Add Hudson models

Includes models-as-data rows, flow sources, and XSS sanitizers.

Tests for models-as-data rows not included.

java/ql/test/library-tests/dataflow/taintsources/Hudson.java

@@ -0,0 +1,16 @@
+import hudson.FilePath;
+
+public class Hudson {
+
+    private static void sink(Object o) {}
+
+    public static void test() throws Exception {
+        FilePath fp = null;
+        sink(FilePath.newInputStreamDenyingSymlinkAsNeeded(null, null, null)); // $hasLocalValueFlow
+        sink(FilePath.openInputStream(null, null)); // $hasLocalValueFlow
+        sink(fp.read()); // $hasLocalValueFlow
+        sink(fp.read(null)); // $hasLocalValueFlow
+        sink(fp.readFromOffset(-1)); // $hasLocalValueFlow
+        sink(fp.readToString()); // $hasLocalValueFlow
+    }
+}

java/ql/test/library-tests/dataflow/taintsources/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java

@@ -4,9 +4,6 @@
 
 package test.cwe079.cwe.examples;
 
-
-
-
 import java.io.IOException;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -14,13 +11,12 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-
 public class XSS extends HttpServlet {
 	protected void doGet(HttpServletRequest request, HttpServletResponse response)
-	throws ServletException, IOException {
+			throws ServletException, IOException {
 		// BAD: a request parameter is written directly to the Servlet response stream
-		response.getWriter().print(
-				"The page \"" + request.getParameter("page") + "\" was not found."); // $xss
+		response.getWriter()
+				.print("The page \"" + request.getParameter("page") + "\" was not found."); // $xss
 
 		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -29,35 +25,31 @@ public class XSS extends HttpServlet {
 		// GOOD: escape HTML characters first
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + encodeForHtml(request.getParameter("page")) + "\" was not found.");
-		
+
 		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
-		
+
 		// BAD: outputting the path of the resource
 		response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $xss
 
-		// BAD: typical XSS, this time written to an OutputStream instead of a Writer 
+		// BAD: typical XSS, this time written to an OutputStream instead of a Writer
 		response.getOutputStream().write(request.getPathInfo().getBytes()); // $xss
+
+		// GOOD: sanitizer
+		response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe
 	}
-	
-
-
-
-
-
 
 	/**
-	 * Replace special characters in the given text such that it can
-	 * be inserted into an HTML file and not be interpreted as including
-	 * any HTML tags.
+	 * Replace special characters in the given text such that it can be inserted into an HTML file
+	 * and not be interpreted as including any HTML tags.
 	 */
 	static String encodeForHtml(String text) {
 		// This is just a stub. For an example of a real implementation, see
 		// the OWASP Java Encoder Project.
 		return text.replace("<", "&lt;");
 	}
-	
+
 	static String capitalizeName(String text) {
 		return text.replace("foo inc", "Foo, Inc.");
 	}

java/ql/test/query-tests/security/CWE-079/semmle/tests/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/:${testdir}/../../../../../stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/:${testdir}/../../../../../stubs/google-android-9.0.0:${testdir}/../../../../../stubs/jenkins

java/ql/test/stubs/jenkins/hudson/FilePath.java

@@ -0,0 +1,34 @@
+package hudson;
+
+import java.io.File;
+import java.io.InputStream;
+import java.nio.file.OpenOption;
+
+public class FilePath {
+
+    public static InputStream newInputStreamDenyingSymlinkAsNeeded(File file,
+            String verificationRoot, OpenOption... openOption) {
+        return null;
+    }
+
+    public static InputStream openInputStream(File file, OpenOption[] openOptions) {
+        return null;
+    }
+
+    public InputStream read() {
+        return null;
+    }
+
+    public InputStream read(FilePath rootPath, OpenOption... openOptions) {
+        return null;
+    }
+
+    public InputStream readFromOffset(long offset) {
+        return null;
+    }
+
+    public String readToString() {
+        return null;
+    }
+}
+

java/ql/test/stubs/jenkins/hudson/Util.java

@@ -0,0 +1,7 @@
+package hudson;
+
+public class Util {
+    public static String escape(String text) {
+        return null;
+    }
+}