Merge pull request #21966 from owen-mc/java/convert-to-inline-expectation-tests
Java: convert all qlref tests to inline expectation tests using postprocessing
@@ -1 +1,2 @@
|
||||
Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
|
||||
query: Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
query: Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
query: Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -2,21 +2,21 @@ fun fn0(f: Function0<Unit>) = f()
|
||||
|
||||
fun fn1() {
|
||||
var c = true
|
||||
while (c) { // TODO: false positive
|
||||
while (c) { // $ SPURIOUS: Alert // TODO: false positive
|
||||
fn0 {
|
||||
c = false
|
||||
}
|
||||
}
|
||||
|
||||
var d = true
|
||||
while (d) {
|
||||
while (d) { // $ Alert
|
||||
fn0 {
|
||||
println(d)
|
||||
}
|
||||
}
|
||||
|
||||
val e = true
|
||||
while (e) {
|
||||
while (e) { // $ Alert
|
||||
fn0 {
|
||||
println(e)
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
query: Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadClass.ql
|
||||
query: DeadCode/DeadClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadMethod.ql
|
||||
query: DeadCode/DeadMethod.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| test.kt:1:1:1:20 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
| test.kt:1:1:1:31 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
query: Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
private class C1 { }
|
||||
private class C1 { } // $ Alert
|
||||
|
||||
private class C2 { }
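Review bot: The alert's end column in the DeadClass expected-output section just above (`@@ -1 +1 @@`) moves from 20 to 31, which is exactly the length of the appended ` // $ Alert`, so the Kotlin class location apparently extends over the trailing comment and the expectation annotation now changes the very location the test records. The same shift appears in the NamingConventionsRefTypes sections where `class aaaa {}` goes from column 13 to 24, and in the repeated copies of both sections further down the page. A one-line comment on its own line in test.kt, e.g. `// NOTE: the reported class location includes the trailing expectation comment, so the expected end column depends on it`, would stop the next column change from being read as an extractor regression. This is inferred from the column arithmetic only and is worth confirming against the extractor.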
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/EmptyBlock.ql
|
||||
query: Likely Bugs/Statements/EmptyBlock.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Performance/InnerClassCouldBeStatic.ql
|
||||
query: Performance/InnerClassCouldBeStatic.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
query: Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
query: Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Architecture/Dependencies/MutualDependency.ql
|
||||
query: Architecture/Dependencies/MutualDependency.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| Test.kt:12:1:12:13 | aaaa | Class and interface names should start in uppercase. |
|
||||
| Test.kt:12:1:12:24 | aaaa | Class and interface names should start in uppercase. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
query: Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,4 +9,4 @@ class Foo {
|
||||
}
|
||||
}
|
||||
|
||||
class aaaa {}
|
||||
class aaaa {} // $ Alert
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableField.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableField.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Nullness/NullMaybe.ql
|
||||
query: Likely Bugs/Nullness/NullMaybe.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Statements/OneStatementPerLine.ql
|
||||
query: Advisory/Statements/OneStatementPerLine.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
query: Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
query: Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
query: Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
query: Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
query: Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -5,13 +5,13 @@ fun fn0(size: Int) {
|
||||
}
|
||||
|
||||
fun fn1(a: Array<Int>) {
|
||||
for (e in a) {
|
||||
for (e in a) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
fun fn2(a: Array<Int>) {
|
||||
for ((idx, e) in a.withIndex()) {
|
||||
for ((idx, e) in a.withIndex()) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ fun fn(x:Any?, y: Any?) {
|
||||
|
||||
fun fn0(o: Any?) {
|
||||
if (o != null) {
|
||||
o?.toString()
|
||||
o?.toString() // $ Alert
|
||||
o.toString()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Language Abuse/UselessNullCheck.ql
|
||||
query: Language Abuse/UselessNullCheck.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/UselessParameter.ql
|
||||
query: DeadCode/UselessParameter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
query: Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
query: Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
query: Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -2,21 +2,21 @@ fun fn0(f: Function0<Unit>) = f()
|
||||
|
||||
fun fn1() {
|
||||
var c = true
|
||||
while (c) { // TODO: false positive
|
||||
while (c) { // $ SPURIOUS: Alert // TODO: false positive
|
||||
fn0 {
|
||||
c = false
|
||||
}
|
||||
}
|
||||
|
||||
var d = true
|
||||
while (d) {
|
||||
while (d) { // $ Alert
|
||||
fn0 {
|
||||
println(d)
|
||||
}
|
||||
}
|
||||
|
||||
val e = true
|
||||
while (e) {
|
||||
while (e) { // $ Alert
|
||||
fn0 {
|
||||
println(e)
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
query: Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadClass.ql
|
||||
query: DeadCode/DeadClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadMethod.ql
|
||||
query: DeadCode/DeadMethod.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| test.kt:1:1:1:20 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
| test.kt:1:1:1:31 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
query: Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
private class C1 { }
|
||||
private class C1 { } // $ Alert
|
||||
|
||||
private class C2 { }
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/EmptyBlock.ql
|
||||
query: Likely Bugs/Statements/EmptyBlock.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Performance/InnerClassCouldBeStatic.ql
|
||||
query: Performance/InnerClassCouldBeStatic.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
query: Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
query: Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Architecture/Dependencies/MutualDependency.ql
|
||||
query: Architecture/Dependencies/MutualDependency.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| Test.kt:12:1:12:13 | aaaa | Class and interface names should start in uppercase. |
|
||||
| Test.kt:12:1:12:24 | aaaa | Class and interface names should start in uppercase. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
query: Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,4 +9,4 @@ class Foo {
|
||||
}
|
||||
}
|
||||
|
||||
class aaaa {}
|
||||
class aaaa {} // $ Alert
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableField.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableField.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Nullness/NullMaybe.ql
|
||||
query: Likely Bugs/Nullness/NullMaybe.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Statements/OneStatementPerLine.ql
|
||||
query: Advisory/Statements/OneStatementPerLine.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
query: Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
query: Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
query: Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
query: Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
query: Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -5,13 +5,13 @@ fun fn0(size: Int) {
|
||||
}
|
||||
|
||||
fun fn1(a: Array<Int>) {
|
||||
for (e in a) {
|
||||
for (e in a) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
fun fn2(a: Array<Int>) {
|
||||
for ((idx, e) in a.withIndex()) {
|
||||
for ((idx, e) in a.withIndex()) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ fun fn(x:Any?, y: Any?) {
|
||||
|
||||
fun fn0(o: Any?) {
|
||||
if (o != null) {
|
||||
o?.toString()
|
||||
o?.toString() // $ Alert
|
||||
o.toString()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Language Abuse/UselessNullCheck.ql
|
||||
query: Language Abuse/UselessNullCheck.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/UselessParameter.ql
|
||||
query: DeadCode/UselessParameter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
query: Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/quantum/Examples/ReusedNonce.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,7 +16,7 @@ public class Test {
|
||||
|
||||
private static byte[] getRandomWrapper1() throws Exception {
|
||||
byte[] val = new byte[16];
|
||||
new SecureRandom().nextBytes(val);
|
||||
new SecureRandom().nextBytes(val); // $ Source
|
||||
return val;
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@ public class Test {
|
||||
IvParameterSpec ivSpec = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcB1
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcB1
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
@@ -46,7 +46,7 @@ public class Test {
|
||||
IvParameterSpec ivSpec = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcA1
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcA1
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
@@ -73,13 +73,13 @@ public class Test {
|
||||
IvParameterSpec ivSpec1 = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key1 = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // BAD: reuse of `iv` below
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // $ Alert // BAD: reuse of `iv` below
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
|
||||
IvParameterSpec ivSpec2 = new IvParameterSpec(iv);
|
||||
Cipher cipher2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key2 = generateAESKey();
|
||||
cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // BAD: Reuse of `iv` above
|
||||
cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // $ Alert // BAD: Reuse of `iv` above
|
||||
byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -18,12 +18,12 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation
|
||||
public void uploadFile() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
File file = getFile("fileParam").getFile();
|
||||
String finalFilePath = BASE_PATH + savePath;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -61,7 +61,7 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation through session attribute
|
||||
public void uploadFile3() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
setSessionAttr("uploadDir", savePath);
|
||||
String sessionUploadDir = getSessionAttr("uploadDir");
|
||||
|
||||
@@ -69,7 +69,7 @@ public class FilePathInjection extends Controller {
|
||||
String finalFilePath = BASE_PATH + sessionUploadDir;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -84,7 +84,7 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation through request attribute
|
||||
public void uploadFile4() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
setAttr("uploadDir2", savePath);
|
||||
String requestUploadDir = getAttr("uploadDir2");
|
||||
|
||||
@@ -92,7 +92,7 @@ public class FilePathInjection extends Controller {
|
||||
String finalFilePath = BASE_PATH + requestUploadDir;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -179,7 +179,7 @@ public class FilePathInjection extends Controller {
|
||||
FileInputStream fis = null;
|
||||
try {
|
||||
os = resp.getOutputStream();
|
||||
fis = new FileInputStream(file);
|
||||
fis = new FileInputStream(file); // $ Alert
|
||||
byte fileContent[] = new byte[(int) file.length()];
|
||||
fis.read(fileContent);
|
||||
os.write(fileContent);
|
||||
@@ -202,12 +202,12 @@ public class FilePathInjection extends Controller {
|
||||
// BAD: Download file to user specified path without validation
|
||||
public void downloadFile() throws FileNotFoundException, IOException {
|
||||
HttpServletRequest request = getRequest();
|
||||
String path = request.getParameter("path");
|
||||
String path = request.getParameter("path"); // $ Source
|
||||
String filePath = BASE_PATH + path;
|
||||
|
||||
HttpServletResponse resp = getResponse();
|
||||
File file = new File(filePath);
|
||||
if (path != null && file.exists()) {
|
||||
if (path != null && file.exists()) { // $ Alert
|
||||
resp.setHeader("Content-type", "application/force-download");
|
||||
resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
|
||||
resp.setHeader("Content-Transfer-Encoding", "Binary");
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-073/FilePathInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-078/ExecTainted.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,7 +11,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
String host = "sshHost";
|
||||
String user = "user";
|
||||
String password = "password";
|
||||
String command = request.getParameter("command");
|
||||
String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
|
||||
|
||||
java.util.Properties config = new java.util.Properties();
|
||||
config.put("StrictHostKeyChecking", "no");
|
||||
@@ -24,7 +24,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
session.connect();
|
||||
|
||||
Channel channel = session.openChannel("exec");
|
||||
((ChannelExec) channel).setCommand("ping " + command);
|
||||
((ChannelExec) channel).setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
|
||||
channel.setInputStream(null);
|
||||
((ChannelExec) channel).setErrStream(System.err);
|
||||
|
||||
@@ -37,7 +37,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
String host = "sshHost";
|
||||
String user = "user";
|
||||
String password = "password";
|
||||
String command = request.getParameter("command");
|
||||
String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
|
||||
|
||||
java.util.Properties config = new java.util.Properties();
|
||||
config.put("StrictHostKeyChecking", "no");
|
||||
@@ -50,7 +50,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
session.connect();
|
||||
|
||||
ChannelExec channel = (ChannelExec)session.openChannel("exec");
|
||||
channel.setCommand("ping " + command);
|
||||
channel.setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
|
||||
channel.setInputStream(null);
|
||||
channel.setErrStream(System.err);
|
||||
|
||||
|
||||
@@ -14,29 +14,29 @@ public class RuntimeExecTest {
|
||||
public static void test() {
|
||||
System.out.println("Command injection test");
|
||||
|
||||
String script = System.getenv("SCRIPTNAME");
|
||||
String script = System.getenv("SCRIPTNAME"); // $ Source[java/command-line-injection-extra-local]
|
||||
|
||||
if (script != null) {
|
||||
try {
|
||||
// 1. array literal in the args
|
||||
Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
|
||||
Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 2. array literal with dataflow
|
||||
String[] commandArray1 = new String[]{"/bin/sh", script};
|
||||
Runtime.getRuntime().exec(commandArray1);
|
||||
Runtime.getRuntime().exec(commandArray1); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 3. array assignment after it is created
|
||||
String[] commandArray2 = new String[4];
|
||||
commandArray2[0] = "/bin/sh";
|
||||
commandArray2[1] = script;
|
||||
Runtime.getRuntime().exec(commandArray2);
|
||||
Runtime.getRuntime().exec(commandArray2); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 4. Stream concatenation
|
||||
Runtime.getRuntime().exec(
|
||||
Stream.concat(
|
||||
Stream.concat( // $
|
||||
Arrays.stream(new String[]{"/bin/sh"}),
|
||||
Arrays.stream(new String[]{script})
|
||||
).toArray(String[]::new)
|
||||
).toArray(String[]::new) // $ Alert[java/command-line-injection-extra-local]
|
||||
);
|
||||
|
||||
} catch (Exception e) {
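Review bot: The bare `// $` added on the `Stream.concat(` line carries no expectation tag, unlike every other marker in this hunk, and reads like an unfinished edit. If it is deliberate, presumably to document that the alert for the multi-line argument is anchored on the `.toArray(String[]::new)` line rather than where the expression starts, a plain comment on the preceding line such as `// expectation for this argument sits on the .toArray line below` says so explicitly; if the inline-expectations parser does not need the tag-free marker, it can be dropped. The body of `test()` continues past the end of the hunk.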
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,55 +16,55 @@ public class MybatisSqlInjection {
|
||||
private MybatisSqlInjectionService mybatisSqlInjectionService;
|
||||
|
||||
@GetMapping(value = "msi1")
|
||||
public List<Test> bad1(@RequestParam String name) {
|
||||
public List<Test> bad1(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad1(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi2")
|
||||
public List<Test> bad2(@RequestParam String name) {
|
||||
public List<Test> bad2(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad2(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi3")
|
||||
public List<Test> bad3(@ModelAttribute Test test) {
|
||||
public List<Test> bad3(@ModelAttribute Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad3(test);
|
||||
return result;
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad4(@RequestBody Test test) {
|
||||
public void bad4(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad4(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json")
|
||||
public void bad5(@RequestBody Test test) {
|
||||
public void bad5(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad5(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad6(@RequestBody Map<String, String> params) {
|
||||
public void bad6(@RequestBody Map<String, String> params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad6(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad7(@RequestBody List<String> params) {
|
||||
public void bad7(@RequestBody List<String> params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad7(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad8(@RequestBody String[] params) {
|
||||
public void bad8(@RequestBody String[] params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad8(params);
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi9")
|
||||
public void bad9(@RequestParam String name) {
|
||||
public void bad9(@RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
|
||||
mybatisSqlInjectionService.bad9(name);
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi10")
|
||||
public void bad10(@RequestParam Integer id, @RequestParam String name) {
|
||||
public void bad10(@RequestParam Integer id, @RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
|
||||
mybatisSqlInjectionService.bad10(id, name);
|
||||
}
|
||||
|
||||
|
||||
@@ -11,48 +11,48 @@ public class MybatisSqlInjectionService {
|
||||
private SqlInjectionMapper sqlInjectionMapper;
|
||||
|
||||
public List<Test> bad1(String name) {
|
||||
List<Test> result = sqlInjectionMapper.bad1(name);
|
||||
List<Test> result = sqlInjectionMapper.bad1(name); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public List<Test> bad2(String name) {
|
||||
List<Test> result = sqlInjectionMapper.bad2(name);
|
||||
List<Test> result = sqlInjectionMapper.bad2(name); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public List<Test> bad3(Test test) {
|
||||
List<Test> result = sqlInjectionMapper.bad3(test);
|
||||
List<Test> result = sqlInjectionMapper.bad3(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public void bad4(Test test) {
|
||||
sqlInjectionMapper.bad4(test);
|
||||
sqlInjectionMapper.bad4(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad5(Test test) {
|
||||
sqlInjectionMapper.bad5(test);
|
||||
sqlInjectionMapper.bad5(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad6(Map<String, String> params) {
|
||||
sqlInjectionMapper.bad6(params);
|
||||
sqlInjectionMapper.bad6(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad7(List<String> params) {
|
||||
sqlInjectionMapper.bad7(params);
|
||||
sqlInjectionMapper.bad7(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad8(String[] params) {
|
||||
sqlInjectionMapper.bad8(params);
|
||||
sqlInjectionMapper.bad8(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad9(String name) {
|
||||
HashMap hashMap = new HashMap();
|
||||
hashMap.put("name", name);
|
||||
sqlInjectionMapper.bad9(hashMap);
|
||||
sqlInjectionMapper.bad9(hashMap); // $ Alert[java/mybatis-annotation-sql-injection]
|
||||
}
|
||||
|
||||
public void bad10(Integer id, String name) {
|
||||
sqlInjectionMapper.bad10(id, name);
|
||||
sqlInjectionMapper.bad10(id, name); // $ Alert[java/mybatis-annotation-sql-injection]
|
||||
}
|
||||
|
||||
public List<Test> good1(Integer id) {
|
||||
|
||||
@@ -10,24 +10,24 @@ public class BeanShellInjection {
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
BshScriptEvaluator evaluator = new BshScriptEvaluator();
|
||||
evaluator.evaluate(new StaticScriptSource(code)); //bad
|
||||
evaluator.evaluate(new StaticScriptSource(code)); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
Interpreter interpreter = new Interpreter();
|
||||
interpreter.eval(code); //bad
|
||||
interpreter.eval(code); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
StaticScriptSource staticScriptSource = new StaticScriptSource("test");
|
||||
staticScriptSource.setScript(code);
|
||||
BshScriptEvaluator evaluator = new BshScriptEvaluator();
|
||||
evaluator.evaluate(staticScriptSource); //bad
|
||||
evaluator.evaluate(staticScriptSource); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
}
|
||||
|
||||
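Review bot: The new expectation lines in BeanShellInjection keep the legacy `//bad` marker behind the tag — `evaluator.evaluate(new StaticScriptSource(code)); // $ Alert[java/beanshell-injection] //bad`, `interpreter.eval(code); // $ Alert[java/beanshell-injection] //bad` and `evaluator.evaluate(staticScriptSource); // $ Alert[java/beanshell-injection] //bad` — so each sink line now carries two conventions saying the same thing. The expectation parser appears to tolerate a trailing `//` comment, so this is harmless, but it reads as a leftover from the pre-conversion style rather than an intentional annotation. The other fixtures in this commit (JShellInjection, JythonInjection, RhinoServlet) state the intent in a `// BAD: ...` comment on its own line above the sink; dropping `//bad` here, e.g. `interpreter.eval(code); // $ Alert[java/beanshell-injection]`, would bring this file in line with them.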
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/BeanShellInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,24 +9,24 @@ public class JShellInjection {
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
jShell.eval(input);
|
||||
jShell.eval(input); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis();
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
sourceCodeAnalysis.wrappers(input);
|
||||
sourceCodeAnalysis.wrappers(input); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
SourceCodeAnalysis.CompletionInfo info;
|
||||
SourceCodeAnalysis sca = jShell.sourceCodeAnalysis();
|
||||
@@ -34,7 +34,7 @@ public class JShellInjection {
|
||||
info.completeness().isComplete();
|
||||
info = sca.analyzeCompletion(info.remaining())) {
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
jShell.eval(info.source());
|
||||
jShell.eval(info.source()); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JShellInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -20,7 +20,7 @@ public class JakartaExpressionInjection {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
int n = socket.getInputStream().read(bytes); // $ Source[java/javaee-expression-injection]
|
||||
String expression = new String(bytes, 0, n);
|
||||
action.accept(expression);
|
||||
}
|
||||
@@ -31,7 +31,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorEval() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.eval(expression);
|
||||
processor.eval(expression); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -39,7 +39,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorGetValue() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.getValue(expression, Object.class);
|
||||
processor.getValue(expression, Object.class); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ public class JakartaExpressionInjection {
|
||||
StandardELContext context = new StandardELContext(factory);
|
||||
ValueExpression valueExpression = factory.createValueExpression(context, expression, Object.class);
|
||||
LambdaExpression lambdaExpression = new LambdaExpression(new ArrayList<>(), valueExpression);
|
||||
lambdaExpression.invoke(context, new Object[0]);
|
||||
lambdaExpression.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -58,7 +58,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorSetValue() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.setValue(expression, new Object());
|
||||
processor.setValue(expression, new Object()); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -66,7 +66,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorSetVariable() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.setVariable("test", expression);
|
||||
processor.setVariable("test", expression); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -76,7 +76,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
|
||||
e.getValue(context);
|
||||
e.getValue(context); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -86,7 +86,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
|
||||
e.setValue(context, new Object());
|
||||
e.setValue(context, new Object()); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -96,7 +96,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
MethodExpression e = factory.createMethodExpression(context, expression, Object.class, new Class[0]);
|
||||
e.invoke(context, new Object[0]);
|
||||
e.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -25,7 +25,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow execution of arbitrary Python code
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -33,7 +33,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter = new PythonInterpreter();
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
interpreter.exec(code);
|
||||
interpreter.exec(code); // $ Alert[java/jython-injection]
|
||||
out.flush();
|
||||
|
||||
response.getWriter().print(out.toString());
|
||||
@@ -50,12 +50,12 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow execution of arbitrary Python code
|
||||
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
|
||||
try {
|
||||
interpreter = new PythonInterpreter();
|
||||
PyObject py = interpreter.eval(code);
|
||||
PyObject py = interpreter.eval(code); // $ Alert[java/jython-injection]
|
||||
|
||||
response.getWriter().print(py.toString());
|
||||
} catch(PyException ex) {
|
||||
@@ -70,7 +70,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow arbitrary Jython expression to run
|
||||
protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
InteractiveInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -78,7 +78,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter = new InteractiveInterpreter();
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
interpreter.runsource(code);
|
||||
interpreter.runsource(code); // $ Alert[java/jython-injection]
|
||||
out.flush();
|
||||
|
||||
response.getWriter().print(out.toString());
|
||||
@@ -94,7 +94,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: load arbitrary class file to execute
|
||||
protected void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -103,7 +103,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
|
||||
PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc"));
|
||||
PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc")); // $ Alert[java/jython-injection]
|
||||
interpreter.exec(pyCode);
|
||||
out.flush();
|
||||
|
||||
@@ -128,7 +128,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
|
||||
PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval);
|
||||
PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval); // $ Alert[java/jython-injection]
|
||||
interpreter.exec(pyCode);
|
||||
out.flush();
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JythonInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -25,11 +25,11 @@ public class RhinoServlet extends HttpServlet {
|
||||
// BAD: allow arbitrary Java and JavaScript code to be executed
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
Context ctx = Context.enter();
|
||||
try {
|
||||
Scriptable scope = ctx.initStandardObjects();
|
||||
Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
|
||||
Object result = ctx.evaluateString(scope, code, "<code>", 1, null); // $ Alert[java/unsafe-eval]
|
||||
response.getWriter().print(Context.toString(result));
|
||||
} catch(RhinoException ex) {
|
||||
response.getWriter().println(ex.getMessage());
|
||||
@@ -78,14 +78,14 @@ public class RhinoServlet extends HttpServlet {
|
||||
|
||||
// BAD: allow arbitrary code to be compiled for subsequent execution
|
||||
protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
ClassCompiler compiler = new ClassCompiler(new CompilerEnvirons());
|
||||
Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName");
|
||||
Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName"); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
// BAD: allow arbitrary code to be loaded for subsequent execution
|
||||
protected void doPost2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
String code = request.getParameter("code");
|
||||
Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes());
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes()); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -21,14 +21,14 @@ public class ScriptEngineTest extends HttpServlet {
|
||||
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
|
||||
// Create with ScriptEngine reference
|
||||
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
|
||||
Object result = scriptEngine.eval(input);
|
||||
Object result = scriptEngine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
public void testNashornWithScriptEngineReference(String input) throws ScriptException {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
// Create Nashorn with ScriptEngine reference
|
||||
ScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
Object result = engine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
|
||||
@@ -36,27 +36,27 @@ public class ScriptEngineTest extends HttpServlet {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
// Create Nashorn with NashornScriptEngine reference
|
||||
NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
Object result = engine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
public void testCustomScriptEngineReference(String input) throws ScriptException {
|
||||
MyCustomFactory factory = new MyCustomFactory();
|
||||
//Create with Custom Script Engine reference
|
||||
MyCustomScriptEngine engine = (MyCustomScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
Object result = engine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
public void testScriptEngineCompilable(String input) throws ScriptException {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
Compilable engine = (Compilable) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
CompiledScript script = engine.compile(input);
|
||||
CompiledScript script = engine.compile(input); // $ Alert[java/unsafe-eval]
|
||||
Object result = script.eval();
|
||||
}
|
||||
|
||||
public void testScriptEngineGetProgram(String input) throws ScriptException {
|
||||
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
|
||||
ScriptEngine engine = scriptEngineManager.getEngineByName("nashorn");
|
||||
String program = engine.getFactory().getProgram(input);
|
||||
String program = engine.getFactory().getProgram(input); // $ Alert[java/unsafe-eval]
|
||||
Object result = engine.eval(program);
|
||||
}
|
||||
|
||||
@@ -88,7 +88,7 @@ public class ScriptEngineTest extends HttpServlet {
|
||||
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
try {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
|
||||
new ScriptEngineTest().testWithScriptEngineReference(code);
|
||||
new ScriptEngineTest().testNashornWithScriptEngineReference(code);
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/ScriptInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -42,7 +42,7 @@ public class FileService extends Service {
|
||||
|
||||
try {
|
||||
String[] uris = (String[]) params[1];
|
||||
outputStream = new FileOutputStream(uris[0]);
|
||||
outputStream = new FileOutputStream(uris[0]); // $ Alert[java/sensitive-android-file-leak]
|
||||
return "success";
|
||||
} catch (Exception e) {
|
||||
}
|
||||
|
||||
@@ -25,7 +25,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
super.onCreate(savedInstanceState);
|
||||
setContentView(-1);
|
||||
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl");
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl"); // $ Source[java/insecure-webview-resource-response]
|
||||
|
||||
getBadResponse1(inputUrl);
|
||||
|
||||
@@ -65,7 +65,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
Uri uri = Uri.parse(url);
|
||||
FileInputStream inputStream = new FileInputStream(uri.getPath());
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} catch (IOException ie) {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -88,7 +88,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
File cacheFile = new File(getCacheDir(), uri.getLastPathSegment());
|
||||
FileInputStream inputStream = new FileInputStream(cacheFile);
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} else {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -114,7 +114,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
if (path.startsWith("files/")) {
|
||||
FileInputStream inputStream = new FileInputStream(path.substring("files/".length()));
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} else {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -196,7 +196,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
File cacheFile = new File(getCacheDir(), uri.getLastPathSegment());
|
||||
FileInputStream inputStream = new FileInputStream(cacheFile);
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} else {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -234,7 +234,7 @@ class VulnerableWebViewClient extends WebViewClient {
|
||||
Uri uri = Uri.parse(url);
|
||||
FileInputStream inputStream = new FileInputStream(uri.getPath());
|
||||
String mimeType = InsecureWebResourceResponse.getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} catch (IOException ie) {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -24,7 +24,7 @@ public class InsecureWebViewActivity extends Activity {
|
||||
setContentView(-1);
|
||||
webview = (VulnerableWebView) findViewById(-1);
|
||||
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl");
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl"); // $ Source[java/insecure-webview-resource-response]
|
||||
loadWebUrl(inputUrl);
|
||||
}
|
||||
|
||||
@@ -55,7 +55,7 @@ class VulnerableWebView extends WebView {
|
||||
Uri uri = Uri.parse(url);
|
||||
FileInputStream inputStream = new FileInputStream(uri.getPath());
|
||||
String mimeType = InsecureWebViewActivity.getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} catch (IOException ie) {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
|
||||