen;
+                    while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // $ hasTaintFlow="zipInputStream"
+                        outputStream.write(readBuffer, 0, readLen);
+                    }
+                }
+            }
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    static void commonsCompressArchiveStreamFactory(InputStream inputStream)
+            throws IOException, ArchiveException {
+        BufferedInputStream bin = new BufferedInputStream(inputStream);
+        ArchiveInputStream zipInputStream = new ArchiveStreamFactory().createArchiveInputStream(bin);
+        ArchiveEntry entry = null;
+        byte[] readBuffer = new byte[4096];
+        while ((entry = zipInputStream.getNextEntry()) != null) {
+            if (!zipInputStream.canReadEntryData(entry)) {
+                continue;
+            }
+            File f = new File("tmpfile");
+            try (OutputStream outputStream = new FileOutputStream(f)) {
+                int readLen;
+                while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // $ hasTaintFlow="zipInputStream"
+                    outputStream.write(readBuffer, 0, readLen);
+                }
+            }
+        }
+    }
+
+    static void commonsCompressCompressorStreamFactory(InputStream inputStream)
+            throws IOException, CompressorException {
+        BufferedInputStream bin = new BufferedInputStream(inputStream);
+        CompressorInputStream in = new CompressorStreamFactory().createCompressorInputStream(bin);
+        OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
+        int buffersize = 4096;
+        final byte[] buffer = new byte[buffersize];
+        int n = 0;
+        while (-1 != (n = in.read(buffer))) { // $ hasTaintFlow="in"
+            out.write(buffer, 0, n);
+        }
+        out.close();
+        in.close();
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java

@@ -0,0 +1,21 @@
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+import org.xerial.snappy.SnappyInputStream;
+
+public class SnappyHandler {
+    public static void SnappyZipInputStream(InputStream inputStream) throws IOException {
+        int readLen;
+        byte[] readBuffer = new byte[4096];
+        try (SnappyInputStream zipInputStream = new SnappyInputStream(inputStream)) {
+            try (OutputStream outputStream = Files.newOutputStream(Paths.get("extractedFile"))) {
+                while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
+                    outputStream.write(readBuffer, 0, readLen);
+                }
+            }
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java

@@ -0,0 +1,48 @@
+import net.lingala.zip4j.model.LocalFileHeader;
+import net.lingala.zip4j.io.inputstream.ZipInputStream;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.FileOutputStream;
+
+public class Zip4jHandler {
+    public static void zip4jZipInputStream(InputStream inputStream) throws IOException {
+        LocalFileHeader localFileHeader;
+        int readLen;
+        byte[] readBuffer = new byte[4096];
+        try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) {
+            while ((localFileHeader = zipInputStream.getNextEntry()) != null) {
+                File extractedFile = new File(localFileHeader.getFileName());
+                try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
+                    while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
+                        outputStream.write(readBuffer, 0, readLen);
+                    }
+                }
+            }
+        }
+    }
+
+    public static void zip4jZipInputStreamSafe(InputStream inputStream) throws IOException {
+        LocalFileHeader localFileHeader;
+        int readLen;
+        byte[] readBuffer = new byte[4096];
+        try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { 
+            while ((localFileHeader = zipInputStream.getNextEntry()) != null) {
+                File extractedFile = new File(localFileHeader.getFileName());
+                try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
+                    int totallRead = 0;
+                    while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ SPURIOUS: hasTaintFlow="zipInputStream"
+                        totallRead += readLen;
+                        if (totallRead > 1024 * 1024 * 4) {
+                            System.out.println("potential Bomb");
+                            break;
+                        }
+                        outputStream.write(readBuffer, 0, readLen);
+                    }
+                }
+            }
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java

@@ -0,0 +1,187 @@
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.BufferedInputStream;
+import java.util.Enumeration;
+import java.util.zip.CRC32;
+import java.util.zip.CheckedInputStream;
+import java.util.zip.ZipFile;
+import java.util.zip.ZipInputStream;
+import java.util.zip.ZipEntry;
+import java.util.zip.GZIPInputStream;
+import java.util.zip.InflaterInputStream;
+import java.util.zip.Inflater;
+import java.util.zip.DataFormatException;
+
+public class ZipHandler {
+    public static void ZipInputStreamSafe(InputStream inputStream) throws IOException {
+        final int BUFFER = 512;
+        final long TOOBIG = 0x6400000; // Max size of unzipped data, 100MB
+        final int TOOMANY = 1024;
+        // FileInputStream fis = new FileInputStream(filename);
+        CRC32 checkSum = new CRC32();
+        CheckedInputStream gzis = new CheckedInputStream(inputStream, checkSum);
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) {
+            ZipEntry entry;
+            int entries = 0;
+            long total = 0;
+            while ((entry = zis.getNextEntry()) != null) {
+                System.out.println("Extracting: " + entry);
+                int count;
+                byte[] data = new byte[BUFFER];
+                if (entry.isDirectory()) {
+                    System.out.println("Creating directory " + entry.getName());
+                    continue;
+                }
+                FileOutputStream fos = new FileOutputStream("/tmp/tmptmp");
+                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
+                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ SPURIOUS: hasTaintFlow="zis"
+                    dest.write(data, 0, count);
+                    total += count;
+                }
+                dest.flush();
+                dest.close();
+                zis.closeEntry();
+                entries++;
+                if (entries > TOOMANY) {
+                    throw new IllegalStateException("Too many files to unzip.");
+                }
+                if (total + BUFFER > TOOBIG) {
+                    throw new IllegalStateException("File being unzipped is too big.");
+                }
+            }
+        }
+    }
+
+    // it seems that previously getSize could be bypassed by forged headers, so I tested following
+    // method with a forged header zip bomb, the getSize() return the forged header but read method
+    // will read bytes until the getSize() value that this makes getSize() safe for now.
+    public static void ZipInputStreamSafe2(InputStream inputStream) throws IOException {
+        int BUFFER = 512;
+        int TOOBIG = 100 * 1024 * 1024; // 100MB
+        //        FileInputStream fis = new FileInputStream(filename);
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { 
+            ZipEntry entry;
+            while ((entry = zis.getNextEntry()) != null) {
+                System.out.println("Extracting: " + entry);
+                int count;
+                byte[] data = new byte[BUFFER];
+                // Write the files to the disk, but only if the file is not insanely big
+                if (entry.getSize() > TOOBIG) {
+                    throw new IllegalStateException("File to be unzipped is huge.");
+                }
+                if (entry.getSize() == -1) {
+                    throw new IllegalStateException("File to be unzipped might be huge.");
+                }
+                FileOutputStream fos = new FileOutputStream(entry.getName());
+                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ SPURIOUS: hasTaintFlow="zis"
+                    dest.write(data, 0, count);
+                }
+                dest.flush();
+                dest.close();
+                zis.closeEntry();
+            }
+        }
+    }
+
+    public static void ZipInputStreamUnsafe(InputStream inputStream) throws IOException {
+        int BUFFER = 512;
+        //        FileInputStream fis = new FileInputStream(filename);
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { 
+            ZipEntry entry;
+            while ((entry = zis.getNextEntry()) != null) {
+                System.out.println("Extracting: " + entry);
+                int count;
+                byte[] data = new byte[BUFFER];
+                // Write the files to the disk
+                FileOutputStream fos = new FileOutputStream(entry.getName()); 
+                BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" 
+                    dest.write(data, 0, count);
+                }
+                dest.flush();
+                dest.close();
+                zis.closeEntry();
+            }
+        }
+    }
+
+    public static void GZipInputStreamUnsafe(InputStream inputStream) throws IOException {
+        int BUFFER = 512;
+        try (GZIPInputStream gzis = new GZIPInputStream(inputStream)) { 
+            int count;
+            byte[] data = new byte[BUFFER];
+            FileOutputStream fos = new FileOutputStream("/tmp/tmp");
+            BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
+            while ((count = gzis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="gzis"
+                dest.write(data, 0, count);
+            }
+            dest.flush();
+            dest.close();
+        }
+    }
+
+    public static void InflaterInputStreamUnsafe(InputStream inputStream) throws IOException {
+        int BUFFER = 512;
+        try (InflaterInputStream Izis = new InflaterInputStream(inputStream)) { 
+            int count;
+            byte[] data = new byte[BUFFER];
+            FileOutputStream fos = new FileOutputStream("/tmp/tmp");
+            BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
+            while ((count = Izis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="Izis"
+                dest.write(data, 0, count);
+            }
+            dest.flush();
+            dest.close();
+        }
+    }
+
+    public static void InflaterUnsafe(byte[] inputBytes) throws DataFormatException, IOException {
+        Inflater inflater = new Inflater();
+        inflater.setInput(inputBytes); // $ hasTaintFlow="inputBytes"
+        try (final ByteArrayOutputStream outputStream = new ByteArrayOutputStream(inputBytes.length)) {
+            byte[] buffer = new byte[1024];
+            while (!inflater.finished()) {
+                final int count = inflater.inflate(buffer);
+                outputStream.write(buffer, 0, count);
+            }
+            outputStream.toByteArray();
+        }
+    }
+
+    public static void ZipFile1(String zipFilePath) throws DataFormatException, IOException {
+        try {
+            System.out.println("zipFilePath = " + zipFilePath);
+            ZipFile zipFile = new ZipFile(zipFilePath);
+            Enumeration<? extends ZipEntry> entries = zipFile.entries();
+            while (entries.hasMoreElements()) {
+                ZipEntry entry = entries.nextElement();
+                if (entry.isDirectory()) {
+                    System.out.print("dir  : " + entry.getName());
+                    String destPath = "tmp" + File.separator + entry.getName();
+                    System.out.println(" => " + destPath);
+                    File file = new File(destPath);
+                    file.mkdirs();
+                } else {
+                    String destPath = "tmp" + File.separator + entry.getName();
+
+                    try (InputStream inputStream = zipFile.getInputStream(entry); // $ hasTaintFlow="zipFile"
+                         FileOutputStream outputStream = new FileOutputStream(destPath);) {
+                        int data = inputStream.read();
+                        while (data != -1) {
+                            outputStream.write(data);
+                            data = inputStream.read();
+                        }
+                    }
+                    System.out.println("file : " + entry.getName() + " => " + destPath);
+                }
+            }
+        } catch (IOException e) {
+            throw new RuntimeException("Error unzipping file " + zipFilePath, e);
+        }
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-compress-1.23.0:${testdir}/../../../stubs/lingala-zip4j-2.11.5:${testdir}/../../../stubs/zstd-jni-1.5.5

java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/test.ql

@@ -0,0 +1,9 @@
+import java
+import experimental.semmle.code.java.security.DecompressionBombQuery
+import TestUtilities.InlineFlowTest
+import TaintFlowTestArgString<DecompressionBombsConfig, getArgString/2>
+
+string getArgString(DataFlow::Node src, DataFlow::Node sink) {
+  exists(src) and
+  result = "\"" + sink.toString() + "\""
+}

java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected

@@ -1,19 +1,30 @@
+#select
+| SensitiveGetQuery2.java:15:29:15:36 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:15:29:15:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | This request |
+| SensitiveGetQuery2.java:19:61:19:68 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:19:61:19:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | This request |
+| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) | This request |
+| SensitiveGetQuery4.java:16:37:16:47 | accessToken | SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) | This request |
+| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | This request |
+| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | This request |
 edges
-| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map | provenance | Src:MaD:44664  |
+| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map | provenance | Src:MaD:3  |
 | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password | provenance |  |
 | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password : String | provenance |  |
-| SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | provenance | MaD:43863 |
+| SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | provenance | MaD:1 |
 | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | provenance |  |
 | SensitiveGetQuery2.java:15:29:15:36 | password : String | SensitiveGetQuery2.java:18:40:18:54 | password : String | provenance |  |
 | SensitiveGetQuery2.java:18:40:18:54 | password : String | SensitiveGetQuery2.java:19:61:19:68 | password | provenance |  |
 | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password | provenance |  |
-| SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | provenance | Src:MaD:44663  |
+| SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | provenance | Src:MaD:2  |
 | SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken | provenance |  |
-| SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | provenance | Src:MaD:44663  |
-| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password | provenance | Src:MaD:44663  |
-| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password : String | provenance | Src:MaD:44663  |
+| SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | provenance | Src:MaD:2  |
+| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password | provenance | Src:MaD:2  |
+| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password : String | provenance | Src:MaD:2  |
 | SensitiveGetQuery.java:14:29:14:36 | password : String | SensitiveGetQuery.java:17:40:17:54 | password : String | provenance |  |
 | SensitiveGetQuery.java:17:40:17:54 | password : String | SensitiveGetQuery.java:18:61:18:68 | password | provenance |  |
+models
+| 1 | Summary: java.util; Map; true; get; ; ; Argument[this].MapValue; ReturnValue; value; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+| 3 | Source: javax.servlet; ServletRequest; false; getParameterMap; (); ; ReturnValue; remote; manual |
 nodes
 | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
 | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | semmle.label | (...)... : String |
@@ -35,10 +46,3 @@ nodes
 | SensitiveGetQuery.java:17:40:17:54 | password : String | semmle.label | password : String |
 | SensitiveGetQuery.java:18:61:18:68 | password | semmle.label | password |
 subpaths
-#select
-| SensitiveGetQuery2.java:15:29:15:36 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:15:29:15:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | This request |
-| SensitiveGetQuery2.java:19:61:19:68 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:19:61:19:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | This request |
-| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) | This request |
-| SensitiveGetQuery4.java:16:37:16:47 | accessToken | SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) | This request |
-| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | This request |
-| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | This request |

java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+query: experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected

@@ -1,8 +1,16 @@
+#select
+| UncaughtServletException.java:14:44:14:45 | ip | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:13:15:13:43 | getParameter(...) | user-provided value |
+| UncaughtServletException.java:17:20:17:25 | userId | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) | user-provided value |
+| UncaughtServletException.java:55:45:55:46 | ip | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:54:16:54:44 | getParameter(...) | user-provided value |
+| UncaughtServletException.java:76:22:76:27 | userId | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | UncaughtServletException.java:76:22:76:27 | userId | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) | user-provided value |
 edges
-| UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | provenance | Src:MaD:44663  |
-| UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | provenance | Src:MaD:44650  |
-| UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | provenance | Src:MaD:44663  |
-| UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | UncaughtServletException.java:76:22:76:27 | userId | provenance | Src:MaD:44650  |
+| UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | provenance | Src:MaD:2  |
+| UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | provenance | Src:MaD:1  |
+| UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | provenance | Src:MaD:2  |
+| UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | UncaughtServletException.java:76:22:76:27 | userId | provenance | Src:MaD:1  |
+models
+| 1 | Source: javax.servlet.http; HttpServletRequest; false; getRemoteUser; (); ; ReturnValue; remote; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UncaughtServletException.java:14:44:14:45 | ip | semmle.label | ip |
@@ -13,8 +21,3 @@ nodes
 | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
 | UncaughtServletException.java:76:22:76:27 | userId | semmle.label | userId |
 subpaths
-#select
-| UncaughtServletException.java:14:44:14:45 | ip | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:13:15:13:43 | getParameter(...) | user-provided value |
-| UncaughtServletException.java:17:20:17:25 | userId | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) | user-provided value |
-| UncaughtServletException.java:55:45:55:46 | ip | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:54:16:54:44 | getParameter(...) | user-provided value |
-| UncaughtServletException.java:76:22:76:27 | userId | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | UncaughtServletException.java:76:22:76:27 | userId | This value depends on a $@ and can throw uncaught exception. | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+query: experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected

@@ -1,3 +1,18 @@
+#select
+| SpringUrlRedirect.java:19:19:19:29 | redirectUrl | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | SpringUrlRedirect.java:19:19:19:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:17:30:17:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:25:36:25:46 | redirectUrl | SpringUrlRedirect.java:24:24:24:41 | redirectUrl : String | SpringUrlRedirect.java:25:36:25:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:24:24:24:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:31:44:31:54 | redirectUrl | SpringUrlRedirect.java:30:30:30:47 | redirectUrl : String | SpringUrlRedirect.java:31:44:31:54 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:30:30:30:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:37:47:37:57 | redirectUrl | SpringUrlRedirect.java:36:30:36:47 | redirectUrl : String | SpringUrlRedirect.java:37:47:37:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:36:30:36:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:44:29:44:39 | redirectUrl | SpringUrlRedirect.java:41:24:41:41 | redirectUrl : String | SpringUrlRedirect.java:44:29:44:39 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:41:24:41:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:52:30:52:40 | redirectUrl | SpringUrlRedirect.java:49:24:49:41 | redirectUrl : String | SpringUrlRedirect.java:52:30:52:40 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:49:24:49:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:58:30:58:66 | format(...) | SpringUrlRedirect.java:57:24:57:41 | redirectUrl : String | SpringUrlRedirect.java:58:30:58:66 | format(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:57:24:57:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:63:30:63:76 | format(...) | SpringUrlRedirect.java:62:24:62:41 | redirectUrl : String | SpringUrlRedirect.java:63:30:63:76 | format(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:62:24:62:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:91:27:91:49 | create(...) | SpringUrlRedirect.java:89:38:89:55 | redirectUrl : String | SpringUrlRedirect.java:91:27:91:49 | create(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:89:38:89:55 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:100:37:100:47 | httpHeaders | SpringUrlRedirect.java:96:39:96:56 | redirectUrl : String | SpringUrlRedirect.java:100:37:100:47 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:96:39:96:56 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:108:68:108:78 | httpHeaders | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:104:39:104:56 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:116:37:116:47 | httpHeaders | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:112:39:112:56 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:124:49:124:59 | httpHeaders | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:120:33:120:50 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:132:49:132:59 | httpHeaders | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:128:33:128:50 | redirectUrl | user-provided value |
 edges
 | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | SpringUrlRedirect.java:19:19:19:29 | redirectUrl | provenance |  |
 | SpringUrlRedirect.java:24:24:24:41 | redirectUrl : String | SpringUrlRedirect.java:25:36:25:46 | redirectUrl | provenance |  |
@@ -6,35 +21,41 @@ edges
 | SpringUrlRedirect.java:41:24:41:41 | redirectUrl : String | SpringUrlRedirect.java:44:29:44:39 | redirectUrl | provenance |  |
 | SpringUrlRedirect.java:49:24:49:41 | redirectUrl : String | SpringUrlRedirect.java:52:30:52:40 | redirectUrl | provenance |  |
 | SpringUrlRedirect.java:57:24:57:41 | redirectUrl : String | SpringUrlRedirect.java:58:55:58:65 | redirectUrl : String | provenance |  |
-| SpringUrlRedirect.java:58:30:58:66 | new ..[] { .. } : Object[] [[]] : String | SpringUrlRedirect.java:58:30:58:66 | format(...) | provenance | MaD:42733 |
+| SpringUrlRedirect.java:58:30:58:66 | new ..[] { .. } : Object[] [[]] : String | SpringUrlRedirect.java:58:30:58:66 | format(...) | provenance | MaD:2 |
 | SpringUrlRedirect.java:58:55:58:65 | redirectUrl : String | SpringUrlRedirect.java:58:30:58:66 | new ..[] { .. } : Object[] [[]] : String | provenance |  |
 | SpringUrlRedirect.java:62:24:62:41 | redirectUrl : String | SpringUrlRedirect.java:63:44:63:68 | ... + ... : String | provenance |  |
-| SpringUrlRedirect.java:63:44:63:68 | ... + ... : String | SpringUrlRedirect.java:63:30:63:76 | format(...) | provenance | MaD:42732 |
+| SpringUrlRedirect.java:63:44:63:68 | ... + ... : String | SpringUrlRedirect.java:63:30:63:76 | format(...) | provenance | MaD:1 |
 | SpringUrlRedirect.java:89:38:89:55 | redirectUrl : String | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | provenance |  |
-| SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | SpringUrlRedirect.java:91:27:91:49 | create(...) | provenance | MaD:42953 |
+| SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | SpringUrlRedirect.java:91:27:91:49 | create(...) | provenance | MaD:3 |
 | SpringUrlRedirect.java:96:39:96:56 | redirectUrl : String | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:98:9:98:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:100:37:100:47 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | SpringUrlRedirect.java:98:9:98:19 | httpHeaders : HttpHeaders | provenance | Config |
-| SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | provenance | MaD:42953 |
+| SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | provenance | MaD:3 |
 | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49198 |
-| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49439 |
+| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
+| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49198 |
-| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49439 |
+| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
+| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49198 |
-| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49439 |
+| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
+| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | provenance | Config |
-| SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | provenance | MaD:42953 |
+| SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | provenance | MaD:3 |
+models
+| 1 | Summary: java.lang; String; false; format; (String,Object[]); ; Argument[0]; ReturnValue; taint; manual |
+| 2 | Summary: java.lang; String; false; format; (String,Object[]); ; Argument[1].ArrayElement; ReturnValue; taint; manual |
+| 3 | Summary: java.net; URI; false; create; ; ; Argument[0]; ReturnValue; taint; manual |
+| 4 | Summary: org.springframework.http; HttpHeaders; true; add; (String,String); ; Argument[0..1]; Argument[this]; taint; manual |
+| 5 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[1]; Argument[this].MapValue.Element; value; manual |
 nodes
 | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:19:19:19:29 | redirectUrl | semmle.label | redirectUrl |
@@ -84,18 +105,3 @@ nodes
 | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | semmle.label | httpHeaders |
 subpaths
-#select
-| SpringUrlRedirect.java:19:19:19:29 | redirectUrl | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | SpringUrlRedirect.java:19:19:19:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:17:30:17:47 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:25:36:25:46 | redirectUrl | SpringUrlRedirect.java:24:24:24:41 | redirectUrl : String | SpringUrlRedirect.java:25:36:25:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:24:24:24:41 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:31:44:31:54 | redirectUrl | SpringUrlRedirect.java:30:30:30:47 | redirectUrl : String | SpringUrlRedirect.java:31:44:31:54 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:30:30:30:47 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:37:47:37:57 | redirectUrl | SpringUrlRedirect.java:36:30:36:47 | redirectUrl : String | SpringUrlRedirect.java:37:47:37:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:36:30:36:47 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:44:29:44:39 | redirectUrl | SpringUrlRedirect.java:41:24:41:41 | redirectUrl : String | SpringUrlRedirect.java:44:29:44:39 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:41:24:41:41 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:52:30:52:40 | redirectUrl | SpringUrlRedirect.java:49:24:49:41 | redirectUrl : String | SpringUrlRedirect.java:52:30:52:40 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:49:24:49:41 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:58:30:58:66 | format(...) | SpringUrlRedirect.java:57:24:57:41 | redirectUrl : String | SpringUrlRedirect.java:58:30:58:66 | format(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:57:24:57:41 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:63:30:63:76 | format(...) | SpringUrlRedirect.java:62:24:62:41 | redirectUrl : String | SpringUrlRedirect.java:63:30:63:76 | format(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:62:24:62:41 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:91:27:91:49 | create(...) | SpringUrlRedirect.java:89:38:89:55 | redirectUrl : String | SpringUrlRedirect.java:91:27:91:49 | create(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:89:38:89:55 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:100:37:100:47 | httpHeaders | SpringUrlRedirect.java:96:39:96:56 | redirectUrl : String | SpringUrlRedirect.java:100:37:100:47 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:96:39:96:56 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:108:68:108:78 | httpHeaders | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:104:39:104:56 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:116:37:116:47 | httpHeaders | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:112:39:112:56 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:124:49:124:59 | httpHeaders | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:120:33:120:50 | redirectUrl | user-provided value |
-| SpringUrlRedirect.java:132:49:132:59 | httpHeaders | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:128:33:128:50 | redirectUrl | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+query: experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.expected

@@ -1,27 +1,48 @@
+#select
+| DotRegexFilter.java:32:25:32:30 | source | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | Potentially authentication bypass due to $@. | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) | user-provided value |
+| DotRegexServlet.java:22:25:22:30 | source | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) | user-provided value |
+| DotRegexServlet.java:59:21:59:26 | source | DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:57:19:57:41 | getRequestURI(...) | user-provided value |
+| DotRegexServlet.java:77:56:77:61 | source | DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:75:19:75:39 | getPathInfo(...) | user-provided value |
+| DotRegexServlet.java:115:25:115:30 | source | DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:112:19:112:39 | getPathInfo(...) | user-provided value |
+| DotRegexSpring.java:23:25:23:28 | path | DotRegexSpring.java:20:26:20:50 | path : String | DotRegexSpring.java:23:25:23:28 | path | Potentially authentication bypass due to $@. | DotRegexSpring.java:20:26:20:50 | path | user-provided value |
+| DotRegexSpring.java:40:25:40:28 | path | DotRegexSpring.java:37:40:37:64 | path : String | DotRegexSpring.java:40:25:40:28 | path | Potentially authentication bypass due to $@. | DotRegexSpring.java:37:40:37:64 | path | user-provided value |
 edges
-| DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | provenance | Src:MaD:1986  |
-| DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | provenance | Src:MaD:44648  |
-| DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | provenance | Src:MaD:1986  |
-| DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | provenance | Src:MaD:44648  |
-| DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source | provenance | Src:MaD:1988  |
-| DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source | provenance | Src:MaD:44651  |
-| DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source | provenance | Src:MaD:1986  |
-| DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source | provenance | Src:MaD:44648  |
-| DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source | provenance | Src:MaD:1986  |
-| DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source | provenance | Src:MaD:44648  |
+| DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | provenance | Src:MaD:1  |
+| DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | provenance | Src:MaD:4  |
+| DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | provenance | Src:MaD:1  |
+| DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | provenance | Src:MaD:4  |
+| DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source | provenance | Src:MaD:2  |
+| DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source | provenance | Src:MaD:5  |
+| DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source | provenance | Src:MaD:1  |
+| DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source | provenance | Src:MaD:4  |
+| DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source | provenance | Src:MaD:1  |
+| DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source | provenance | Src:MaD:4  |
 | DotRegexSpring.java:20:26:20:50 | path : String | DotRegexSpring.java:22:21:22:24 | path : String | provenance |  |
 | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String | DotRegexSpring.java:23:25:23:28 | path | provenance |  |
 | DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String | provenance |  |
+| DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String | provenance | MaD:3 |
 | DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | provenance |  |
 | DotRegexSpring.java:37:40:37:64 | path : String | DotRegexSpring.java:39:21:39:24 | path : String | provenance |  |
 | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String | DotRegexSpring.java:40:25:40:28 | path | provenance |  |
 | DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String | provenance |  |
+| DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String | provenance | MaD:3 |
 | DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | provenance |  |
 | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:71:29:71:32 | path : String | provenance |  |
+| DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:71:29:71:32 | path : String | provenance |  |
+| DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | provenance |  |
 | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | provenance |  |
 | DotRegexSpring.java:71:11:71:42 | decode(...) : String | DotRegexSpring.java:71:29:71:32 | path : String | provenance |  |
+| DotRegexSpring.java:71:11:71:42 | decode(...) : String | DotRegexSpring.java:71:29:71:32 | path : String | provenance |  |
 | DotRegexSpring.java:71:11:71:42 | decode(...) : String | DotRegexSpring.java:73:10:73:13 | path : String | provenance |  |
-| DotRegexSpring.java:71:29:71:32 | path : String | DotRegexSpring.java:71:11:71:42 | decode(...) : String | provenance | MaD:42974 |
+| DotRegexSpring.java:71:11:71:42 | decode(...) : String | DotRegexSpring.java:73:10:73:13 | path : String | provenance |  |
+| DotRegexSpring.java:71:29:71:32 | path : String | DotRegexSpring.java:71:11:71:42 | decode(...) : String | provenance | MaD:3 |
+| DotRegexSpring.java:71:29:71:32 | path : String | DotRegexSpring.java:71:11:71:42 | decode(...) : String | provenance | MaD:3 |
+models
+| 1 | Source: javax.servlet.http; HttpServletRequest; false; getPathInfo; (); ; ReturnValue; uri-path; manual |
+| 2 | Source: javax.servlet.http; HttpServletRequest; false; getRequestURI; (); ; ReturnValue; uri-path; manual |
+| 3 | Summary: java.net; URLDecoder; false; decode; ; ; Argument[0]; ReturnValue; taint; manual |
+| 4 | Source: javax.servlet.http; HttpServletRequest; false; getPathInfo; (); ; ReturnValue; remote; manual |
+| 5 | Source: javax.servlet.http; HttpServletRequest; false; getRequestURI; (); ; ReturnValue; remote; manual |
 nodes
 | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
 | DotRegexFilter.java:32:25:32:30 | source | semmle.label | source |
@@ -44,15 +65,11 @@ nodes
 | DotRegexSpring.java:69:28:69:38 | path : String | semmle.label | path : String |
 | DotRegexSpring.java:71:11:71:42 | decode(...) : String | semmle.label | decode(...) : String |
 | DotRegexSpring.java:71:29:71:32 | path : String | semmle.label | path : String |
+| DotRegexSpring.java:71:29:71:32 | path : String | semmle.label | path : String |
+| DotRegexSpring.java:73:10:73:13 | path : String | semmle.label | path : String |
 | DotRegexSpring.java:73:10:73:13 | path : String | semmle.label | path : String |
 subpaths
 | DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String |
+| DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String |
+| DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String |
 | DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String |
-#select
-| DotRegexFilter.java:32:25:32:30 | source | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | Potentially authentication bypass due to $@. | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) | user-provided value |
-| DotRegexServlet.java:22:25:22:30 | source | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) | user-provided value |
-| DotRegexServlet.java:59:21:59:26 | source | DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:57:19:57:41 | getRequestURI(...) | user-provided value |
-| DotRegexServlet.java:77:56:77:61 | source | DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:75:19:75:39 | getPathInfo(...) | user-provided value |
-| DotRegexServlet.java:115:25:115:30 | source | DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:112:19:112:39 | getPathInfo(...) | user-provided value |
-| DotRegexSpring.java:23:25:23:28 | path | DotRegexSpring.java:20:26:20:50 | path : String | DotRegexSpring.java:23:25:23:28 | path | Potentially authentication bypass due to $@. | DotRegexSpring.java:20:26:20:50 | path | user-provided value |
-| DotRegexSpring.java:40:25:40:28 | path | DotRegexSpring.java:37:40:37:64 | path : String | DotRegexSpring.java:40:25:40:28 | path | Potentially authentication bypass due to $@. | DotRegexSpring.java:37:40:37:64 | path | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
+query: experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected

@@ -1,31 +1,47 @@
+#select
+| XQueryInjection.java:51:35:51:38 | xqpe | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:45:23:45:50 | getParameter(...) | this user input |
+| XQueryInjection.java:65:53:65:57 | query | XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query | XQuery query might include code from $@. | XQueryInjection.java:59:23:59:50 | getParameter(...) | this user input |
+| XQueryInjection.java:79:35:79:38 | xqpe | XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:73:32:73:59 | nameStr | this user input |
+| XQueryInjection.java:92:53:92:57 | query | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query | XQuery query might include code from $@. | XQueryInjection.java:86:33:86:60 | nameStr | this user input |
+| XQueryInjection.java:104:35:104:38 | xqpe | XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:100:28:100:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:116:53:116:56 | name | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name | XQuery query might include code from $@. | XQueryInjection.java:112:28:112:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:129:35:129:38 | xqpe | XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:124:28:124:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:142:53:142:54 | br | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br | XQuery query might include code from $@. | XQueryInjection.java:137:28:137:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:155:29:155:32 | name | XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name | XQuery query might include code from $@. | XQueryInjection.java:150:23:150:50 | getParameter(...) | this user input |
+| XQueryInjection.java:159:29:159:30 | br | XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br | XQuery query might include code from $@. | XQueryInjection.java:157:26:157:49 | getInputStream(...) | this user input |
 edges
-| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:50:60:50:64 | query : String | provenance | Src:MaD:44663  |
+| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:50:60:50:64 | query : String | provenance | Src:MaD:4  |
 | XQueryInjection.java:50:37:50:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:51:35:51:38 | xqpe | provenance |  |
 | XQueryInjection.java:50:60:50:64 | query : String | XQueryInjection.java:50:37:50:65 | prepareExpression(...) : XQPreparedExpression | provenance | Config |
-| XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query | provenance | Src:MaD:44663  |
+| XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query | provenance | Src:MaD:4  |
 | XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:78:60:78:64 | query : String | provenance |  |
 | XQueryInjection.java:78:37:78:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:79:35:79:38 | xqpe | provenance |  |
 | XQueryInjection.java:78:60:78:64 | query : String | XQueryInjection.java:78:37:78:65 | prepareExpression(...) : XQPreparedExpression | provenance | Config |
 | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query | provenance |  |
-| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:103:60:103:63 | name : ServletInputStream | provenance | Src:MaD:44662  |
+| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:103:60:103:63 | name : ServletInputStream | provenance | Src:MaD:3  |
 | XQueryInjection.java:103:37:103:64 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:104:35:104:38 | xqpe | provenance |  |
 | XQueryInjection.java:103:60:103:63 | name : ServletInputStream | XQueryInjection.java:103:37:103:64 | prepareExpression(...) : XQPreparedExpression | provenance | Config |
-| XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name | provenance | Src:MaD:44662  |
-| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:125:70:125:73 | name : ServletInputStream | provenance | Src:MaD:44662  |
+| XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name | provenance | Src:MaD:3  |
+| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:125:70:125:73 | name : ServletInputStream | provenance | Src:MaD:3  |
 | XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:128:60:128:61 | br : BufferedReader | provenance |  |
-| XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | provenance | MaD:42579 |
-| XQueryInjection.java:125:70:125:73 | name : ServletInputStream | XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:42613 |
+| XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | provenance | MaD:1 |
+| XQueryInjection.java:125:70:125:73 | name : ServletInputStream | XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:2 |
 | XQueryInjection.java:128:37:128:62 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:129:35:129:38 | xqpe | provenance |  |
 | XQueryInjection.java:128:60:128:61 | br : BufferedReader | XQueryInjection.java:128:37:128:62 | prepareExpression(...) : XQPreparedExpression | provenance | Config |
-| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:138:70:138:73 | name : ServletInputStream | provenance | Src:MaD:44662  |
+| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:138:70:138:73 | name : ServletInputStream | provenance | Src:MaD:3  |
 | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:142:53:142:54 | br | provenance |  |
-| XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | provenance | MaD:42579 |
-| XQueryInjection.java:138:70:138:73 | name : ServletInputStream | XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:42613 |
-| XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name | provenance | Src:MaD:44663  |
-| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:158:70:158:71 | is : ServletInputStream | provenance | Src:MaD:44662  |
+| XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | provenance | MaD:1 |
+| XQueryInjection.java:138:70:138:73 | name : ServletInputStream | XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:2 |
+| XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name | provenance | Src:MaD:4  |
+| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:158:70:158:71 | is : ServletInputStream | provenance | Src:MaD:3  |
 | XQueryInjection.java:158:29:158:73 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:159:29:159:30 | br | provenance |  |
-| XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:158:29:158:73 | new BufferedReader(...) : BufferedReader | provenance | MaD:42579 |
-| XQueryInjection.java:158:70:158:71 | is : ServletInputStream | XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:42613 |
+| XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:158:29:158:73 | new BufferedReader(...) : BufferedReader | provenance | MaD:1 |
+| XQueryInjection.java:158:70:158:71 | is : ServletInputStream | XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:2 |
+models
+| 1 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 2 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
+| 3 | Source: javax.servlet; ServletRequest; false; getInputStream; (); ; ReturnValue; remote; manual |
+| 4 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
 nodes
 | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | XQueryInjection.java:50:37:50:65 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
@@ -65,14 +81,3 @@ nodes
 | XQueryInjection.java:158:70:158:71 | is : ServletInputStream | semmle.label | is : ServletInputStream |
 | XQueryInjection.java:159:29:159:30 | br | semmle.label | br |
 subpaths
-#select
-| XQueryInjection.java:51:35:51:38 | xqpe | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:45:23:45:50 | getParameter(...) | this user input |
-| XQueryInjection.java:65:53:65:57 | query | XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query | XQuery query might include code from $@. | XQueryInjection.java:59:23:59:50 | getParameter(...) | this user input |
-| XQueryInjection.java:79:35:79:38 | xqpe | XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:73:32:73:59 | nameStr | this user input |
-| XQueryInjection.java:92:53:92:57 | query | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query | XQuery query might include code from $@. | XQueryInjection.java:86:33:86:60 | nameStr | this user input |
-| XQueryInjection.java:104:35:104:38 | xqpe | XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:100:28:100:51 | getInputStream(...) | this user input |
-| XQueryInjection.java:116:53:116:56 | name | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name | XQuery query might include code from $@. | XQueryInjection.java:112:28:112:51 | getInputStream(...) | this user input |
-| XQueryInjection.java:129:35:129:38 | xqpe | XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:124:28:124:51 | getInputStream(...) | this user input |
-| XQueryInjection.java:142:53:142:54 | br | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br | XQuery query might include code from $@. | XQueryInjection.java:137:28:137:51 | getInputStream(...) | this user input |
-| XQueryInjection.java:155:29:155:32 | name | XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name | XQuery query might include code from $@. | XQueryInjection.java:150:23:150:50 | getParameter(...) | this user input |
-| XQueryInjection.java:159:29:159:30 | br | XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br | XQuery query might include code from $@. | XQueryInjection.java:157:26:157:49 | getInputStream(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-652/XQueryInjection.ql
+query: experimental/Security/CWE/CWE-652/XQueryInjection.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected

@@ -1,13 +1,21 @@
+#select
+| NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) | user-provided value |
+| NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:22:21:22:31 | getIntent(...) | user-provided value |
+| NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:25:22:25:32 | getIntent(...) | user-provided value |
+| NFEAndroidDoS.java:44:21:44:43 | new Double(...) | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) | user-provided value |
+| NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) | user-provided value |
 edges
-| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | provenance | MaD:330 |
+| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | provenance | MaD:1 |
 | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | provenance | TaintPreservingCallable |
-| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | provenance | MaD:330 |
+| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | provenance | MaD:1 |
 | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | provenance | TaintPreservingCallable |
-| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | provenance | MaD:330 |
+| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | provenance | MaD:1 |
 | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | provenance | TaintPreservingCallable |
-| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | provenance | MaD:330 |
+| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | provenance | MaD:1 |
 | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | provenance | TaintPreservingCallable |
 | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | provenance | TaintPreservingCallable |
+models
+| 1 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
 nodes
 | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
 | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
@@ -23,9 +31,3 @@ nodes
 | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | semmle.label | new Double(...) |
 | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | semmle.label | valueOf(...) |
 subpaths
-#select
-| NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) | user-provided value |
-| NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:22:21:22:31 | getIntent(...) | user-provided value |
-| NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:25:22:25:32 | getIntent(...) | user-provided value |
-| NFEAndroidDoS.java:44:21:44:43 | new Double(...) | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) | user-provided value |
-| NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | Uncaught NumberFormatException in an exported Android component due to $@. | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
+query: experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected

@@ -1,10 +1,17 @@
+#select
+| HashWithoutSalt.java:10:36:10:54 | getBytes(...) | HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:10:36:10:43 | password : String | The password |
+| HashWithoutSalt.java:25:13:25:31 | getBytes(...) | HashWithoutSalt.java:25:13:25:20 | password : String | HashWithoutSalt.java:25:13:25:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:25:13:25:20 | password : String | The password |
+| HashWithoutSalt.java:94:17:94:25 | passBytes | HashWithoutSalt.java:93:22:93:29 | password : String | HashWithoutSalt.java:94:17:94:25 | passBytes | $@ is hashed without a salt. | HashWithoutSalt.java:93:22:93:29 | password : String | The password |
+| HashWithoutSalt.java:112:18:112:26 | passBytes | HashWithoutSalt.java:111:22:111:29 | password : String | HashWithoutSalt.java:112:18:112:26 | passBytes | $@ is hashed without a salt. | HashWithoutSalt.java:111:22:111:29 | password : String | The password |
 edges
-| HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | provenance | MaD:42737 |
-| HashWithoutSalt.java:25:13:25:20 | password : String | HashWithoutSalt.java:25:13:25:31 | getBytes(...) | provenance | MaD:42737 |
-| HashWithoutSalt.java:93:22:93:29 | password : String | HashWithoutSalt.java:93:22:93:40 | getBytes(...) : byte[] | provenance | MaD:42737 |
+| HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | provenance | MaD:1 |
+| HashWithoutSalt.java:25:13:25:20 | password : String | HashWithoutSalt.java:25:13:25:31 | getBytes(...) | provenance | MaD:1 |
+| HashWithoutSalt.java:93:22:93:29 | password : String | HashWithoutSalt.java:93:22:93:40 | getBytes(...) : byte[] | provenance | MaD:1 |
 | HashWithoutSalt.java:93:22:93:40 | getBytes(...) : byte[] | HashWithoutSalt.java:94:17:94:25 | passBytes | provenance |  |
-| HashWithoutSalt.java:111:22:111:29 | password : String | HashWithoutSalt.java:111:22:111:40 | getBytes(...) : byte[] | provenance | MaD:42737 |
+| HashWithoutSalt.java:111:22:111:29 | password : String | HashWithoutSalt.java:111:22:111:40 | getBytes(...) : byte[] | provenance | MaD:1 |
 | HashWithoutSalt.java:111:22:111:40 | getBytes(...) : byte[] | HashWithoutSalt.java:112:18:112:26 | passBytes | provenance |  |
+models
+| 1 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
 nodes
 | HashWithoutSalt.java:10:36:10:43 | password : String | semmle.label | password : String |
 | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | semmle.label | getBytes(...) |
@@ -17,8 +24,3 @@ nodes
 | HashWithoutSalt.java:111:22:111:40 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] |
 | HashWithoutSalt.java:112:18:112:26 | passBytes | semmle.label | passBytes |
 subpaths
-#select
-| HashWithoutSalt.java:10:36:10:54 | getBytes(...) | HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:10:36:10:43 | password : String | The password |
-| HashWithoutSalt.java:25:13:25:31 | getBytes(...) | HashWithoutSalt.java:25:13:25:20 | password : String | HashWithoutSalt.java:25:13:25:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:25:13:25:20 | password : String | The password |
-| HashWithoutSalt.java:94:17:94:25 | passBytes | HashWithoutSalt.java:93:22:93:29 | password : String | HashWithoutSalt.java:94:17:94:25 | passBytes | $@ is hashed without a salt. | HashWithoutSalt.java:93:22:93:29 | password : String | The password |
-| HashWithoutSalt.java:112:18:112:26 | passBytes | HashWithoutSalt.java:111:22:111:29 | password : String | HashWithoutSalt.java:112:18:112:26 | passBytes | $@ is hashed without a salt. | HashWithoutSalt.java:111:22:111:29 | password : String | The password |

java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
+query: experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ArchiveEntry.java

@@ -0,0 +1,14 @@
+// Generated automatically from org.apache.commons.compress.archivers.ArchiveEntry for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+import java.util.Date;
+
+public interface ArchiveEntry
+{
+    Date getLastModifiedDate();
+    String getName();
+    boolean isDirectory();
+    long getSize();
+    static long SIZE_UNKNOWN = 0;
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ArchiveException.java

@@ -0,0 +1,11 @@
+// Generated automatically from org.apache.commons.compress.archivers.ArchiveException for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+
+public class ArchiveException extends Exception
+{
+    protected ArchiveException() {}
+    public ArchiveException(String p0){}
+    public ArchiveException(String p0, Exception p1){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ArchiveInputStream.java

@@ -0,0 +1,19 @@
+// Generated automatically from org.apache.commons.compress.archivers.ArchiveInputStream for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+import java.io.InputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+
+abstract public class ArchiveInputStream extends InputStream
+{
+    protected void count(int p0){}
+    protected void count(long p0){}
+    protected void pushedBackBytes(long p0){}
+    public ArchiveInputStream(){}
+    public abstract ArchiveEntry getNextEntry();
+    public boolean canReadEntryData(ArchiveEntry p0){ return false; }
+    public int getCount(){ return 0; }
+    public int read(){ return 0; }
+    public long getBytesRead(){ return 0; }
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ArchiveOutputStream.java

@@ -0,0 +1,25 @@
+// Generated automatically from org.apache.commons.compress.archivers.ArchiveOutputStream for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+import java.io.File;
+import java.io.OutputStream;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+
+abstract public class ArchiveOutputStream extends OutputStream
+{
+    protected void count(int p0){}
+    protected void count(long p0){}
+    public ArchiveEntry createArchiveEntry(Path p0, String p1, LinkOption... p2){ return null; }
+    public ArchiveOutputStream(){}
+    public abstract ArchiveEntry createArchiveEntry(File p0, String p1);
+    public abstract void closeArchiveEntry();
+    public abstract void finish();
+    public abstract void putArchiveEntry(ArchiveEntry p0);
+    public boolean canWriteEntryData(ArchiveEntry p0){ return false; }
+    public int getCount(){ return 0; }
+    public long getBytesWritten(){ return 0; }
+    public void write(int p0){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ArchiveStreamFactory.java

@@ -0,0 +1,44 @@
+// Generated automatically from org.apache.commons.compress.archivers.ArchiveStreamFactory for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Set;
+import java.util.SortedMap;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.ArchiveOutputStream;
+import org.apache.commons.compress.archivers.ArchiveStreamProvider;
+
+public class ArchiveStreamFactory implements ArchiveStreamProvider
+{
+    public ArchiveInputStream createArchiveInputStream(InputStream p0){ return null; }
+    public ArchiveInputStream createArchiveInputStream(String p0, InputStream p1){ return null; }
+    public ArchiveInputStream createArchiveInputStream(String p0, InputStream p1, String p2){ return null; }
+    public ArchiveOutputStream createArchiveOutputStream(String p0, OutputStream p1){ return null; }
+    public ArchiveOutputStream createArchiveOutputStream(String p0, OutputStream p1, String p2){ return null; }
+    public ArchiveStreamFactory(){}
+    public ArchiveStreamFactory(String p0){}
+    public Set<String> getInputStreamArchiveNames(){ return null; }
+    public Set<String> getOutputStreamArchiveNames(){ return null; }
+    public SortedMap<String, ArchiveStreamProvider> getArchiveInputStreamProviders(){ return null; }
+    public SortedMap<String, ArchiveStreamProvider> getArchiveOutputStreamProviders(){ return null; }
+    public String getEntryEncoding(){ return null; }
+    public static ArchiveStreamFactory DEFAULT = null;
+    public static SortedMap<String, ArchiveStreamProvider> findAvailableArchiveInputStreamProviders(){ return null; }
+    public static SortedMap<String, ArchiveStreamProvider> findAvailableArchiveOutputStreamProviders(){ return null; }
+    public static String APK = null;
+    public static String APKM = null;
+    public static String APKS = null;
+    public static String AR = null;
+    public static String ARJ = null;
+    public static String CPIO = null;
+    public static String DUMP = null;
+    public static String JAR = null;
+    public static String SEVEN_Z = null;
+    public static String TAR = null;
+    public static String XAPK = null;
+    public static String ZIP = null;
+    public static String detect(InputStream p0){ return null; }
+    public void setEntryEncoding(String p0){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ArchiveStreamProvider.java

@@ -0,0 +1,17 @@
+// Generated automatically from org.apache.commons.compress.archivers.ArchiveStreamProvider for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Set;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.ArchiveOutputStream;
+
+public interface ArchiveStreamProvider
+{
+    ArchiveInputStream createArchiveInputStream(String p0, InputStream p1, String p2);
+    ArchiveOutputStream createArchiveOutputStream(String p0, OutputStream p1, String p2);
+    Set<String> getInputStreamArchiveNames();
+    Set<String> getOutputStreamArchiveNames();
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/EntryStreamOffsets.java

@@ -0,0 +1,11 @@
+// Generated automatically from org.apache.commons.compress.archivers.EntryStreamOffsets for testing purposes
+
+package org.apache.commons.compress.archivers;
+
+
+public interface EntryStreamOffsets
+{
+    boolean isStreamContiguous();
+    long getDataOffset();
+    static long OFFSET_UNKNOWN = 0;
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ar/ArArchiveEntry.java

@@ -0,0 +1,31 @@
+// Generated automatically from org.apache.commons.compress.archivers.ar.ArArchiveEntry for testing purposes
+
+package org.apache.commons.compress.archivers.ar;
+
+import java.io.File;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.util.Date;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+
+public class ArArchiveEntry implements ArchiveEntry
+{
+    protected ArArchiveEntry() {}
+    public ArArchiveEntry(File p0, String p1){}
+    public ArArchiveEntry(Path p0, String p1, LinkOption... p2){}
+    public ArArchiveEntry(String p0, long p1){}
+    public ArArchiveEntry(String p0, long p1, int p2, int p3, int p4, long p5){}
+    public Date getLastModifiedDate(){ return null; }
+    public String getName(){ return null; }
+    public boolean equals(Object p0){ return false; }
+    public boolean isDirectory(){ return false; }
+    public int getGroupId(){ return 0; }
+    public int getMode(){ return 0; }
+    public int getUserId(){ return 0; }
+    public int hashCode(){ return 0; }
+    public long getLastModified(){ return 0; }
+    public long getLength(){ return 0; }
+    public long getSize(){ return 0; }
+    public static String HEADER = null;
+    public static String TRAILER = null;
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/ar/ArArchiveInputStream.java

@@ -0,0 +1,19 @@
+// Generated automatically from org.apache.commons.compress.archivers.ar.ArArchiveInputStream for testing purposes
+
+package org.apache.commons.compress.archivers.ar;
+
+import java.io.InputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.ar.ArArchiveEntry;
+
+public class ArArchiveInputStream extends ArchiveInputStream
+{
+    protected ArArchiveInputStream() {}
+    public ArArchiveEntry getNextArEntry(){ return null; }
+    public ArArchiveInputStream(InputStream p0){}
+    public ArchiveEntry getNextEntry(){ return null; }
+    public int read(byte[] p0, int p1, int p2){ return 0; }
+    public static boolean matches(byte[] p0, int p1){ return false; }
+    public void close(){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/arj/ArjArchiveEntry.java

@@ -0,0 +1,21 @@
+// Generated automatically from org.apache.commons.compress.archivers.arj.ArjArchiveEntry for testing purposes
+
+package org.apache.commons.compress.archivers.arj;
+
+import java.util.Date;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+
+public class ArjArchiveEntry implements ArchiveEntry
+{
+    public ArjArchiveEntry(){}
+    public Date getLastModifiedDate(){ return null; }
+    public String getName(){ return null; }
+    public boolean equals(Object p0){ return false; }
+    public boolean isDirectory(){ return false; }
+    public boolean isHostOsUnix(){ return false; }
+    public int getHostOs(){ return 0; }
+    public int getMode(){ return 0; }
+    public int getUnixMode(){ return 0; }
+    public int hashCode(){ return 0; }
+    public long getSize(){ return 0; }
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/arj/ArjArchiveInputStream.java

@@ -0,0 +1,22 @@
+// Generated automatically from org.apache.commons.compress.archivers.arj.ArjArchiveInputStream for testing purposes
+
+package org.apache.commons.compress.archivers.arj;
+
+import java.io.InputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.arj.ArjArchiveEntry;
+
+public class ArjArchiveInputStream extends ArchiveInputStream
+{
+    protected ArjArchiveInputStream() {}
+    public ArjArchiveEntry getNextEntry(){ return null; }
+    public ArjArchiveInputStream(InputStream p0){}
+    public ArjArchiveInputStream(InputStream p0, String p1){}
+    public String getArchiveComment(){ return null; }
+    public String getArchiveName(){ return null; }
+    public boolean canReadEntryData(ArchiveEntry p0){ return false; }
+    public int read(byte[] p0, int p1, int p2){ return 0; }
+    public static boolean matches(byte[] p0, int p1){ return false; }
+    public void close(){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java

@@ -0,0 +1,75 @@
+// Generated automatically from org.apache.commons.compress.archivers.cpio.CpioArchiveEntry for testing purposes
+
+package org.apache.commons.compress.archivers.cpio;
+
+import java.io.File;
+import java.nio.charset.Charset;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.nio.file.attribute.FileTime;
+import java.util.Date;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.cpio.CpioConstants;
+
+public class CpioArchiveEntry implements ArchiveEntry, CpioConstants
+{
+    protected CpioArchiveEntry() {}
+    public CpioArchiveEntry(File p0, String p1){}
+    public CpioArchiveEntry(Path p0, String p1, LinkOption... p2){}
+    public CpioArchiveEntry(String p0){}
+    public CpioArchiveEntry(String p0, long p1){}
+    public CpioArchiveEntry(short p0){}
+    public CpioArchiveEntry(short p0, File p1, String p2){}
+    public CpioArchiveEntry(short p0, Path p1, String p2, LinkOption... p3){}
+    public CpioArchiveEntry(short p0, String p1){}
+    public CpioArchiveEntry(short p0, String p1, long p2){}
+    public Date getLastModifiedDate(){ return null; }
+    public String getName(){ return null; }
+    public boolean equals(Object p0){ return false; }
+    public boolean isBlockDevice(){ return false; }
+    public boolean isCharacterDevice(){ return false; }
+    public boolean isDirectory(){ return false; }
+    public boolean isNetwork(){ return false; }
+    public boolean isPipe(){ return false; }
+    public boolean isRegularFile(){ return false; }
+    public boolean isSocket(){ return false; }
+    public boolean isSymbolicLink(){ return false; }
+    public int getAlignmentBoundary(){ return 0; }
+    public int getDataPadCount(){ return 0; }
+    public int getHeaderPadCount(){ return 0; }
+    public int getHeaderPadCount(Charset p0){ return 0; }
+    public int getHeaderPadCount(long p0){ return 0; }
+    public int getHeaderSize(){ return 0; }
+    public int hashCode(){ return 0; }
+    public long getChksum(){ return 0; }
+    public long getDevice(){ return 0; }
+    public long getDeviceMaj(){ return 0; }
+    public long getDeviceMin(){ return 0; }
+    public long getGID(){ return 0; }
+    public long getInode(){ return 0; }
+    public long getMode(){ return 0; }
+    public long getNumberOfLinks(){ return 0; }
+    public long getRemoteDevice(){ return 0; }
+    public long getRemoteDeviceMaj(){ return 0; }
+    public long getRemoteDeviceMin(){ return 0; }
+    public long getSize(){ return 0; }
+    public long getTime(){ return 0; }
+    public long getUID(){ return 0; }
+    public short getFormat(){ return 0; }
+    public void setChksum(long p0){}
+    public void setDevice(long p0){}
+    public void setDeviceMaj(long p0){}
+    public void setDeviceMin(long p0){}
+    public void setGID(long p0){}
+    public void setInode(long p0){}
+    public void setMode(long p0){}
+    public void setName(String p0){}
+    public void setNumberOfLinks(long p0){}
+    public void setRemoteDevice(long p0){}
+    public void setRemoteDeviceMaj(long p0){}
+    public void setRemoteDeviceMin(long p0){}
+    public void setSize(long p0){}
+    public void setTime(FileTime p0){}
+    public void setTime(long p0){}
+    public void setUID(long p0){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java

@@ -0,0 +1,25 @@
+// Generated automatically from org.apache.commons.compress.archivers.cpio.CpioArchiveInputStream for testing purposes
+
+package org.apache.commons.compress.archivers.cpio;
+
+import java.io.InputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.cpio.CpioArchiveEntry;
+import org.apache.commons.compress.archivers.cpio.CpioConstants;
+
+public class CpioArchiveInputStream extends ArchiveInputStream implements CpioConstants
+{
+    protected CpioArchiveInputStream() {}
+    public ArchiveEntry getNextEntry(){ return null; }
+    public CpioArchiveEntry getNextCPIOEntry(){ return null; }
+    public CpioArchiveInputStream(InputStream p0){}
+    public CpioArchiveInputStream(InputStream p0, String p1){}
+    public CpioArchiveInputStream(InputStream p0, int p1){}
+    public CpioArchiveInputStream(InputStream p0, int p1, String p2){}
+    public int available(){ return 0; }
+    public int read(byte[] p0, int p1, int p2){ return 0; }
+    public long skip(long p0){ return 0; }
+    public static boolean matches(byte[] p0, int p1){ return false; }
+    public void close(){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/cpio/CpioConstants.java

@@ -0,0 +1,41 @@
+// Generated automatically from org.apache.commons.compress.archivers.cpio.CpioConstants for testing purposes
+
+package org.apache.commons.compress.archivers.cpio;
+
+
+public interface CpioConstants
+{
+    static String CPIO_TRAILER = null;
+    static String MAGIC_NEW = null;
+    static String MAGIC_NEW_CRC = null;
+    static String MAGIC_OLD_ASCII = null;
+    static int BLOCK_SIZE = 0;
+    static int C_IRGRP = 0;
+    static int C_IROTH = 0;
+    static int C_IRUSR = 0;
+    static int C_ISBLK = 0;
+    static int C_ISCHR = 0;
+    static int C_ISDIR = 0;
+    static int C_ISFIFO = 0;
+    static int C_ISGID = 0;
+    static int C_ISLNK = 0;
+    static int C_ISNWK = 0;
+    static int C_ISREG = 0;
+    static int C_ISSOCK = 0;
+    static int C_ISUID = 0;
+    static int C_ISVTX = 0;
+    static int C_IWGRP = 0;
+    static int C_IWOTH = 0;
+    static int C_IWUSR = 0;
+    static int C_IXGRP = 0;
+    static int C_IXOTH = 0;
+    static int C_IXUSR = 0;
+    static int MAGIC_OLD_BINARY = 0;
+    static int S_IFMT = 0;
+    static short FORMAT_NEW = 0;
+    static short FORMAT_NEW_CRC = 0;
+    static short FORMAT_NEW_MASK = 0;
+    static short FORMAT_OLD_ASCII = 0;
+    static short FORMAT_OLD_BINARY = 0;
+    static short FORMAT_OLD_MASK = 0;
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/jar/JarArchiveEntry.java

@@ -0,0 +1,20 @@
+// Generated automatically from org.apache.commons.compress.archivers.jar.JarArchiveEntry for testing purposes
+
+package org.apache.commons.compress.archivers.jar;
+
+import java.security.cert.Certificate;
+import java.util.jar.Attributes;
+import java.util.jar.JarEntry;
+import java.util.zip.ZipEntry;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+
+public class JarArchiveEntry extends ZipArchiveEntry
+{
+    protected JarArchiveEntry() {}
+    public Attributes getManifestAttributes(){ return null; }
+    public Certificate[] getCertificates(){ return null; }
+    public JarArchiveEntry(JarEntry p0){}
+    public JarArchiveEntry(String p0){}
+    public JarArchiveEntry(ZipArchiveEntry p0){}
+    public JarArchiveEntry(ZipEntry p0){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/jar/JarArchiveInputStream.java

@@ -0,0 +1,18 @@
+// Generated automatically from org.apache.commons.compress.archivers.jar.JarArchiveInputStream for testing purposes
+
+package org.apache.commons.compress.archivers.jar;
+
+import java.io.InputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.jar.JarArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+
+public class JarArchiveInputStream extends ZipArchiveInputStream
+{
+    protected JarArchiveInputStream() {}
+    public ArchiveEntry getNextEntry(){ return null; }
+    public JarArchiveEntry getNextJarEntry(){ return null; }
+    public JarArchiveInputStream(InputStream p0){}
+    public JarArchiveInputStream(InputStream p0, String p1){}
+    public static boolean matches(byte[] p0, int p1){ return false; }
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/ExtraFieldParsingBehavior.java

@@ -0,0 +1,13 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.ExtraFieldParsingBehavior for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import org.apache.commons.compress.archivers.zip.UnparseableExtraFieldBehavior;
+import org.apache.commons.compress.archivers.zip.ZipExtraField;
+import org.apache.commons.compress.archivers.zip.ZipShort;
+
+public interface ExtraFieldParsingBehavior extends UnparseableExtraFieldBehavior
+{
+    ZipExtraField createExtraField(ZipShort p0);
+    ZipExtraField fill(ZipExtraField p0, byte[] p1, int p2, int p3, boolean p4);
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/GeneralPurposeBit.java

@@ -0,0 +1,24 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.GeneralPurposeBit for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+
+public class GeneralPurposeBit implements Cloneable
+{
+    public GeneralPurposeBit(){}
+    public Object clone(){ return null; }
+    public boolean equals(Object p0){ return false; }
+    public boolean usesDataDescriptor(){ return false; }
+    public boolean usesEncryption(){ return false; }
+    public boolean usesStrongEncryption(){ return false; }
+    public boolean usesUTF8ForNames(){ return false; }
+    public byte[] encode(){ return null; }
+    public int hashCode(){ return 0; }
+    public static GeneralPurposeBit parse(byte[] p0, int p1){ return null; }
+    public static int UFT8_NAMES_FLAG = 0;
+    public void encode(byte[] p0, int p1){}
+    public void useDataDescriptor(boolean p0){}
+    public void useEncryption(boolean p0){}
+    public void useStrongEncryption(boolean p0){}
+    public void useUTF8ForNames(boolean p0){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/UnparseableExtraFieldBehavior.java

@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.UnparseableExtraFieldBehavior for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import org.apache.commons.compress.archivers.zip.ZipExtraField;
+
+public interface UnparseableExtraFieldBehavior
+{
+    ZipExtraField onUnparseableExtraField(byte[] p0, int p1, int p2, boolean p3, int p4);
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/UnparseableExtraFieldData.java

@@ -0,0 +1,18 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.UnparseableExtraFieldData for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import org.apache.commons.compress.archivers.zip.ZipExtraField;
+import org.apache.commons.compress.archivers.zip.ZipShort;
+
+public class UnparseableExtraFieldData implements ZipExtraField
+{
+    public UnparseableExtraFieldData(){}
+    public ZipShort getCentralDirectoryLength(){ return null; }
+    public ZipShort getHeaderId(){ return null; }
+    public ZipShort getLocalFileDataLength(){ return null; }
+    public byte[] getCentralDirectoryData(){ return null; }
+    public byte[] getLocalFileDataData(){ return null; }
+    public void parseFromCentralDirectoryData(byte[] p0, int p1, int p2){}
+    public void parseFromLocalFileData(byte[] p0, int p1, int p2){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/ZipArchiveEntry.java

@@ -0,0 +1,105 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.ZipArchiveEntry for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import java.io.File;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.nio.file.attribute.FileTime;
+import java.util.Date;
+import java.util.zip.ZipEntry;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.EntryStreamOffsets;
+import org.apache.commons.compress.archivers.zip.ExtraFieldParsingBehavior;
+import org.apache.commons.compress.archivers.zip.GeneralPurposeBit;
+import org.apache.commons.compress.archivers.zip.UnparseableExtraFieldData;
+import org.apache.commons.compress.archivers.zip.ZipExtraField;
+import org.apache.commons.compress.archivers.zip.ZipShort;
+
+public class ZipArchiveEntry extends ZipEntry implements ArchiveEntry, EntryStreamOffsets
+{
+    protected ZipArchiveEntry(){super("");}
+    protected int getAlignment(){ return 0; }
+    protected long getLocalHeaderOffset(){ return 0; }
+    protected void setDataOffset(long p0){}
+    protected void setExtra(){}
+    protected void setLocalHeaderOffset(long p0){}
+    protected void setName(String p0){}
+    protected void setName(String p0, byte[] p1){}
+    protected void setPlatform(int p0){}
+    protected void setStreamContiguous(boolean p0){}
+    public Date getLastModifiedDate(){ return null; }
+    public GeneralPurposeBit getGeneralPurposeBit(){ return null; }
+    public Object clone(){ return null; }
+    public String getName(){ return null; }
+    public UnparseableExtraFieldData getUnparseableExtraFieldData(){ return null; }
+    public ZipArchiveEntry(File p0, String p1){super("");}
+    public ZipArchiveEntry(Path p0, String p1, LinkOption... p2){super("");}
+    public ZipArchiveEntry(String p0){super("");}
+    public ZipArchiveEntry(ZipArchiveEntry p0){super("");}
+    public ZipArchiveEntry(ZipEntry p0){super("");}
+    public ZipArchiveEntry.CommentSource getCommentSource(){ return null; }
+    public ZipArchiveEntry.NameSource getNameSource(){ return null; }
+    public ZipEntry setCreationTime(FileTime p0){ return null; }
+    public ZipEntry setLastAccessTime(FileTime p0){ return null; }
+    public ZipEntry setLastModifiedTime(FileTime p0){ return null; }
+    public ZipExtraField getExtraField(ZipShort p0){ return null; }
+    public ZipExtraField[] getExtraFields(){ return null; }
+    public ZipExtraField[] getExtraFields(ExtraFieldParsingBehavior p0){ return null; }
+    public ZipExtraField[] getExtraFields(boolean p0){ return null; }
+    public boolean equals(Object p0){ return false; }
+    public boolean isDirectory(){ return false; }
+    public boolean isStreamContiguous(){ return false; }
+    public boolean isUnixSymlink(){ return false; }
+    public byte[] getCentralDirectoryExtra(){ return null; }
+    public byte[] getLocalFileDataExtra(){ return null; }
+    public byte[] getRawName(){ return null; }
+    public int getInternalAttributes(){ return 0; }
+    public int getMethod(){ return 0; }
+    public int getPlatform(){ return 0; }
+    public int getRawFlag(){ return 0; }
+    public int getUnixMode(){ return 0; }
+    public int getVersionMadeBy(){ return 0; }
+    public int getVersionRequired(){ return 0; }
+    public int hashCode(){ return 0; }
+    public long getDataOffset(){ return 0; }
+    public long getDiskNumberStart(){ return 0; }
+    public long getExternalAttributes(){ return 0; }
+    public long getSize(){ return 0; }
+    public long getTime(){ return 0; }
+    public static int CRC_UNKNOWN = 0;
+    public static int PLATFORM_FAT = 0;
+    public static int PLATFORM_UNIX = 0;
+    public void addAsFirstExtraField(ZipExtraField p0){}
+    public void addExtraField(ZipExtraField p0){}
+    public void removeExtraField(ZipShort p0){}
+    public void removeUnparseableExtraFieldData(){}
+    public void setAlignment(int p0){}
+    public void setCentralDirectoryExtra(byte[] p0){}
+    public void setCommentSource(ZipArchiveEntry.CommentSource p0){}
+    public void setDiskNumberStart(long p0){}
+    public void setExternalAttributes(long p0){}
+    public void setExtra(byte[] p0){}
+    public void setExtraFields(ZipExtraField[] p0){}
+    public void setGeneralPurposeBit(GeneralPurposeBit p0){}
+    public void setInternalAttributes(int p0){}
+    public void setMethod(int p0){}
+    public void setNameSource(ZipArchiveEntry.NameSource p0){}
+    public void setRawFlag(int p0){}
+    public void setSize(long p0){}
+    public void setTime(FileTime p0){}
+    public void setTime(long p0){}
+    public void setUnixMode(int p0){}
+    public void setVersionMadeBy(int p0){}
+    public void setVersionRequired(int p0){}
+    static public enum CommentSource
+    {
+        COMMENT, UNICODE_EXTRA_FIELD;
+        private CommentSource() {}
+    }
+    static public enum NameSource
+    {
+        NAME, NAME_WITH_EFS_FLAG, UNICODE_EXTRA_FIELD;
+        private NameSource() {}
+    }
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java

@@ -0,0 +1,28 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.ZipArchiveInputStream for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import java.io.InputStream;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.commons.compress.utils.InputStreamStatistics;
+
+public class ZipArchiveInputStream extends ArchiveInputStream implements InputStreamStatistics
+{
+    protected ZipArchiveInputStream() {}
+    public ArchiveEntry getNextEntry(){ return null; }
+    public ZipArchiveEntry getNextZipEntry(){ return null; }
+    public ZipArchiveInputStream(InputStream p0){}
+    public ZipArchiveInputStream(InputStream p0, String p1){}
+    public ZipArchiveInputStream(InputStream p0, String p1, boolean p2){}
+    public ZipArchiveInputStream(InputStream p0, String p1, boolean p2, boolean p3){}
+    public ZipArchiveInputStream(InputStream p0, String p1, boolean p2, boolean p3, boolean p4){}
+    public boolean canReadEntryData(ArchiveEntry p0){ return false; }
+    public int read(byte[] p0, int p1, int p2){ return 0; }
+    public long getCompressedCount(){ return 0; }
+    public long getUncompressedCount(){ return 0; }
+    public long skip(long p0){ return 0; }
+    public static boolean matches(byte[] p0, int p1){ return false; }
+    public void close(){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/ZipExtraField.java

@@ -0,0 +1,17 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.ZipExtraField for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import org.apache.commons.compress.archivers.zip.ZipShort;
+
+public interface ZipExtraField
+{
+    ZipShort getCentralDirectoryLength();
+    ZipShort getHeaderId();
+    ZipShort getLocalFileDataLength();
+    byte[] getCentralDirectoryData();
+    byte[] getLocalFileDataData();
+    static int EXTRAFIELD_HEADER_SIZE = 0;
+    void parseFromCentralDirectoryData(byte[] p0, int p1, int p2);
+    void parseFromLocalFileData(byte[] p0, int p1, int p2);
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/archivers/zip/ZipShort.java

@@ -0,0 +1,24 @@
+// Generated automatically from org.apache.commons.compress.archivers.zip.ZipShort for testing purposes
+
+package org.apache.commons.compress.archivers.zip;
+
+import java.io.Serializable;
+
+public class ZipShort implements Cloneable, Serializable
+{
+    protected ZipShort() {}
+    public Object clone(){ return null; }
+    public String toString(){ return null; }
+    public ZipShort(byte[] p0){}
+    public ZipShort(byte[] p0, int p1){}
+    public ZipShort(int p0){}
+    public boolean equals(Object p0){ return false; }
+    public byte[] getBytes(){ return null; }
+    public int getValue(){ return 0; }
+    public int hashCode(){ return 0; }
+    public static ZipShort ZERO = null;
+    public static byte[] getBytes(int p0){ return null; }
+    public static int getValue(byte[] p0){ return 0; }
+    public static int getValue(byte[] p0, int p1){ return 0; }
+    public static void putShort(int p0, byte[] p1, int p2){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/CompressorException.java

@@ -0,0 +1,11 @@
+// Generated automatically from org.apache.commons.compress.compressors.CompressorException for testing purposes
+
+package org.apache.commons.compress.compressors;
+
+
+public class CompressorException extends Exception
+{
+    protected CompressorException() {}
+    public CompressorException(String p0){}
+    public CompressorException(String p0, Throwable p1){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/CompressorInputStream.java

@@ -0,0 +1,16 @@
+// Generated automatically from org.apache.commons.compress.compressors.CompressorInputStream for testing purposes
+
+package org.apache.commons.compress.compressors;
+
+import java.io.InputStream;
+
+abstract public class CompressorInputStream extends InputStream
+{
+    protected void count(int p0){}
+    protected void count(long p0){}
+    protected void pushedBackBytes(long p0){}
+    public CompressorInputStream(){}
+    public int getCount(){ return 0; }
+    public long getBytesRead(){ return 0; }
+    public long getUncompressedCount(){ return 0; }
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/CompressorOutputStream.java

@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.commons.compress.compressors.CompressorOutputStream for testing purposes
+
+package org.apache.commons.compress.compressors;
+
+import java.io.OutputStream;
+
+abstract public class CompressorOutputStream extends OutputStream
+{
+    public CompressorOutputStream(){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/CompressorStreamFactory.java

@@ -0,0 +1,60 @@
+// Generated automatically from org.apache.commons.compress.compressors.CompressorStreamFactory for testing purposes
+
+package org.apache.commons.compress.compressors;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Set;
+import java.util.SortedMap;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.CompressorOutputStream;
+import org.apache.commons.compress.compressors.CompressorStreamProvider;
+
+public class CompressorStreamFactory implements CompressorStreamProvider
+{
+    public Boolean getDecompressUntilEOF(){ return null; }
+    public CompressorInputStream createCompressorInputStream(InputStream p0){ return null; }
+    public CompressorInputStream createCompressorInputStream(String p0, InputStream p1){ return null; }
+    public CompressorInputStream createCompressorInputStream(String p0, InputStream p1, boolean p2){ return null; }
+    public CompressorOutputStream createCompressorOutputStream(String p0, OutputStream p1){ return null; }
+    public CompressorStreamFactory(){}
+    public CompressorStreamFactory(boolean p0){}
+    public CompressorStreamFactory(boolean p0, int p1){}
+    public Set<String> getInputStreamCompressorNames(){ return null; }
+    public Set<String> getOutputStreamCompressorNames(){ return null; }
+    public SortedMap<String, CompressorStreamProvider> getCompressorInputStreamProviders(){ return null; }
+    public SortedMap<String, CompressorStreamProvider> getCompressorOutputStreamProviders(){ return null; }
+    public static CompressorStreamFactory getSingleton(){ return null; }
+    public static SortedMap<String, CompressorStreamProvider> findAvailableCompressorInputStreamProviders(){ return null; }
+    public static SortedMap<String, CompressorStreamProvider> findAvailableCompressorOutputStreamProviders(){ return null; }
+    public static String BROTLI = null;
+    public static String BZIP2 = null;
+    public static String DEFLATE = null;
+    public static String DEFLATE64 = null;
+    public static String GZIP = null;
+    public static String LZ4_BLOCK = null;
+    public static String LZ4_FRAMED = null;
+    public static String LZMA = null;
+    public static String PACK200 = null;
+    public static String SNAPPY_FRAMED = null;
+    public static String SNAPPY_RAW = null;
+    public static String XZ = null;
+    public static String Z = null;
+    public static String ZSTANDARD = null;
+    public static String detect(InputStream p0){ return null; }
+    public static String getBrotli(){ return null; }
+    public static String getBzip2(){ return null; }
+    public static String getDeflate(){ return null; }
+    public static String getDeflate64(){ return null; }
+    public static String getGzip(){ return null; }
+    public static String getLZ4Block(){ return null; }
+    public static String getLZ4Framed(){ return null; }
+    public static String getLzma(){ return null; }
+    public static String getPack200(){ return null; }
+    public static String getSnappyFramed(){ return null; }
+    public static String getSnappyRaw(){ return null; }
+    public static String getXz(){ return null; }
+    public static String getZ(){ return null; }
+    public static String getZstandard(){ return null; }
+    public void setDecompressConcatenated(boolean p0){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/CompressorStreamProvider.java

@@ -0,0 +1,17 @@
+// Generated automatically from org.apache.commons.compress.compressors.CompressorStreamProvider for testing purposes
+
+package org.apache.commons.compress.compressors;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Set;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.CompressorOutputStream;
+
+public interface CompressorStreamProvider
+{
+    CompressorInputStream createCompressorInputStream(String p0, InputStream p1, boolean p2);
+    CompressorOutputStream createCompressorOutputStream(String p0, OutputStream p1);
+    Set<String> getInputStreamCompressorNames();
+    Set<String> getOutputStreamCompressorNames();
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/brotli/BrotliCompressorInputStream.java

@@ -0,0 +1,24 @@
+// Generated automatically from org.apache.commons.compress.compressors.brotli.BrotliCompressorInputStream for testing purposes
+
+package org.apache.commons.compress.compressors.brotli;
+
+import java.io.InputStream;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.utils.InputStreamStatistics;
+
+public class BrotliCompressorInputStream extends CompressorInputStream implements InputStreamStatistics
+{
+    protected BrotliCompressorInputStream() {}
+    public BrotliCompressorInputStream(InputStream p0){}
+    public String toString(){ return null; }
+    public boolean markSupported(){ return false; }
+    public int available(){ return 0; }
+    public int read(){ return 0; }
+    public int read(byte[] p0){ return 0; }
+    public int read(byte[] p0, int p1, int p2){ return 0; }
+    public long getCompressedCount(){ return 0; }
+    public long skip(long p0){ return 0; }
+    public void close(){}
+    public void mark(int p0){}
+    public void reset(){}
+}

java/ql/test/experimental/stubs/apache-commons-compress-1.23.0/org/apache/commons/compress/compressors/bzip2/BZip2CompressorInputStream.java

@@ -0,0 +1,20 @@
+// Generated automatically from org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream for testing purposes
+
+package org.apache.commons.compress.compressors.bzip2;
+
+import java.io.InputStream;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.bzip2.BZip2Constants;
+import org.apache.commons.compress.utils.InputStreamStatistics;
+
+public class BZip2CompressorInputStream extends CompressorInputStream implements BZip2Constants, InputStreamStatistics
+{
+    protected BZip2CompressorInputStream() {}
+    public BZip2CompressorInputStream(InputStream p0){}
+    public BZip2CompressorInputStream(InputStream p0, boolean p1){}
+    public int read(){ return 0; }
+    public int read(byte[] p0, int p1, int p2){ return 0; }
+    public long getCompressedCount(){ return 0; }
+    public static boolean matches(byte[] p0, int p1){ return false; }
+    public void close(){}
+}