Query to detect main method in servlets

2026-04-29 18:55:14 +02:00 · 2021-02-05 03:53:01 +00:00
parent 649bd03db6
commit a183b00166
10 changed files with 272 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java
@@ -0,0 +1,25 @@
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import java.net.URL;
+
+public class ServletContextListenerMain implements ServletContextListener {
+	@Override
+	public void contextInitialized(ServletContextEvent sce) {
+		System.out.println("listener starts to work!");
+	}
+
+	@Override
+	public void contextDestroyed(ServletContextEvent sce) {
+		System.out.println("listener stopped!");
+	}
+
+	// BAD - Implement a main method in servlet listener.
+	public static void main(String[] args) {
+		try {
+			URL url = new URL("https://www.example.com");
+			url.openConnection();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.expected
@@ -0,0 +1,2 @@
+| ServletContextListenerMain.java:17:21:17:24 | main | Web application has a main method. |
+| ServletMain.java:28:21:28:24 | main | Web application has a main method. |
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java
@@ -0,0 +1,33 @@
+import javax.servlet.Servlet;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.ServletException;
+import javax.servlet.ServletConfig;
+import java.io.IOException;
+import java.net.URL;
+
+public class ServletMain implements Servlet {
+	public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
+	}
+
+	public void init(ServletConfig servletConfig) throws ServletException {
+	}
+
+	public ServletConfig getServletConfig() {
+		return null;
+	}
+
+	public String getServletInfo() {
+		return null;
+	}
+
+	public void destroy() {
+	}
+
+	// BAD - Implement a main method in servlet.
+	public static void main(String[] args) throws Exception {
+		// Connect to my server
+		URL url = new URL("https://www.example.com");
+		url.openConnection();
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-489/ServletMain.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-489/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-489/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/ServletContextEvent.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/ServletContextEvent.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package javax.servlet;
+
+/** 
+ * This is the event class for notifications about changes to
+ * the servlet context of a web application.
+ * @see ServletContextListener
+ *
+ * @since Servlet 2.3
+ */
+
+public class ServletContextEvent extends java.util.EventObject { 
+
+    /** Construct a ServletContextEvent from the given context.
+     *
+     * @param source - the ServletContext that is sending the event.
+     */
+    public ServletContextEvent(ServletContext source) {
+        super(source);
+    }
+    
+    /**
+     * Return the ServletContext that changed.
+     *
+     * @return the ServletContext that sent the event.
+     */
+    public ServletContext getServletContext () { 
+        return null;
+    }
+}
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/ServletContextListener.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/ServletContextListener.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package javax.servlet;
+
+import java.util.EventListener;
+
+/** 
+ * Interface for receiving notification events about ServletContext
+ * lifecycle changes.
+ *
+ * <p>In order to receive these notification events, the implementation
+ * class must be either declared in the deployment descriptor of the web
+ * application, annotated with {@link javax.servlet.annotation.WebListener},
+ * or registered via one of the addListener methods defined on
+ * {@link ServletContext}.
+ *
+ * <p>Implementations of this interface are invoked at their
+ * {@link #contextInitialized} method in the order in which they have been
+ * declared, and at their {@link #contextDestroyed} method in reverse
+ * order.
+ *
+ * @see ServletContextEvent
+ *
+ * @since Servlet 2.3
+ */
+public interface ServletContextListener extends EventListener {
+
+    /**
+     * Receives notification that the web application initialization
+     * process is starting.
+     *
+     * <p>All ServletContextListeners are notified of context
+     * initialization before any filters or servlets in the web
+     * application are initialized.
+     *
+     * @param sce the ServletContextEvent containing the ServletContext
+     * that is being initialized
+     *
+     * @implSpec
+     * The default implementation takes no action.
+     */
+    default public void contextInitialized(ServletContextEvent sce) {}
+
+    /**
+     * Receives notification that the ServletContext is about to be
+     * shut down.
+     *
+     * <p>All servlets and filters will have been destroyed before any
+     * ServletContextListeners are notified of context
+     * destruction.
+     *
+     * @param sce the ServletContextEvent containing the ServletContext
+     * that is being destroyed
+     *
+     * @implSpec
+     * The default implementation takes no action.
+     */
+    default public void contextDestroyed(ServletContextEvent sce) {}
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-489/ServletMain.ql`
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4`