Use InlineExpectationsTest

2026-04-29 02:35:15 +02:00 · 2021-06-07 09:56:59 +02:00
parent 079769ed2e
commit b985ddb868
5 changed files with 41 additions and 11 deletions
--- a/java/ql/src/semmle/code/java/security/SpelInjection.qll
+++ b/java/ql/src/semmle/code/java/security/SpelInjection.qll
@@ -56,7 +56,7 @@ private class DefaultSpelExpressionInjectionAdditionalTaintStep extends SpelExpr
 /**
 * A configuration for safe evaluation context that may be used in expression evaluation.
 */
-class SafeEvaluationContextFlowConfig extends DataFlow2::Configuration {
+private class SafeEvaluationContextFlowConfig extends DataFlow2::Configuration {
  SafeEvaluationContextFlowConfig() { this = "SpelInjection::SafeEvaluationContextFlowConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof SafeContextSource }
--- a/java/ql/test/query-tests/security/CWE-094/SpelInjection.qlref
+++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-094/SpelInjection.ql
--- a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.expected
+++ b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.expected
--- a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java
@@ -7,7 +7,7 @@ import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.expression.spel.support.SimpleEvaluationContext;
 import org.springframework.expression.spel.support.StandardEvaluationContext;

-public class SpelInjection {
+public class SpelInjectionTest {

  private static final ExpressionParser PARSER = new SpelExpressionParser();

@@ -20,7 +20,7 @@ public class SpelInjection {

    ExpressionParser parser = new SpelExpressionParser();
    Expression expression = parser.parseExpression(input);
-    expression.getValue();
+    expression.getValue(); // $hasSpelInjection
  }

  public void testGetValueWithChainedCalls(Socket socket) throws IOException {
@@ -31,7 +31,7 @@ public class SpelInjection {
    String input = new String(bytes, 0, n);

    Expression expression = new SpelExpressionParser().parseExpression(input);
-    expression.getValue();
+    expression.getValue(); // $hasSpelInjection
  }

  public void testSetValueWithRootObject(Socket socket) throws IOException {
@@ -45,7 +45,7 @@ public class SpelInjection {

    Object root = new Object();
    Object value = new Object();
-    expression.setValue(root, value);
+    expression.setValue(root, value); // $hasSpelInjection
  }

  public void testGetValueWithStaticParser(Socket socket) throws IOException {
@@ -56,7 +56,7 @@ public class SpelInjection {
    String input = new String(bytes, 0, n);

    Expression expression = PARSER.parseExpression(input);
-    expression.getValue();
+    expression.getValue(); // $hasSpelInjection
  }

  public void testGetValueType(Socket socket) throws IOException {
@@ -67,7 +67,7 @@ public class SpelInjection {
    String input = new String(bytes, 0, n);

    Expression expression = PARSER.parseExpression(input);
-    expression.getValueType();
+    expression.getValueType(); // $hasSpelInjection
  }

  public void testWithStandardEvaluationContext(Socket socket) throws IOException {
@@ -80,7 +80,7 @@ public class SpelInjection {
    Expression expression = PARSER.parseExpression(input);

    StandardEvaluationContext context = new StandardEvaluationContext();
-    expression.getValue(context);
+    expression.getValue(context); // $hasSpelInjection
  }

  public void testWithSimpleEvaluationContext(Socket socket) throws IOException {
@@ -93,8 +93,7 @@ public class SpelInjection {
    Expression expression = PARSER.parseExpression(input);
    SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();

-    // the expression is evaluated in a limited context
-    expression.getValue(context);
+    expression.getValue(context); // Safe - the expression is evaluated in a limited context
  }

 }
--- a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql
@@ -0,0 +1,32 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.SpelInjection
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:cwe:spel-injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+class HasSpelInjectionTest extends InlineExpectationsTest {
+  HasSpelInjectionTest() { this = "HasSpelInjectionTest" }
+
+  override string getARelevantTag() { result = "hasSpelInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasSpelInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}