Merge pull request #4880 from luchua-bc/java/sensitive-query-with-get

Java: Sensitive GET Query
2026-04-29 18:55:14 +02:00 · 2021-02-24 11:08:47 +01:00
parent 8262f0343b 56e3b301e9
commit add960bc4d
11 changed files with 290 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
@@ -0,0 +1,39 @@
+edges
+| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
+| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password |
+| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object |
+| SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object |
+| SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password |
+| SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password |
+| SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String |
+| SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken |
+| SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String |
+| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password |
+| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password : String |
+| SensitiveGetQuery.java:14:29:14:36 | password : String | SensitiveGetQuery.java:17:40:17:54 | password : String |
+| SensitiveGetQuery.java:17:40:17:54 | password : String | SensitiveGetQuery.java:18:61:18:68 | password |
+nodes
+| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
+| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object |
+| SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password |
+| SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object |
+| SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object |
+| SensitiveGetQuery2.java:19:61:19:68 | password | semmle.label | password |
+| SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | semmle.label | getRequestParameter(...) : String |
+| SensitiveGetQuery3.java:13:57:13:64 | password | semmle.label | password |
+| SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | semmle.label | getRequestParameter(...) : String |
+| SensitiveGetQuery4.java:16:37:16:47 | accessToken | semmle.label | accessToken |
+| SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| SensitiveGetQuery.java:14:29:14:36 | password | semmle.label | password |
+| SensitiveGetQuery.java:14:29:14:36 | password : String | semmle.label | password : String |
+| SensitiveGetQuery.java:17:40:17:54 | password : String | semmle.label | password : String |
+| SensitiveGetQuery.java:18:61:18:68 | password | semmle.label | password |
+#select
+| SensitiveGetQuery2.java:15:29:15:36 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:15:29:15:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | This request |
+| SensitiveGetQuery2.java:19:61:19:68 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:19:61:19:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | This request |
+| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) | This request |
+| SensitiveGetQuery4.java:16:37:16:47 | accessToken | SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery4.java:20:10:20:40 | getParameter(...) | This request |
+| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | This request |
+| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | This request |
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java
@@ -0,0 +1,26 @@
+import java.io.IOException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+public class SensitiveGetQuery extends HttpServlet {
+	// BAD - Tests retrieving sensitive information through `request.getParameter()` in a GET request.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String username = request.getParameter("username");
+		String password = request.getParameter("password");
+
+		processUserInfo(username, password);
+	}
+
+	void processUserInfo(String username, String password) {
+		System.out.println("username = " + username+"; password "+password);
+	}
+
+	// GOOD - Tests retrieving sensitive information through `request.getParameter()` in a POST request.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String password = request.getParameter("password");
+		System.out.println("password = " + password);
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java
@@ -0,0 +1,29 @@
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+public class SensitiveGetQuery2 extends HttpServlet {
+	// BAD - Tests retrieving sensitive information through `request.getParameterMap()` in a GET request.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		Map map = request.getParameterMap();
+		String username = (String) map.get("username");
+		String password = (String) map.get("password");
+		processUserInfo(username, password);
+	}
+
+	void processUserInfo(String username, String password) {
+		System.out.println("username = " + username+"; password "+password);
+	}
+
+	// GOOD - Tests retrieving sensitive information through `request.getParameterMap()` in a POST request.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		Map map = request.getParameterMap();
+		String username = (String) map.get("username");
+		String password = (String) map.get("password");
+		processUserInfo(username, password);
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery3.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery3.java
@@ -0,0 +1,26 @@
+import java.io.IOException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+public class SensitiveGetQuery3 extends HttpServlet {
+	// BAD - Tests retrieving sensitive information through a wrapper call in a GET request.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String username = getRequestParameter(request, "username");
+		String password = getRequestParameter(request, "password");
+		System.out.println("Username="+username+"; password="+password);
+	}
+
+	String getRequestParameter(HttpServletRequest request, String paramName) {
+		return request.getParameter(paramName);
+	}
+
+	// GOOD - Tests retrieving sensitive information through a wrapper call in a POST request.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String username = getRequestParameter(request, "username");
+		String password = getRequestParameter(request, "password");
+		System.out.println("Username="+username+"; password="+password);
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery4.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery4.java
@@ -0,0 +1,32 @@
+import java.io.IOException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+public class SensitiveGetQuery4 extends HttpServlet {
+	// BAD - Tests retrieving non-sensitive tokens and sensitive tokens in a GET request.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String username = getRequestParameter(request, "username");
+		String token = getRequestParameter(request, "token");
+		String tokenType = getRequestParameter(request, "tokenType");
+		String accessToken = getRequestParameter(request, "accessToken");
+		System.out.println("Username="+username+"; token="+token+"; tokenType="+tokenType);
+		System.out.println("AccessToken="+accessToken);
+	}
+
+	String getRequestParameter(HttpServletRequest request, String paramName) {
+		return request.getParameter(paramName);
+	}
+
+	// GOOD - Tests retrieving non-sensitive tokens and sensitive tokens in a POST request.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String username = getRequestParameter(request, "username");
+		String token = getRequestParameter(request, "token");
+		String tokenType = getRequestParameter(request, "tokenType");
+		String accessToken = getRequestParameter(request, "accessToken");
+		System.out.println("Username="+username+"; token="+token+"; tokenType="+tokenType);
+		System.out.println("AccessToken="+accessToken);
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-598/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql`
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4`