*)add CWE-652 test case

2026-05-01 11:45:14 +02:00 · 2021-01-27 10:14:33 +08:00
parent 42f55e1ebe
commit b76854a384
23 changed files with 322 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
@@ -0,0 +1,19 @@
+edges
+| XQueryInjection.java:26:37:26:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:27:35:27:38 | xqpe |
+| XQueryInjection.java:41:37:41:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:42:35:42:38 | xqpe |
+| XQueryInjection.java:53:37:53:64 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:54:35:54:38 | xqpe |
+| XQueryInjection.java:66:37:66:62 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:67:35:67:38 | xqpe |
+nodes
+| XQueryInjection.java:26:37:26:65 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:27:35:27:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:41:37:41:65 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:42:35:42:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:53:37:53:64 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:54:35:54:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:66:37:66:62 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:67:35:67:38 | xqpe | semmle.label | xqpe |
+#select
+| XQueryInjection.java:27:35:27:38 | xqpe | XQueryInjection.java:26:37:26:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:27:35:27:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:26:37:26:65 | prepareExpression(...) | this user input |
+| XQueryInjection.java:42:35:42:38 | xqpe | XQueryInjection.java:41:37:41:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:42:35:42:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:41:37:41:65 | prepareExpression(...) | this user input |
+| XQueryInjection.java:54:35:54:38 | xqpe | XQueryInjection.java:53:37:53:64 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:54:35:54:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:53:37:53:64 | prepareExpression(...) | this user input |
+| XQueryInjection.java:67:35:67:38 | xqpe | XQueryInjection.java:66:37:66:62 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:67:35:67:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:66:37:66:62 | prepareExpression(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java
@@ -0,0 +1,87 @@
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.namespace.QName;
+import javax.xml.xquery.XQConnection;
+import javax.xml.xquery.XQDataSource;
+import javax.xml.xquery.XQException;
+import javax.xml.xquery.XQItemType;
+import javax.xml.xquery.XQPreparedExpression;
+import javax.xml.xquery.XQResultSequence;
+import net.sf.saxon.xqj.SaxonXQDataSource;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@Controller
+public class XQueryInjection {
+
+    @RequestMapping
+    public void testRequestbad(HttpServletRequest request) throws Exception {
+        String name = request.getParameter("name");
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password";
+        XQPreparedExpression xqpe = conn.prepareExpression(query);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()){
+            System.out.println(result.getItemAsString(null));
+        }
+
+    }
+
+
+    @RequestMapping
+    public void testStringtbad(@RequestParam String nameStr) throws XQException {
+        String name = nameStr;
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password";
+        XQPreparedExpression xqpe = conn.prepareExpression(query);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()){
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testInputStreambad(HttpServletRequest request) throws Exception {
+        InputStream name = request.getInputStream();
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        XQPreparedExpression xqpe = conn.prepareExpression(name);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()){
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testReaderbad(HttpServletRequest request) throws Exception {
+        InputStream name = request.getInputStream();
+        BufferedReader br = new BufferedReader(new InputStreamReader(name));
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        XQPreparedExpression xqpe = conn.prepareExpression(br);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()){
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void good(HttpServletRequest request) throws XQException {
+        String name = request.getParameter("name");
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        String query = "declare variable $name as xs:string external;"
+                + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
+        XQPreparedExpression xqpe = conn.prepareExpression(query);
+        xqpe.bindString(new QName("name"), name, conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()){
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-652/XQueryInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-652/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.2.3/
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.2.3/`