hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 04:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Apply suggestions from code review

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2021-04-19 13:14:56 +02:00
committed by GitHub
parent 06514159be
commit c5193cf03f
2 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -78,6 +78,7 @@ class Test {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
String filename = br.readLine();
// BAD: construct a file path with user input
BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
}
}

8
java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
View File

@@ -17,7 +17,7 @@ public class SAXSourceTests {
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
JAXBContext jc = JAXBContext.newInstance(Object.class);
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(source); //unsafe
um.unmarshal(source); // BAD
}
public void explicitlySafeSource1(Socket sock) throws Exception {
@@ -25,7 +25,7 @@ public class SAXSourceTests {
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
}
public void createdSafeSource(Socket sock) throws Exception {
@@ -35,7 +35,7 @@ public class SAXSourceTests {
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader();
SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); // GOOD
SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
}
}