Add tests for always-locked fields

2026-04-25 16:55:19 +02:00 · 2025-03-13 15:02:26 +00:00
parent aed51644ba
commit dc2cbf7402
3 changed files with 56 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-367/semmle/tests/FieldAlwaysLocked.java
+++ b/java/ql/test/query-tests/security/CWE-367/semmle/tests/FieldAlwaysLocked.java
@@ -0,0 +1,24 @@
+package test.cwe367.semmle.tests;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+class FieldAlwaysLocked {
+
+        Hashtable field;
+
+        public FieldAlwaysLocked() {
+                field = new Hashtable();
+        }
+
+        protected synchronized void checkOut() {
+                Object o;
+                if (field.size() > 0) {
+                        Enumeration e = field.keys(); // $ SPURIOUS: Alert
+                        while (e.hasMoreElements()) {
+                                o = e.nextElement();
+                                field.remove(o); // $ SPURIOUS: Alert
+                        }
+                }
+        }
+}
--- a/java/ql/test/query-tests/security/CWE-367/semmle/tests/FieldNotAlwaysLocked.java
+++ b/java/ql/test/query-tests/security/CWE-367/semmle/tests/FieldNotAlwaysLocked.java
@@ -0,0 +1,28 @@
+package test.cwe367.semmle.tests;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+class FieldNotAlwaysLocked {
+
+        Hashtable field;
+
+        public FieldNotAlwaysLocked() {
+                field = new Hashtable();
+        }
+
+        protected synchronized void checkOut() {
+                Object o;
+                if (field.size() > 0) {
+                        Enumeration e = field.keys(); // $ Alert
+                        while (e.hasMoreElements()) {
+                                o = e.nextElement();
+                                field.remove(o); // $ Alert
+                        }
+                }
+        }
+
+        protected void modifyUnlocked() {
+                field = new Hashtable();
+        }
+}
--- a/java/ql/test/query-tests/security/CWE-367/semmle/tests/TOCTOURace.expected
+++ b/java/ql/test/query-tests/security/CWE-367/semmle/tests/TOCTOURace.expected
@@ -1,3 +1,7 @@
+| FieldAlwaysLocked.java:17:41:17:52 | keys(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | FieldAlwaysLocked.java:8:19:8:23 | field | field | FieldAlwaysLocked.java:16:21:16:32 | size(...) | is checked at a previous call |
+| FieldAlwaysLocked.java:20:33:20:47 | remove(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | FieldAlwaysLocked.java:8:19:8:23 | field | field | FieldAlwaysLocked.java:16:21:16:32 | size(...) | is checked at a previous call |
+| FieldNotAlwaysLocked.java:17:41:17:52 | keys(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | FieldNotAlwaysLocked.java:8:19:8:23 | field | field | FieldNotAlwaysLocked.java:16:21:16:32 | size(...) | is checked at a previous call |
+| FieldNotAlwaysLocked.java:20:33:20:47 | remove(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | FieldNotAlwaysLocked.java:8:19:8:23 | field | field | FieldNotAlwaysLocked.java:16:21:16:32 | size(...) | is checked at a previous call |
 | Test.java:13:4:13:10 | act(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | Test.java:10:32:10:41 | r | r | Test.java:12:7:12:18 | getState(...) | is checked at a previous call |
 | Test.java:20:4:20:10 | act(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | Test.java:17:32:17:42 | r | r | Test.java:19:7:19:18 | getState(...) | is checked at a previous call |
 | Test.java:27:4:27:10 | act(...) | This uses the state of $@ which $@. But these are not jointly synchronized. | Test.java:24:19:24:28 | r | r | Test.java:26:7:26:18 | getState(...) | is checked at a previous call |