Java: Query for detecting JEXL injections

java/ql/test/experimental/query-tests/security/CWE-094/Jexl2Injection.java

@@ -0,0 +1,120 @@
+import org.apache.commons.jexl2.*;
+
+import java.io.StringWriter;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.function.Consumer;
+
+public class Jexl2Injection {
+
+    private static void runJexlExpression(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        Expression e = jexl.createExpression(jexlExpr);
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        Expression e = jexl.createExpression(
+                jexlExpr, new DebugInfo("unknown", 0, 0));
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static void runJexlScript(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        Script script = jexl.createScript(jexlExpr);
+        JexlContext jc = new MapContext();
+        script.execute(jc);
+    }
+
+    private static void runJexlScriptViaCallable(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        Script script = jexl.createScript(jexlExpr);
+        JexlContext jc = new MapContext();
+
+        try {
+            script.callable(jc).call();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static void runJexlExpressionViaGetProperty(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        jexl.getProperty(new Object(), jexlExpr);
+    }
+
+    private static void runJexlExpressionViaSetProperty(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        jexl.setProperty(new Object(), jexlExpr, new Object());
+    }
+
+    private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
+    }
+
+    private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+        unifiedJEXL.parse(jexlExpr).prepare(new MapContext());
+    }
+
+    private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
+        JexlEngine jexl = new JexlEngine();
+        UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+        unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
+    }
+
+    private static void testWithSocket(Consumer<String> action) throws Exception {
+        try (ServerSocket serverSocket = new ServerSocket(0)) {
+            try (Socket socket = serverSocket.accept()) {
+                byte[] bytes = new byte[1024];
+                int n = socket.getInputStream().read(bytes);
+                String jexlExpr = new String(bytes, 0, n);
+                action.accept(jexlExpr);
+            }
+        }
+    }
+
+    // below are tests for the query
+
+    public static void testWithJexlExpressionEvaluate() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpression);
+    }
+
+    public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpressionWithJexlInfo);
+    }
+
+    public static void testWithJexlScriptExecute() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlScript);
+    }
+
+    public static void testWithJexlScriptCallable() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlScriptViaCallable);
+    }
+
+    public static void testWithJexlEngineGetProperty() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpressionViaGetProperty);
+    }
+
+    public static void testWithJexlEngineSetProperty() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpressionViaSetProperty);
+    }
+
+    public static void testWithUnifiedJEXLParseAndEvaluate() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndEvaluate);
+    }
+
+    public static void testWithUnifiedJEXLParseAndPrepare() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndPrepare);
+    }
+
+    public static void testWithUnifiedJEXLTemplateEvaluate() throws Exception {
+        testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLTemplateEvaluate);
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-094/Jexl3Injection.java

@@ -0,0 +1,135 @@
+import java.io.StringWriter;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.function.Consumer;
+
+import org.apache.commons.jexl3.*;
+
+public class Jexl3Injection {
+
+    private static void runJexlExpression(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static void runJexlScript(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JexlScript script = jexl.createScript(jexlExpr);
+        JexlContext jc = new MapContext();
+        script.execute(jc);
+    }
+
+    private static void runJexlScriptViaCallable(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JexlScript script = jexl.createScript(jexlExpr);
+        JexlContext jc = new MapContext();
+
+        try {
+            script.callable(jc).call();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static void runJexlExpressionViaGetProperty(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        jexl.getProperty(new Object(), jexlExpr);
+    }
+
+    private static void runJexlExpressionViaSetProperty(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        jexl.setProperty(new Object(), jexlExpr, new Object());
+    }
+
+    private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JxltEngine jxlt = jexl.createJxltEngine();
+        jxlt.createExpression(jexlExpr).evaluate(new MapContext());
+    }
+
+    private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JxltEngine jxlt = jexl.createJxltEngine();
+        jxlt.createExpression(jexlExpr).prepare(new MapContext());
+    }
+
+    private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JxltEngine jxlt = jexl.createJxltEngine();
+        jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
+    }
+
+    private static void runJexlExpressionViaCallable(String jexlExpr) {
+        JexlEngine jexl = new JexlBuilder().create();
+        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlContext jc = new MapContext();
+
+        try {
+            e.callable(jc).call();
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    private static void testWithSocket(Consumer<String> action) throws Exception {
+        try (ServerSocket serverSocket = new ServerSocket(0)) {
+            try (Socket socket = serverSocket.accept()) {
+                byte[] bytes = new byte[1024];
+                int n = socket.getInputStream().read(bytes);
+                String jexlExpr = new String(bytes, 0, n);
+                action.accept(jexlExpr);
+            }
+        }
+    }
+
+    // below are tests for the query
+
+    public static void testWithJexlExpressionEvaluate() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpression);
+    }
+
+    public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionWithJexlInfo);
+    }
+
+    public static void testWithJexlScriptExecute() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlScript);
+    }
+
+    public static void testWithJexlScriptCallable() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlScriptViaCallable);
+    }
+
+    public static void testWithJexlEngineGetProperty() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionViaGetProperty);
+    }
+
+    public static void testWithJexlEngineSetProperty() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionViaSetProperty);
+    }
+
+    public static void testWithJxltEngineExpressionEvaluate() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionEvaluate);
+    }
+
+    public static void testWithJxltEngineExpressionPrepare() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionPrepare);
+    }
+
+    public static void testWithJxltEngineTemplateEvaluate() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineTemplateEvaluate);
+    }
+
+    public static void testWithJexlExpressionCallable() throws Exception {
+        testWithSocket(Jexl3Injection::runJexlExpressionViaCallable);
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected

@@ -0,0 +1,180 @@
+edges
+| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:14:9:14:9 | e |
+| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:22:9:22:9 | e |
+| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | Jexl2Injection.java:29:9:29:14 | script |
+| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:31 | callable(...) |
+| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | Jexl2Injection.java:46:40:46:47 | jexlExpr |
+| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | Jexl2Injection.java:51:40:51:47 | jexlExpr |
+| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
+| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | Jexl2Injection.java:63:9:63:35 | parse(...) |
+| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | Jexl2Injection.java:69:9:69:44 | createTemplate(...) |
+| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
+| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String |
+| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
+| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String |
+| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
+| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:25:39:25:53 | jexlExpr : String |
+| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
+| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:32:50:32:64 | jexlExpr : String |
+| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
+| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:44:57:44:71 | jexlExpr : String |
+| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
+| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:49:57:49:71 | jexlExpr : String |
+| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
+| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:54:73:54:87 | jexlExpr : String |
+| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
+| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:60:72:60:86 | jexlExpr : String |
+| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
+| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:66:73:66:87 | jexlExpr : String |
+| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
+| Jexl3Injection.java:10:43:10:57 | jexlExpr : String | Jexl3Injection.java:14:9:14:9 | e |
+| Jexl3Injection.java:17:55:17:69 | jexlExpr : String | Jexl3Injection.java:21:9:21:9 | e |
+| Jexl3Injection.java:24:39:24:53 | jexlExpr : String | Jexl3Injection.java:28:9:28:14 | script |
+| Jexl3Injection.java:31:50:31:64 | jexlExpr : String | Jexl3Injection.java:37:13:37:31 | callable(...) |
+| Jexl3Injection.java:43:57:43:71 | jexlExpr : String | Jexl3Injection.java:45:40:45:47 | jexlExpr |
+| Jexl3Injection.java:48:57:48:71 | jexlExpr : String | Jexl3Injection.java:50:40:50:47 | jexlExpr |
+| Jexl3Injection.java:53:74:53:88 | jexlExpr : String | Jexl3Injection.java:56:9:56:39 | createExpression(...) |
+| Jexl3Injection.java:59:73:59:87 | jexlExpr : String | Jexl3Injection.java:62:9:62:39 | createExpression(...) |
+| Jexl3Injection.java:65:72:65:86 | jexlExpr : String | Jexl3Injection.java:68:9:68:37 | createTemplate(...) |
+| Jexl3Injection.java:71:54:71:68 | jexlExpr : String | Jexl3Injection.java:77:13:77:26 | callable(...) |
+| Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:89:31:89:38 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:97:24:97:56 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:101:24:101:68 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:105:24:105:52 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:109:24:109:63 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:113:24:113:70 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:117:24:117:70 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:121:24:121:87 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:125:24:125:86 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:129:24:129:85 | jexlExpr : String |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | Jexl3Injection.java:133:24:133:67 | jexlExpr : String |
+| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | Jexl3Injection.java:10:43:10:57 | jexlExpr : String |
+| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | Jexl3Injection.java:97:24:97:56 | jexlExpr : String |
+| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | Jexl3Injection.java:17:55:17:69 | jexlExpr : String |
+| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | Jexl3Injection.java:101:24:101:68 | jexlExpr : String |
+| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | Jexl3Injection.java:24:39:24:53 | jexlExpr : String |
+| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | Jexl3Injection.java:105:24:105:52 | jexlExpr : String |
+| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | Jexl3Injection.java:31:50:31:64 | jexlExpr : String |
+| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | Jexl3Injection.java:109:24:109:63 | jexlExpr : String |
+| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | Jexl3Injection.java:43:57:43:71 | jexlExpr : String |
+| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | Jexl3Injection.java:113:24:113:70 | jexlExpr : String |
+| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | Jexl3Injection.java:48:57:48:71 | jexlExpr : String |
+| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | Jexl3Injection.java:117:24:117:70 | jexlExpr : String |
+| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | Jexl3Injection.java:53:74:53:88 | jexlExpr : String |
+| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | Jexl3Injection.java:121:24:121:87 | jexlExpr : String |
+| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | Jexl3Injection.java:59:73:59:87 | jexlExpr : String |
+| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | Jexl3Injection.java:125:24:125:86 | jexlExpr : String |
+| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | Jexl3Injection.java:65:72:65:86 | jexlExpr : String |
+| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | Jexl3Injection.java:129:24:129:85 | jexlExpr : String |
+| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | Jexl3Injection.java:71:54:71:68 | jexlExpr : String |
+| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | Jexl3Injection.java:133:24:133:67 | jexlExpr : String |
+nodes
+| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e |
+| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:22:9:22:9 | e | semmle.label | e |
+| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:29:9:29:14 | script | semmle.label | script |
+| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:38:13:38:31 | callable(...) | semmle.label | callable(...) |
+| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:46:40:46:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:51:40:51:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:57:9:57:35 | parse(...) | semmle.label | parse(...) |
+| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:63:9:63:35 | parse(...) | semmle.label | parse(...) |
+| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | semmle.label | createTemplate(...) |
+| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:14:9:14:9 | e | semmle.label | e |
+| Jexl3Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e |
+| Jexl3Injection.java:24:39:24:53 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:28:9:28:14 | script | semmle.label | script |
+| Jexl3Injection.java:31:50:31:64 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:37:13:37:31 | callable(...) | semmle.label | callable(...) |
+| Jexl3Injection.java:43:57:43:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:45:40:45:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl3Injection.java:48:57:48:71 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:50:40:50:47 | jexlExpr | semmle.label | jexlExpr |
+| Jexl3Injection.java:53:74:53:88 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:56:9:56:39 | createExpression(...) | semmle.label | createExpression(...) |
+| Jexl3Injection.java:59:73:59:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:62:9:62:39 | createExpression(...) | semmle.label | createExpression(...) |
+| Jexl3Injection.java:65:72:65:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:68:9:68:37 | createTemplate(...) | semmle.label | createTemplate(...) |
+| Jexl3Injection.java:71:54:71:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:77:13:77:26 | callable(...) | semmle.label | callable(...) |
+| Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Jexl3Injection.java:89:31:89:38 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:97:24:97:56 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:101:24:101:68 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:105:24:105:52 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:109:24:109:63 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:113:24:113:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:117:24:117:70 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:121:24:121:87 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:125:24:125:86 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:129:24:129:85 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | semmle.label | jexlExpr : String |
+| Jexl3Injection.java:133:24:133:67 | jexlExpr : String | semmle.label | jexlExpr : String |
+#select
+| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:22:9:22:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:22:9:22:9 | e | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:29:9:29:14 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:29:9:29:14 | script | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:38:13:38:31 | callable(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:31 | callable(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:14:9:14:9 | e | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:14:9:14:9 | e | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:28:9:28:14 | script | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:14 | script | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:37:13:37:31 | callable(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:37:13:37:31 | callable(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:45:40:45:47 | jexlExpr | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:45:40:45:47 | jexlExpr | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:50:40:50:47 | jexlExpr | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:50:40:50:47 | jexlExpr | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:56:9:56:39 | createExpression(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:56:9:56:39 | createExpression(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:62:9:62:39 | createExpression(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:62:9:62:39 | createExpression(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:68:9:68:37 | createTemplate(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:68:9:68:37 | createTemplate(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:77:13:77:26 | callable(...) | Jexl3Injection.java:87:25:87:47 | getInputStream(...) : InputStream | Jexl3Injection.java:77:13:77:26 | callable(...) | Jexl injection from $@. | Jexl3Injection.java:87:25:87:47 | getInputStream(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JexlInjection.ql

java/ql/test/experimental/query-tests/security/CWE-094/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/DebugInfo.java

@@ -0,0 +1,14 @@
+package org.apache.commons.jexl2;
+
+public class DebugInfo implements JexlInfo {
+
+    public DebugInfo(String tn, int l, int c) {}
+
+    public String debugString() {
+        return null;
+    }
+
+    public DebugInfo debugInfo() {
+        return null;
+    }
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/Expression.java

@@ -0,0 +1,7 @@
+package org.apache.commons.jexl2;
+
+public interface Expression {
+    Object evaluate(JexlContext var1);
+    String getExpression();
+    String dump();
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlContext.java

@@ -0,0 +1,7 @@
+package org.apache.commons.jexl2;
+
+public interface JexlContext {
+    Object get(String var1);
+    void set(String var1, Object var2);
+    boolean has(String var1);
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlEngine.java

@@ -0,0 +1,42 @@
+package org.apache.commons.jexl2;
+
+public class JexlEngine {
+
+    public Expression createExpression(String expression) {
+        return null;
+    }
+
+    public Expression createExpression(String expression, JexlInfo info) {
+        return null;
+    }
+
+    public Script createScript(String scriptText) {
+        return null;
+    }
+
+    public Script createScript(String scriptText, JexlInfo info) {
+        return null;
+    }
+
+    public Script createScript(String scriptText, String... names) {
+        return null;
+    }
+
+    public Script createScript(String scriptText, JexlInfo info, String[] names) {
+        return null;
+    }
+
+    public Object getProperty(Object bean, String expr) {
+        return null;
+    }
+
+    public Object getProperty(JexlContext context, Object bean, String expr) {
+        return null;
+    }
+
+    public void setProperty(Object bean, String expr, Object value) {}
+
+    public void setProperty(JexlContext context, Object bean, String expr, Object value) {}
+    
+      
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlInfo.java

@@ -0,0 +1,6 @@
+package org.apache.commons.jexl2;
+
+public interface JexlInfo {
+    String debugString();
+    DebugInfo debugInfo();
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/MapContext.java

@@ -0,0 +1,14 @@
+package org.apache.commons.jexl2;
+
+public class MapContext implements JexlContext {
+
+    public Object get(String var1) {
+        return null;
+    }
+
+    public void set(String var1, Object var2) {}
+
+    public boolean has(String var1) {
+        return false;
+    }
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/Script.java

@@ -0,0 +1,24 @@
+package org.apache.commons.jexl2;
+
+import java.util.List;
+import java.util.Set;
+import java.util.concurrent.Callable;
+
+public interface Script {
+    
+    Object execute(JexlContext var1);
+
+    Object execute(JexlContext var1, Object... var2);
+
+    String getText();
+
+    String[] getParameters();
+
+    String[] getLocalVariables();
+
+    Set<List<String>> getVariables();
+
+    Callable<Object> callable(JexlContext var1);
+
+    Callable<Object> callable(JexlContext var1, Object... var2);
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/UnifiedJEXL.java

@@ -0,0 +1,47 @@
+package org.apache.commons.jexl2;
+
+import java.io.Writer;
+import java.io.Reader;
+
+public final class UnifiedJEXL {
+
+    public UnifiedJEXL(JexlEngine jexl) {}
+
+    public UnifiedJEXL.Expression parse(String expression) {
+        return null;
+    }
+
+    public UnifiedJEXL.Template createTemplate(String prefix, Reader source, String... parms) {
+        return null;
+    }
+
+    public UnifiedJEXL.Template createTemplate(String source, String... parms) {
+        return null;
+    }
+
+    public UnifiedJEXL.Template createTemplate(String source) {
+        return null;
+    }
+
+    public final class Template {
+
+        public UnifiedJEXL.Template prepare(JexlContext context) {
+            return null;
+        }
+
+        public void evaluate(JexlContext context, Writer writer) {}
+
+        public void evaluate(JexlContext context, Writer writer, Object... args) {}
+    }
+
+    public abstract class Expression {
+
+        public UnifiedJEXL.Expression prepare(JexlContext context) {
+            return null;
+        }
+
+        public Object evaluate(JexlContext context) {
+            return null;
+        }
+    }
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlBuilder.java

@@ -0,0 +1,8 @@
+package org.apache.commons.jexl3;
+
+public class JexlBuilder {
+
+    public JexlEngine create() {
+        return null;
+    }
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlContext.java

@@ -0,0 +1,3 @@
+package org.apache.commons.jexl3;
+
+public interface JexlContext {}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlEngine.java

@@ -0,0 +1,34 @@
+package org.apache.commons.jexl3;
+
+public abstract class JexlEngine {
+
+    public JexlExpression createExpression(JexlInfo info, String expression) {
+        return null;
+    }
+
+    public JexlExpression createExpression(String expression) {
+        return null;
+    }
+
+    public JexlScript createScript(JexlInfo info, String source, String[] names) {
+        return null;
+    }
+
+    public JexlScript createScript(String scriptText) {
+        return null;
+    }
+
+    public JexlScript createScript(String scriptText, String... names) {
+        return null;
+    }
+
+    public JxltEngine createJxltEngine() {
+        return null;
+    }
+
+    public void setProperty(Object bean, String expr, Object value) {}
+
+    public Object getProperty(Object bean, String expr) {
+        return null;
+    }
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlExpression.java

@@ -0,0 +1,8 @@
+package org.apache.commons.jexl3;
+
+import java.util.concurrent.Callable;
+
+public interface JexlExpression {
+    Object evaluate(JexlContext context);
+    Callable<Object> callable(JexlContext context);
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlInfo.java

@@ -0,0 +1,5 @@
+package org.apache.commons.jexl3;
+
+public class JexlInfo {
+    public JexlInfo(String source, int l, int c) {}
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlScript.java

@@ -0,0 +1,11 @@
+package org.apache.commons.jexl3;
+
+import java.util.concurrent.Callable;
+
+public interface JexlScript {
+
+    Object execute(JexlContext context);
+    Object execute(JexlContext context, Object... args);
+    Callable<Object> callable(JexlContext context);
+    Callable<Object> callable(JexlContext context, Object... args);
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JxltEngine.java

@@ -0,0 +1,25 @@
+package org.apache.commons.jexl3;
+
+import java.io.Writer;
+
+public class JxltEngine {
+
+    public Expression createExpression(String expression) {
+        return null;
+    }
+
+    public Template createTemplate(String source) {
+        return null;
+    }
+
+    public interface Expression {
+        Object evaluate(JexlContext context);
+        Expression prepare(JexlContext context);
+    }
+
+    public interface Template {
+        void evaluate(JexlContext context, Writer writer);
+        void evaluate(JexlContext context, Writer writer, Object... args);
+        Template prepare(JexlContext context);
+    }
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/MapContext.java

@@ -0,0 +1,3 @@
+package org.apache.commons.jexl3;
+
+public class MapContext implements JexlContext {}