Fix the problem

2026-04-28 18:25:24 +02:00 · 2021-03-17 15:28:04 +08:00
parent c5577cb09a
commit 98204a15a6
44 changed files with 1075 additions and 388 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph

-/** Json string type data */
+/** Json string type data. */
 abstract class JsonpStringSource extends DataFlow::Node { }

 /** Convert to String using Gson library. */
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
@@ -1,31 +1,39 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
-import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;

@Controller
 public class JsonpInjection {
-private static HashMap hashMap = new HashMap();
+
+    private static HashMap hashMap = new HashMap();

    static {
        hashMap.put("username","admin");
        hashMap.put("password","123456");
    }

+    private String name = null;
+

    @GetMapping(value = "jsonp1")
    @ResponseBody
    public String bad1(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
        Gson gson = new Gson();
        String result = gson.toJson(hashMap);
        resultStr = jsonpCallback + "(" + result + ")";
@@ -37,9 +45,7 @@ private static HashMap hashMap = new HashMap();
    public String bad2(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
        return resultStr;
    }

@@ -67,7 +73,6 @@ private static HashMap hashMap = new HashMap();
    @ResponseBody
    public void bad5(HttpServletRequest request,
            HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
        String jsonpCallback = request.getParameter("jsonpCallback");
        PrintWriter pw = null;
        Gson gson = new Gson();
@@ -83,7 +88,6 @@ private static HashMap hashMap = new HashMap();
    @ResponseBody
    public void bad6(HttpServletRequest request,
            HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
        String jsonpCallback = request.getParameter("jsonpCallback");
        PrintWriter pw = null;
        ObjectMapper mapper = new ObjectMapper();
@@ -94,60 +98,96 @@ private static HashMap hashMap = new HashMap();
        pw.println(resultStr);
    }

-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
    @ResponseBody
-    public String good(HttpServletRequest request) {
+    public String bad7(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
        return resultStr;
    }

+
    @GetMapping(value = "jsonp8")
    @ResponseBody
    public String good1(HttpServletRequest request) {
        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
        String token = request.getParameter("token");
-
-        // good
        if (verifToken(token)){
-            System.out.println(token);
+            String jsonpCallback = request.getParameter("jsonpCallback");
            String jsonStr = getJsonStr(hashMap);
            resultStr = jsonpCallback + "(" + jsonStr + ")";
            return resultStr;
        }
-
        return "error";
    }

+
    @GetMapping(value = "jsonp9")
    @ResponseBody
    public String good2(HttpServletRequest request) {
        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String referer = request.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-        // good
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
        if (result){
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
+            return "";
        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }

-        return "error";
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
    }

    public static String getJsonStr(Object result) {
@@ -160,11 +200,4 @@ private static HashMap hashMap = new HashMap();
        }
        return true;
    }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -3,18 +3,21 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The software uses external input as the function name to wrap JSON data and return it to the client as a request response. When there is a cross-domain problem, 
-there is a problem of sensitive information leakage.</p>
+<p>The software uses external input as the function name to wrap JSON data and returns it to the client as a request response. 
+When there is a cross-domain problem, the problem of sensitive information leakage may occur.</p>

 </overview>
 <recommendation>

-<p>Adding `Referer` or random `token` verification processing can effectively prevent the leakage of sensitive information.</p>
+<p>Adding <code>Referer</code>/<code>Origin</code> or random <code>token</code> verification processing can effectively prevent the leakage of sensitive information.</p>

 </recommendation>
 <example>

-<p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
+<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad7</code>, 
+will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
+method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
+solve the problem of information leakage caused by cross-domain.</p>

 <sample src="JsonpInjection.java" />

--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -14,25 +14,25 @@ import java
 import JsonpInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
-import semmle.code.java.security.XSS
 import DataFlow::PathGraph

 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsFilterVerificationMethod() {
-  exists(MethodAccess ma,Node existsNode, Method m|
+  exists(MethodAccess ma, Node existsNode, Method m |
    ma.getMethod() instanceof VerificationMethodClass and
    existsNode.asExpr() = ma and
-    m = getAnMethod(existsNode.getEnclosingCallable()) and
+    m = getACallingCallableOrSelf(existsNode.getEnclosingCallable()) and
    isDoFilterMethod(m)
  )
 }

 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsServletVerificationMethod(Node checkNode) {
-  exists(MethodAccess ma,Node existsNode|
+  exists(MethodAccess ma, Node existsNode |
    ma.getMethod() instanceof VerificationMethodClass and
    existsNode.asExpr() = ma and
-    getAnMethod(existsNode.getEnclosingCallable()) = getAnMethod(checkNode.getEnclosingCallable())
+    getACallingCallableOrSelf(existsNode.getEnclosingCallable()) =
+      getACallingCallableOrSelf(checkNode.getEnclosingCallable())
  )
 }

@@ -40,13 +40,15 @@ predicate existsServletVerificationMethod(Node checkNode) {
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
  RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }

-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    getAnMethod(source.getEnclosingCallable()) instanceof RequestGetMethod
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }

+  /** Eliminate the method of calling the node is not the get method. */
+  override predicate isSanitizer(DataFlow::Node node) {
+    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod 
+  }
+
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(MethodAccess ma |
      isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
@@ -60,5 +62,5 @@ where
  not existsFilterVerificationMethod() and
  conf.hasFlowPath(source, sink) and
  exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
-  source.getNode(), "this user input"
+select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
+  "this user input"
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -6,28 +6,25 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController

-/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+/** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
 class VerificationMethodFlowConfig extends TaintTracking::Configuration {
  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }

  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, BarrierGuard bg |
+    exists(MethodAccess ma |
      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      bg = ma and
-      sink.asExpr() = ma.getAnArgument()
+      ma.getAnArgument() = sink.asExpr()
    )
  }
 }

-/** The parameter name of the method is `token`, `auth`, `referer`, `origin`. */
+/** The parameter names of this method are token/auth/referer/origin. */
 class VerificationMethodClass extends Method {
  VerificationMethodClass() {
-    exists(MethodAccess ma, BarrierGuard bg, VerificationMethodFlowConfig vmfc, Node node |
+    exists(MethodAccess ma, VerificationMethodFlowConfig vmfc, Node node |
      this = ma.getMethod() and
-      this.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      bg = ma and
      node.asExpr() = ma.getAnArgument() and
      vmfc.hasFlowTo(node)
    )
@@ -35,38 +32,43 @@ class VerificationMethodClass extends Method {
 }

 /** Get Callable by recursive method. */
-Callable getAnMethod(Callable call) {
+Callable getACallingCallableOrSelf(Callable call) {
  result = call
  or
-  result = getAnMethod(call.getAReference().getEnclosingCallable())
+  result = getACallingCallableOrSelf(call.getAReference().getEnclosingCallable())
 }

 abstract class RequestGetMethod extends Method { }

-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+/** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
-  ServletGetMethod() {
-    exists(Method m |
-      m = this and
-      isServletRequestMethod(m) and
-      m.getName() = "doGet"
-    )
+  ServletGetMethod() { this instanceof DoGetServletMethod }
+}
+
+/** The method of SpringController class processing `get` request. */
+abstract class SpringControllerGetMethod extends RequestGetMethod { }
+
+/** Method using `GetMapping` annotation in SpringController class. */
+class SpringControllerGetMappingGetMethod extends SpringControllerGetMethod {
+  SpringControllerGetMappingGetMethod() {
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
  }
 }

-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private class SpringControllerGetMethod extends RequestGetMethod {
-  SpringControllerGetMethod() {
-    exists(Annotation a |
-      a = this.getAnAnnotation() and
-      a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
-    )
-    or
-    exists(Annotation a |
-      a = this.getAnAnnotation() and
-      a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
-      a.getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}")
-    )
+/** The method that uses the `RequestMapping` annotation in the SpringController class and only handles the get request. */
+class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod {
+  SpringControllerRequestMappingGetMethod() {
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
+    this.getAnAnnotation().getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}") and
+    not exists(MethodAccess ma |
+      ma.getMethod() instanceof ServletRequestGetBodyMethod and
+      this = getACallingCallableOrSelf(ma.getEnclosingCallable())
+    ) and
+    not this.getAParamType().getName() = "MultipartFile"
  }
 }

@@ -83,12 +85,12 @@ class JsonpInjectionExpr extends AddExpr {
        .regexpMatch("\"\\(\"")
  }

-  /** Get the jsonp function name of this expression */
+  /** Get the jsonp function name of this expression. */
  Expr getFunctionName() {
    result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
  }

-  /** Get the json data of this expression */
+  /** Get the json data of this expression. */
  Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
 }

--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -23,16 +23,6 @@ class SensitiveInfoExpr extends Expr {
  }
 }

-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private predicate isGetServletMethod(Method m) {
-  isServletRequestMethod(m) and m.getName() = "doGet"
-}
-
-/** The `doGet` method of `HttpServlet`. */
-class DoGetServletMethod extends Method {
-  DoGetServletMethod() { isGetServletMethod(this) }
-}
-
 /** Holds if `ma` is (perhaps indirectly) called from the `doGet` method of `HttpServlet`. */
 predicate isReachableFromServletDoGet(MethodAccess ma) {
  ma.getEnclosingCallable() instanceof DoGetServletMethod
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -354,9 +354,20 @@ class FilterChain extends Interface {

 /** Holds if `m` is a filter handler method (for example `doFilter`). */
 predicate isDoFilterMethod(Method m) {
+  m.getName().matches("doFilter") and
  m.getDeclaringType() instanceof FilterClass and
  m.getNumberOfParameters() = 3 and
  m.getParameter(0).getType() instanceof ServletRequest and
  m.getParameter(1).getType() instanceof ServletResponse and
  m.getParameter(2).getType() instanceof FilterChain
 }
+
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+predicate isGetServletMethod(Method m) {
+  isServletRequestMethod(m) and m.getName() = "doGet"
+}
+
+/** The `doGet` method of `HttpServlet`. */
+class DoGetServletMethod extends Method {
+  DoGetServletMethod() { isGetServletMethod(this) }
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-352/JsonpInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
@@ -1,16 +1,24 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;

@Controller
 public class JsonpController {
+
    private static HashMap hashMap = new HashMap();

    static {
@@ -18,13 +26,14 @@ public class JsonpController {
        hashMap.put("password","123456");
    }

+    private String name = null;

-    @GetMapping(value = "jsonp1", produces="text/javascript")
+
+    @GetMapping(value = "jsonp1")
    @ResponseBody
    public String bad1(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
        Gson gson = new Gson();
        String result = gson.toJson(hashMap);
        resultStr = jsonpCallback + "(" + result + ")";
@@ -36,9 +45,7 @@ public class JsonpController {
    public String bad2(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
        return resultStr;
    }

@@ -91,23 +98,98 @@ public class JsonpController {
        pw.println(resultStr);
    }

-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp8")
    @ResponseBody
    public String good1(HttpServletRequest request) {
        String resultStr = null;
-
        String token = request.getParameter("token");
-
        if (verifToken(token)){
            String jsonpCallback = request.getParameter("jsonpCallback");
            String jsonStr = getJsonStr(hashMap);
            resultStr = jsonpCallback + "(" + jsonStr + ")";
            return resultStr;
        }
-
        return "error";
    }

+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
    public static String getJsonStr(Object result) {
        return JSONObject.toJSONString(result);
    }
@@ -118,11 +200,4 @@ public class JsonpController {
        }
        return true;
    }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
 }
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
@@ -0,0 +1,87 @@
+edges
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
+nodes
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:118:24:118:28 | token | semmle.label | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:133:37:133:41 | token | semmle.label | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
+#select
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
@@ -1,16 +1,24 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;

@Controller
 public class JsonpController {
+
    private static HashMap hashMap = new HashMap();

    static {
@@ -18,13 +26,14 @@ public class JsonpController {
        hashMap.put("password","123456");
    }

+    private String name = null;

-    @GetMapping(value = "jsonp1", produces="text/javascript")
+
+    @GetMapping(value = "jsonp1")
    @ResponseBody
    public String bad1(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
        Gson gson = new Gson();
        String result = gson.toJson(hashMap);
        resultStr = jsonpCallback + "(" + result + ")";
@@ -36,9 +45,7 @@ public class JsonpController {
    public String bad2(HttpServletRequest request) {
        String resultStr = null;
        String jsonpCallback = request.getParameter("jsonpCallback");
-
        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
        return resultStr;
    }

@@ -91,23 +98,98 @@ public class JsonpController {
        pw.println(resultStr);
    }

-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp8")
    @ResponseBody
    public String good1(HttpServletRequest request) {
        String resultStr = null;
-
        String token = request.getParameter("token");
-
        if (verifToken(token)){
            String jsonpCallback = request.getParameter("jsonpCallback");
            String jsonStr = getJsonStr(hashMap);
            resultStr = jsonpCallback + "(" + jsonStr + ")";
            return resultStr;
        }
-
        return "error";
    }

+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
    public static String getJsonStr(Object result) {
        return JSONObject.toJSONString(result);
    }
@@ -118,11 +200,4 @@ public class JsonpController {
        }
        return true;
    }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
-}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
@@ -0,0 +1,76 @@
+edges
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+nodes
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:118:24:118:28 | token | semmle.label | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:133:37:133:41 | token | semmle.label | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
+| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
+| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
+| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
+| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
+| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
+| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
@@ -0,0 +1,203 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
+
+@Controller
+public class JsonpController {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private String name = null;
+
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp8")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        if (verifToken(token)){
+            String jsonpCallback = request.getParameter("jsonpCallback");
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+        return "error";
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+
+    public static boolean verifToken(String token){
+        if (token != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
@@ -0,0 +1,92 @@
+edges
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+nodes
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:118:24:118:28 | token | semmle.label | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:133:37:133:41 | token | semmle.label | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
+| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
+| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
+| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
+| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
+| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
+| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | Jsonp response might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
@@ -1,60 +0,0 @@
-edges
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
-nodes
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:101:24:101:28 | token | semmle.label | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
-| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
-| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
-| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
-| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
-| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
@@ -1,78 +0,0 @@
-edges
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-nodes
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:101:24:101:28 | token | semmle.label | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
-| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
-| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
-| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
-| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
-| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServle
-t2.java:39:20:39:28 | resultStr | Jsonp Injection query might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) |
- this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
@@ -1,66 +0,0 @@
-edges
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
-nodes
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:101:24:101:28 | token | semmle.label | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
-#select
--- a/java/ql/test/experimental/query-tests/security/CWE-352/Readme
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/Readme
@@ -1,3 +0,0 @@
-1. The JsonpInjection_1.expected result is obtained through the test of `JsonpController.java`.
-2. The JsonpInjection_2.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`.
-3. The JsonpInjection_3.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`, `RefererFilter.java`.
--- a/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
@@ -1,43 +0,0 @@
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.util.StringUtils;
-
-public class RefererFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    @Override
-    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
-        String refefer = request.getHeader("Referer");
-        boolean result = verifReferer(refefer);
-        if (result){
-            filterChain.doFilter(servletRequest, servletResponse);
-        }
-        response.sendError(444, "Referer xxx.");
-    }
-
-    @Override
-    public void destroy() {
-    }
-
-    public static boolean verifReferer(String referer){
-        if (StringUtils.isEmpty(referer)){
-            return false;
-        }
-        if (referer.startsWith("http://www.baidu.com/")){
-            return true;
-        }
-        return false;
-    }
-}
--- a/java/ql/test/experimental/query-tests/security/CWE-352/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/options
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../stubs/spring-core-5.3.2/
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
@@ -1,10 +1,21 @@
 package org.springframework.core.annotation;

+import java.lang.annotation.Annotation;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+@Documented
 public @interface AliasFor {
    @AliasFor("attribute")
    String value() default "";

    @AliasFor("value")
    String attribute() default "";
-
+ 
+    Class<? extends Annotation> annotation() default Annotation.class;
 }
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
@@ -0,0 +1,8 @@
+package org.springframework.core.io;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public interface InputStreamSource {
+    InputStream getInputStream() throws IOException;
+}
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
@@ -0,0 +1,46 @@
+package org.springframework.core.io;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.nio.channels.Channels;
+import java.nio.channels.ReadableByteChannel;
+import org.springframework.lang.Nullable;
+
+public interface Resource extends InputStreamSource {
+    boolean exists();
+
+    default boolean isReadable() {
+        return this.exists();
+    }
+
+    default boolean isOpen() {
+        return false;
+    }
+
+    default boolean isFile() {
+        return false;
+    }
+
+    URL getURL() throws IOException;
+
+    URI getURI() throws IOException;
+
+    File getFile() throws IOException;
+
+    default ReadableByteChannel readableChannel() throws IOException {
+        return null;
+    }
+
+    long contentLength() throws IOException;
+
+    long lastModified() throws IOException;
+
+    Resource createRelative(String var1) throws IOException;
+
+    @Nullable
+    String getFilename();
+
+    String getDescription();
+}
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
@@ -0,0 +1,13 @@
+package org.springframework.lang;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface Nullable {
+}
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
@@ -0,0 +1,53 @@
+package org.springframework.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.Closeable;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.io.StringWriter;
+import java.io.Writer;
+import java.nio.file.Files;
+import org.springframework.lang.Nullable;
+
+public abstract class FileCopyUtils {
+    public static final int BUFFER_SIZE = 4096;
+
+    public FileCopyUtils() {
+    }
+
+    public static int copy(File in, File out) throws IOException {
+        return 1;
+    }
+
+    public static void copy(byte[] in, File out) throws IOException {}
+
+    public static byte[] copyToByteArray(File in) throws IOException {
+        return null;
+    }
+
+    public static int copy(InputStream in, OutputStream out) throws IOException {
+        return 1;
+    }
+
+    public static void copy(byte[] in, OutputStream out) throws IOException {}
+
+    public static byte[] copyToByteArray(@Nullable InputStream in) throws IOException {
+        return null;    
+    }
+
+    public static int copy(Reader in, Writer out) throws IOException {
+        return 1;
+    }
+
+    public static void copy(String in, Writer out) throws IOException {}
+
+    public static String copyToString(@Nullable Reader in) throws IOException {
+        return null;
+    }
+
+    private static void close(Closeable closeable) {}
+}
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
@@ -5,4 +5,4 @@ public abstract class StringUtils {
    public static boolean isEmpty(Object str) {
        return str == null || "".equals(str);
    }
-}
+}
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
@@ -1,19 +1,51 @@
 package org.springframework.web.bind.annotation;

+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 import org.springframework.core.annotation.AliasFor;

-@RequestMapping
+@Target({ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@RequestMapping(
+    method = {RequestMethod.GET}
+)
 public @interface GetMapping {
-   
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
    String name() default "";

+    @AliasFor(
+        annotation = RequestMapping.class
+    )
    String[] value() default {};

+    @AliasFor(
+        annotation = RequestMapping.class
+    )
    String[] path() default {};

+    @AliasFor(
+        annotation = RequestMapping.class
+    )
    String[] params() default {};

+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] headers() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
    String[] consumes() default {};

+    @AliasFor(
+        annotation = RequestMapping.class
+    )
    String[] produces() default {};
 }
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java
@@ -0,0 +1,4 @@
+package org.springframework.web.bind.annotation;
+
+public @interface Mapping {
+}
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
@@ -1,15 +1,32 @@
 package org.springframework.web.bind.annotation;

+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 import org.springframework.core.annotation.AliasFor;

+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@Mapping
 public @interface RequestMapping {
    String name() default "";

    @AliasFor("path")
    String[] value() default {};
-
+    
    @AliasFor("value")
    String[] path() default {};

    RequestMethod[] method() default {};
+
+    String[] params() default {};
+
+    String[] headers() default {};
+
+    String[] consumes() default {};
+
+    String[] produces() default {};
 }
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
@@ -0,0 +1,23 @@
+package org.springframework.web.bind.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
+
+@Target({ElementType.PARAMETER})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequestParam {
+    @AliasFor("name")
+    String value() default "";
+
+    @AliasFor("value")
+    String name() default "";
+
+    boolean required() default true;
+
+    String defaultValue() default "\n\t\t\n\t\t\n\ue000\ue001\ue002\n\t\t\t\t\n";
+}
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
@@ -1,4 +1,13 @@
 package org.springframework.web.bind.annotation;

+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
 public @interface ResponseBody {
 }
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
@@ -0,0 +1,38 @@
+package org.springframework.web.multipart;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.springframework.core.io.InputStreamSource;
+import org.springframework.core.io.Resource;
+import org.springframework.lang.Nullable;
+import org.springframework.util.FileCopyUtils;
+
+public interface MultipartFile extends InputStreamSource {
+    String getName();
+
+    @Nullable
+    String getOriginalFilename();
+
+    @Nullable
+    String getContentType();
+
+    boolean isEmpty();
+
+    long getSize();
+
+    byte[] getBytes() throws IOException;
+
+    InputStream getInputStream() throws IOException;
+
+    default Resource getResource() {
+        return null;
+    }
+
+    void transferTo(File var1) throws IOException, IllegalStateException;
+
+    default void transferTo(Path dest) throws IOException, IllegalStateException {
+    }
+}
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
@@ -0,0 +1,30 @@
+package javax.servlet.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebServlet {
+    String name() default "";
+
+    String[] value() default {};
+
+    String[] urlPatterns() default {};
+
+    int loadOnStartup() default -1;
+
+    boolean asyncSupported() default false;
+
+    String smallIcon() default "";
+
+    String largeIcon() default "";
+
+    String description() default "";
+
+    String displayName() default "";
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-352/JsonpInjection.ql`
				`@@ -0,0 +1 @@`
				//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
				`@@ -1 +0,0 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../stubs/spring-core-5.3.2/`