Add more test cases

This commit is contained in:
luchua-bc
2022-04-19 22:22:15 +00:00
parent f0c4b1955b
commit b76873fc8d
2 changed files with 53 additions and 22 deletions


@@ -2,6 +2,7 @@ package com.example;
import java.io.InputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.net.URL;
@@ -60,6 +61,42 @@ public class UnsafeResourceGet extends HttpServlet {
}
}
// GOOD: getResource constructed from `ServletContext` with null check only
protected void doGetGood2(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String requestUrl = request.getParameter("requestURL");
PrintWriter writer = response.getWriter();
ServletConfig cfg = getServletConfig();
ServletContext sc = cfg.getServletContext();
// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
URL url = sc.getResource(requestUrl);
if (url == null) {
writer.println("Requested source not found");
}
}
// GOOD: getResource constructed from `ServletContext` with `equals` check
protected void doGetGood3(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String requestUrl = request.getParameter("requestURL");
ServletOutputStream out = response.getOutputStream();
ServletContext sc = request.getServletContext();
if (requestUrl.equals("/public/crossdomain.xml")) {
URL url = sc.getResource(requestUrl);
InputStream in = url.openStream();
byte[] buf = new byte[4 * 1024]; // 4K buffer
int bytesRead;
while ((bytesRead = in.read(buf)) != -1) {
out.write(buf, 0, bytesRead);
}
}
}
@Override
// BAD: getResourceAsStream constructed from `ServletContext` without input validation
protected void doPost(HttpServletRequest request, HttpServletResponse response)
@@ -67,9 +104,6 @@ public class UnsafeResourceGet extends HttpServlet {
String requestPath = request.getParameter("requestPath");
ServletOutputStream out = response.getOutputStream();
ServletConfig cfg = getServletConfig();
ServletContext sc = cfg.getServletContext();
// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
InputStream in = request.getServletContext().getResourceAsStream(requestPath);
byte[] buf = new byte[4 * 1024]; // 4K buffer
@@ -85,9 +119,6 @@ public class UnsafeResourceGet extends HttpServlet {
String requestPath = request.getParameter("requestPath");
ServletOutputStream out = response.getOutputStream();
ServletConfig cfg = getServletConfig();
ServletContext sc = cfg.getServletContext();
if (!requestPath.contains("..") && requestPath.startsWith("/trusted")) {
InputStream in = request.getServletContext().getResourceAsStream(requestPath);
byte[] buf = new byte[4 * 1024]; // 4K buffer
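Review bot: The `// GOOD: ... with null check only` label on doGetGood2 is misleading, because a null check on the result of `sc.getResource(requestUrl)` is not what makes the method safe: `getResource("/fake.jsp/../WEB-INF/web.xml")` returns a non-null URL for an existing file, so the check would not stop traversal if the URL were ever read. Judging from the updated expected results in this commit, which report sinks at `url` (e.g. `34:20:34:22 | url`) rather than at the `getResource` call, the method is presumably not flagged only because it never opens the URL; the sample-request comment above the call reinforces the wrong reading. I would reword the label to `// GOOD: the URL returned by getResource is only null-checked and never opened, so no resource contents reach the response` and drop the `/fake.jsp/../WEB-INF/web.xml` comment from this method, so future readers do not take a null check as a sanitizer. In doGetGood3 the stream is never closed and `url` is dereferenced without a null check; `try (InputStream in = url.openStream()) { ... }` (after guarding `url != null`) would fix both. The enclosing class UnsafeResourceGet starts and ends outside this hunk.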


@@ -1,9 +1,9 @@
edges
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path |
| UnsafeResourceGet.java:24:23:24:56 | getParameter(...) : String | UnsafeResourceGet.java:31:28:31:37 | requestUrl |
| UnsafeResourceGet.java:67:24:67:58 | getParameter(...) : String | UnsafeResourceGet.java:74:68:74:78 | requestPath |
| UnsafeResourceGet.java:105:23:105:56 | getParameter(...) : String | UnsafeResourceGet.java:110:36:110:45 | requestUrl |
| UnsafeResourceGet.java:143:24:143:58 | getParameter(...) : String | UnsafeResourceGet.java:151:68:151:78 | requestPath |
| UnsafeResourceGet.java:25:23:25:56 | getParameter(...) : String | UnsafeResourceGet.java:34:20:34:22 | url |
| UnsafeResourceGet.java:104:24:104:58 | getParameter(...) : String | UnsafeResourceGet.java:108:68:108:78 | requestPath |
| UnsafeResourceGet.java:136:23:136:56 | getParameter(...) : String | UnsafeResourceGet.java:143:20:143:22 | url |
| UnsafeResourceGet.java:174:24:174:58 | getParameter(...) : String | UnsafeResourceGet.java:182:68:182:78 | requestPath |
| UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL |
| UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL |
| UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path |
@@ -23,14 +23,14 @@ edges
nodes
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
| UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
| UnsafeResourceGet.java:24:23:24:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:31:28:31:37 | requestUrl | semmle.label | requestUrl |
| UnsafeResourceGet.java:67:24:67:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:74:68:74:78 | requestPath | semmle.label | requestPath |
| UnsafeResourceGet.java:105:23:105:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:110:36:110:45 | requestUrl | semmle.label | requestUrl |
| UnsafeResourceGet.java:143:24:143:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:151:68:151:78 | requestPath | semmle.label | requestPath |
| UnsafeResourceGet.java:25:23:25:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:34:20:34:22 | url | semmle.label | url |
| UnsafeResourceGet.java:104:24:104:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:108:68:108:78 | requestPath | semmle.label | requestPath |
| UnsafeResourceGet.java:136:23:136:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:143:20:143:22 | url | semmle.label | url |
| UnsafeResourceGet.java:174:24:174:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:182:68:182:78 | requestPath | semmle.label | requestPath |
| UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | semmle.label | returnURL |
| UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -61,10 +61,10 @@ nodes
subpaths
#select
| UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
| UnsafeResourceGet.java:31:28:31:37 | requestUrl | UnsafeResourceGet.java:24:23:24:56 | getParameter(...) : String | UnsafeResourceGet.java:31:28:31:37 | requestUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:24:23:24:56 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:74:68:74:78 | requestPath | UnsafeResourceGet.java:67:24:67:58 | getParameter(...) : String | UnsafeResourceGet.java:74:68:74:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:67:24:67:58 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:110:36:110:45 | requestUrl | UnsafeResourceGet.java:105:23:105:56 | getParameter(...) : String | UnsafeResourceGet.java:110:36:110:45 | requestUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:105:23:105:56 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:151:68:151:78 | requestPath | UnsafeResourceGet.java:143:24:143:58 | getParameter(...) : String | UnsafeResourceGet.java:151:68:151:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:143:24:143:58 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:34:20:34:22 | url | UnsafeResourceGet.java:25:23:25:56 | getParameter(...) : String | UnsafeResourceGet.java:34:20:34:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:25:23:25:56 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:108:68:108:78 | requestPath | UnsafeResourceGet.java:104:24:104:58 | getParameter(...) : String | UnsafeResourceGet.java:108:68:108:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:104:24:104:58 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:143:20:143:22 | url | UnsafeResourceGet.java:136:23:136:56 | getParameter(...) : String | UnsafeResourceGet.java:143:20:143:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:136:23:136:56 | getParameter(...) | user-provided value |
| UnsafeResourceGet.java:182:68:182:78 | requestPath | UnsafeResourceGet.java:174:24:174:58 | getParameter(...) : String | UnsafeResourceGet.java:182:68:182:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:174:24:174:58 | getParameter(...) | user-provided value |
| UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) | user-provided value |
| UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) | user-provided value |
| UnsafeServletRequestDispatch.java:76:53:76:56 | path | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) | user-provided value |