From c37ecb7102af07bb4eafe0b3cb8958aac9cb0341 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 28 Jun 2021 19:38:14 +0100
Subject: [PATCH] Fix existing JaxRs tests

* Expose getContentTypeString for use by tests
* Use it to get constant arguments to @Produces annotations
* Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)
---
 java/ql/src/semmle/code/java/frameworks/JaxWS.qll | 5 ++++-
 java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java | 2 +-
 java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql | 5 +++--
 java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java | 2 +-
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
index 9e6ef2c1dfc..9e071d1fba6 100644
--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -283,7 +283,10 @@ class MessageBodyReaderRead extends Method {
   }
 }
 
-private string getContentTypeString(Expr e) {
+/**
+ * Gets a constant content-type described by expression `e` (either a string constant or a Jax-RS MediaType field access).
+ */
+string getContentTypeString(Expr e) {
   result = e.(CompileTimeConstantExpr).getStringValue() and result != ""
   or
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java
index 271f3594eb0..14f76bd74d2 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java
@@ -71,7 +71,7 @@ public class JakartaRs1 { // $ RootResourceClass
   @Produces("text/html") // $ ProducesAnnotation=text/html
   @POST
   boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
-    return false;
+    return false; // $ XssSink
   }
 
   @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
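Review bot: The string-constant branch of `getContentTypeString` returns `getStringValue()` verbatim, so the common spelling `@Produces("text/html; charset=UTF-8")` yields `text/html; charset=UTF-8` rather than `text/html`; if the XSS-sink logic or other callers compare this value against a bare `text/html` (not visible here), such resource methods would be silently missed. Now that the predicate is public library API, its QLDoc should state this contract, e.g. add to the comment `The value is returned as written in the annotation, including any media-type parameters such as "; charset=..."; callers matching on a bare type must strip them.`, or alternatively strip everything from the first `;` inside the predicate so every consumer gets a normalised type. The predicate body continues past the hunk (the `MediaType` field-access branch is not shown), so whether that branch has the same property cannot be confirmed from this diff.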
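Review bot: The new `// $ XssSink` expectation only covers the string-literal `@Produces("text/html")` form, while the helper exposed by this same patch also resolves `MediaType` field accesses; this hunk contains no `@Produces(MediaType.TEXT_HTML)` resource method with an `XssSink` expectation, so that resolution path is not exercised as a sink here (whether such a method exists elsewhere in the file is not visible). Consider adding a sibling next to the `TEXT_PLAIN` method: `@Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html`, `@POST String postHtml() { return ""; } // $ XssSink ResourceMethod=text/html ResourceMethodOnResourceClass`. The method following `@Produces(MediaType.TEXT_PLAIN)` starts outside the hunk.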
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
index fcd150e8cf5..bc4916c217c 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
@@ -25,7 +25,8 @@ class JaxRsTest extends InlineExpectationsTest {
       element = resourceMethod.toString() and
       if exists(resourceMethod.getProducesAnnotation())
       then
-        value = resourceMethod.getProducesAnnotation().getADeclaredContentType() and
+        value =
+          getContentTypeString(resourceMethod.getProducesAnnotation().getADeclaredContentTypeExpr()) and
         value != ""
       else
         // Filter out empty strings that stem from using stubs.
@@ -143,7 +144,7 @@ class JaxRsTest extends InlineExpectationsTest {
     exists(JaxRSProducesAnnotation producesAnnotation |
       producesAnnotation.getLocation() = location and
       element = producesAnnotation.toString() and
-      value = producesAnnotation.getADeclaredContentType() and
+      value = getContentTypeString(producesAnnotation.getADeclaredContentTypeExpr()) and
       value != ""
       // Filter out empty strings that stem from using stubs.
       // If we built the test against the real JAR then the field
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
index ba21f36069b..1205b538b6b 100644
--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
@@ -71,7 +71,7 @@ public class JaxRs1 { // $ RootResourceClass
   @Produces("text/html") // $ ProducesAnnotation=text/html
   @POST
   boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
-    return false;
+    return false; // $ XssSink
   }
 
   @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
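Review bot: In the `@@ -143` hunk the retained `value != ""` conjunct now filters a value produced by `getContentTypeString`, whose string-constant branch already excludes `""` (visible in this patch's JaxWS.qll hunk), so for literal `@Produces("...")` arguments the check is redundant; it can only matter if the `MediaType` field-access branch, which is outside the shown hunk, yields an empty string for the stub's uninitialised constants, as the existing comment about the real JAR suggests. The comment `// Filter out empty strings that stem from using stubs.` should say so explicitly, e.g. `// getContentTypeString already drops empty string literals; this guards the MediaType field-access branch, whose stub constants have no initialiser.` — or, if that branch filters too, the conjunct can be dropped in both hunks. The predicates enclosing both hunks start and end outside them.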
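Review bot: The `// $ XssSink` expectation is placed on the return of a method whose return type is `boolean`, which can never carry attacker-controlled data, so the fixture asserts the sink exists without modelling a flow a query could actually report; a `String`-returning `text/html` method would be a more representative case, e.g. `@Produces("text/html") @POST String postHtml(String body) { return body; } // $ XssSink`. Separately, only `text/html` is marked here: if the sink predicate keys on that type alone (not visible in this diff), browser-rendered types such as `application/xhtml+xml` and `image/svg+xml` deserve either an `XssSink` expectation or an explicit negative case so the intended scope is pinned down. The method following `@Produces(MediaType.TEXT_PLAIN)` starts outside the hunk.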