hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch

Browse Source
This commit is contained in:
Tony Torralba
2021-07-20 17:30:56 +02:00
parent 1014400a08 5a489a386a
commit 99e66cffa2
2246 changed files with 205894 additions and 30303 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/test/experimental/query-tests/security/CWE-016/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

2
java/ql/test/experimental/query-tests/security/CWE-074-JndiInjection/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2

2
java/ql/test/experimental/query-tests/security/CWE-074/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/Saxon-HE-9.9.1-7
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/Saxon-HE-9.9.1-7

15
java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected Normal file
View File

@@ -0,0 +1,15 @@
edges
| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) |
| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code |
| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource |
nodes
| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | semmle.label | new StaticScriptSource(...) |
| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| BeanShellInjection.java:22:20:22:23 | code | semmle.label | code |
| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| BeanShellInjection.java:31:22:31:39 | staticScriptSource | semmle.label | staticScriptSource |
#select
| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShell injection from $@. | BeanShellInjection.java:13:17:13:44 | getParameter(...) | this user input |
| BeanShellInjection.java:22:20:22:23 | code | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | BeanShell injection from $@. | BeanShellInjection.java:20:17:20:44 | getParameter(...) | this user input |
| BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShell injection from $@. | BeanShellInjection.java:27:17:27:44 | getParameter(...) | this user input |

33
java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java Normal file
View File

@@ -0,0 +1,33 @@
import bsh.Interpreter;
import javax.servlet.http.HttpServletRequest;
import org.springframework.scripting.bsh.BshScriptEvaluator;
import org.springframework.scripting.support.StaticScriptSource;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class BeanShellInjection {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String code = request.getParameter("code");
BshScriptEvaluator evaluator = new BshScriptEvaluator();
evaluator.evaluate(new StaticScriptSource(code)); //bad
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) throws Exception {
String code = request.getParameter("code");
Interpreter interpreter = new Interpreter();
interpreter.eval(code); //bad
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String code = request.getParameter("code");
StaticScriptSource staticScriptSource = new StaticScriptSource("test");
staticScriptSource.setScript(code);
BshScriptEvaluator evaluator = new BshScriptEvaluator();
evaluator.evaluate(staticScriptSource); //bad
}
}

1
java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-094/BeanShellInjection.ql

15
java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected Normal file
View File

@@ -0,0 +1,15 @@
edges
| JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input |
| JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input |
| JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) |
nodes
| JShellInjection.java:12:18:12:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JShellInjection.java:15:15:15:19 | input | semmle.label | input |
| JShellInjection.java:20:18:20:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JShellInjection.java:24:31:24:35 | input | semmle.label | input |
| JShellInjection.java:29:18:29:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JShellInjection.java:37:16:37:28 | source(...) | semmle.label | source(...) |
#select
| JShellInjection.java:15:15:15:19 | input | JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | JShell injection from $@. | JShellInjection.java:12:18:12:45 | getParameter(...) | this user input |
| JShellInjection.java:24:31:24:35 | input | JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | JShell injection from $@. | JShellInjection.java:20:18:20:45 | getParameter(...) | this user input |
| JShellInjection.java:37:16:37:28 | source(...) | JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) | JShell injection from $@. | JShellInjection.java:29:18:29:45 | getParameter(...) | this user input |

40
java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java Normal file
View File

@@ -0,0 +1,40 @@
import javax.servlet.http.HttpServletRequest;
import jdk.jshell.JShell;
import jdk.jshell.SourceCodeAnalysis;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class JShellInjection {
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String input = request.getParameter("code");
JShell jShell = JShell.builder().build();
// BAD: allow execution of arbitrary Java code
jShell.eval(input);
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String input = request.getParameter("code");
JShell jShell = JShell.builder().build();
SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis();
// BAD: allow execution of arbitrary Java code
sourceCodeAnalysis.wrappers(input);
}
@GetMapping(value = "bad3")
public void bad3(HttpServletRequest request) {
String input = request.getParameter("code");
JShell jShell = JShell.builder().build();
SourceCodeAnalysis.CompletionInfo info;
SourceCodeAnalysis sca = jShell.sourceCodeAnalysis();
for (info = sca.analyzeCompletion(input);
info.completeness().isComplete();
info = sca.analyzeCompletion(info.remaining())) {
// BAD: allow execution of arbitrary Java code
jShell.eval(info.source());
}
}
}

1
java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-094/JShellInjection.ql

2
java/ql/test/experimental/query-tests/security/CWE-094/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell

2
java/ql/test/experimental/query-tests/security/CWE-1004/options
View File

@@ -1 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.2.3
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.3.8

8
java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrust.expected
View File

@@ -1,5 +1,3 @@
| UnsafeCertTrustTest.java:27:4:27:74 | init(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:42:4:42:38 | init(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:92:25:92:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:103:25:103:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:112:34:112:83 | createSocket(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:26:25:26:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:37:25:37:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:46:34:46:83 | createSocket(...) | Unsafe configuration of trusted certificates |

66
java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
View File

@@ -18,72 +18,6 @@ import java.security.cert.X509Certificate;
public class UnsafeCertTrustTest {
/**
* Test the implementation of trusting all server certs as a variable
*/
public SSLSocketFactory testTrustAllCertManager() {
try {
final SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new TrustManager[] { TRUST_ALL_CERTIFICATES }, null);
final SSLSocketFactory socketFactory = context.getSocketFactory();
return socketFactory;
} catch (final Exception x) {
throw new RuntimeException(x);
}
}
/**
* Test the implementation of trusting all server certs as an anonymous class
*/
public SSLSocketFactory testTrustAllCertManagerOfVariable() {
try {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] serverTMs = new TrustManager[] { new X509TrustAllManager() };
context.init(null, serverTMs, null);
final SSLSocketFactory socketFactory = context.getSocketFactory();
return socketFactory;
} catch (final Exception x) {
throw new RuntimeException(x);
}
}
private static final X509TrustManager TRUST_ALL_CERTIFICATES = new X509TrustManager() {
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
throws CertificateException {
}
@Override
public void checkServerTrusted(final X509Certificate[] chain, final String authType)
throws CertificateException {
// Noncompliant
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null; // Noncompliant
}
};
private class X509TrustAllManager implements X509TrustManager {
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
throws CertificateException {
}
@Override
public void checkServerTrusted(final X509Certificate[] chain, final String authType)
throws CertificateException {
// Noncompliant
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null; // Noncompliant
}
};
/**
* Test the endpoint identification of SSL engine is set to null
*/

108
java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected Normal file
View File

@@ -0,0 +1,108 @@
edges
| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager |
| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:131:23:131:34 | trustManager |
| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager |
| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:173:23:173:34 | trustManager |
| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager |
| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:215:23:215:34 | trustManager |
| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager |
| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager |
| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager |
| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager |
| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager |
| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager |
| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager |
| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager |
| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager |
| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager |
| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager |
| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager |
| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager |
nodes
| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:131:23:131:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:173:23:173:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:215:23:215:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | semmle.label | trustManager |
#select
| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |

1
java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-295/InsecureTrustManager.ql

420
java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java Normal file
View File

@@ -0,0 +1,420 @@
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class InsecureTrustManagerTest {
private static final boolean TRUST_ALL = true;
private static final boolean SOME_NAME_THAT_IS_NOT_A_FLAG_NAME = true;
private static boolean isDisableTrust() {
return true;
}
private static boolean is42TheAnswerForEverything() {
return true;
}
private static class InsecureTrustManager implements X509TrustManager {
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
// BAD: Does not verify the certificate chain, allowing any certificate.
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
}
public static void main(String[] args) throws Exception {
directInsecureTrustManagerCall();
namedVariableFlagDirectInsecureTrustManagerCall();
noNamedVariableFlagDirectInsecureTrustManagerCall();
namedVariableFlagIndirectInsecureTrustManagerCall();
noNamedVariableFlagIndirectInsecureTrustManagerCall();
stringLiteralFlagDirectInsecureTrustManagerCall();
noStringLiteralFlagDirectInsecureTrustManagerCall();
stringLiteralFlagIndirectInsecureTrustManagerCall();
noStringLiteralFlagIndirectInsecureTrustManagerCall();
methodAccessFlagDirectInsecureTrustManagerCall();
noMethodAccessFlagDirectInsecureTrustManagerCall();
methodAccessFlagIndirectInsecureTrustManagerCall();
noMethodAccessFlagIndirectInsecureTrustManagerCall();
isEqualsIgnoreCaseDirectInsecureTrustManagerCall();
noIsEqualsIgnoreCaseDirectInsecureTrustManagerCall();
isEqualsIgnoreCaseIndirectInsecureTrustManagerCall();
noIsEqualsIgnoreCaseIndirectInsecureTrustManagerCall();
namedVariableFlagNOTGuardingDirectInsecureTrustManagerCall();
noNamedVariableFlagNOTGuardingDirectInsecureTrustManagerCall();
stringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall();
noStringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall();
methodAccessFlagNOTGuardingDirectInsecureTrustManagerCall();
noMethodAccessFlagNOTGuardingDirectInsecureTrustManagerCall();
isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall();
noIsEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall();
directSecureTrustManagerCall();
}
private static void directSecureTrustManagerCall() throws NoSuchAlgorithmException, KeyStoreException, IOException,
CertificateException, FileNotFoundException, KeyManagementException, MalformedURLException {
SSLContext context = SSLContext.getInstance("TLS");
File certificateFile = new File("path/to/self-signed-certificate");
// Create a `KeyStore` with default type
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
// This causes `keyStore` to be empty
keyStore.load(null, null);
X509Certificate generatedCertificate;
try (InputStream cert = new FileInputStream(certificateFile)) {
generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(cert);
}
// Add the self-signed certificate to the key store
keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);
// Get default `TrustManagerFactory`
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// Use it with our modified key store that trusts our self-signed certificate
tmf.init(keyStore);
TrustManager[] trustManagers = tmf.getTrustManagers();
context.init(null, trustManagers, null); // GOOD, we are not using a custom `TrustManager` but instead have
// added the self-signed certificate we want to trust to the key
// store. Note, the `trustManagers` will **only** trust this one
// certificate.
URL url = new URL("https://self-signed.badssl.com/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(context.getSocketFactory());
}
private static void directInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate.
}
private static void namedVariableFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (TRUST_ALL) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
}
}
private static void namedVariableFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (TRUST_ALL) {
disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
// method that install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
}
}
private static void noNamedVariableFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void noNamedVariableFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void stringLiteralFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
}
}
private static void stringLiteralFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
// method that install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
}
}
private static void noStringLiteralFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void noStringLiteralFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void methodAccessFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (isDisableTrust()) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
}
}
private static void methodAccessFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (isDisableTrust()) {
disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
// method that install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
}
}
private static void noMethodAccessFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (is42TheAnswerForEverything()) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void noMethodAccessFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (is42TheAnswerForEverything()) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void isEqualsIgnoreCaseDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void isEqualsIgnoreCaseIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void noIsEqualsIgnoreCaseDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void noIsEqualsIgnoreCaseIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
}
}
private static void namedVariableFlagNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (TRUST_ALL) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if.
}
private static void noNamedVariableFlagNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
}
private static void stringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if.
}
private static void noStringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
}
private static void methodAccessFlagNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (isDisableTrust()) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if.
}
private static void noMethodAccessFlagNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (is42TheAnswerForEverything()) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
}
private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
}
private static void noIsEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
System.out.println("Disabling trust!");
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
}
private static void disableTrustManager() throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the
// certificate
// chain, allowing any certificate. The method name suggests that this may be
// intentional, but we flag it anyway.
}
}

158
java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.expected
View File

@@ -1,54 +1,59 @@
edges
| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] | UnsafeTlsVersion.java:44:44:44:52 | protocols |
| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] |
| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] |
| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] |
| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] |
| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] |
| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] | UnsafeTlsVersion.java:81:32:81:40 | protocols |
| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] | UnsafeTlsVersion.java:101:32:101:40 | protocols |
| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] | UnsafeTlsVersion.java:121:32:121:40 | protocols |
| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String | UnsafeTlsVersion.java:44:44:44:52 | protocols |
| UnsafeTlsVersion.java:50:38:50:61 | {...} [[]] : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] |
| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | {...} [[]] : String |
| UnsafeTlsVersion.java:51:38:51:59 | {...} [[]] : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] |
| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | {...} [[]] : String |
| UnsafeTlsVersion.java:52:38:52:61 | {...} [[]] : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] |
| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | {...} [[]] : String |
| UnsafeTlsVersion.java:53:38:53:63 | {...} [[]] : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] |
| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | {...} [[]] : String |
| UnsafeTlsVersion.java:56:29:56:65 | {...} [[]] : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] |
| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | {...} [[]] : String |
| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String | UnsafeTlsVersion.java:81:32:81:40 | protocols |
| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String | UnsafeTlsVersion.java:101:32:101:40 | protocols |
| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String | UnsafeTlsVersion.java:121:32:121:40 | protocols |
nodes
| UnsafeTlsVersion.java:16:28:16:32 | "SSL" | semmle.label | "SSL" |
| UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | semmle.label | "SSLv2" |
@@ -56,64 +61,69 @@ nodes
| UnsafeTlsVersion.java:19:28:19:32 | "TLS" | semmle.label | "TLS" |
| UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | semmle.label | "TLSv1" |
| UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | semmle.label | "TLSv1.1" |
| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | semmle.label | "SSLv3" : String |
| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | semmle.label | "TLS" : String |
| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | semmle.label | "TLSv1" : String |
| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | semmle.label | "TLSv1" : String |
| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] | semmle.label | protocols : String[] |
| UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String | semmle.label | protocols [[]] : String |
| UnsafeTlsVersion.java:44:44:44:52 | protocols | semmle.label | protocols |
| UnsafeTlsVersion.java:50:38:50:61 | new String[] | semmle.label | new String[] |
| UnsafeTlsVersion.java:50:38:50:61 | {...} [[]] : String | semmle.label | {...} [[]] : String |
| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | semmle.label | "SSLv3" : String |
| UnsafeTlsVersion.java:51:38:51:59 | new String[] | semmle.label | new String[] |
| UnsafeTlsVersion.java:51:38:51:59 | {...} [[]] : String | semmle.label | {...} [[]] : String |
| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | semmle.label | "TLS" : String |
| UnsafeTlsVersion.java:52:38:52:61 | new String[] | semmle.label | new String[] |
| UnsafeTlsVersion.java:52:38:52:61 | {...} [[]] : String | semmle.label | {...} [[]] : String |
| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | semmle.label | "TLSv1" : String |
| UnsafeTlsVersion.java:53:38:53:63 | new String[] | semmle.label | new String[] |
| UnsafeTlsVersion.java:53:38:53:63 | {...} [[]] : String | semmle.label | {...} [[]] : String |
| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:56:29:56:65 | new String[] | semmle.label | new String[] |
| UnsafeTlsVersion.java:56:29:56:65 | {...} [[]] : String | semmle.label | {...} [[]] : String |
| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | semmle.label | "SSLv3" : String |
| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | semmle.label | "TLS" : String |
| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | semmle.label | "TLSv1" : String |
| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] | semmle.label | protocols : String[] |
| UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String | semmle.label | protocols [[]] : String |
| UnsafeTlsVersion.java:81:32:81:40 | protocols | semmle.label | protocols |
| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | semmle.label | "SSLv3" : String |
| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | semmle.label | "TLS" : String |
| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | semmle.label | "TLSv1" : String |
| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] | semmle.label | protocols : String[] |
| UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String | semmle.label | protocols [[]] : String |
| UnsafeTlsVersion.java:101:32:101:40 | protocols | semmle.label | protocols |
| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | semmle.label | "SSLv3" : String |
| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | semmle.label | "TLS" : String |
| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | semmle.label | "TLSv1" : String |
| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
| UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] | semmle.label | protocols : String[] |
| UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String | semmle.label | protocols [[]] : String |
| UnsafeTlsVersion.java:121:32:121:40 | protocols | semmle.label | protocols |
#select
| UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | $@ is unsafe | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | SSL |

2
java/ql/test/experimental/query-tests/security/CWE-348/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/

2
java/ql/test/experimental/query-tests/security/CWE-352/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.3.8/

20
java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java
View File

@@ -2,12 +2,32 @@ import org.springframework.boot.SpringBootConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.caucho.HessianServiceExporter;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
import org.springframework.remoting.rmi.RmiServiceExporter;
@Configuration
public class SpringExporterUnsafeDeserialization {
@Bean(name = "/unsafeRmiServiceExporter")
RmiServiceExporter unsafeRmiServiceExporter() {
RmiServiceExporter exporter = new RmiServiceExporter();
exporter.setServiceInterface(AccountService.class);
exporter.setService(new AccountServiceImpl());
exporter.setServiceName(AccountService.class.getSimpleName());
exporter.setRegistryPort(1099);
return exporter;
}
@Bean(name = "/unsafeHessianServiceExporter")
HessianServiceExporter unsafeHessianServiceExporter() {
HessianServiceExporter exporter = new HessianServiceExporter();
exporter.setService(new AccountServiceImpl());
exporter.setServiceInterface(AccountService.class);
return exporter;
}
@Bean(name = "/unsafeHttpInvokerServiceExporter")
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();

10
java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.expected
View File

@@ -1,4 +1,6 @@
| SpringExporterUnsafeDeserialization.java:12:32:12:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
| SpringExporterUnsafeDeserialization.java:20:41:20:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
| SpringExporterUnsafeDeserialization.java:36:32:36:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
| SpringExporterUnsafeDeserialization.java:48:32:48:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
| SpringExporterUnsafeDeserialization.java:14:24:14:47 | unsafeRmiServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeRmiServiceExporter' |
| SpringExporterUnsafeDeserialization.java:24:28:24:55 | unsafeHessianServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHessianServiceExporter' |
| SpringExporterUnsafeDeserialization.java:32:32:32:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
| SpringExporterUnsafeDeserialization.java:40:41:40:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
| SpringExporterUnsafeDeserialization.java:56:32:56:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
| SpringExporterUnsafeDeserialization.java:68:32:68:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |

2
java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.expected
View File

@@ -1,2 +1,4 @@
| beans.xml:10:5:13:12 | /unsafeBooking | Unsafe deserialization in a Spring exporter bean '/unsafeBooking' |
| beans.xml:15:5:18:12 | org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter' |
| beans.xml:20:5:24:12 | org.springframework.remoting.rmi.RmiServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.rmi.RmiServiceExporter' |
| beans.xml:26:5:29:12 | org.springframework.remoting.caucho.HessianServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.caucho.HessianServiceExporter' |

11
java/ql/test/experimental/query-tests/security/CWE-502/beans.xml
View File

@@ -16,4 +16,15 @@
<property name="service" ref="anotherBookingService"/>
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
</bean>
<bean class="org.springframework.remoting.rmi.RmiServiceExporter">
<property name="service" ref="oneMoreBookingService"/>
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
<property name="registryPort" value="1199"/>
</bean>
<bean class="org.springframework.remoting.caucho.HessianServiceExporter">
<property name="service" ref="oneMoreBookingService"/>
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
</bean>
</beans>

2
java/ql/test/experimental/query-tests/security/CWE-502/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

48
java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
View File

@@ -1,35 +1,35 @@
edges
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String |
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:15:3:15:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:29:3:29:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:48:49:48:59 | environment |
| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String |
| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:57:3:57:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String |
| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:77:49:77:59 | environment |
| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:77:49:77:59 | environment |
| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:72:3:72:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:77:49:77:59 | environment |
| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:91:49:91:59 | environment |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:100:3:100:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:115:3:115:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable |
@@ -37,23 +37,23 @@ edges
| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String |
| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:140:3:140:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String |
| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment |
| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:151:3:151:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:153:50:153:60 | environment |
| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
nodes
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:15:3:15:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:29:3:29:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
@@ -61,7 +61,7 @@ nodes
| InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:48:49:48:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String |
| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:57:3:57:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
@@ -69,19 +69,19 @@ nodes
| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:72:3:72:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:91:49:91:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:100:3:100:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:115:3:115:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
@@ -90,14 +90,14 @@ nodes
| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:140:3:140:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:151:3:151:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |

2
java/ql/test/experimental/query-tests/security/CWE-601/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/

2
java/ql/test/experimental/query-tests/security/CWE-652/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.2.3/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.3.8/

4
java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.expected Normal file
View File

@@ -0,0 +1,4 @@
| InsecureRmiJmxEnvironmentConfiguration.java:12:5:12:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:12:59:12:62 | null | null |
| InsecureRmiJmxEnvironmentConfiguration.java:17:5:17:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:17:34:17:37 | null | null |
| InsecureRmiJmxEnvironmentConfiguration.java:25:5:25:49 | new RMIConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:25:34:25:36 | env | env |
| InsecureRmiJmxEnvironmentConfiguration.java:33:5:33:68 | newJMXConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:33:59:33:61 | env | env |

89
java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java Normal file
View File

@@ -0,0 +1,89 @@
import java.io.IOException;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.rmi.RMIConnectorServer;
import java.util.HashMap;
import java.util.Map;
public class InsecureRmiJmxEnvironmentConfiguration {
public void initInsecureJmxDueToNullEnv() throws IOException {
// Bad initializing env (arg1) with null
JMXConnectorServerFactory.newJMXConnectorServer(null, null, null);
}
public void initInsecureRmiDueToNullEnv() throws IOException {
// Bad initializing env (arg1) with null
new RMIConnectorServer(null, null, null, null);
}
public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException {
// Bad initializing env (arg1) with missing
// "jmx.remote.rmi.server.credential.types"
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
new RMIConnectorServer(null, env, null, null);
}
public void initInsecureJmxDueToMissingEnvKeyValue() throws IOException {
// Bad initializing env (arg1) with missing
// "jmx.remote.rmi.server.credential.types"
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
}
public void secureJmxConnnectorServer() throws IOException {
// Good
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
env.put("jmx.remote.rmi.server.credential.types",
new String[] { String[].class.getName(), String.class.getName() });
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
}
public void secureRmiConnnectorServer() throws IOException {
// Good
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
env.put("jmx.remote.rmi.server.credential.types",
new String[] { String[].class.getName(), String.class.getName() });
new RMIConnectorServer(null, env, null, null);
}
public void secureeJmxConnectorServerConstants1() throws IOException {
// Good
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, "java.lang.String;!*"); // Deny everything but
// java.lang.String
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
}
public void secureeRmiConnectorServerConstants1() throws IOException {
// Good
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
new RMIConnectorServer(null, env, null, null);
}
public void secureJmxConnectorServerConstants2() throws IOException {
// Good
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
env.put("jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*"); // Deny everything but
// java.lang.String
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
}
public void secureRmiConnectorServerConstants2() throws IOException {
// Good
Map<String, Object> env = new HashMap<>();
env.put("jmx.remote.x.daemon", "true");
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
env.put("jmx.remote.rmi.server.credentials.filter.pattern", stringsOnlyFilter);
new RMIConnectorServer(null, env, null, null);
}
}

1
java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql

1
java/ql/test/experimental/query-tests/security/CWE-665/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/rmi-remote-0.0.0

2
java/ql/test/experimental/query-tests/security/CWE-917/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22

6
java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
View File

@@ -3,8 +3,8 @@ edges
| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
| SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
| SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | SensitiveBroadcast.java:52:31:52:36 | intent |
| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList |
| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String | SensitiveBroadcast.java:52:31:52:36 | intent |
| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String |
| SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
| SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent |
| SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent |
@@ -16,7 +16,7 @@ nodes
| SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
| SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | semmle.label | userinfo [post update] : ArrayList |
| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String | semmle.label | userinfo [post update] [<element>] : String |
| SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
| SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |

30
java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java Normal file
View File

@@ -0,0 +1,30 @@
package javax.management.remote.rmi;
import java.io.IOException;
import java.util.Map;
import java.io.IOException;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXServiceURL;
import javax.management.MBeanServer;
import javax.management.remote.rmi.RMIServerImpl;
//import javax.management.remote.JMXConnectorServer;
//public class RMIConnectorServerTEST extends JMXConnectorServer{
public class RMIConnectorServer extends java.lang.Object {
public static final String CREDENTIALS_FILTER_PATTERN = "jmx.remote.rmi.server.credentials.filter.pattern";
public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment) throws IOException {
// stub;
}
public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment, MBeanServer mbeanServer)
throws IOException {
// stub;
}
public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment, RMIServerImpl rmiServerImpl,
MBeanServer mbeanServer) throws IOException {
// stub;
}
}

10
java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIServerImpl.java Normal file
View File

@@ -0,0 +1,10 @@
package javax.management.remote.rmi;
import java.util.Map;
public class RMIServerImpl {
public RMIServerImpl(Map<String, ?> env) {
// stub;
}
}

37
java/ql/test/experimental/stubs/jshell/jdk/jshell/JShell.java Normal file
View File

@@ -0,0 +1,37 @@
package jdk.jshell;
import java.util.List;
import java.lang.IllegalStateException;
public class JShell implements AutoCloseable {
JShell(Builder b) throws IllegalStateException { }
public static class Builder {
Builder() { }
public JShell build() throws IllegalStateException {
return null;
}
}
public static JShell create() throws IllegalStateException {
return null;
}
public static Builder builder() {
return null;
}
public SourceCodeAnalysis sourceCodeAnalysis() {
return null;
}
public List<SnippetEvent> eval(String input) throws IllegalStateException {
return null;
}
@Override
public void close() { }
}

31
java/ql/test/experimental/stubs/jshell/jdk/jshell/Snippet.java Normal file
View File

@@ -0,0 +1,31 @@
package jdk.jshell;
public abstract class Snippet {
public enum Kind {
IMPORT(true),
TYPE_DECL(true),
METHOD(true),
VAR(true),
EXPRESSION(false),
STATEMENT(false),
ERRONEOUS(false);
private final boolean isPersistent;
Kind(boolean isPersistent) {
this.isPersistent = isPersistent;
}
public boolean isPersistent() {
return false;
}
}
}

5
java/ql/test/experimental/stubs/jshell/jdk/jshell/SnippetEvent.java Normal file
View File

@@ -0,0 +1,5 @@
package jdk.jshell;
public class SnippetEvent {
}

111
java/ql/test/experimental/stubs/jshell/jdk/jshell/SourceCodeAnalysis.java Normal file
View File

@@ -0,0 +1,111 @@
package jdk.jshell;
import java.util.Collection;
import java.util.List;
public abstract class SourceCodeAnalysis {
public abstract CompletionInfo analyzeCompletion(String input);
public abstract List<Suggestion> completionSuggestions(String input, int cursor, int[] anchor);
public abstract List<Documentation> documentation(String input, int cursor, boolean computeJavadoc);
public abstract String analyzeType(String code, int cursor);
public abstract QualifiedNames listQualifiedNames(String code, int cursor);
public abstract SnippetWrapper wrapper(Snippet snippet);
public abstract List<SnippetWrapper> wrappers(String input);
public abstract Collection<Snippet> dependents(Snippet snippet);
SourceCodeAnalysis() {}
public interface CompletionInfo {
Completeness completeness();
String remaining();
String source();
}
public enum Completeness {
COMPLETE(true),
COMPLETE_WITH_SEMI(true),
DEFINITELY_INCOMPLETE(false),
CONSIDERED_INCOMPLETE(false),
EMPTY(false),
UNKNOWN(true);
private final boolean isComplete;
Completeness(boolean isComplete) {
this.isComplete = isComplete;
}
public boolean isComplete() {
return isComplete;
}
}
public interface Suggestion {
String continuation();
boolean matchesType();
}
public interface Documentation {
String signature();
String javadoc();
}
public static final class QualifiedNames {
QualifiedNames(List<String> names, int simpleNameLength, boolean upToDate, boolean resolvable) { }
public List<String> getNames() {
return null;
}
public int getSimpleNameLength() {
return 1;
}
public boolean isUpToDate() {
return false;
}
public boolean isResolvable() {
return false;
}
}
public interface SnippetWrapper {
String source();
String wrapped();
String fullClassName();
Snippet.Kind kind();
int sourceToWrappedPosition(int pos);
int wrappedToSourcePosition(int pos);
}
}

1
java/ql/test/experimental/stubs/rmi-remote-0.0.0/README Normal file
View File

@@ -0,0 +1 @@
This is a workaround for a bug in which the extractor can't resolve type javax.management.remote.rmi.RMIConnectorServer even though it has been part of the JDK since Java 5

6
java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnection.java Normal file
View File

@@ -0,0 +1,6 @@
package javax.management.remote.rmi;
import java.rmi.Remote;
import java.io.Closeable;
interface RMIConnection extends Closeable, Remote { }

34
java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnectorServer.java Normal file
View File

@@ -0,0 +1,34 @@
package javax.management.remote.rmi;
import java.util.Map;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.MBeanServerForwarder;
import javax.management.MBeanServer;
// Note this is a partial stub sufficient to the needs of tests for CWE-665
public class RMIConnectorServer extends JMXConnectorServer {
public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment) { }
public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, MBeanServer mbeanServer) { }
public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, RMIServerImpl rmiServerImpl, MBeanServer mbeanServer) { }
public static String CREDENTIAL_TYPES = "";
public static String CREDENTIALS_FILTER_PATTERN = "";
public static String JNDI_REBIND_ATTRIBUTE = "";
public static String RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE = "";
public static String RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE = "";
public static String SERIAL_FILTER_PATTERN = "";
public Map<String,?> getAttributes() { return null; }
public JMXServiceURL getAddress() { return null; }
public String[] getConnectionIds() { return null; }
public boolean isActive() { return true; }
public void setMBeanServerForwarder(MBeanServerForwarder mbsf) { }
public void start() { }
public void stop() { }
public JMXConnector toJMXConnector(Map<String,?> env) { return null; }
}

3
java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServer.java Normal file
View File

@@ -0,0 +1,3 @@
package javax.management.remote.rmi;
interface RMIServer { }

12
java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServerImpl.java Normal file
View File

@@ -0,0 +1,12 @@
package javax.management.remote.rmi;
import java.io.Closeable;
import java.rmi.Remote;
public class RMIServerImpl implements Closeable, RMIServer {
public void close() { }
public String getVersion() { return null; }
public RMIConnection newClient(Object credentials) { return null; }
}

711
java/ql/test/library-tests/dataflow/collections/B.java
View File

File diff suppressed because it is too large Load Diff

228
java/ql/test/library-tests/dataflow/collections/ContainterTest.java
View File

@@ -1,228 +0,0 @@
import java.util.Collection;
import java.util.List;
import java.util.Vector;
import java.util.Stack;
import java.util.Queue;
import java.util.Deque;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.TransferQueue;
import java.util.concurrent.BlockingDeque;
import java.util.SortedSet;
import java.util.NavigableSet;
import java.util.Map;
import java.util.Map.Entry;
import java.util.SortedMap;
import java.util.NavigableMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.Dictionary;
import java.util.Iterator;
import java.util.ListIterator;
import java.util.Enumeration;
class ContainerTest {
private static <T> T sink(T object) { return object; }
private static <T> T mkSink(Class<T> cls) { return null; }
private static <T> T source(T object) { return object; }
public static void taintSteps(
Iterable<String> iterable,
Collection<String> collection,
List<String> list,
Vector<String> vector,
Stack<String> stack,
Queue<String> queue,
Deque<String> deque,
BlockingQueue<String> blockQueue,
BlockingDeque<String> blockDeque,
TransferQueue<String> transferQ,
SortedSet<String> sortedSet,
NavigableSet<String> navSet,
Map<String, String> map,
Map.Entry<String, String> entry,
SortedMap<String, String> sortedMap,
NavigableMap<String, String> navMap,
ConcurrentHashMap<String, String> syncHashMap,
Dictionary<String, String> dict,
Iterator<String> iter,
ListIterator<String> listIter,
Enumeration<String> enumeration
) throws InterruptedException {
// java.util.Iterable
sink(iterable.iterator());
sink(iterable.spliterator());
// java.util.Collection
sink(collection.parallelStream());
sink(collection.stream());
sink(collection.toArray());
sink(collection.toArray(x -> new String[x]));
sink(collection.toArray(new String[5]));
collection.toArray(mkSink(String[].class));
mkSink(Collection.class).add(source("value"));
mkSink(Collection.class).addAll(collection);
// java.util.List
sink(list.get(1));
sink(list.listIterator());
sink(list.listIterator(2));
sink(list.remove(3));
sink(list.set(4, "value"));
sink(list.subList(5, 6));
mkSink(List.class).add(7, source("value"));
mkSink(List.class).addAll(8, collection);
mkSink(List.class).set(9, source("value"));
// java.util.Vector
sink(vector.elementAt(7));
sink(vector.elements());
sink(vector.firstElement());
sink(vector.lastElement());
mkSink(Vector.class).addElement(source("element"));
mkSink(Vector.class).insertElementAt(source("element"), 1);
mkSink(Vector.class).setElementAt(source("element"), 2);
vector.copyInto(mkSink(String[].class));
// java.util.Stack
sink(stack.peek());
sink(stack.pop());
sink(stack.push("value")); // not tainted
sink(new Stack().push(source("value"))); // $ hasValueFlow
mkSink(Stack.class).push(source("value"));
// java.util.Queue
sink(queue.element());
sink(queue.peek());
sink(queue.poll());
sink(queue.remove());
mkSink(Queue.class).offer(source("element"));
// java.util.Deque
sink(deque.getFirst());
sink(deque.getLast());
sink(deque.peekFirst());
sink(deque.peekLast());
sink(deque.pollFirst());
sink(deque.pollLast());
sink(deque.removeFirst());
sink(deque.removeLast());
mkSink(Deque.class).addFirst(source("value"));
mkSink(Deque.class).addLast(source("value"));
mkSink(Deque.class).offerFirst(source("value"));
mkSink(Deque.class).offerLast(source("value"));
mkSink(Deque.class).push(source("value"));
// java.util.concurrent.BlockingQueue
sink(blockQueue.poll(10, TimeUnit.SECONDS));
sink(blockQueue.take());
blockQueue.drainTo(mkSink(Collection.class));
blockQueue.drainTo(mkSink(Collection.class), 4);
// java.util.concurrent.TransferQueue
mkSink(TransferQueue.class).transfer(source("value"));
mkSink(TransferQueue.class).tryTransfer(source("value"));
mkSink(TransferQueue.class).tryTransfer(source("value"), 9, TimeUnit.SECONDS);
// java.util.concurrent.BlockingDeque
sink(blockDeque.pollFirst(11, TimeUnit.SECONDS));
sink(blockDeque.pollLast(12, TimeUnit.SECONDS));
sink(blockDeque.takeFirst());
sink(blockDeque.takeLast());
mkSink(BlockingDeque.class).offer(source("value"), 10, TimeUnit.SECONDS);
mkSink(BlockingDeque.class).put(source("value"));
mkSink(BlockingDeque.class).offerFirst(source("value"), 10, TimeUnit.SECONDS);
mkSink(BlockingDeque.class).offerLast(source("value"), 10, TimeUnit.SECONDS);
mkSink(BlockingDeque.class).putFirst(source("value"));
mkSink(BlockingDeque.class).putLast(source("value"));
// java.util.SortedSet
sink(sortedSet.first());
sink(sortedSet.headSet("a"));
sink(sortedSet.last());
sink(sortedSet.subSet("b", "c"));
sink(sortedSet.tailSet("d"));
// java.util.NavigableSet
sink(navSet.ceiling("e"));
sink(navSet.descendingIterator());
sink(navSet.descendingSet());
sink(navSet.floor("f"));
sink(navSet.headSet("g", true));
sink(navSet.higher("h"));
sink(navSet.lower("i"));
sink(navSet.pollFirst());
sink(navSet.pollLast());
sink(navSet.subSet("j", true, "k", false));
sink(navSet.tailSet("l", true));
// java.util.Map
sink(map.computeIfAbsent("key", key -> "result"));
sink(map.entrySet());
sink(map.get("key"));
sink(map.getOrDefault("key", "default"));
sink(map.merge("key", "value", (x, y) -> x + y));
sink(map.put("key", "value"));
sink(map.putIfAbsent("key", "value"));
sink(map.remove("object"));
sink(map.replace("key", "value"));
sink(map.values());
mkSink(Map.class).merge("key", source("v"), (x,y) -> "" + x + y);
mkSink(Map.class).put("key", source("v"));
mkSink(Map.class).putAll(map);
mkSink(Map.class).putIfAbsent("key", source("v"));
mkSink(Map.class).replace("key", source("v"));
mkSink(Map.class).replace("key", "old", source("v"));
mkSink(Map.class).replace("key", source("old"), "v"); // not tainted
// java.util.Map.Entry
sink(entry.getValue());
sink(entry.setValue("value"));
mkSink(Map.Entry.class).setValue(source("value"));
// java.util.SortedMap
sink(sortedMap.headMap("key"));
sink(sortedMap.subMap("key1", "key2"));
sink(sortedMap.tailMap("key"));
// java.util.NavigableMap
sink(navMap.ceilingEntry("key"));
sink(navMap.descendingMap());
sink(navMap.firstEntry());
sink(navMap.floorEntry("key"));
sink(navMap.headMap("key", true));
sink(navMap.higherEntry("key"));
sink(navMap.lastEntry());
sink(navMap.lowerEntry("key"));
sink(navMap.pollFirstEntry());
sink(navMap.pollLastEntry());
sink(navMap.subMap("key1", true, "key2", true));
sink(navMap.tailMap("key", true));
// java.util.concurrent.ConcurrentHashMap
sink(syncHashMap.elements());
sink(syncHashMap.search(10, (k, v) -> v));
sink(syncHashMap.searchEntries(11, e -> e.getValue()));
sink(syncHashMap.searchValues(12, v -> v));
// java.util.Dictionary
sink(dict.elements());
sink(dict.get("object"));
sink(dict.put("key", "value"));
sink(dict.remove("object"));
mkSink(Dictionary.class).put("key", source("value"));
// java.util.Iterator
sink(iter.next());
// java.util.ListIterator
sink(listIter.previous());
mkSink(ListIterator.class).add(source("value"));
mkSink(ListIterator.class).set(source("value"));
// java.util.Enumeration
sink(enumeration.asIterator());
sink(enumeration.nextElement());
}
}

10
java/ql/test/library-tests/dataflow/collections/containerflow.ql
View File

@@ -9,14 +9,8 @@ class SummaryModelTest extends SummaryModelCsv {
row =
[
//"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
";B;false;storeArrayElement;(Object);;Argument[0];ArrayElement of ReturnValue;value",
";B;false;storeElement;(Object);;Argument[0];Element of ReturnValue;value",
";B;false;storeMapKey;(Object);;Argument[0];MapKey of ReturnValue;value",
";B;false;storeMapValue;(Object);;Argument[0];MapValue of ReturnValue;value",
";B;false;readArrayElement;(Object);;ArrayElement of Argument[0];ReturnValue;value",
";B;false;readElement;(Object);;Element of Argument[0];ReturnValue;value",
";B;false;readMapKey;(Object);;MapKey of Argument[0];ReturnValue;value",
";B;false;readMapValue;(Object);;MapValue of Argument[0];ReturnValue;value"
";B;false;readElement;(Spliterator);;Element of Argument[0];ReturnValue;value",
";B;false;readElement;(Stream);;Element of Argument[0];ReturnValue;value"
]
}
}

127
java/ql/test/library-tests/dataflow/collections/flow.expected
View File

@@ -1,130 +1,3 @@
| ContainterTest.java:31:4:31:28 | iterable | ContainterTest.java:54:8:54:26 | iterator(...) |
| ContainterTest.java:31:4:31:28 | iterable | ContainterTest.java:55:8:55:29 | spliterator(...) |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:58:8:58:34 | parallelStream(...) |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:59:8:59:26 | stream(...) |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:60:8:60:27 | toArray(...) |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:61:8:61:45 | toArray(...) |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:62:8:62:40 | toArray(...) |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:63:22:63:43 | mkSink(...) [post update] |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:65:3:65:26 | mkSink(...) [post update] |
| ContainterTest.java:32:4:32:32 | collection | ContainterTest.java:75:3:75:20 | mkSink(...) [post update] |
| ContainterTest.java:33:4:33:20 | list | ContainterTest.java:68:8:68:18 | get(...) |
| ContainterTest.java:33:4:33:20 | list | ContainterTest.java:69:8:69:26 | listIterator(...) |
| ContainterTest.java:33:4:33:20 | list | ContainterTest.java:70:8:70:27 | listIterator(...) |
| ContainterTest.java:33:4:33:20 | list | ContainterTest.java:71:8:71:21 | remove(...) |
| ContainterTest.java:33:4:33:20 | list | ContainterTest.java:72:8:72:27 | set(...) |
| ContainterTest.java:33:4:33:20 | list | ContainterTest.java:73:8:73:25 | subList(...) |
| ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:79:8:79:26 | elementAt(...) |
| ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:80:8:80:24 | elements(...) |
| ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:81:8:81:28 | firstElement(...) |
| ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:82:8:82:27 | lastElement(...) |
| ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:86:19:86:40 | mkSink(...) [post update] |
| ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:89:8:89:19 | peek(...) |
| ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:90:8:90:18 | pop(...) |
| ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:96:8:96:22 | element(...) |
| ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:97:8:97:19 | peek(...) |
| ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:98:8:98:19 | poll(...) |
| ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:99:8:99:21 | remove(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:103:8:103:23 | getFirst(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:104:8:104:22 | getLast(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:105:8:105:24 | peekFirst(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:106:8:106:23 | peekLast(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:107:8:107:24 | pollFirst(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:108:8:108:23 | pollLast(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:109:8:109:26 | removeFirst(...) |
| ContainterTest.java:37:4:37:22 | deque | ContainterTest.java:110:8:110:25 | removeLast(...) |
| ContainterTest.java:38:4:38:35 | blockQueue | ContainterTest.java:118:8:118:44 | poll(...) |
| ContainterTest.java:38:4:38:35 | blockQueue | ContainterTest.java:119:8:119:24 | take(...) |
| ContainterTest.java:38:4:38:35 | blockQueue | ContainterTest.java:120:22:120:45 | mkSink(...) [post update] |
| ContainterTest.java:38:4:38:35 | blockQueue | ContainterTest.java:121:22:121:45 | mkSink(...) [post update] |
| ContainterTest.java:39:4:39:35 | blockDeque | ContainterTest.java:129:8:129:49 | pollFirst(...) |
| ContainterTest.java:39:4:39:35 | blockDeque | ContainterTest.java:130:8:130:48 | pollLast(...) |
| ContainterTest.java:39:4:39:35 | blockDeque | ContainterTest.java:131:8:131:29 | takeFirst(...) |
| ContainterTest.java:39:4:39:35 | blockDeque | ContainterTest.java:132:8:132:28 | takeLast(...) |
| ContainterTest.java:41:4:41:30 | sortedSet | ContainterTest.java:141:8:141:24 | first(...) |
| ContainterTest.java:41:4:41:30 | sortedSet | ContainterTest.java:142:8:142:29 | headSet(...) |
| ContainterTest.java:41:4:41:30 | sortedSet | ContainterTest.java:143:8:143:23 | last(...) |
| ContainterTest.java:41:4:41:30 | sortedSet | ContainterTest.java:144:8:144:33 | subSet(...) |
| ContainterTest.java:41:4:41:30 | sortedSet | ContainterTest.java:145:8:145:29 | tailSet(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:148:8:148:26 | ceiling(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:149:8:149:34 | descendingIterator(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:150:8:150:29 | descendingSet(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:151:8:151:24 | floor(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:152:8:152:32 | headSet(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:153:8:153:25 | higher(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:154:8:154:24 | lower(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:155:8:155:25 | pollFirst(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:156:8:156:24 | pollLast(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:157:8:157:43 | subSet(...) |
| ContainterTest.java:42:4:42:30 | navSet | ContainterTest.java:158:8:158:32 | tailSet(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:161:8:161:50 | computeIfAbsent(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:162:8:162:21 | entrySet(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:163:8:163:21 | get(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:164:8:164:41 | getOrDefault(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:166:8:166:30 | put(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:167:8:167:38 | putIfAbsent(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:168:8:168:27 | remove(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:169:8:169:34 | replace(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:170:8:170:19 | values(...) |
| ContainterTest.java:43:4:43:26 | map | ContainterTest.java:173:3:173:19 | mkSink(...) [post update] |
| ContainterTest.java:44:4:44:34 | entry | ContainterTest.java:180:8:180:23 | getValue(...) |
| ContainterTest.java:44:4:44:34 | entry | ContainterTest.java:181:8:181:30 | setValue(...) |
| ContainterTest.java:45:4:45:38 | sortedMap | ContainterTest.java:184:8:184:31 | headMap(...) |
| ContainterTest.java:45:4:45:38 | sortedMap | ContainterTest.java:185:8:185:39 | subMap(...) |
| ContainterTest.java:45:4:45:38 | sortedMap | ContainterTest.java:186:8:186:31 | tailMap(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:189:8:189:33 | ceilingEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:190:8:190:29 | descendingMap(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:191:8:191:26 | firstEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:192:8:192:31 | floorEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:193:8:193:34 | headMap(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:194:8:194:32 | higherEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:195:8:195:25 | lastEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:196:8:196:31 | lowerEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:197:8:197:30 | pollFirstEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:198:8:198:29 | pollLastEntry(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:199:8:199:48 | subMap(...) |
| ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:200:8:200:34 | tailMap(...) |
| ContainterTest.java:47:4:47:48 | syncHashMap | ContainterTest.java:203:8:203:29 | elements(...) |
| ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:209:8:209:22 | elements(...) |
| ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:210:8:210:25 | get(...) |
| ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:211:8:211:31 | put(...) |
| ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:212:8:212:28 | remove(...) |
| ContainterTest.java:49:4:49:24 | iter | ContainterTest.java:216:8:216:18 | next(...) |
| ContainterTest.java:50:4:50:32 | listIter | ContainterTest.java:219:8:219:26 | previous(...) |
| ContainterTest.java:51:4:51:34 | enumeration | ContainterTest.java:224:8:224:31 | asIterator(...) |
| ContainterTest.java:51:4:51:34 | enumeration | ContainterTest.java:225:8:225:32 | nextElement(...) |
| ContainterTest.java:64:39:64:45 | "value" | ContainterTest.java:64:3:64:26 | mkSink(...) [post update] |
| ContainterTest.java:74:36:74:42 | "value" | ContainterTest.java:74:3:74:20 | mkSink(...) [post update] |
| ContainterTest.java:76:36:76:42 | "value" | ContainterTest.java:76:3:76:20 | mkSink(...) [post update] |
| ContainterTest.java:83:42:83:50 | "element" | ContainterTest.java:83:3:83:22 | mkSink(...) [post update] |
| ContainterTest.java:84:47:84:55 | "element" | ContainterTest.java:84:3:84:22 | mkSink(...) [post update] |
| ContainterTest.java:85:44:85:52 | "element" | ContainterTest.java:85:3:85:22 | mkSink(...) [post update] |
| ContainterTest.java:92:32:92:38 | "value" | ContainterTest.java:92:8:92:40 | push(...) |
| ContainterTest.java:93:35:93:41 | "value" | ContainterTest.java:93:3:93:21 | mkSink(...) [post update] |
| ContainterTest.java:100:36:100:44 | "element" | ContainterTest.java:100:3:100:21 | mkSink(...) [post update] |
| ContainterTest.java:111:39:111:45 | "value" | ContainterTest.java:111:3:111:21 | mkSink(...) [post update] |
| ContainterTest.java:112:38:112:44 | "value" | ContainterTest.java:112:3:112:21 | mkSink(...) [post update] |
| ContainterTest.java:113:41:113:47 | "value" | ContainterTest.java:113:3:113:21 | mkSink(...) [post update] |
| ContainterTest.java:114:40:114:46 | "value" | ContainterTest.java:114:3:114:21 | mkSink(...) [post update] |
| ContainterTest.java:115:35:115:41 | "value" | ContainterTest.java:115:3:115:21 | mkSink(...) [post update] |
| ContainterTest.java:124:47:124:53 | "value" | ContainterTest.java:124:3:124:29 | mkSink(...) [post update] |
| ContainterTest.java:125:50:125:56 | "value" | ContainterTest.java:125:3:125:29 | mkSink(...) [post update] |
| ContainterTest.java:126:50:126:56 | "value" | ContainterTest.java:126:3:126:29 | mkSink(...) [post update] |
| ContainterTest.java:133:44:133:50 | "value" | ContainterTest.java:133:3:133:29 | mkSink(...) [post update] |
| ContainterTest.java:134:42:134:48 | "value" | ContainterTest.java:134:3:134:29 | mkSink(...) [post update] |
| ContainterTest.java:135:49:135:55 | "value" | ContainterTest.java:135:3:135:29 | mkSink(...) [post update] |
| ContainterTest.java:136:48:136:54 | "value" | ContainterTest.java:136:3:136:29 | mkSink(...) [post update] |
| ContainterTest.java:137:47:137:53 | "value" | ContainterTest.java:137:3:137:29 | mkSink(...) [post update] |
| ContainterTest.java:138:46:138:52 | "value" | ContainterTest.java:138:3:138:29 | mkSink(...) [post update] |
| ContainterTest.java:171:41:171:43 | "v" | ContainterTest.java:171:3:171:19 | mkSink(...) [post update] |
| ContainterTest.java:172:39:172:41 | "v" | ContainterTest.java:172:3:172:19 | mkSink(...) [post update] |
| ContainterTest.java:174:47:174:49 | "v" | ContainterTest.java:174:3:174:19 | mkSink(...) [post update] |
| ContainterTest.java:175:43:175:45 | "v" | ContainterTest.java:175:3:175:19 | mkSink(...) [post update] |
| ContainterTest.java:176:50:176:52 | "v" | ContainterTest.java:176:3:176:19 | mkSink(...) [post update] |
| ContainterTest.java:182:43:182:49 | "value" | ContainterTest.java:182:3:182:25 | mkSink(...) [post update] |
| ContainterTest.java:213:46:213:52 | "value" | ContainterTest.java:213:3:213:26 | mkSink(...) [post update] |
| ContainterTest.java:220:41:220:47 | "value" | ContainterTest.java:220:3:220:28 | mkSink(...) [post update] |
| ContainterTest.java:221:41:221:47 | "value" | ContainterTest.java:221:3:221:28 | mkSink(...) [post update] |
| Test.java:13:18:13:24 | tainted | Test.java:15:10:15:11 | x2 |
| Test.java:13:18:13:24 | tainted | Test.java:18:10:18:11 | x3 |
| Test.java:13:18:13:24 | tainted | Test.java:22:12:22:13 | x4 |

2
java/ql/test/library-tests/dataflow/taintsources/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x

2
java/ql/test/library-tests/dependency-counts/PrintAst.expected
View File

@@ -3,7 +3,7 @@ Example.java:
#-----| -1: (Imports)
# 1| 1: [ImportType] import Set
# 2| 2: [ImportType] import List
# 4| 1: [Interface] Example
# 4| 1: [GenericType,Interface,ParameterizedType] Example
#-----| -2: (Generic Parameters)
# 4| 0: [TypeVariable] A
#-----| -1: (Base Types)

2
java/ql/test/library-tests/dependency/PrintAst.expected
View File

@@ -1,6 +1,6 @@
dependency/A.java:
# 0| [CompilationUnit] A
# 3| 1: [Class] A
# 3| 1: [Class,GenericType,ParameterizedType] A
#-----| -2: (Generic Parameters)
# 3| 0: [TypeVariable] T
# 6| 2: [Class] B

10
java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
View File

@@ -160,12 +160,16 @@ public class JakartaRsFlow {
void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List<String>> map2, List<String> list) {
map1.put(taint(), list);
AbstractMultivaluedMap<String, String> amm1 = new MyAbstractMultivaluedMapJak<String, String>(map1);
sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow
sink(amm1.keySet().iterator().next()); // $ hasValueFlow
list.add(taint());
map2.put("key", list);
AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMapJak<String, String>(map2);
sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow
sink(amm2.get("key").get(0)); // $ hasValueFlow
AbstractMultivaluedMap<String, String> amm3 = new MyAbstractMultivaluedMapJak<String, String>(null);
amm3.put("key", list);
sink(amm3.get("key").get(0)); // $ hasValueFlow
}
void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,
@@ -407,4 +411,4 @@ public class JakartaRsFlow {
class DummyJakarta {
private static Set<String> foo() { return null; }
}
}

20
java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
View File

@@ -24,8 +24,16 @@ class JaxRsTest extends InlineExpectationsTest {
resourceMethod.getLocation() = location and
element = resourceMethod.toString() and
if exists(resourceMethod.getProducesAnnotation())
then value = resourceMethod.getProducesAnnotation().getADeclaredContentType()
else value = ""
then
value = resourceMethod.getProducesAnnotation().getADeclaredContentType() and
value != ""
else
// Filter out empty strings that stem from using stubs.
// If we built the test against the real JAR then the field
// access against e.g. MediaType.APPLICATION_JSON wouldn't
// be a CompileTimeConstantExpr at all, whereas in the stubs
// it is and is defined empty.
value = ""
)
or
tag = "RootResourceClass" and
@@ -135,7 +143,13 @@ class JaxRsTest extends InlineExpectationsTest {
exists(JaxRSProducesAnnotation producesAnnotation |
producesAnnotation.getLocation() = location and
element = producesAnnotation.toString() and
value = producesAnnotation.getADeclaredContentType()
value = producesAnnotation.getADeclaredContentType() and
value != ""
// Filter out empty strings that stem from using stubs.
// If we built the test against the real JAR then the field
// access against e.g. MediaType.APPLICATION_JSON wouldn't
// be a CompileTimeConstantExpr at all, whereas in the stubs
// it is and is defined empty.
)
or
tag = "ConsumesAnnotation" and

4
java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
View File

@@ -160,12 +160,12 @@ public class JaxRsFlow {
void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List<String>> map2, List<String> list) {
map1.put(taint(), list);
AbstractMultivaluedMap<String, String> amm1 = new MyAbstractMultivaluedMap<String, String>(map1);
sink(amm1.keySet().iterator().next()); // $ MISSING: hasValueFlow
sink(amm1.keySet().iterator().next()); // $ hasValueFlow
list.add(taint());
map2.put("key", list);
AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMap<String, String>(map2);
sink(amm2.get("key").get(0)); // $ MISSING: hasValueFlow SPURIOUS: hasTaintFlow
sink(amm2.get("key").get(0)); // $ hasValueFlow
}
void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,

4
java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
View File

@@ -12,6 +12,8 @@ class TaintFlowConf extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node n) {
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
}
override int fieldFlowBranchLimit() { result = 1000 }
}
class ValueFlowConf extends DataFlow::Configuration {
@@ -24,6 +26,8 @@ class ValueFlowConf extends DataFlow::Configuration {
override predicate isSink(DataFlow::Node n) {
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
}
override int fieldFlowBranchLimit() { result = 1000 }
}
class HasFlowTest extends InlineExpectationsTest {

178
java/ql/test/library-tests/frameworks/android/taint-database/FlowSteps.java
View File

@@ -1,5 +1,7 @@
import java.util.Map;
import java.util.Set;
import java.util.HashSet;
import java.util.HashMap;
import android.content.ContentProvider;
import android.content.ContentResolver;
@@ -26,156 +28,166 @@ public class FlowSteps {
// Dummy class to test for sub classes
}
public static String[] appendSelectionArgs() {
String[] originalValues = taint();
String[] newValues = taint();
return DatabaseUtils.appendSelectionArgs(originalValues, newValues);
public static String appendSelectionArgs() {
String[] originalValues = {taint()}; // $taintReachesReturn
String[] newValues = {taint()}; // $taintReachesReturn
return DatabaseUtils.appendSelectionArgs(originalValues, newValues)[0];
}
public static String concatenateWhere() {
String a = taint();
String b = taint();
String a = taint(); // $taintReachesReturn
String b = taint(); // $taintReachesReturn
return DatabaseUtils.concatenateWhere(a, b);
}
public static String buildQueryString(MySQLiteQueryBuilder target) {
target = taint();
boolean distinct = taint();
String tables = taint();
String[] columns = taint();
String where = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String limit = taint();
boolean distinct = taint();
String tables = taint(); // $taintReachesReturn
String[] columns = {taint()}; // $taintReachesReturn
String where = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String orderBy = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
return SQLiteQueryBuilder.buildQueryString(distinct, tables, columns, where, groupBy, having, orderBy, limit);
}
public static String buildQuery(MySQLiteQueryBuilder target) {
target = taint();
String[] projectionIn = taint();
String selection = taint();
String groupBy = taint();
String having = taint();
String sortOrder = taint();
String limit = taint();
target = taint(); // $taintReachesReturn
String[] projectionIn = {taint()}; // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
return target.buildQuery(projectionIn, selection, groupBy, having, sortOrder, limit);
}
public static String buildQuery2(MySQLiteQueryBuilder target) {
target = taint();
String[] projectionIn = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String sortOrder = taint();
String limit = taint();
target = taint(); // $taintReachesReturn
String[] projectionIn = {taint()}; // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
return target.buildQuery(projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
}
public static String buildUnionQuery(MySQLiteQueryBuilder target) {
target = taint();
String[] subQueries = taint();
String sortOrder = taint();
String limit = taint();
target = taint(); // $taintReachesReturn
String[] subQueries = {taint()}; // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
return target.buildUnionQuery(subQueries, sortOrder, limit);
}
public static String buildUnionSubQuery2(MySQLiteQueryBuilder target) {
target = taint();
String typeDiscriminatorColumn = taint();
String[] unionColumns = taint();
Set<String> columnsPresentInTable = taint();
target = taint(); // $taintReachesReturn
String typeDiscriminatorColumn = taint(); // $taintReachesReturn
String[] unionColumns = {taint()}; // $taintReachesReturn
Set<String> columnsPresentInTable = new HashSet();
columnsPresentInTable.add(taint()); // $taintReachesReturn
int computedColumnsOffset = taint();
String typeDiscriminatorValue = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String typeDiscriminatorValue = taint(); // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable,
computedColumnsOffset, typeDiscriminatorValue, selection, selectionArgs, groupBy, having);
}
public static void buildUnionSubQuery3(MySQLiteQueryBuilder target) {
target = taint();
String typeDiscriminatorColumn = taint();
String[] unionColumns = taint();
Set<String> columnsPresentInTable = taint();
public static String buildUnionSubQuery3(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String typeDiscriminatorColumn = taint(); // $taintReachesReturn
String[] unionColumns = {taint()}; // $taintReachesReturn
Set<String> columnsPresentInTable = new HashSet();
columnsPresentInTable.add(taint()); // $taintReachesReturn
int computedColumnsOffset = taint();
String typeDiscriminatorValue = taint();
String selection = taint();
String groupBy = taint();
String having = taint();
target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable, computedColumnsOffset,
String typeDiscriminatorValue = taint(); // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable, computedColumnsOffset,
typeDiscriminatorValue, selection, groupBy, having);
}
public static Cursor query(MyContentResolver target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
Uri uri = taint(); // $taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
}
public static Cursor query(MyContentProvider target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
Uri uri = taint(); // $taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
}
public static Cursor query2(MyContentResolver target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
Uri uri = taint(); // $taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static Cursor query2(MyContentProvider target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
Uri uri = taint(); // $taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static void appendColumns() {
StringBuilder s = taint();
String[] columns = taint();
public static StringBuilder appendColumns() {
StringBuilder s = taint(); // $taintReachesReturn
String[] columns = {taint()}; // $taintReachesReturn
SQLiteQueryBuilder.appendColumns(s, columns);
return s;
}
public static void setProjectionMap(MySQLiteQueryBuilder target) {
target = taint();
Map<String, String> columnMap = taint();
public static SQLiteQueryBuilder setProjectionMap(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
Map<String, String> columnMap = new HashMap();
String k = taint(); // $taintReachesReturn
String v = taint(); // $taintReachesReturn
columnMap.put(k, v);
target.setProjectionMap(columnMap);
return target;
}
public static void setTables(MySQLiteQueryBuilder target) {
target = taint();
String inTables = taint();
public static SQLiteQueryBuilder setTables(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String inTables = taint(); // $taintReachesReturn
target.setTables(inTables);
return target;
}
public static void appendWhere(MySQLiteQueryBuilder target) {
target = taint();
CharSequence inWhere = taint();
public static SQLiteQueryBuilder appendWhere(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
CharSequence inWhere = taint(); // $taintReachesReturn
target.appendWhere(inWhere);
return target;
}
public static void appendWhereStandalone(MySQLiteQueryBuilder target) {
target = taint();
CharSequence inWhere = taint();
public static SQLiteQueryBuilder appendWhereStandalone(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
CharSequence inWhere = taint(); // $taintReachesReturn
target.appendWhereStandalone(inWhere);
return target;
}
}

264
java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
View File

@@ -25,58 +25,58 @@ public class Sinks {
}
public static void compileStatement(SQLiteDatabase target) {
String sql = taint();
String sql = taint(); // $taintReachesSink
target.compileStatement(sql);
}
public static void delete1(MySQLiteQueryBuilder target) {
target = taint();;
target = taint(); // $taintReachesSink
SQLiteDatabase db = taint();
String selection = taint();
String[] selectionArgs = taint();
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.delete(db, selection, selectionArgs);
}
public static void delete(SQLiteDatabase target) {
String table = taint();
String whereClause = taint();
String[] whereArgs = taint();
String table = taint(); // $taintReachesSink
String whereClause = taint(); // $taintReachesSink
String[] whereArgs = {taint()};
target.delete(table, whereClause, whereArgs);
}
public static void delete(MyContentResolver target) {
Uri uri = taint();
String selection = taint();
String[] selectionArgs = taint();
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.delete(uri, selection, selectionArgs);
}
public static void delete(MyContentProvider target) {
Uri uri = taint();
String selection = taint();
String[] selectionArgs = taint();
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.delete(uri, selection, selectionArgs);
}
public static void execPerConnectionSQL(SQLiteDatabase target) {
String sql = taint();
Object[] bindArgs = taint();
String sql = taint(); // $taintReachesSink
Object[] bindArgs = {taint()};
target.execPerConnectionSQL(sql, bindArgs);
}
public static void execSQL(SQLiteDatabase target) {
String sql = taint();
String sql = taint(); // $taintReachesSink
target.execSQL(sql);
}
public static void execSQL2(SQLiteDatabase target) {
String sql = taint();
Object[] bindArgs = taint();
String sql = taint(); // $taintReachesSink
Object[] bindArgs = {taint()};
target.execSQL(sql, bindArgs);
}
public static void insert(MySQLiteQueryBuilder target) {
target = taint();;
target = taint(); // $taintReachesSink
SQLiteDatabase db = taint();
ContentValues values = taint();
target.insert(db, values);
@@ -84,108 +84,108 @@ public class Sinks {
public static void query(SQLiteDatabase target) {
boolean distinct = taint();
String table = taint();
String[] columns = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String limit = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
}
public static void query2(SQLiteDatabase target) {
boolean distinct = taint();
String table = taint();
String[] columns = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String limit = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
CancellationSignal cancellationSignal = taint();
target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit,
cancellationSignal);
}
public static void query3(SQLiteDatabase target) {
String table = taint();
String[] columns = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy);
}
public static void query4(SQLiteDatabase target) {
String table = taint();
String[] columns = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String limit = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
}
public static void query(MySQLiteQueryBuilder target) {
target = taint();;
target = taint(); // $taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String sortOrder = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder);
}
public static void query2(MySQLiteQueryBuilder target) {
target = taint();;
target = taint(); // $taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String sortOrder = taint();
String limit = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
}
public static void query3(MySQLiteQueryBuilder target) {
target = taint();;
target = taint(); // $taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String sortOrder = taint();
String limit = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
CancellationSignal cancellationSignal = taint();
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit, cancellationSignal);
}
public static void query3(MyContentProvider target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static void query(MyContentProvider target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
@@ -193,18 +193,18 @@ public class Sinks {
public static void query3(MyContentResolver target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static void query(MyContentResolver target) {
Uri uri = taint();
String[] projection = taint();
String selection = taint();
String[] selectionArgs = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
@@ -213,14 +213,14 @@ public class Sinks {
public static void queryWithFactory(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
boolean distinct = taint();
String table = taint();
String[] columns = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String limit = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
orderBy, limit);
}
@@ -228,103 +228,103 @@ public class Sinks {
public static void queryWithFactory2(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
boolean distinct = taint();
String table = taint();
String[] columns = taint();
String selection = taint();
String[] selectionArgs = taint();
String groupBy = taint();
String having = taint();
String orderBy = taint();
String limit = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
CancellationSignal cancellationSignal = taint();
target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
orderBy, limit, cancellationSignal);
}
public static void rawQuery(SQLiteDatabase target) {
String sql = taint();
String[] selectionArgs = taint();
String sql = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.rawQuery(sql, selectionArgs);
}
public static void rawQuery2(SQLiteDatabase target) {
String sql = taint();
String[] selectionArgs = taint();
String sql = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
CancellationSignal cancellationSignal = taint();
target.rawQuery(sql, selectionArgs, cancellationSignal);
}
public static void rawQueryWithFactory(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
String sql = taint();
String[] selectionArgs = taint();
String sql = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String editTable = taint();
target.rawQueryWithFactory(cursorFactory, sql, selectionArgs, editTable);
}
public static void rawQueryWithFactory2(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
String sql = taint();
String[] selectionArgs = taint();
String sql = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
String editTable = taint();
CancellationSignal cancellationSignal = taint();
target.rawQueryWithFactory(cursorFactory, sql, selectionArgs, editTable, cancellationSignal);
}
public static void update(MySQLiteQueryBuilder target) {
target = taint();;
target = taint(); // $taintReachesSink
SQLiteDatabase db = taint();
ContentValues values = taint();
String selection = taint();
String[] selectionArgs = taint();
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.update(db, values, selection, selectionArgs);
}
public static void update(SQLiteDatabase target) {
String table = taint();
String table = taint(); // $taintReachesSink
ContentValues values = taint();
String whereClause = taint();
String[] whereArgs = taint();
String whereClause = taint(); // $taintReachesSink
String[] whereArgs = {taint()};
target.update(table, values, whereClause, whereArgs);
}
public static void update(MyContentResolver target) {
Uri uri = taint();
ContentValues values = taint();
String selection = taint();
String[] selectionArgs = taint();
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.update(uri, values, selection, selectionArgs);
}
public static void update(MyContentProvider target) {
Uri uri = taint();
ContentValues values = taint();
String selection = taint();
String[] selectionArgs = taint();
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
target.update(uri, values, selection, selectionArgs);
}
public static void updateWithOnConflict(SQLiteDatabase target) {
String table = taint();
String table = taint(); // $taintReachesSink
ContentValues values = taint();
String whereClause = taint();
String[] whereArgs = taint();
String whereClause = taint(); // $taintReachesSink
String[] whereArgs = {taint()};
int conflictAlgorithm = taint();
target.updateWithOnConflict(table, values, whereClause, whereArgs, conflictAlgorithm);
}
public static void queryNumEntries() {
SQLiteDatabase db = taint();
String table = taint();
String selection = taint();
String table = taint(); // $taintReachesSink
String selection = taint(); // $taintReachesSink
DatabaseUtils.queryNumEntries(db, table, selection);
}
public static void queryNumEntries2() {
SQLiteDatabase db = taint();
String table = taint();
String selection = taint();
String[] selectionArgs = taint();
String table = taint(); // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.queryNumEntries(db, table, selection, selectionArgs);
}
@@ -332,28 +332,28 @@ public class Sinks {
Context context = taint();
String dbName = taint();
int dbVersion = taint();
String sqlStatements = taint();
String sqlStatements = taint(); // $taintReachesSink
DatabaseUtils.createDbFromSqlStatements(context, dbName, dbVersion, sqlStatements);
}
public static void blobFileDescriptorForQuery() {
SQLiteDatabase db = taint();
String query = taint();
String[] selectionArgs = taint();
String query = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.blobFileDescriptorForQuery(db, query, selectionArgs);
}
public static void longForQuery() {
SQLiteDatabase db = taint();
String query = taint();
String[] selectionArgs = taint();
String query = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.longForQuery(db, query, selectionArgs);
}
public static void stringForQuery() {
SQLiteDatabase db = taint();
String query = taint();
String[] selectionArgs = taint();
String query = taint(); // $taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.stringForQuery(db, query, selectionArgs);
}
}

56
java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.expected
View File

@@ -1,56 +0,0 @@
| FlowSteps.java:32:44:32:57 | originalValues | FlowSteps.java:32:10:32:69 | appendSelectionArgs(...) |
| FlowSteps.java:32:60:32:68 | newValues | FlowSteps.java:32:10:32:69 | appendSelectionArgs(...) |
| FlowSteps.java:38:41:38:41 | a | FlowSteps.java:38:10:38:45 | concatenateWhere(...) |
| FlowSteps.java:38:44:38:44 | b | FlowSteps.java:38:10:38:45 | concatenateWhere(...) |
| FlowSteps.java:51:56:51:61 | tables | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:51:64:51:70 | columns | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:51:73:51:77 | where | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:51:80:51:86 | groupBy | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:51:89:51:94 | having | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:51:97:51:103 | orderBy | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:51:106:51:110 | limit | FlowSteps.java:51:10:51:111 | buildQueryString(...) |
| FlowSteps.java:62:10:62:15 | target | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:62:28:62:39 | projectionIn | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:62:42:62:50 | selection | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:62:53:62:59 | groupBy | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:62:62:62:67 | having | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:62:70:62:78 | sortOrder | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:62:81:62:85 | limit | FlowSteps.java:62:10:62:86 | buildQuery(...) |
| FlowSteps.java:74:10:74:15 | target | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:28:74:39 | projectionIn | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:42:74:50 | selection | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:53:74:65 | selectionArgs | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:68:74:74 | groupBy | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:77:74:82 | having | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:85:74:93 | sortOrder | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:74:96:74:100 | limit | FlowSteps.java:74:10:74:101 | buildQuery(...) |
| FlowSteps.java:82:10:82:15 | target | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
| FlowSteps.java:82:33:82:42 | subQueries | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
| FlowSteps.java:82:45:82:53 | sortOrder | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
| FlowSteps.java:82:56:82:60 | limit | FlowSteps.java:82:10:82:61 | buildUnionQuery(...) |
| FlowSteps.java:96:10:96:15 | target | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:96:36:96:58 | typeDiscriminatorColumn | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:96:61:96:72 | unionColumns | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:96:75:96:95 | columnsPresentInTable | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:97:28:97:49 | typeDiscriminatorValue | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:97:52:97:60 | selection | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:97:63:97:75 | selectionArgs | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:97:78:97:84 | groupBy | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:97:87:97:92 | having | FlowSteps.java:96:10:97:93 | buildUnionSubQuery(...) |
| FlowSteps.java:110:3:110:8 | target | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:110:29:110:51 | typeDiscriminatorColumn | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:110:54:110:65 | unionColumns | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:110:68:110:88 | columnsPresentInTable | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:111:5:111:26 | typeDiscriminatorValue | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:111:29:111:37 | selection | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:111:40:111:46 | groupBy | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:111:49:111:54 | having | FlowSteps.java:110:3:111:55 | buildUnionSubQuery(...) |
| FlowSteps.java:121:23:121:25 | uri | FlowSteps.java:121:10:121:95 | query(...) |
| FlowSteps.java:131:23:131:25 | uri | FlowSteps.java:131:10:131:95 | query(...) |
| FlowSteps.java:140:23:140:25 | uri | FlowSteps.java:140:10:140:75 | query(...) |
| FlowSteps.java:149:23:149:25 | uri | FlowSteps.java:149:10:149:75 | query(...) |
| FlowSteps.java:155:39:155:45 | columns | FlowSteps.java:155:36:155:36 | s [post update] |
| FlowSteps.java:161:27:161:35 | columnMap | FlowSteps.java:161:3:161:8 | target [post update] |
| FlowSteps.java:167:20:167:27 | inTables | FlowSteps.java:167:3:167:8 | target [post update] |
| FlowSteps.java:173:22:173:28 | inWhere | FlowSteps.java:173:3:173:8 | target [post update] |
| FlowSteps.java:179:32:179:38 | inWhere | FlowSteps.java:179:3:179:8 | target [post update] |

27
java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql
View File

@@ -2,21 +2,30 @@ import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
import TestUtilities.InlineExpectationsTest
class Conf extends TaintTracking::Configuration {
Conf() { this = "qltest:dataflow:android::flow" }
override predicate isSource(DataFlow::Node source) {
exists(VarAccess va, MethodAccess ma |
source.asExpr() = va and
va.getVariable().getAnAssignedValue() = ma and
ma.getMethod().hasName("taint")
)
source.asExpr().(MethodAccess).getMethod().hasName("taint")
}
override predicate isSink(DataFlow::Node sink) { not isSource(sink) }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ReturnStmt r).getResult() }
}
from DataFlow::Node source, DataFlow::Node sink, Conf config
where config.hasFlow(source, sink) and sink.getLocation().getFile().getBaseName() = "FlowSteps.java"
select source, sink
class FlowStepTest extends InlineExpectationsTest {
FlowStepTest() { this = "FlowStepTest" }
override string getARelevantTag() { result = "taintReachesReturn" }
override predicate hasActualResult(Location l, string element, string tag, string value) {
tag = "taintReachesReturn" and
value = "" and
exists(Conf conf, DataFlow::Node source, DataFlow::Node sink |
conf.hasFlow(source, sink) and
l = source.getLocation() and
element = source.toString()
)
}
}

88
java/ql/test/library-tests/frameworks/android/taint-database/sinks.expected
View File

@@ -1,88 +0,0 @@
| Sinks.java:29:27:29:29 | sql |
| Sinks.java:37:3:37:8 | target |
| Sinks.java:37:21:37:29 | selection |
| Sinks.java:44:24:44:34 | whereClause |
| Sinks.java:51:22:51:30 | selection |
| Sinks.java:58:22:58:30 | selection |
| Sinks.java:64:31:64:33 | sql |
| Sinks.java:69:18:69:20 | sql |
| Sinks.java:75:18:75:20 | sql |
| Sinks.java:82:3:82:8 | target |
| Sinks.java:95:26:95:30 | table |
| Sinks.java:95:33:95:39 | columns |
| Sinks.java:95:42:95:50 | selection |
| Sinks.java:95:68:95:74 | groupBy |
| Sinks.java:95:77:95:82 | having |
| Sinks.java:95:85:95:91 | orderBy |
| Sinks.java:95:94:95:98 | limit |
| Sinks.java:109:26:109:30 | table |
| Sinks.java:109:33:109:39 | columns |
| Sinks.java:109:42:109:50 | selection |
| Sinks.java:109:68:109:74 | groupBy |
| Sinks.java:109:77:109:82 | having |
| Sinks.java:109:85:109:91 | orderBy |
| Sinks.java:109:94:109:98 | limit |
| Sinks.java:121:16:121:20 | table |
| Sinks.java:121:23:121:29 | columns |
| Sinks.java:121:32:121:40 | selection |
| Sinks.java:121:58:121:64 | groupBy |
| Sinks.java:121:67:121:72 | having |
| Sinks.java:121:75:121:81 | orderBy |
| Sinks.java:133:16:133:20 | table |
| Sinks.java:133:23:133:29 | columns |
| Sinks.java:133:32:133:40 | selection |
| Sinks.java:133:58:133:64 | groupBy |
| Sinks.java:133:67:133:72 | having |
| Sinks.java:133:75:133:81 | orderBy |
| Sinks.java:133:84:133:88 | limit |
| Sinks.java:145:3:145:8 | target |
| Sinks.java:145:34:145:42 | selection |
| Sinks.java:145:60:145:66 | groupBy |
| Sinks.java:145:69:145:74 | having |
| Sinks.java:145:77:145:85 | sortOrder |
| Sinks.java:158:3:158:8 | target |
| Sinks.java:158:34:158:42 | selection |
| Sinks.java:158:60:158:66 | groupBy |
| Sinks.java:158:69:158:74 | having |
| Sinks.java:158:77:158:85 | sortOrder |
| Sinks.java:158:88:158:92 | limit |
| Sinks.java:172:3:172:8 | target |
| Sinks.java:172:34:172:42 | selection |
| Sinks.java:172:60:172:66 | groupBy |
| Sinks.java:172:69:172:74 | having |
| Sinks.java:172:77:172:85 | sortOrder |
| Sinks.java:172:88:172:92 | limit |
| Sinks.java:181:33:181:41 | selection |
| Sinks.java:191:33:191:41 | selection |
| Sinks.java:200:33:200:41 | selection |
| Sinks.java:210:33:210:41 | selection |
| Sinks.java:224:52:224:56 | table |
| Sinks.java:224:59:224:65 | columns |
| Sinks.java:224:68:224:76 | selection |
| Sinks.java:224:94:224:100 | groupBy |
| Sinks.java:224:103:224:108 | having |
| Sinks.java:225:5:225:11 | orderBy |
| Sinks.java:225:14:225:18 | limit |
| Sinks.java:240:52:240:56 | table |
| Sinks.java:240:59:240:65 | columns |
| Sinks.java:240:68:240:76 | selection |
| Sinks.java:240:94:240:100 | groupBy |
| Sinks.java:240:103:240:108 | having |
| Sinks.java:241:5:241:11 | orderBy |
| Sinks.java:241:14:241:18 | limit |
| Sinks.java:247:19:247:21 | sql |
| Sinks.java:254:19:254:21 | sql |
| Sinks.java:262:45:262:47 | sql |
| Sinks.java:271:45:271:47 | sql |
| Sinks.java:280:3:280:8 | target |
| Sinks.java:280:29:280:37 | selection |
| Sinks.java:288:32:288:42 | whereClause |
| Sinks.java:296:30:296:38 | selection |
| Sinks.java:304:30:304:38 | selection |
| Sinks.java:313:46:313:56 | whereClause |
| Sinks.java:320:44:320:52 | selection |
| Sinks.java:328:44:328:52 | selection |
| Sinks.java:336:71:336:83 | sqlStatements |
| Sinks.java:343:48:343:52 | query |
| Sinks.java:350:34:350:38 | query |
| Sinks.java:357:36:357:40 | query |

32
java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql
View File

@@ -1,5 +1,31 @@
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
import TestUtilities.InlineExpectationsTest
from QueryInjectionSink sink
where sink.getLocation().getFile().getBaseName() = "Sinks.java"
select sink
class Conf extends TaintTracking::Configuration {
Conf() { this = "qltest:dataflow:android::flow" }
override predicate isSource(DataFlow::Node source) {
source.asExpr().(MethodAccess).getMethod().hasName("taint")
}
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
}
class SinkTest extends InlineExpectationsTest {
SinkTest() { this = "SinkTest" }
override string getARelevantTag() { result = "taintReachesSink" }
override predicate hasActualResult(Location l, string element, string tag, string value) {
tag = "taintReachesSink" and
value = "" and
exists(Conf conf, DataFlow::Node source, DataFlow::Node sink |
conf.hasFlow(source, sink) and
l = source.getLocation() and
element = source.toString()
)
}
}

990
java/ql/test/library-tests/frameworks/apache-collections/Test.java Normal file
View File

@@ -0,0 +1,990 @@
package generatedtest;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.Vector;
import org.apache.commons.collections4.Factory;
import org.apache.commons.collections4.IterableMap;
import org.apache.commons.collections4.IterableSortedMap;
import org.apache.commons.collections4.KeyValue;
import org.apache.commons.collections4.MapUtils;
import org.apache.commons.collections4.MultiMap;
import org.apache.commons.collections4.OrderedMap;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.keyvalue.AbstractKeyValue;
import org.apache.commons.collections4.keyvalue.AbstractMapEntry;
import org.apache.commons.collections4.keyvalue.AbstractMapEntryDecorator;
import org.apache.commons.collections4.keyvalue.DefaultKeyValue;
import org.apache.commons.collections4.keyvalue.DefaultMapEntry;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import org.apache.commons.collections4.keyvalue.UnmodifiableMapEntry;
import org.apache.commons.collections4.map.MultiValueMap;
//Test case generated by GenerateFlowTestCase.ql
public class Test {
static Object getMapKey(AbstractKeyValue container) { return container.getKey(); }
static Object getMapKeyFromEntry(Map.Entry container) { return container.getKey(); }
static Object getMapKey(AbstractMapEntryDecorator container) { return container.getKey(); }
static Object getMapKey(Map container) { return container.keySet().iterator().next(); }
static Object getMapValue(AbstractKeyValue container) { return container.getValue(); }
static Object getMapValueFromEntry(Map.Entry container) { return container.getValue(); }
static Object getMapValue(AbstractMapEntryDecorator container) { return container.getValue(); }
static Object getMapValue(Map container) { return container.get(null); }
Object[] newWithArrayElement(Object element) { return new Object[] {element}; }
Iterable<String> newWithElement(String element) { Vector<String> v = new Vector<String>(); v.add(element); return v; }
MyAbstractKeyValue newMAKVWithMapKey(Object element) { return new MyAbstractKeyValue(element,null); }
DefaultKeyValue newDKVWithMapKey(Object element) { return new DefaultKeyValue(element,null); }
MyAbstractMapEntry newMAMEWithMapKey(Object element) { return new MyAbstractMapEntry(element,null); }
MyAbstractMapEntryDecorator newMAMEDWithMapKey(Object element) { return new MyAbstractMapEntryDecorator(newMAMEWithMapKey(element)); }
ResourceBundle newRBWithMapKey(Object element) { return (ResourceBundle)null; }
SortedMap newTreeMapWithMapKey(Object element) { SortedMap m = new TreeMap(); m.put(element,null); return m; }
TiedMapEntry newTMEWithMapKey(Object element) { return new TiedMapEntry(newTreeMapWithMapKey(element),element); }
MyAbstractKeyValue newMAKVWithMapValue(Object element) { return new MyAbstractKeyValue(null,element); }
DefaultKeyValue newDKVWithMapValue(Object element) { return new DefaultKeyValue(null,element); }
MyAbstractMapEntry newMAMEWithMapValue(Object element) { return new MyAbstractMapEntry(null,element); }
MyAbstractMapEntryDecorator newMAMEDWithMapValue(Object element) { return new MyAbstractMapEntryDecorator(newMAMEWithMapValue(element)); }
ResourceBundle newRBWithMapValue(Object element) { return (ResourceBundle)null; }
SortedMap newTreeMapWithMapValue(Object element) { SortedMap m = new TreeMap(); m.put(null,element); return m; }
TiedMapEntry newTMEWithMapValue(Object element) { return new TiedMapEntry(newTreeMapWithMapValue(element),null); }
UnmodifiableMapEntry newUMEWithMapValue(Object element) { return new UnmodifiableMapEntry(null,element); }
Object source() { return null; }
void sink(Object o) { }
class MyAbstractKeyValue<K, V> extends AbstractKeyValue<K, V> {
MyAbstractKeyValue(K key, V value) {
super(key, value);
}
K mySetKey(final K key) {
return super.setKey(key);
}
V mySetValue(final V value) {
return super.setValue(value);
}
}
class MyAbstractMapEntry<K, V> extends AbstractMapEntry<K, V> {
MyAbstractMapEntry(final K key, final V value) {
super(key, value);
}
@Override
public K getKey() { return null; }
@Override
public V getValue() { return null; }
}
class MyAbstractMapEntryDecorator<K, V> extends AbstractMapEntryDecorator<K, V> {
MyAbstractMapEntryDecorator(final Map.Entry<K, V> entry) {
super(entry);
}
Map.Entry<K, V> myGetMapEntry() {
return super.getMapEntry();
}
}
public void test() {
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;AbstractKeyValue;;;Argument[0];MapKey of Argument[-1];value"
AbstractKeyValue out = null;
Object in = source();
out = new MyAbstractKeyValue(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;AbstractKeyValue;;;Argument[1];MapValue of Argument[-1];value"
AbstractKeyValue out = null;
Object in = source();
out = new MyAbstractKeyValue(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setKey;;;Argument[0];MapKey of Argument[-1];value"
DefaultKeyValue out = null;
Object in = source();
out.setKey(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setKey;;;Argument[0];MapKey of Argument[-1];value"
MyAbstractKeyValue out = null;
Object in = source();
out.mySetKey(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setKey;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
DefaultKeyValue in = newDKVWithMapValue(source());
out = in.setKey(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setKey;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
MyAbstractKeyValue in = newMAKVWithMapValue(source());
out = in.mySetKey(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setKey;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
MyAbstractKeyValue in = newMAKVWithMapValue(source());
out = in.mySetKey((Object)null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;Argument[0];MapValue of Argument[-1];value"
UnmodifiableMapEntry out = null;
Object in = source();
out.setValue(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;Argument[0];MapValue of Argument[-1];value"
DefaultKeyValue out = null;
Object in = source();
out.setValue(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;Argument[0];MapValue of Argument[-1];value"
AbstractMapEntry out = null;
Object in = source();
out.setValue(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;Argument[0];MapValue of Argument[-1];value"
MyAbstractKeyValue out = null;
Object in = source();
out.mySetValue(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
UnmodifiableMapEntry in = newUMEWithMapValue(source());
out = in.setValue(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
DefaultKeyValue in = newDKVWithMapValue(source());
out = in.setValue(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
AbstractMapEntry in = newMAMEWithMapValue(source());
out = in.setValue(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
AbstractMapEntry in = newMAMEWithMapValue(source());
out = in.setValue(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
MyAbstractKeyValue in = newMAKVWithMapValue(source());
out = in.mySetValue(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;setValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
MyAbstractKeyValue in = newMAKVWithMapValue(source());
out = in.mySetValue(null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;toString;;;MapKey of Argument[-1];ReturnValue;taint"
String out = null;
AbstractKeyValue in = newMAKVWithMapKey(source());
out = in.toString();
sink(out); // $hasTaintFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractKeyValue;true;toString;;;MapValue of Argument[-1];ReturnValue;taint"
String out = null;
AbstractKeyValue in = newMAKVWithMapValue(source());
out = in.toString();
sink(out); // $hasTaintFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntry;true;AbstractMapEntry;;;Argument[0];MapKey of Argument[-1];value"
AbstractMapEntry out = null;
Object in = source();
out = new MyAbstractMapEntry(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntry;true;AbstractMapEntry;;;Argument[1];MapValue of Argument[-1];value"
AbstractMapEntry out = null;
Object in = source();
out = new MyAbstractMapEntry(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntryDecorator;true;AbstractMapEntryDecorator;;;MapKey of Argument[0];MapKey of Argument[-1];value"
AbstractMapEntryDecorator out = null;
Map.Entry<String,String> in = newMAMEWithMapKey(source());
out = new MyAbstractMapEntryDecorator(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntryDecorator;true;AbstractMapEntryDecorator;;;MapValue of Argument[0];MapValue of Argument[-1];value"
AbstractMapEntryDecorator out = null;
Map.Entry<String,String> in = newMAMEWithMapValue(source());
out = new MyAbstractMapEntryDecorator(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntryDecorator;true;getMapEntry;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
Map.Entry<String,String> out = null;
MyAbstractMapEntryDecorator in = newMAMEDWithMapKey(source());
out = in.myGetMapEntry();
sink(getMapKeyFromEntry(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntryDecorator;true;getMapEntry;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Map.Entry<String,String> out = null;
MyAbstractMapEntryDecorator in = newMAMEDWithMapValue(source());
out = in.myGetMapEntry();
sink(getMapValueFromEntry(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntryDecorator;true;toString;;;MapKey of Argument[-1];ReturnValue;taint"
String out = null;
AbstractMapEntryDecorator in = newMAMEDWithMapKey(source());
out = in.toString();
sink(out); // $hasTaintFlow
}
{
// "org.apache.commons.collections4.keyvalue;AbstractMapEntryDecorator;true;toString;;;MapValue of Argument[-1];ReturnValue;taint"
String out = null;
AbstractMapEntryDecorator in = newMAMEDWithMapValue(source());
out = in.toString();
sink(out); // $hasTaintFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;DefaultKeyValue;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value"
DefaultKeyValue out = null;
Map.Entry<String,String> in = newMAMEWithMapKey(source());
out = new DefaultKeyValue(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;DefaultKeyValue;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value"
DefaultKeyValue out = null;
Map.Entry<String,String> in = newMAMEWithMapValue(source());
out = new DefaultKeyValue(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;DefaultKeyValue;(KeyValue);;MapKey of Argument[0];MapKey of Argument[-1];value"
DefaultKeyValue out = null;
KeyValue in = newMAKVWithMapKey(source());
out = new DefaultKeyValue(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;DefaultKeyValue;(KeyValue);;MapValue of Argument[0];MapValue of Argument[-1];value"
DefaultKeyValue out = null;
KeyValue in = newMAKVWithMapValue(source());
out = new DefaultKeyValue(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;DefaultKeyValue;(Object,Object);;Argument[0];MapKey of Argument[-1];value"
DefaultKeyValue out = null;
Object in = source();
out = new DefaultKeyValue(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;DefaultKeyValue;(Object,Object);;Argument[1];MapValue of Argument[-1];value"
DefaultKeyValue out = null;
Object in = source();
out = new DefaultKeyValue(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;toMapEntry;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
Map.Entry<String,String> out = null;
DefaultKeyValue in = newDKVWithMapKey(source());
out = in.toMapEntry();
sink(getMapKeyFromEntry(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultKeyValue;true;toMapEntry;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Map.Entry<String,String> out = null;
DefaultKeyValue in = newDKVWithMapValue(source());
out = in.toMapEntry();
sink(getMapValueFromEntry(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultMapEntry;true;DefaultMapEntry;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value"
DefaultMapEntry out = null;
Map.Entry<String,String> in = newMAMEWithMapKey(source());
out = new DefaultMapEntry(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultMapEntry;true;DefaultMapEntry;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value"
DefaultMapEntry out = null;
Map.Entry<String,String> in = newMAMEWithMapValue(source());
out = new DefaultMapEntry(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultMapEntry;true;DefaultMapEntry;(KeyValue);;MapKey of Argument[0];MapKey of Argument[-1];value"
DefaultMapEntry out = null;
KeyValue in = newMAKVWithMapKey(source());
out = new DefaultMapEntry(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultMapEntry;true;DefaultMapEntry;(KeyValue);;MapValue of Argument[0];MapValue of Argument[-1];value"
DefaultMapEntry out = null;
KeyValue in = newMAKVWithMapValue(source());
out = new DefaultMapEntry(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultMapEntry;true;DefaultMapEntry;(Object,Object);;Argument[0];MapKey of Argument[-1];value"
DefaultMapEntry out = null;
Object in = source();
out = new DefaultMapEntry(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;DefaultMapEntry;true;DefaultMapEntry;(Object,Object);;Argument[1];MapValue of Argument[-1];value"
DefaultMapEntry out = null;
Object in = source();
out = new DefaultMapEntry(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;TiedMapEntry;true;TiedMapEntry;;;Argument[1];MapKey of Argument[-1];value"
TiedMapEntry out = null;
Object in = source();
out = new TiedMapEntry(null, in);
sink(getMapKeyFromEntry(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;TiedMapEntry;true;TiedMapEntry;;;MapValue of Argument[0];MapValue of Argument[-1];value"
TiedMapEntry out = null;
Map in = newTreeMapWithMapValue(source());
out = new TiedMapEntry(in, null);
sink(getMapValueFromEntry(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;UnmodifiableMapEntry;true;UnmodifiableMapEntry;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value"
UnmodifiableMapEntry out = null;
Map.Entry<String,String> in = newMAMEWithMapKey(source());
out = new UnmodifiableMapEntry(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;UnmodifiableMapEntry;true;UnmodifiableMapEntry;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value"
UnmodifiableMapEntry out = null;
Map.Entry<String,String> in = newMAMEWithMapValue(source());
out = new UnmodifiableMapEntry(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;UnmodifiableMapEntry;true;UnmodifiableMapEntry;(KeyValue);;MapKey of Argument[0];MapKey of Argument[-1];value"
UnmodifiableMapEntry out = null;
KeyValue in = newMAKVWithMapKey(source());
out = new UnmodifiableMapEntry(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;UnmodifiableMapEntry;true;UnmodifiableMapEntry;(KeyValue);;MapValue of Argument[0];MapValue of Argument[-1];value"
UnmodifiableMapEntry out = null;
KeyValue in = newMAKVWithMapValue(source());
out = new UnmodifiableMapEntry(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;UnmodifiableMapEntry;true;UnmodifiableMapEntry;(Object,Object);;Argument[0];MapKey of Argument[-1];value"
UnmodifiableMapEntry out = null;
Object in = source();
out = new UnmodifiableMapEntry(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4.keyvalue;UnmodifiableMapEntry;true;UnmodifiableMapEntry;(Object,Object);;Argument[1];MapValue of Argument[-1];value"
UnmodifiableMapEntry out = null;
Object in = source();
out = new UnmodifiableMapEntry(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getKey;;;MapKey of Argument[-1];ReturnValue;value"
Object out = null;
TiedMapEntry in = newTMEWithMapKey(source());
out = in.getKey();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getKey;;;MapKey of Argument[-1];ReturnValue;value"
Object out = null;
KeyValue in = newMAKVWithMapKey(source());
out = in.getKey();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getKey;;;MapKey of Argument[-1];ReturnValue;value"
Object out = null;
AbstractMapEntryDecorator in = newMAMEDWithMapKey(source());
out = in.getKey();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getKey;;;MapKey of Argument[-1];ReturnValue;value"
Object out = null;
AbstractKeyValue in = newMAKVWithMapKey(source());
out = in.getKey();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
TiedMapEntry in = newTMEWithMapValue(source());
out = in.getValue();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
KeyValue in = newMAKVWithMapValue(source());
out = in.getValue();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
AbstractMapEntryDecorator in = newMAMEDWithMapValue(source());
out = in.getValue();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;KeyValue;true;getValue;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
AbstractKeyValue in = newMAKVWithMapValue(source());
out = in.getValue();
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;emptyIfNull;;;Argument[0];ReturnValue;value"
Map out = null;
Map in = (Map)source();
out = MapUtils.emptyIfNull(in);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;fixedSizeMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.fixedSizeMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;fixedSizeMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.fixedSizeMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;fixedSizeSortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.fixedSizeSortedMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;fixedSizeSortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.fixedSizeSortedMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getMap;;;Argument[2];ReturnValue;value"
Map out = null;
Map in = (Map)source();
out = MapUtils.getMap(null, null, in);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getMap;;;MapValue of Argument[0];ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.getMap(in, null, null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getMap;;;MapValue of Argument[0];ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.getMap(in, null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getObject;;;Argument[2];ReturnValue;value"
Object out = null;
Object in = source();
out = MapUtils.getObject(null, null, in);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getObject;;;MapValue of Argument[0];ReturnValue;value"
Object out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.getObject(in, null, null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getObject;;;MapValue of Argument[0];ReturnValue;value"
Object out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.getObject(in, null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getString;;;Argument[2];ReturnValue;value"
String out = null;
String in = (String)source();
out = MapUtils.getString(null, null, in);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getString;;;MapValue of Argument[0];ReturnValue;value"
String out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.getString(in, null, null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;getString;;;MapValue of Argument[0];ReturnValue;value"
String out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.getString(in, null);
sink(out); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;invertMap;;;MapKey of Argument[0];MapValue of ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.invertMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;invertMap;;;MapValue of Argument[0];MapKey of ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.invertMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;iterableMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.iterableMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;iterableMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.iterableMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;iterableSortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableSortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.iterableSortedMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;iterableSortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableSortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.iterableSortedMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazyMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.lazyMap(in, (Transformer)null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazyMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.lazyMap(in, (Factory)null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazyMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.lazyMap(in, (Transformer)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazyMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.lazyMap(in, (Factory)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazySortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.lazySortedMap(in, (Transformer)null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazySortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.lazySortedMap(in, (Factory)null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazySortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.lazySortedMap(in, (Transformer)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;lazySortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.lazySortedMap(in, (Factory)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;multiValueMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
MultiValueMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.multiValueMap(in, (Factory)null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;multiValueMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
MultiValueMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.multiValueMap(in, (Class)null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;multiValueMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
MultiValueMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.multiValueMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;multiValueMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
MultiValueMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.multiValueMap(in, (Factory)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;multiValueMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
MultiValueMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.multiValueMap(in, (Class)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;multiValueMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
MultiValueMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.multiValueMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;orderedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
OrderedMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.orderedMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;orderedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
OrderedMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.orderedMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;populateMap;(Map,Iterable,Transformer);;Element of Argument[1];MapValue of Argument[0];value"
Map out = null;
Iterable in = newWithElement((String)source());
MapUtils.populateMap(out, in, (Transformer)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// Note it is tricky to get this to compile - the compiler thinks it is ambiguous
// which overload it should choose unless you put the generic types in correctly
// "org.apache.commons.collections4;MapUtils;true;populateMap;(MultiMap,Iterable,Transformer);;Element of Argument[1];MapValue of Argument[0];value"
MultiMap<Integer, String> out = null;
Iterable<String> in = newWithElement((String)source());
MapUtils.populateMap(out, in, (Transformer<String, Integer>)null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;predicatedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.predicatedMap(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;predicatedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.predicatedMap(in, null, null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;predicatedSortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.predicatedSortedMap(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;predicatedSortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.predicatedSortedMap(in, null, null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of Argument[1];MapKey of Argument[0];value"
Map out = null;
Object[] in = newWithArrayElement(source());
MapUtils.putAll(out, in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of Argument[1];MapKey of ReturnValue;value"
Map out = null;
Object[] in = newWithArrayElement(source());
out = MapUtils.putAll(null, in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of Argument[1];MapValue of Argument[0];value"
Map out = null;
Object[] in = newWithArrayElement(source());
MapUtils.putAll(out, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of Argument[1];MapValue of ReturnValue;value"
Map out = null;
Object[] in = newWithArrayElement(source());
out = MapUtils.putAll(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of ArrayElement of Argument[1];MapKey of Argument[0];value"
Map out = null;
Object[] in = newWithArrayElement(newWithArrayElement(source()));
MapUtils.putAll(out, in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of ArrayElement of Argument[1];MapKey of ReturnValue;value"
Map out = null;
Object[] in = newWithArrayElement(newWithArrayElement(source()));
out = MapUtils.putAll(null, in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of ArrayElement of Argument[1];MapValue of Argument[0];value"
Map out = null;
Object[] in = newWithArrayElement(newWithArrayElement(source()));
MapUtils.putAll(out, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;ArrayElement of ArrayElement of Argument[1];MapValue of ReturnValue;value"
Map out = null;
Object[] in = newWithArrayElement(newWithArrayElement(source()));
out = MapUtils.putAll(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;MapKey of ArrayElement of Argument[1];MapKey of Argument[0];value"
Map out = null;
Object[] in = newWithArrayElement(newMAKVWithMapKey(source()));
MapUtils.putAll(out, in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;MapKey of ArrayElement of Argument[1];MapKey of ReturnValue;value"
Map out = null;
Object[] in = newWithArrayElement(newMAKVWithMapKey(source()));
out = MapUtils.putAll(null, in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;MapValue of ArrayElement of Argument[1];MapValue of Argument[0];value"
Map out = null;
Object[] in = newWithArrayElement(newMAKVWithMapValue(source()));
MapUtils.putAll(out, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;putAll;;;MapValue of ArrayElement of Argument[1];MapValue of ReturnValue;value"
Map out = null;
Object[] in = newWithArrayElement(newMAKVWithMapValue(source()));
out = MapUtils.putAll(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;safeAddToMap;;;Argument[1];MapKey of Argument[0];value"
Map out = null;
Object in = source();
MapUtils.safeAddToMap(out, in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;safeAddToMap;;;Argument[2];MapValue of Argument[0];value"
Map out = null;
Object in = source();
MapUtils.safeAddToMap(out, null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;synchronizedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.synchronizedMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;synchronizedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.synchronizedMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;synchronizedSortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.synchronizedSortedMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;synchronizedSortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.synchronizedSortedMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;toMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
Map out = null;
ResourceBundle in = newRBWithMapKey(source());
out = MapUtils.toMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;toMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
Map out = null;
ResourceBundle in = newRBWithMapValue(source());
out = MapUtils.toMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;transformedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.transformedMap(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;transformedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
IterableMap out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.transformedMap(in, null, null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;transformedSortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.transformedSortedMap(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;transformedSortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.transformedSortedMap(in, null, null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;unmodifiableMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapKey(source());
out = MapUtils.unmodifiableMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;unmodifiableMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
Map out = null;
Map in = newTreeMapWithMapValue(source());
out = MapUtils.unmodifiableMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;unmodifiableSortedMap;;;MapKey of Argument[0];MapKey of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapKey(source());
out = MapUtils.unmodifiableSortedMap(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.apache.commons.collections4;MapUtils;true;unmodifiableSortedMap;;;MapValue of Argument[0];MapValue of ReturnValue;value"
SortedMap out = null;
SortedMap in = newTreeMapWithMapValue(source());
out = MapUtils.unmodifiableSortedMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
}
}

1
java/ql/test/library-tests/frameworks/apache-collections/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-collections4-4.4

0
java/ql/test/library-tests/frameworks/apache-collections/test.expected Normal file
View File

68
java/ql/test/library-tests/frameworks/apache-collections/test.ql Normal file
View File

@@ -0,0 +1,68 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class SummaryModelTest extends SummaryModelCsv {
override predicate row(string row) {
row =
[
//"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
"generatedtest;Test;false;newRBWithMapValue;;;Argument[0];MapValue of ReturnValue;value",
"generatedtest;Test;false;newRBWithMapKey;;;Argument[0];MapKey of ReturnValue;value"
]
}
}
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
override int fieldFlowBranchLimit() { result = 1000 }
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
override int fieldFlowBranchLimit() { result = 1000 }
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

8
java/ql/test/library-tests/frameworks/apache-commons-lang3/ArrayUtilsTest.java
View File

@@ -31,11 +31,11 @@ class ArrayUtilsTest {
sink(ArrayUtils.addFirst(clean, taint())); // $hasTaintFlow
sink(ArrayUtils.addFirst(alreadyTainted, "clean")); // $hasTaintFlow
sink(ArrayUtils.clone(alreadyTainted)); // $hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0)); // $hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0)); // $hasValueFlow
sink(ArrayUtils.get(clean, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.get(alreadyTainted, 0, "default value")); // $hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0, "default value")); // $hasValueFlow
sink(ArrayUtils.get(clean, IntSource.taint(), "default value")); // Index argument does not contribute taint
sink(ArrayUtils.get(clean, 0, taint())); // $hasTaintFlow
sink(ArrayUtils.get(clean, 0, taint())); // $hasValueFlow
sink(ArrayUtils.insert(IntSource.taint(), clean, "value1", "value2")); // Index argument does not contribute taint
sink(ArrayUtils.insert(0, alreadyTainted, "value1", "value2")); // $hasTaintFlow
sink(ArrayUtils.insert(0, clean, taint(), "value2")); // $hasTaintFlow
@@ -72,4 +72,4 @@ class ArrayUtilsTest {
sink(ArrayUtils.toPrimitive(new Integer[] {}, IntSource.taint())); // $hasTaintFlow
}
}
}

30
java/ql/test/library-tests/frameworks/apache-commons-lang3/MutableTest.java Normal file
View File

@@ -0,0 +1,30 @@
import org.apache.commons.lang3.mutable.Mutable;
import org.apache.commons.lang3.mutable.MutableObject;
class MutableTest {
String taint() { return "tainted"; }
void sink(Object o) {}
void test() throws Exception {
MutableObject<String> tainted = new MutableObject<>(taint());
MutableObject<String> taintSet = new MutableObject<>("clean");
MutableObject<String> taintCleared = new MutableObject<>(taint());
taintSet.setValue(taint());
taintCleared.setValue("clean");
Mutable<String> taintedAlias = tainted;
Mutable<String> taintSetAlias = taintSet;
Mutable<String> taintClearedAlias = taintCleared;
sink(tainted.getValue()); // $hasValueFlow
sink(taintedAlias.getValue()); // $hasValueFlow
sink(taintSet.getValue()); // $hasValueFlow
sink(taintSetAlias.getValue()); // $hasValueFlow
// These two cases don't work currently because synthetic fields are always weakly updated,
// so no taint clearing takes place.
sink(taintCleared.getValue()); // $SPURIOUS: hasValueFlow
sink(taintClearedAlias.getValue()); // $SPURIOUS: hasValueFlow
}
}

150
java/ql/test/library-tests/frameworks/apache-commons-lang3/PairTest.java Normal file
View File

@@ -0,0 +1,150 @@
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.MutablePair;
class PairTest {
String taint() { return "tainted"; }
private static class IntSource {
static int taint() { return 0; }
}
void sink(Object o) {}
void test() throws Exception {
ImmutablePair<String, String> taintedLeft = ImmutablePair.of(taint(), "clean-right");
ImmutablePair<String, String> taintedRight = ImmutablePair.of("clean-left", taint());
Pair<String, String> taintedLeft2_ = ImmutablePair.left(taint());
ImmutablePair<String, String> taintedLeft2 = (ImmutablePair)taintedLeft2_;
Pair<String, String> taintedRight2_ = ImmutablePair.right(taint());
ImmutablePair<String, String> taintedRight2 = (ImmutablePair)taintedRight2_;
Pair<String, String> taintedLeft3 = Pair.of(taint(), "clean-right");
Pair<String, String> taintedRight3 = Pair.of("clean-left", taint());
ImmutablePair<String, String> taintedLeft4 = new ImmutablePair(taint(), "clean-right");
ImmutablePair<String, String> taintedRight4 = new ImmutablePair("clean-left", taint());
// Check flow through ImmutablePairs:
sink(taintedLeft.getLeft()); // $hasValueFlow
sink(taintedLeft.getRight());
sink(taintedLeft.getKey()); // $hasValueFlow
sink(taintedLeft.getValue());
sink(taintedLeft.left); // $hasValueFlow
sink(taintedLeft.right);
sink(taintedRight.getLeft());
sink(taintedRight.getRight()); // $hasValueFlow
sink(taintedRight.getKey());
sink(taintedRight.getValue()); // $hasValueFlow
sink(taintedRight.left);
sink(taintedRight.right); // $hasValueFlow
sink(taintedLeft2.getLeft()); // $hasValueFlow
sink(taintedLeft2.getRight());
sink(taintedLeft2.getKey()); // $hasValueFlow
sink(taintedLeft2.getValue());
sink(taintedLeft2.left); // $hasValueFlow
sink(taintedLeft2.right);
sink(taintedRight2.getLeft());
sink(taintedRight2.getRight()); // $hasValueFlow
sink(taintedRight2.getKey());
sink(taintedRight2.getValue()); // $hasValueFlow
sink(taintedRight2.left);
sink(taintedRight2.right); // $hasValueFlow
sink(taintedLeft3.getLeft()); // $hasValueFlow
sink(taintedLeft3.getRight());
sink(taintedLeft3.getKey()); // $hasValueFlow
sink(taintedLeft3.getValue());
sink(taintedRight3.getLeft());
sink(taintedRight3.getRight()); // $hasValueFlow
sink(taintedRight3.getKey());
sink(taintedRight3.getValue()); // $hasValueFlow
sink(taintedLeft4.getLeft()); // $hasValueFlow
sink(taintedLeft4.getRight());
sink(taintedLeft4.getKey()); // $hasValueFlow
sink(taintedLeft4.getValue());
sink(taintedLeft4.left); // $hasValueFlow
sink(taintedLeft4.right);
sink(taintedRight4.getLeft());
sink(taintedRight4.getRight()); // $hasValueFlow
sink(taintedRight4.getKey());
sink(taintedRight4.getValue()); // $hasValueFlow
sink(taintedRight4.left);
sink(taintedRight4.right); // $hasValueFlow
// Check flow also works via an alias of type Pair:
sink(taintedLeft2_.getLeft()); // $hasValueFlow
sink(taintedLeft2_.getRight());
sink(taintedLeft2_.getKey()); // $hasValueFlow
sink(taintedLeft2_.getValue());
sink(taintedRight2_.getLeft());
sink(taintedRight2_.getRight()); // $hasValueFlow
sink(taintedRight2_.getKey());
sink(taintedRight2_.getValue()); // $hasValueFlow
// Check flow through MutablePairs:
MutablePair<String, String> taintedLeftMutable = MutablePair.of(taint(), "clean-right");
MutablePair<String, String> taintedRightMutable = MutablePair.of("clean-left", taint());
MutablePair<String, String> setTaintLeft = MutablePair.of("clean-left", "clean-right");
setTaintLeft.setLeft(taint());
MutablePair<String, String> setTaintRight = MutablePair.of("clean-left", "clean-right");
setTaintRight.setRight(taint());
MutablePair<String, String> setTaintValue = MutablePair.of("clean-left", "clean-right");
setTaintValue.setValue(taint());
MutablePair<String, String> taintedLeftMutableConstructed = new MutablePair(taint(), "clean-right");
MutablePair<String, String> taintedRightMutableConstructed = new MutablePair("clean-left", taint());
sink(taintedLeftMutable.getLeft()); // $hasValueFlow
sink(taintedLeftMutable.getRight());
sink(taintedLeftMutable.getKey()); // $hasValueFlow
sink(taintedLeftMutable.getValue());
sink(taintedLeftMutable.left); // $hasValueFlow
sink(taintedLeftMutable.right);
sink(taintedRightMutable.getLeft());
sink(taintedRightMutable.getRight()); // $hasValueFlow
sink(taintedRightMutable.getKey());
sink(taintedRightMutable.getValue()); // $hasValueFlow
sink(taintedRightMutable.left);
sink(taintedRightMutable.right); // $hasValueFlow
sink(setTaintLeft.getLeft()); // $hasValueFlow
sink(setTaintLeft.getRight());
sink(setTaintLeft.getKey()); // $hasValueFlow
sink(setTaintLeft.getValue());
sink(setTaintLeft.left); // $hasValueFlow
sink(setTaintLeft.right);
sink(setTaintRight.getLeft());
sink(setTaintRight.getRight()); // $hasValueFlow
sink(setTaintRight.getKey());
sink(setTaintRight.getValue()); // $hasValueFlow
sink(setTaintRight.left);
sink(setTaintRight.right); // $hasValueFlow
sink(setTaintValue.getLeft());
sink(setTaintValue.getRight()); // $hasValueFlow
sink(setTaintValue.getKey());
sink(setTaintValue.getValue()); // $hasValueFlow
sink(setTaintValue.left);
sink(setTaintValue.right); // $hasValueFlow
sink(taintedLeftMutableConstructed.getLeft()); // $hasValueFlow
sink(taintedLeftMutableConstructed.getRight());
sink(taintedLeftMutableConstructed.getKey()); // $hasValueFlow
sink(taintedLeftMutableConstructed.getValue());
sink(taintedLeftMutableConstructed.left); // $hasValueFlow
sink(taintedLeftMutableConstructed.right);
sink(taintedRightMutableConstructed.getLeft());
sink(taintedRightMutableConstructed.getRight()); // $hasValueFlow
sink(taintedRightMutableConstructed.getKey());
sink(taintedRightMutableConstructed.getValue()); // $hasValueFlow
sink(taintedRightMutableConstructed.left);
sink(taintedRightMutableConstructed.right); // $hasValueFlow
// Check flow also works via an alias of type Pair:
Pair<String, String> taintedLeftMutableAlias = taintedLeftMutable;
Pair<String, String> taintedRightMutableAlias = taintedRightMutable;
sink(taintedLeftMutableAlias.getLeft()); // $hasValueFlow
sink(taintedLeftMutableAlias.getRight());
sink(taintedLeftMutableAlias.getKey()); // $hasValueFlow
sink(taintedLeftMutableAlias.getValue());
sink(taintedRightMutableAlias.getLeft());
sink(taintedRightMutableAlias.getRight()); // $hasValueFlow
sink(taintedRightMutableAlias.getKey());
sink(taintedRightMutableAlias.getValue()); // $hasValueFlow
}
}

181
java/ql/test/library-tests/frameworks/apache-commons-lang3/TripleTest.java Normal file
View File

@@ -0,0 +1,181 @@
import org.apache.commons.lang3.tuple.Triple;
import org.apache.commons.lang3.tuple.ImmutableTriple;
import org.apache.commons.lang3.tuple.MutableTriple;
class TripleTest {
String taint() { return "tainted"; }
private static class IntSource {
static int taint() { return 0; }
}
void sink(Object o) {}
void test() throws Exception {
ImmutableTriple<String, String, String> taintedLeft = ImmutableTriple.of(taint(), "clean-middle", "clean-right");
ImmutableTriple<String, String, String> taintedMiddle = ImmutableTriple.of("clean-left", taint(), "clean-right");
ImmutableTriple<String, String, String> taintedRight = ImmutableTriple.of("clean-left", "clean-middle", taint());
// Check flow through ImmutableTriples:
sink(taintedLeft.getLeft()); // $hasValueFlow
sink(taintedLeft.getMiddle());
sink(taintedLeft.getRight());
sink(taintedLeft.left); // $hasValueFlow
sink(taintedLeft.middle);
sink(taintedLeft.right);
sink(taintedMiddle.getLeft());
sink(taintedMiddle.getMiddle()); // $hasValueFlow
sink(taintedMiddle.getRight());
sink(taintedMiddle.left);
sink(taintedMiddle.middle); // $hasValueFlow
sink(taintedMiddle.right);
sink(taintedRight.getLeft());
sink(taintedRight.getMiddle());
sink(taintedRight.getRight()); // $hasValueFlow
sink(taintedRight.left);
sink(taintedRight.middle);
sink(taintedRight.right); // $hasValueFlow
Triple<String, String, String> taintedLeft2 = taintedLeft;
Triple<String, String, String> taintedMiddle2 = taintedMiddle;
Triple<String, String, String> taintedRight2 = taintedRight;
// Check flow also works via an alias of type Triple:
sink(taintedLeft2.getLeft()); // $hasValueFlow
sink(taintedLeft2.getMiddle());
sink(taintedLeft2.getRight());
sink(taintedMiddle2.getLeft());
sink(taintedMiddle2.getMiddle()); // $hasValueFlow
sink(taintedMiddle2.getRight());
sink(taintedRight2.getLeft());
sink(taintedRight2.getMiddle());
sink(taintedRight2.getRight()); // $hasValueFlow
// Check flow via Triple.of:
Triple<String, String, String> taintedLeft3 = Triple.of(taint(), "clean-middle", "clean-right");
Triple<String, String, String> taintedMiddle3 = Triple.of("clean-left", taint(), "clean-right");
Triple<String, String, String> taintedRight3 = Triple.of("clean-left", "clean-middle", taint());
sink(taintedLeft3.getLeft()); // $hasValueFlow
sink(taintedLeft3.getMiddle());
sink(taintedLeft3.getRight());
sink(taintedMiddle3.getLeft());
sink(taintedMiddle3.getMiddle()); // $hasValueFlow
sink(taintedMiddle3.getRight());
sink(taintedRight3.getLeft());
sink(taintedRight3.getMiddle());
sink(taintedRight3.getRight()); // $hasValueFlow
// Check flow via constructor:
ImmutableTriple<String, String, String> taintedLeft4 = new ImmutableTriple(taint(), "clean-middle", "clean-right");
ImmutableTriple<String, String, String> taintedMiddle4 = new ImmutableTriple("clean-left", taint(), "clean-right");
ImmutableTriple<String, String, String> taintedRight4 = new ImmutableTriple("clean-left", "clean-middle", taint());
sink(taintedLeft4.getLeft()); // $hasValueFlow
sink(taintedLeft4.getMiddle());
sink(taintedLeft4.getRight());
sink(taintedMiddle4.getLeft());
sink(taintedMiddle4.getMiddle()); // $hasValueFlow
sink(taintedMiddle4.getRight());
sink(taintedRight4.getLeft());
sink(taintedRight4.getMiddle());
sink(taintedRight4.getRight()); // $hasValueFlow
MutableTriple<String, String, String> mutableTaintedLeft = MutableTriple.of(taint(), "clean-middle", "clean-right");
MutableTriple<String, String, String> mutableTaintedMiddle = MutableTriple.of("clean-left", taint(), "clean-right");
MutableTriple<String, String, String> mutableTaintedRight = MutableTriple.of("clean-left", "clean-middle", taint());
MutableTriple<String, String, String> setTaintedLeft = MutableTriple.of("clean-left", "clean-middle", "clean-right");
setTaintedLeft.setLeft(taint());
MutableTriple<String, String, String> setTaintedMiddle = MutableTriple.of("clean-left", "clean-middle", "clean-right");
setTaintedMiddle.setMiddle(taint());
MutableTriple<String, String, String> setTaintedRight = MutableTriple.of("clean-left", "clean-middle", "clean-right");
setTaintedRight.setRight(taint());
MutableTriple<String, String, String> mutableTaintedLeftConstructed = new MutableTriple(taint(), "clean-middle", "clean-right");
MutableTriple<String, String, String> mutableTaintedMiddleConstructed = new MutableTriple("clean-left", taint(), "clean-right");
MutableTriple<String, String, String> mutableTaintedRightConstructed = new MutableTriple("clean-left", "clean-middle", taint());
// Check flow through MutableTriples:
sink(mutableTaintedLeft.getLeft()); // $hasValueFlow
sink(mutableTaintedLeft.getMiddle());
sink(mutableTaintedLeft.getRight());
sink(mutableTaintedLeft.left); // $hasValueFlow
sink(mutableTaintedLeft.middle);
sink(mutableTaintedLeft.right);
sink(mutableTaintedMiddle.getLeft());
sink(mutableTaintedMiddle.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddle.getRight());
sink(mutableTaintedMiddle.left);
sink(mutableTaintedMiddle.middle); // $hasValueFlow
sink(mutableTaintedMiddle.right);
sink(mutableTaintedRight.getLeft());
sink(mutableTaintedRight.getMiddle());
sink(mutableTaintedRight.getRight()); // $hasValueFlow
sink(mutableTaintedRight.left);
sink(mutableTaintedRight.middle);
sink(mutableTaintedRight.right); // $hasValueFlow
sink(setTaintedLeft.getLeft()); // $hasValueFlow
sink(setTaintedLeft.getMiddle());
sink(setTaintedLeft.getRight());
sink(setTaintedLeft.left); // $hasValueFlow
sink(setTaintedLeft.middle);
sink(setTaintedLeft.right);
sink(setTaintedMiddle.getLeft());
sink(setTaintedMiddle.getMiddle()); // $hasValueFlow
sink(setTaintedMiddle.getRight());
sink(setTaintedMiddle.left);
sink(setTaintedMiddle.middle); // $hasValueFlow
sink(setTaintedMiddle.right);
sink(setTaintedRight.getLeft());
sink(setTaintedRight.getMiddle());
sink(setTaintedRight.getRight()); // $hasValueFlow
sink(setTaintedRight.left);
sink(setTaintedRight.middle);
sink(setTaintedRight.right); // $hasValueFlow
sink(mutableTaintedLeftConstructed.getLeft()); // $hasValueFlow
sink(mutableTaintedLeftConstructed.getMiddle());
sink(mutableTaintedLeftConstructed.getRight());
sink(mutableTaintedLeftConstructed.left); // $hasValueFlow
sink(mutableTaintedLeftConstructed.middle);
sink(mutableTaintedLeftConstructed.right);
sink(mutableTaintedMiddleConstructed.getLeft());
sink(mutableTaintedMiddleConstructed.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddleConstructed.getRight());
sink(mutableTaintedMiddleConstructed.left);
sink(mutableTaintedMiddleConstructed.middle); // $hasValueFlow
sink(mutableTaintedMiddleConstructed.right);
sink(mutableTaintedRightConstructed.getLeft());
sink(mutableTaintedRightConstructed.getMiddle());
sink(mutableTaintedRightConstructed.getRight()); // $hasValueFlow
sink(mutableTaintedRightConstructed.left);
sink(mutableTaintedRightConstructed.middle);
sink(mutableTaintedRightConstructed.right); // $hasValueFlow
Triple<String, String, String> mutableTaintedLeft2 = mutableTaintedLeft;
Triple<String, String, String> mutableTaintedMiddle2 = mutableTaintedMiddle;
Triple<String, String, String> mutableTaintedRight2 = mutableTaintedRight;
Triple<String, String, String> setTaintedLeft2 = setTaintedLeft;
Triple<String, String, String> setTaintedMiddle2 = setTaintedMiddle;
Triple<String, String, String> setTaintedRight2 = setTaintedRight;
// Check flow also works via an alias of type Triple:
sink(mutableTaintedLeft2.getLeft()); // $hasValueFlow
sink(mutableTaintedLeft2.getMiddle());
sink(mutableTaintedLeft2.getRight());
sink(mutableTaintedMiddle2.getLeft());
sink(mutableTaintedMiddle2.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddle2.getRight());
sink(mutableTaintedRight2.getLeft());
sink(mutableTaintedRight2.getMiddle());
sink(mutableTaintedRight2.getRight()); // $hasValueFlow
sink(setTaintedLeft2.getLeft()); // $hasValueFlow
sink(setTaintedLeft2.getMiddle());
sink(setTaintedLeft2.getRight());
sink(setTaintedMiddle2.getLeft());
sink(setTaintedMiddle2.getMiddle()); // $hasValueFlow
sink(setTaintedMiddle2.getRight());
sink(setTaintedRight2.getLeft());
sink(setTaintedRight2.getMiddle());
sink(setTaintedRight2.getRight()); // $hasValueFlow
}
}

2
java/ql/test/library-tests/frameworks/guava/TestBase.java
View File

@@ -94,7 +94,7 @@ class TestBase {
void test8() {
Optional<String> x = Optional.of(taint());
sink(x); // $numTaintFlow=1
sink(x); // no flow
sink(x.get()); // $numValueFlow=1
sink(x.or("hi")); // $numValueFlow=1
sink(x.orNull()); // $numValueFlow=1

6
java/ql/test/library-tests/frameworks/guava/TestCollect.java
View File

@@ -105,7 +105,7 @@ class TestCollect {
sink(ImmutableSortedSet.copyOf(comp, s)); // $numTaintFlow=1
sorS.add(taint());
sink(ImmutableSortedSet.copyOfSorted(sorS)); // $numTaintFlow=1
sink(ImmutableSortedSet.copyOfSorted(sorS)); // $ MISSING: numTaintFlow=1
sink(ImmutableList.sortedCopyOf(s)); // $numTaintFlow=1
sink(ImmutableList.sortedCopyOf(comp, s)); // $numTaintFlow=1
@@ -117,6 +117,6 @@ class TestCollect {
sink(ImmutableSortedMap.copyOf(m, comp)); // $numTaintFlow=1
sorM.put("k", taint());
sink(ImmutableSortedMap.copyOfSorted(sorM)); // $numTaintFlow=1
sink(ImmutableSortedMap.copyOfSorted(sorM)); // $ MISSING: numTaintFlow=1
}
}
}

3471
java/ql/test/library-tests/frameworks/javax-json/Test.java Normal file
View File

File diff suppressed because it is too large Load Diff

1
java/ql/test/library-tests/frameworks/javax-json/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-json-api-1.1.4:${testdir}/../../../stubs/jakarta-json-2.0.1

0
java/ql/test/library-tests/frameworks/javax-json/test.expected Normal file
View File

52
java/ql/test/library-tests/frameworks/javax-json/test.ql Normal file
View File

@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

2
java/ql/test/library-tests/frameworks/play/PlayBodyParserAnnotation.expected
View File

@@ -1 +1 @@
| play.mvc.BodyParser<>$Of |
| play.mvc.BodyParser$Of |

299
java/ql/test/library-tests/frameworks/spring/beans/Test.java Normal file
View File

@@ -0,0 +1,299 @@
package generatedtest;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.PropertyValues;
public class Test {
Object getMapKey(PropertyValue container) {
return container.getName();
}
Object getMapValue(PropertyValue container) {
return container.getValue();
}
PropertyValue getElement(Iterable<PropertyValue> container) {
return container.iterator().next();
}
PropertyValue getArrayElement(PropertyValue[] container) {
return container[0];
}
PropertyValue newWithMapKey(String element) {
return new PropertyValue(element, null);
}
PropertyValue newWithMapValue(String element) {
return new PropertyValue("", element);
}
MutablePropertyValues newWithElement(PropertyValue element) {
MutablePropertyValues pv = new MutablePropertyValues();
pv.addPropertyValue(element);
return pv;
}
String source() {
return null;
}
void sink(Object o) {}
public void test() {
// @formatter:off
// "org.springframework.beans;PropertyValue;false;;(String,Object);;Argument[0];MapKey of Argument[-1];value",
{
PropertyValue v = new PropertyValue((String) source(), null);
sink(getMapKey(v)); // $hasValueFlow
sink(getMapValue(v)); // Safe
}
// "org.springframework.beans;PropertyValue;false;;(String,Object);;Argument[1];MapValue of Argument[-1];value",
{
PropertyValue v = new PropertyValue("", source());
sink(getMapKey(v)); // Safe
sink(getMapValue(v)); // $hasValueFlow
}
// "org.springframework.beans;PropertyValue;false;;(PropertyValue);;Argument[0];Argument[-1];value",
{
PropertyValue v1 = new PropertyValue((String) source(), null);
PropertyValue v2 = new PropertyValue(v1);
sink(getMapKey(v2)); // $hasValueFlow
sink(getMapValue(v2)); // Safe
PropertyValue v3 = new PropertyValue("safe", source());
PropertyValue v4 = new PropertyValue(v3);
sink(getMapKey(v4)); // Safe
sink(getMapValue(v4)); // $hasValueFlow
}
// "org.springframework.beans;PropertyValue;false;;(PropertyValue,Object);;MapKey of Argument[0];MapKey of Argument[-1];value",
{
PropertyValue v1 = new PropertyValue((String) source(), source());
PropertyValue v2 = new PropertyValue(v1, null);
sink(getMapKey(v2)); // $hasValueFlow
sink(getMapValue(v2)); // Safe
}
// "org.springframework.beans;PropertyValue;false;PropertyValue;(PropertyValue,Object);;Argument[1];MapValue of Argument[-1];value",
{
PropertyValue v1 = new PropertyValue("safe", null);
PropertyValue v2 = new PropertyValue(v1, source());
sink(getMapKey(v2)); // Safe
sink(getMapValue(v2)); // $hasValueFlow
}
// "org.springframework.beans;PropertyValue;false;getName;;;MapKey of Argument[-1];ReturnValue;value",
{
PropertyValue v = new PropertyValue((String) source(), null);
sink(v.getName()); // $hasValueFlow
sink(v.getValue()); // Safe
}
// "org.springframework.beans;PropertyValue;false;getValue;;;MapValue of Argument[-1];ReturnValue;value",
{
PropertyValue v = new PropertyValue("safe", source());
sink(v.getName()); // Safe
sink(v.getValue()); // $hasValueFlow
}
// "org.springframework.beans;PropertyValues;true;getPropertyValue;;;Element of Argument[-1];ReturnValue;value",
{
PropertyValues pv = newWithElement(newWithMapValue(source()));
sink(pv.getPropertyValue("safe").getValue()); // $hasValueFlow
}
// "org.springframework.beans;PropertyValues;true;getPropertyValues;;;Element of Argument[-1];ArrayElement of ReturnValue;value",
{
PropertyValues pv = newWithElement(newWithMapValue(source()));
PropertyValue[] vs = pv.getPropertyValues();
sink(getMapKey(getArrayElement(vs))); // Safe
sink(getMapValue(getArrayElement(vs))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;add;(String,Object);;Argument[0];MapKey of Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
pv.add((String) source(), null);
sink(getMapKey(getElement(pv))); // $hasValueFlow
sink(getMapValue(getElement(pv))); // Safe
}
// "org.springframework.beans;MutablePropertyValues;true;add;(String,Object);;Argument[-1];ReturnValue;value",
{
MutablePropertyValues pv = new MutablePropertyValues();
sink(getMapKey(getElement(pv.add(source(), null)))); // $hasValueFlow
sink(getMapValue(getElement(pv.add(source(), null)))); // Safe
}
{
MutablePropertyValues pv = new MutablePropertyValues();
sink(getMapKey(getElement(pv.add("safe", source())))); // Safe
sink(getMapValue(getElement(pv.add("safe", source())))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;add;(String,Object);;Argument[1];MapValue of Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
pv.add("safe", source());
sink(getMapKey(getElement(pv))); // Safe
sink(getMapValue(getElement(pv))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValue;(PropertyValue);;Argument[0];Element of Argument[-1];value",
{
MutablePropertyValues pv1 = new MutablePropertyValues();
PropertyValue v1 = newWithMapKey(source());
pv1.addPropertyValue(v1);
sink(getMapKey(getElement(pv1))); // $hasValueFlow
sink(getMapValue(getElement(pv1))); // Safe
MutablePropertyValues pv2 = new MutablePropertyValues();
PropertyValue v2 = newWithMapValue(source());
pv2.addPropertyValue(v2);
sink(getMapKey(getElement(pv2))); // Safe
sink(getMapValue(getElement(pv2))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValue;(PropertyValue);;Argument[-1];ReturnValue;value",
{
MutablePropertyValues pv1 = new MutablePropertyValues();
PropertyValue v1 = newWithMapKey(source());
PropertyValues pv2 = pv1.addPropertyValue(v1);
sink(getMapKey(getElement(pv2))); // $hasValueFlow
sink(getMapValue(getElement(pv2))); // Safe
MutablePropertyValues pv3 = new MutablePropertyValues();
PropertyValue v2 = newWithMapValue(source());
PropertyValues pv4 = pv3.addPropertyValue(v2);
sink(getMapKey(getElement(pv4))); // Safe
sink(getMapValue(getElement(pv4))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValue;(String,Object);;Argument[0];MapKey of Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
pv.addPropertyValue((String)source(), null);
sink(getMapKey(getElement(pv))); // $hasValueFlow
sink(getMapValue(getElement(pv))); // Safe
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValue;(String,Object);;Argument[1];MapValue of Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
pv.addPropertyValue("safe", source());
sink(getMapKey(getElement(pv))); // Safe
sink(getMapValue(getElement(pv))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValues;(Map);;MapKey of Argument[0];MapKey of Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
Map<String, Object> values = new HashMap<String, Object>();
values.put(source(), null);
pv.addPropertyValues(values);
sink(getMapKey(getElement(pv))); // $hasValueFlow
sink(getMapValue(getElement(pv))); // Safe
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValues;(Map);;MapValue of Argument[0];MapValue of Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
Map<String, Object> values = new HashMap<String, Object>();
values.put("", source());
pv.addPropertyValues(values);
sink(getMapKey(getElement(pv))); // Safe
sink(getMapValue(getElement(pv))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValues;(Map);;Argument[-1];ReturnValue;value",
{
MutablePropertyValues pv = new MutablePropertyValues();
Map<String, Object> values = new HashMap<String, Object>();
values.put("", source());
PropertyValues pv2 = pv.addPropertyValues(values);
sink(getMapKey(getElement(pv2))); // Safe
sink(getMapValue(getElement(pv2))); // $hasValueFlow
}
{
MutablePropertyValues pv = new MutablePropertyValues();
Map<String, Object> values = new HashMap<String, Object>();
values.put(source(), null);
PropertyValues pv2 = pv.addPropertyValues(values);
sink(getMapKey(getElement(pv2))); // $hasValueFlow
sink(getMapValue(getElement(pv2))); // Safe
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValues;(PropertyValues);;Element of Argument[0];Element of Argument[-1];value",
{
MutablePropertyValues pv = new MutablePropertyValues();
PropertyValues values = newWithElement(newWithMapKey(source()));
pv.addPropertyValues(values);
sink(getMapKey(getElement(pv))); // $hasValueFlow
sink(getMapValue(getElement(pv))); // Safe
}
{
MutablePropertyValues pv = new MutablePropertyValues();
PropertyValues values = newWithElement(newWithMapValue(source()));
pv.addPropertyValues(values);
sink(getMapKey(getElement(pv))); // Safe
sink(getMapValue(getElement(pv))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;addPropertyValues;(PropertyValues);;Argument[-1];ReturnValue;value",
{
MutablePropertyValues pv = new MutablePropertyValues();
PropertyValues values = newWithElement(newWithMapKey(source()));
PropertyValues pv2 = pv.addPropertyValues(values);
sink(getMapKey(getElement(pv2))); // $hasValueFlow
sink(getMapValue(getElement(pv2))); // Safe
}
{
MutablePropertyValues pv = new MutablePropertyValues();
PropertyValues values = newWithElement(newWithMapValue(source()));
PropertyValues pv2 = pv.addPropertyValues(values);
sink(getMapKey(getElement(pv2))); // Safe
sink(getMapValue(getElement(pv2))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;get;;;MapValue of Element of Argument[-1];ReturnValue;value",
{
MutablePropertyValues pv = newWithElement(newWithMapValue(source()));
sink(pv.get("something")); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;getPropertyValue;;;Element of Argument[-1];ReturnValue;value",
{
MutablePropertyValues pv1 = newWithElement(newWithMapKey(source()));
sink(pv1.getPropertyValue("something").getName()); // $hasValueFlow
sink(pv1.getPropertyValue("something").getValue()); // Safe
MutablePropertyValues pv2 = newWithElement(newWithMapValue(source()));
sink(pv2.getPropertyValue("something").getName()); // Safe
sink(pv2.getPropertyValue("something").getValue()); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;getPropertyValueList;;;Element of Argument[-1];Element of ReturnValue;value",
{
MutablePropertyValues pv1 = newWithElement(newWithMapKey(source()));
List<PropertyValue> pvl1 = pv1.getPropertyValueList();
sink(getMapKey(getElement(pvl1))); // $hasValueFlow
sink(getMapValue(getElement(pvl1))); // Safe
MutablePropertyValues pv2 = newWithElement(newWithMapValue(source()));
List<PropertyValue> pvl2 = pv2.getPropertyValueList();
sink(getMapKey(getElement(pvl2))); // Safe
sink(getMapValue(getElement(pvl2))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;getPropertyValues;;;Element of Argument[-1];ArrayElement of ReturnValue;value",
{
MutablePropertyValues pv1 = newWithElement(newWithMapKey(source()));
PropertyValue[] pvl1 = pv1.getPropertyValues();
sink(getMapKey(getArrayElement(pvl1))); // $hasValueFlow
sink(getMapValue(getArrayElement(pvl1))); // Safe
MutablePropertyValues pv2 = newWithElement(newWithMapValue(source()));
PropertyValue[] pvl2 = pv2.getPropertyValues();
sink(getMapKey(getArrayElement(pvl2))); // Safe
sink(getMapValue(getArrayElement(pvl2))); // $hasValueFlow
}
// "org.springframework.beans;MutablePropertyValues;true;setPropertyValueAt;;;Argument[0];Element of Argument[-1];value"
{
MutablePropertyValues pv1 = new MutablePropertyValues();
PropertyValue v1 = newWithMapKey(source());
pv1.setPropertyValueAt(v1, 0);
sink(getMapKey(getElement(pv1))); // $hasValueFlow
sink(getMapValue(getElement(pv1))); // Safe
MutablePropertyValues pv2 = new MutablePropertyValues();
PropertyValue v2 = newWithMapValue(source());
pv2.setPropertyValueAt(v2, 0);
sink(getMapKey(getElement(pv2))); // Safe
sink(getMapValue(getElement(pv2))); // $hasValueFlow
}
// @formatter:on
}
}

1
java/ql/test/library-tests/frameworks/spring/beans/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

0
java/ql/test/library-tests/frameworks/spring/beans/test.expected Normal file
View File

52
java/ql/test/library-tests/frameworks/spring/beans/test.ql Normal file
View File

@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

142
java/ql/test/library-tests/frameworks/spring/cache/Test.java vendored Normal file
View File

@@ -0,0 +1,142 @@
package generatedtest;
import java.util.Map;
import java.util.HashMap;
import java.util.concurrent.Callable;
import org.springframework.cache.Cache;
// Test case generated by GenerateFlowTestCase.ql
public class Test {
public class ValueWrapper extends HashMap<Object,Object> implements Cache.ValueWrapper {
ValueWrapper(Object element) {
super();
this.put(null, element);
}
public Object get() { return this.get(null); }
}
public class DummyCache implements Cache {
DummyCache(Object key, Object value) {
this.put(key, value);
}
public void clear() {}
public void evict(Object key) {}
public boolean evictIfPresent(Object key) { return false; }
public Cache.ValueWrapper get(Object key) { return null; }
public <T> T get(Object key, Callable<T> valueLoader) { return null; }
public <T> T get(Object key, Class<T> type) { return null; }
public String getName() { return null; }
public Object getNativeCache() { return null; }
//public default boolean invalidate() { return false; }
public void put(Object key, Object value) {}
//default Cache.ValueWrapper putIfAbsent(Object key, Object value) { return null; }
}
Object getMapKey(Cache.ValueRetrievalException container) { return container.getKey(); }
Object getMapKey(Cache container) { return ((Map)container.getNativeCache()).keySet().iterator().next(); }
Object getMapValue(Cache container) { return container.get(null, (Class)null); }
Object getMapValue(Cache.ValueWrapper container) { return container.get(); }
Object source() { return null; }
void sink(Object o) { }
public void test() {
{
// "org.springframework.cache;Cache$ValueRetrievalException;false;ValueRetrievalException;;;Argument[0];MapKey of Argument[-1];value"
Cache.ValueRetrievalException out = null;
Object in = source();
out = new Cache.ValueRetrievalException(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache$ValueRetrievalException;false;getKey;;;MapKey of Argument[-1];ReturnValue;value"
Object out = null;
Cache.ValueRetrievalException in = new Cache.ValueRetrievalException(source(), null, null);
out = in.getKey();
sink(out); // $hasValueFlow
}
{
// "org.springframework.cache;Cache$ValueWrapper;true;get;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
Cache.ValueWrapper in = new ValueWrapper(source());
out = in.get();
sink(out); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value"
Cache.ValueWrapper out = null;
Cache in = new DummyCache(null, source());
out = in.get(null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.get(null, (Callable)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object,Class);;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.get(null, (Class)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;getNativeCache;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
Object out = null;
Cache in = new DummyCache(source(), null);
out = in.getNativeCache();
sink(getMapKey((Cache)out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;getNativeCache;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.getNativeCache();
sink(getMapValue((Cache)out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;put;;;Argument[0];MapKey of Argument[-1];value"
Cache out = null;
Object in = source();
out.put(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;put;;;Argument[1];MapValue of Argument[-1];value"
Cache out = null;
Object in = source();
out.put(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[0];MapKey of Argument[-1];value"
Cache out = null;
Object in = source();
out.putIfAbsent(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[1];MapValue of Argument[-1];value"
Cache out = null;
Object in = source();
out.putIfAbsent(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Cache.ValueWrapper out = null;
Cache in = new DummyCache(null, source());
out = in.putIfAbsent(null, null);
sink(getMapValue(out)); // $hasValueFlow
}
}
}

1
java/ql/test/library-tests/frameworks/spring/cache/options vendored Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

0
java/ql/test/library-tests/frameworks/spring/cache/test.expected vendored Normal file
View File

52
java/ql/test/library-tests/frameworks/spring/cache/test.ql vendored Normal file
View File

@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

162
java/ql/test/library-tests/frameworks/spring/http/TestHttp.java Normal file
View File

@@ -0,0 +1,162 @@
import org.springframework.http.HttpEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.http.RequestEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.util.MultiValueMap;
import org.springframework.util.LinkedMultiValueMap;
import java.util.Optional;
import java.util.List;
class TestHttp {
static <T> T taint() { return null; }
static void sink(Object o) {}
void test1() {
String x = taint();
sink(new HttpEntity(x)); // $hasTaintFlow
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
sink(new HttpEntity(x, m1)); // $hasTaintFlow
m1.add("a", taint());
sink(new HttpEntity("a", m1)); // $hasTaintFlow
sink(new HttpEntity<String>(m1)); // $hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new HttpEntity<String>(m2)); // $hasTaintFlow
HttpEntity<String> ent = taint();
sink(ent.getBody()); // $hasTaintFlow
sink(ent.getHeaders()); // $hasTaintFlow
RequestEntity<String> req = taint();
sink(req.getUrl()); // $hasTaintFlow
}
void test2() {
String x = taint();
sink(ResponseEntity.ok(x)); // $hasTaintFlow
sink(ResponseEntity.of(Optional.of(x))); // $hasTaintFlow
sink(ResponseEntity.status(200).contentLength(2048).body(x)); // $hasTaintFlow
sink(ResponseEntity.created(taint()).contentType(null).body("a")); // $hasTaintFlow
sink(ResponseEntity.status(200).header(x, "a", "b", "c").build()); // $hasTaintFlow
sink(ResponseEntity.status(200).header("h", "a", "b", x).build()); // $hasTaintFlow
HttpHeaders h = new HttpHeaders();
h.add("h", taint());
sink(ResponseEntity.status(200).headers(h).allow().build()); // $hasTaintFlow
sink(ResponseEntity.status(200).eTag(x).allow().build()); // $hasTaintFlow
sink(ResponseEntity.status(200).location(taint()).lastModified(10000000).build()); // $hasTaintFlow
sink(ResponseEntity.status(200).varyBy(x).build());
}
void test3() {
String x = taint();
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
sink(new ResponseEntity(x, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity(x, m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity(x, m1, 200)); // $hasTaintFlow
m1.add("a", taint());
sink(new ResponseEntity("a", m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity<String>(m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity("a", m1, 200)); // $hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new ResponseEntity("a", m2, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity<String>(m2, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity("a", m2, 200)); // $hasTaintFlow
ResponseEntity<String> ent = taint();
sink(ent.getBody()); // $hasTaintFlow
sink(ent.getHeaders()); // $hasTaintFlow
}
void test4() {
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
m1.add("a", taint());
sink(new HttpHeaders(m1)); // $hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new HttpHeaders(m2)); // $hasTaintFlow
HttpHeaders h1 = new HttpHeaders();
h1.add(taint(), "a");
sink(h1); // $hasTaintFlow
HttpHeaders h2 = new HttpHeaders();
h2.add("a", taint());
sink(h2); // $hasTaintFlow
HttpHeaders h3 = new HttpHeaders();
h3.addAll(m1);
sink(h3); // $hasTaintFlow
HttpHeaders h4 = new HttpHeaders();
h4.addAll(m2);
sink(h4); // $hasTaintFlow
HttpHeaders h5 = new HttpHeaders();
h5.addAll(taint(), List.of());
sink(h5); // $hasTaintFlow
HttpHeaders h6 = new HttpHeaders();
h6.addAll("a", List.of(taint()));
sink(h6); // $hasTaintFlow
sink(HttpHeaders.formatHeaders(m1)); // $hasTaintFlow
sink(HttpHeaders.formatHeaders(m2)); // $hasTaintFlow
sink(HttpHeaders.encodeBasicAuth(taint(), "a", null)); // $hasTaintFlow
sink(HttpHeaders.encodeBasicAuth("a", taint(), null)); // $hasTaintFlow
}
void test5() {
HttpHeaders h = taint();
sink(h.get(null).get(0)); // $hasTaintFlow
sink(h.getAccept().get(0));
sink(h.getAcceptCharset().get(0));
sink(h.getAcceptLanguage().get(0));
sink(h.getAcceptLanguageAsLocales().get(0));
sink(h.getAccessControlAllowCredentials());
sink(h.getAccessControlAllowHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlAllowMethods().get(0));
sink(h.getAccessControlAllowOrigin()); // $hasTaintFlow
sink(h.getAccessControlExposeHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlMaxAge());
sink(h.getAccessControlRequestHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlRequestMethod());
sink(h.getAllow().toArray()[0]);
sink(h.getCacheControl()); // $hasTaintFlow
sink(h.getConnection().get(0)); // $hasTaintFlow
sink(h.getContentDisposition());
sink(h.getContentLanguage());
sink(h.getContentLength());
sink(h.getContentType());
sink(h.getDate());
sink(h.getETag()); // $hasTaintFlow
sink(h.getExpires());
sink(h.getFirst("a")); // $hasTaintFlow
sink(h.getFirstDate("a"));
sink(h.getFirstZonedDateTime("a"));
sink(h.getHost()); // $hasTaintFlow
sink(h.getIfMatch().get(0)); // $hasTaintFlow
sink(h.getIfModifiedSince());
sink(h.getIfNoneMatch().get(0)); // $hasTaintFlow
sink(h.getIfUnmodifiedSince());
sink(h.getLastModified());
sink(h.getLocation()); // $hasTaintFlow
sink(h.getOrEmpty("a").get(0)); // $hasTaintFlow
sink(h.getOrigin()); // $hasTaintFlow
sink(h.getPragma()); // $hasTaintFlow
sink(h.getUpgrade()); // $hasTaintFlow
sink(h.getValuesAsList("a").get(0)); // $hasTaintFlow
sink(h.getVary().get(0)); // $hasTaintFlow
}
}

0
java/ql/test/library-tests/frameworks/spring/http/flow.expected Normal file
View File

53
java/ql/test/library-tests/frameworks/spring/http/flow.ql Normal file
View File

@@ -0,0 +1,53 @@
import java
import semmle.code.java.frameworks.spring.Spring
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:frameworks:spring-taint-flow" }
override predicate isSource(DataFlow::Node n) {
exists(string name | name.matches("taint%") |
n.asExpr().(MethodAccess).getMethod().hasName(name)
)
}
override predicate isSink(DataFlow::Node n) {
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
}
}
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:frameworks:spring-value-flow" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("taint")
}
override predicate isSink(DataFlow::Node n) {
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasTaintFlow", "hasValueFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
not any(ValueFlowConf vconf).hasFlow(src, sink) and
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

1
java/ql/test/library-tests/frameworks/spring/http/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

579
java/ql/test/library-tests/frameworks/spring/ui/Test.java Normal file
View File

@@ -0,0 +1,579 @@
package generatedtest;
import java.util.Collection;
import java.util.Map;
import java.util.List;
import org.springframework.ui.ConcurrentModel;
import org.springframework.ui.Model;
import org.springframework.ui.ModelMap;
// Test case generated by GenerateFlowTestCase.ql
public class Test {
<K> K getMapKey(Map<K,?> container) { return container.keySet().iterator().next(); }
<V> V getMapValue(Map<?,V> container) { return container.get(null); }
String getMapKey(Model container) { return container.asMap().keySet().iterator().next(); }
Object getMapValue(Model container) { return container.getAttribute(null); }
String getMapKey(ConcurrentModel container) { return container.keySet().iterator().next(); }
Object getMapValue(ConcurrentModel container) { return container.getAttribute(null); }
String getMapKey(ModelMap container) { return container.keySet().iterator().next(); }
Object getMapValue(ModelMap container) { return container.getAttribute(null); }
Object source() { return null; }
void sink(Object o) { }
public void test() {
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(Object);;Argument[0];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Object in = source();
out = new ConcurrentModel(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[0];MapKey of Argument[-1];value"
ConcurrentModel out = null;
String in = (String)source();
out = new ConcurrentModel(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[1];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Object in = source();
out = new ConcurrentModel(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[-1];value"
Model out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value"
Model out = null;
Collection in = List.of(source());
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value"
ConcurrentModel out = null;
Collection in = List.of(source());
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
Model out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value"
Model out = null;
Map in = Map.of(source(), null);
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
Model out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value"
Model out = null;
Map in = Map.of(null, source());
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value"
ConcurrentModel out = null;
Map in = Map.of(null, source());
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[-1];ReturnValue;value"
Model out = null;
Model in = (Model)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[-1];ReturnValue;value"
Model out = null;
Model in = (Model)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[-1];ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[-1];ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[-1];value"
Model out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value"
Model out = null;
Object in = source();
Model instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value"
ConcurrentModel out = null;
Object in = source();
ConcurrentModel instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[-1];value"
Model out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[-1];value"
ConcurrentModel out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value"
Model out = null;
String in = (String)source();
Model instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value"
ConcurrentModel out = null;
String in = (String)source();
ConcurrentModel instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[-1];value"
Model out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value"
Model out = null;
Object in = source();
Model instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value"
ConcurrentModel out = null;
Object in = source();
ConcurrentModel instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[-1];ReturnValue;value"
Model out = null;
Model in = (Model)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[-1];ReturnValue;value"
Model out = null;
Model in = (Model)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[-1];ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[-1];ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
Map out = null;
Model in = new ConcurrentModel((String)source(), null);
out = in.asMap();
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
Map out = null;
ConcurrentModel in = new ConcurrentModel((String)source(), null);
out = in.asMap();
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Map out = null;
Model in = (Model)Map.of(null, source());
out = in.asMap();
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Map out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.asMap();
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
Model in = (Model)Map.of(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;Argument[-1];ReturnValue;value"
Model out = null;
Model in = (Model)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;Argument[-1];ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
Model out = null;
Model in = new ConcurrentModel((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = new ConcurrentModel((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[-1];value"
Model out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[-1];value"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
Model out = null;
Model in = (Model)Map.of(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
ConcurrentModel out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[-1];value"
Model out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[-1];value"
ConcurrentModel out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(Object);;Argument[0];MapValue of Argument[-1];value"
ModelMap out = null;
Object in = source();
out = new ModelMap(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[0];MapKey of Argument[-1];value"
ModelMap out = null;
String in = (String)source();
out = new ModelMap(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[1];MapValue of Argument[-1];value"
ModelMap out = null;
Object in = source();
out = new ModelMap(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[-1];value"
ModelMap out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value"
ModelMap out = null;
Collection in = List.of(source());
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
ModelMap out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value"
ModelMap out = null;
Map in = Map.of(source(), null);
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
ModelMap out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value"
ModelMap out = null;
Map in = Map.of(null, source());
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[-1];ReturnValue;value"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[-1];ReturnValue;value"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of Argument[-1];value"
ModelMap out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value"
ModelMap out = null;
Object in = source();
ModelMap instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of Argument[-1];value"
ModelMap out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value"
ModelMap out = null;
String in = (String)source();
ModelMap instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of Argument[-1];value"
ModelMap out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value"
ModelMap out = null;
Object in = source();
ModelMap instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[-1];ReturnValue;value"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[-1];ReturnValue;value"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;getAttribute;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
ModelMap in = new ModelMap(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;Argument[-1];ReturnValue;value"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
ModelMap out = null;
ModelMap in = new ModelMap((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[-1];value"
ModelMap out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
ModelMap out = null;
ModelMap in = new ModelMap(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[-1];value"
ModelMap out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
}
}
}

1
java/ql/test/library-tests/frameworks/spring/ui/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

0
java/ql/test/library-tests/frameworks/spring/ui/test.expected Normal file
View File

52
java/ql/test/library-tests/frameworks/spring/ui/test.ql Normal file
View File

@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

1438
java/ql/test/library-tests/frameworks/spring/util/Test.java Normal file
View File

File diff suppressed because it is too large Load Diff

1
java/ql/test/library-tests/frameworks/spring/util/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

0
java/ql/test/library-tests/frameworks/spring/util/test.expected Normal file
View File

52
java/ql/test/library-tests/frameworks/spring/util/test.ql Normal file
View File

@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

78
java/ql/test/library-tests/frameworks/spring/validation/Test.java Normal file
View File

@@ -0,0 +1,78 @@
import org.springframework.validation.Errors;
class ValidationErrorsTest {
Object source() { return null; }
Errors sourceErrs() { return (Errors)source(); }
Errors errors() { return null; }
void sink(Object o) {}
void test() {
Errors es0 = errors();
es0.addAllErrors(sourceErrs());
sink(es0); // $hasTaintFlow
sink(sourceErrs().getAllErrors()); // $hasTaintFlow
sink(sourceErrs().getFieldError()); // $hasTaintFlow
sink(sourceErrs().getFieldError("field")); // $hasTaintFlow
sink(sourceErrs().getGlobalError()); // $hasTaintFlow
sink(sourceErrs().getGlobalErrors()); // $hasTaintFlow
Errors es1 = errors();
es1.reject((String)source());
sink(es1); // $hasTaintFlow
Errors es2 = errors();
es2.reject((String)source(), null, "");
sink(es2); // $hasTaintFlow
Errors es3 = errors();
es3.reject((String)source(), null, "");
sink(es3); // $hasTaintFlow
{
Errors es4 = errors();
Object[] in = { (String)source() };
es4.reject("", in, "");
sink(in); // $hasTaintFlow
}
{
Errors es5 = errors();
es5.reject("", null, (String)source());
sink(es5); // $hasTaintFlow
}
Errors es6 = errors();
es6.reject((String)source(), "");
sink(es6); // $hasTaintFlow
Errors es7 = errors();
es7.reject("", (String)source());
sink(es7); // $hasTaintFlow
Errors es8 = errors();
es8.rejectValue("", (String)source(), null, "");
sink(es8); // $hasTaintFlow
Errors es9 = errors();
Object[] in = {source()};
es9.rejectValue("", "", in, "");
sink(es9); // $hasTaintFlow
Errors es10 = errors();
es10.rejectValue("", "", null, (String)source());
sink(es10); // $hasTaintFlow
Errors es11 = errors();
es11.rejectValue("", (String)source(), "");
sink(es11); // $hasTaintFlow
Errors es12 = errors();
es12.rejectValue("", "", (String)source());
sink(es12); // $hasTaintFlow
}
}

1
java/ql/test/library-tests/frameworks/spring/validation/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

0
java/ql/test/library-tests/frameworks/spring/validation/test.expected Normal file
View File

52
java/ql/test/library-tests/frameworks/spring/validation/test.ql Normal file
View File

@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

Some files were not shown because too many files have changed in this diff Show More