Reformat inline expectations (space after $)

Owen Mansel-Chan
2025-01-27 14:36:26 +00:00
parent 05fb22e8ff
commit 9f3572d15a
5 changed files with 54 additions and 54 deletions


@@ -19,11 +19,11 @@ public class SpringXSS {
if(!safeContentType) {
if(chainDirectly) {
return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
}
else {
ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
return builder2.body(userControlled); // $xss
return builder2.body(userControlled); // $ xss
}
}
else {
@@ -60,22 +60,22 @@ public class SpringXSS {
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
}
@GetMapping(value = "/xyz", produces = "text/html")
public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
}
@GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
}
@GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -88,13 +88,13 @@ public class SpringXSS {
// Also try out some alternative constructors for the ResponseEntity:
switch(constructionMethod) {
case 0:
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
case 1:
return ResponseEntity.of(Optional.of(userControlled)); // $xss
return ResponseEntity.of(Optional.of(userControlled)); // $ xss
case 2:
return ResponseEntity.ok().body(userControlled); // $xss
return ResponseEntity.ok().body(userControlled); // $ xss
case 3:
return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $xss
return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ xss
default:
return null;
}
@@ -115,12 +115,12 @@ public class SpringXSS {
@GetMapping(value = "/xyz", produces = {"text/html"})
public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
}
@GetMapping(value = "/abc")
public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
}
}
@@ -129,12 +129,12 @@ public class SpringXSS {
private static class ClassContentTypeUnsafe {
@GetMapping(value = "/abc")
public ResponseEntity<String> test(String userControlled) {
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
}
@GetMapping(value = "/abc")
public String testDirectReturn(String userControlled) {
return userControlled; // $xss
return userControlled; // $ xss
}
@GetMapping(value = "/xyz", produces = {"application/json"})
@@ -150,12 +150,12 @@ public class SpringXSS {
@GetMapping(value = "/abc")
public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
return ResponseEntity.ok(userControlled); // $xss
return ResponseEntity.ok(userControlled); // $ xss
}
@GetMapping(value = "/abc")
public static String stringWithNoMediaType(String userControlled) {
return userControlled; // $xss
return userControlled; // $ xss
}
@GetMapping(value = "/abc")