Java: Add a query for SpEL injections

- Added experimental/Security/CWE/CWE-094/SpelInjection.ql and a couple of libraries - Added a qhelp file with a few examples - Added tests and stubs for Spring
2026-05-03 12:45:27 +02:00 · 2020-04-18 19:04:24 +02:00
parent 14be4fedf7
commit df3adeec36
17 changed files with 516 additions and 0 deletions
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/EvaluationContext.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/EvaluationContext.java
@@ -0,0 +1,3 @@
+package org.springframework.expression;
+
+public interface EvaluationContext {}
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/EvaluationException.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/EvaluationException.java
@@ -0,0 +1,3 @@
+package org.springframework.expression;
+
+public class EvaluationException extends RuntimeException {}
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/Expression.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/Expression.java
@@ -0,0 +1,14 @@
+package org.springframework.expression;
+
+public interface Expression {
+
+	Object getValue() throws EvaluationException;
+
+	Object getValue(EvaluationContext context) throws EvaluationException;
+
+	Class<?> getValueType() throws EvaluationException;
+
+	Class<?> getValueType(EvaluationContext context) throws EvaluationException;
+
+	void setValue(Object rootObject, Object value) throws EvaluationException;
+}
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/ExpressionParser.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/ExpressionParser.java
@@ -0,0 +1,6 @@
+package org.springframework.expression;
+
+public interface ExpressionParser {
+
+    Expression parseExpression(String string);
+}
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/standard/SpelExpressionParser.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/standard/SpelExpressionParser.java
@@ -0,0 +1,10 @@
+package org.springframework.expression.spel.standard;
+
+import org.springframework.expression.*;
+
+public class SpelExpressionParser implements ExpressionParser {
+
+    public SpelExpressionParser() {}
+    
+    public Expression parseExpression(String string) { return null; }
+}
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/support/SimpleEvaluationContext.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/support/SimpleEvaluationContext.java
@@ -0,0 +1,13 @@
+
+package org.springframework.expression.spel.support;
+
+import org.springframework.expression.*;
+
+public class SimpleEvaluationContext implements EvaluationContext {
+
+    public static Builder forReadWriteDataBinding() { return null; }
+    
+    public static class Builder {
+        public SimpleEvaluationContext build() { return null; }
+    }
+}
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/support/StandardEvaluationContext.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/support/StandardEvaluationContext.java
@@ -0,0 +1,5 @@
+package org.springframework.expression.spel.support;
+
+import org.springframework.expression.*;
+
+public class StandardEvaluationContext implements EvaluationContext {}