Fix the problem

java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java

@@ -3,17 +3,14 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
 import java.io.PrintWriter;
 import java.util.HashMap;
-import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 @Controller
-public class JsonpInjection {
+public class JsonpController {
     private static HashMap hashMap = new HashMap();
 
     static {
@@ -96,54 +93,13 @@ public class JsonpInjection {
 
     @GetMapping(value = "jsonp7")
     @ResponseBody
-    public String good(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
 
         String token = request.getParameter("token");
 
-        // good
         if (verifToken(token)){
-            System.out.println(token);
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-
-        return "error";
-    }
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String referer = request.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-
-        boolean test = result;
-        // good
-        if (test){
+            String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
@@ -169,4 +125,4 @@ public class JsonpInjection {
         }
         return true;
     }
-}
+}

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected

@@ -1,60 +0,0 @@
-edges
-| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | resultStr |
-| JsonpInjection.java:33:21:33:54 | ... + ... : String | JsonpInjection.java:34:16:34:24 | resultStr |
-| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | resultStr |
-| JsonpInjection.java:43:21:43:80 | ... + ... : String | JsonpInjection.java:45:16:45:24 | resultStr |
-| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | resultStr |
-| JsonpInjection.java:54:21:54:55 | ... + ... : String | JsonpInjection.java:55:16:55:24 | resultStr |
-| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | resultStr |
-| JsonpInjection.java:64:21:64:54 | ... + ... : String | JsonpInjection.java:65:16:65:24 | resultStr |
-| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | resultStr |
-| JsonpInjection.java:79:21:79:54 | ... + ... : String | JsonpInjection.java:80:20:80:28 | resultStr |
-| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | resultStr |
-| JsonpInjection.java:93:21:93:54 | ... + ... : String | JsonpInjection.java:94:20:94:28 | resultStr |
-| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | JsonpInjection.java:112:16:112:24 | resultStr |
-| JsonpInjection.java:127:25:127:59 | ... + ... : String | JsonpInjection.java:128:20:128:28 | resultStr |
-| JsonpInjection.java:148:25:148:59 | ... + ... : String | JsonpInjection.java:149:20:149:28 | resultStr |
-nodes
-| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:33:21:33:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:43:21:43:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:54:21:54:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:64:21:64:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:112:16:112:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:127:25:127:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:128:20:128:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:148:25:148:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:149:20:149:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpInjection.java:34:16:34:24 | resultStr | JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:29:32:29:38 | request | this user input |
-| JsonpInjection.java:45:16:45:24 | resultStr | JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:41:32:41:38 | request | this user input |
-| JsonpInjection.java:55:16:55:24 | resultStr | JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:52:32:52:38 | request | this user input |
-| JsonpInjection.java:65:16:65:24 | resultStr | JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:62:32:62:38 | request | this user input |
-| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:72:32:72:38 | request | this user input |
-| JsonpInjection.java:94:20:94:28 | resultStr | JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:87:32:87:38 | request | this user input |

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java

@@ -0,0 +1,64 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet1 extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String jsonResult = gson.toJson(hashMap);
+
+        String referer = req.getHeader("Referer");
+
+        boolean result = verifReferer(referer);
+
+        // good
+        if (result){
+            String resultStr = null;
+            pw = resp.getWriter();
+            resultStr = jsonpCallback + "(" + jsonResult + ")";
+            pw.println(resultStr);
+            pw.flush();
+        }
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("初始化" + this.key);
+        super.init(config);
+    }
+
+}

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java

@@ -0,0 +1,50 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet2  extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("初始化" + this.key);
+        super.init(config);
+    }
+
+}

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected

@@ -0,0 +1,60 @@
+edges
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
+nodes
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:101:24:101:28 | token | semmle.label | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
+| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
+| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
+| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
+| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
+| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected

@@ -0,0 +1,78 @@
+edges
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+nodes
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:101:24:101:28 | token | semmle.label | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
+| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
+| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
+| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
+| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
+| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServle
+t2.java:39:20:39:28 | resultStr | Jsonp Injection query might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) |
+ this user input |

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected

@@ -0,0 +1,66 @@
+edges
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
+nodes
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:101:24:101:28 | token | semmle.label | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
+#select

java/ql/test/experimental/query-tests/security/CWE-352/Readme

@@ -0,0 +1,3 @@
+1. The JsonpInjection_1.expected result is obtained through the test of `JsonpController.java`.
+2. The JsonpInjection_2.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`.
+3. The JsonpInjection_3.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`, `RefererFilter.java`.

java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java

@@ -0,0 +1,43 @@
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.util.StringUtils;
+
+public class RefererFilter implements Filter {
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        String refefer = request.getHeader("Referer");
+        boolean result = verifReferer(refefer);
+        if (result){
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+        response.sendError(444, "Referer xxx.");
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    public static boolean verifReferer(String referer){
+        if (StringUtils.isEmpty(referer)){
+            return false;
+        }
+        if (referer.startsWith("http://www.baidu.com/")){
+            return true;
+        }
+        return false;
+    }
+}