Updated JexlInjection.ql to check for sandboxes

- Added a dataflow config to track setting a sandbox on JexlBuilder - Added SandboxedJexl3.java test
2026-05-02 04:05:14 +02:00 · 2021-02-10 22:19:45 +01:00
parent 59f48ecea3
commit af0f361ac8
6 changed files with 204 additions and 5 deletions
--- a/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlBuilder.java
+++ b/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlBuilder.java
@@ -1,8 +1,18 @@
 package org.apache.commons.jexl3;

+import org.apache.commons.jexl3.introspection.*;
+
 public class JexlBuilder {

    public JexlEngine create() {
        return null;
    }
+
+    public JexlBuilder sandbox(JexlSandbox sandbox) {
+        return null;
+    }
+
+    public JexlBuilder uberspect(JexlUberspect uberspect) {
+        return null;
+    }
 }
--- a/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlEngine.java
+++ b/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlEngine.java
@@ -1,5 +1,7 @@
 package org.apache.commons.jexl3;

+import org.apache.commons.jexl3.introspection.*;
+
 public abstract class JexlEngine {

    public JexlExpression createExpression(JexlInfo info, String expression) {
@@ -31,4 +33,8 @@ public abstract class JexlEngine {
    public Object getProperty(Object bean, String expr) {
        return null;
    }
+
+    public JexlUberspect getUberspect() {
+        return null;
+    }
 }
--- a/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/introspection/JexlSandbox.java
+++ b/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/introspection/JexlSandbox.java
@@ -0,0 +1,16 @@
+package org.apache.commons.jexl3.introspection;
+
+public class JexlSandbox {
+    
+    public JexlSandbox() {}
+
+    public JexlSandbox(boolean wb) {}
+
+    public JexlSandbox.Permissions white(String clazz) {
+        return null;
+    }
+
+    public static final class Permissions {
+
+    }
+}
--- a/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/introspection/JexlUberspect.java
+++ b/java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/introspection/JexlUberspect.java
@@ -0,0 +1,37 @@
+package org.apache.commons.jexl3.introspection;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+public interface JexlUberspect {
+    /*
+    interface PropertyResolver {}
+
+    List<PropertyResolver> getResolvers(JexlOperator op, Object obj);
+
+    void setClassLoader(ClassLoader loader);
+
+    ClassLoader getClassLoader();
+
+    int getVersion();
+
+    JexlMethod getConstructor(Object ctorHandle, Object... args);
+
+    JexlMethod getMethod(Object obj, String method, Object... args);
+
+    JexlPropertyGet getPropertyGet(Object obj, Object identifier);
+
+    JexlPropertyGet getPropertyGet(List<PropertyResolver> resolvers, Object obj, Object identifier);
+
+    JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg);
+
+    JexlPropertySet getPropertySet(List<PropertyResolver> resolvers, Object obj, Object identifier, Object arg);
+
+    Iterator<?> getIterator(Object obj);
+
+    JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic);
+    */
+}