diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index f6f87648812..c28af8aaa15 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -16,31 +16,6 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-/**
- * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
- * input and tests it with what appears to be a token- or authentication-checking function.
- */
-predicate existsFilterVerificationMethod() {
-  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
-    vmfc.hasFlow(source, sink) and
-    m = getACallingCallableOrSelf(source.getEnclosingCallable()) and
-    isDoFilterMethod(m)
-  )
-}
-
-/**
- * Holds if somewhere in the whole program some user-controlled
- * input is tested with what appears to be a token- or authentication-checking function,
- * and `checkNode` is reachable from any function that can reach the user-controlled input source.
- */
-predicate existsServletVerificationMethod(Node checkNode) {
-  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
-    vmfc.hasFlow(source, sink) and
-    getACallingCallableOrSelf(source.getEnclosingCallable()) =
-      getACallingCallableOrSelf(checkNode.getEnclosingCallable())
-  )
-}
-
 /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
@@ -64,8 +39,6 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 from DataFlow::PathNode source, DataFlow::PathNode sink, RequestResponseFlowConfig conf
 where
-  not existsServletVerificationMethod(source.getNode()) and
-  not existsFilterVerificationMethod() and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 5f2ad8e8532..af9cebb865c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -42,17 +42,21 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   }
 }
 
-/** Get Callable by recursive method. */
-Callable getACallingCallableOrSelf(Callable call) {
-  result = call
-  or
-  result = getACallingCallableOrSelf(call.getAReference().getEnclosingCallable())
-}
-
 /**
  * A method that is called to handle an HTTP GET request.
  */
-abstract class RequestGetMethod extends Method { }
+abstract class RequestGetMethod extends Method {
+  RequestGetMethod() {
+    not exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
+      vmfc.hasFlow(source, sink) and
+      any(this).polyCalls*(source.getEnclosingCallable())
+    ) and
+    not exists(MethodAccess ma |
+      ma.getMethod() instanceof ServletRequestGetBodyMethod and
+      any(this).polyCalls*(ma.getEnclosingCallable())
+    )
+  }
+}
 
 /** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
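Review bot: The retained comment `A method that is called to handle an HTTP GET request.` above the rewritten `RequestGetMethod` no longer describes the class, since the new characteristic predicate silently drops every GET handler whose `polyCalls*` closure reaches a `VerificationMethodFlowConfig` flow or a `ServletRequestGetBodyMethod` call. That exclusion is call-graph reachability rather than a check that the JSONP write itself is guarded, so a handler that merely calls a shared helper which validates some token for another purpose becomes a silent false negative, and the body-read clause now appears to apply to servlet `doGet` overrides as well (this commit removes it only from `SpringControllerRequestMappingGetMethod`). I would replace the comment with `/** A GET request handler that neither (transitively) passes user input to a token/referer verification nor reads the request body; such handlers are assumed to be CSRF-protected and are excluded. This is reachability-based: a check anywhere in the callee graph suppresses the handler even when the JSONP output is not behind it. */`. With `existsFilterVerificationMethod` also gone and the `JsonpInjectionWithFilter` test directory deleted outright, a small regression test keeping `RefererFilter` next to `JsonpInjectionServlet2` and expecting a finding would document that filter-only protection is now intentionally reported rather than suppressing every result (the deleted expected file had an empty `#select` for `bad1`–`bad7`).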
@@ -81,10 +85,6 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
       this.getAnAnnotation().getValue("method").(VarAccess).getVariable().getName() = "GET" or
       this.getAnAnnotation().getValue("method").(ArrayInit).getSize() = 0 //Java code example: @RequestMapping(value = "test")
     ) and
-    not exists(MethodAccess ma |
-      ma.getMethod() instanceof ServletRequestGetBodyMethod and
-      any(this).polyCalls*(ma.getEnclosingCallable())
-    ) and
     not this.getAParamType().getName() = "MultipartFile"
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
deleted file mode 100644
index e875da2f699..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
+++ /dev/null
@@ -1,218 +0,0 @@ -import com.alibaba.fastjson.JSONObject; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.google.gson.Gson; -import java.io.BufferedReader; -import java.io.IOException; -import java.io.InputStreamReader; -import java.io.PrintWriter; -import java.util.HashMap; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.GetMapping; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; -import org.springframework.web.multipart.MultipartFile; - -@Controller -public class JsonpController { - - private static HashMap hashMap = new HashMap(); - - static { - hashMap.put("username","admin"); - hashMap.put("password","123456"); - } - - @GetMapping(value = "jsonp1") - @ResponseBody - public String bad1(HttpServletRequest request) { - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - Gson gson = new Gson(); - String result = gson.toJson(hashMap); - resultStr = jsonpCallback + "(" + result + ")"; - return resultStr; - } - - @GetMapping(value = "jsonp2") - @ResponseBody - public String bad2(HttpServletRequest request) { - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")"; - return resultStr; - } - - @GetMapping(value = "jsonp3") - @ResponseBody - public String bad3(HttpServletRequest request) { - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - String jsonStr = getJsonStr(hashMap); - resultStr = jsonpCallback + "(" + jsonStr + ")"; - return resultStr; - } - - @GetMapping(value = "jsonp4") - @ResponseBody - public String 
bad4(HttpServletRequest request) { - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - String restr = JSONObject.toJSONString(hashMap); - resultStr = jsonpCallback + "(" + restr + ");"; - return resultStr; - } - - @GetMapping(value = "jsonp5") - @ResponseBody - public void bad5(HttpServletRequest request, - HttpServletResponse response) throws Exception { - String jsonpCallback = request.getParameter("jsonpCallback"); - PrintWriter pw = null; - Gson gson = new Gson(); - String result = gson.toJson(hashMap); - String resultStr = null; - pw = response.getWriter(); - resultStr = jsonpCallback + "(" + result + ")"; - pw.println(resultStr); - } - - @GetMapping(value = "jsonp6") - @ResponseBody - public void bad6(HttpServletRequest request, - HttpServletResponse response) throws Exception { - String jsonpCallback = request.getParameter("jsonpCallback"); - PrintWriter pw = null; - ObjectMapper mapper = new ObjectMapper(); - String result = mapper.writeValueAsString(hashMap); - String resultStr = null; - pw = response.getWriter(); - resultStr = jsonpCallback + "(" + result + ")"; - pw.println(resultStr); - } - - @RequestMapping(value = "jsonp7", method = RequestMethod.GET) - @ResponseBody - public String bad7(HttpServletRequest request) { - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - Gson gson = new Gson(); - String result = gson.toJson(hashMap); - resultStr = jsonpCallback + "(" + result + ")"; - return resultStr; - } - - @GetMapping(value = "jsonp8") - @ResponseBody - public String bad8(HttpServletRequest request) { - String resultStr = null; - String token = request.getParameter("token"); - boolean result = verifToken(token); //Just check. 
- String jsonpCallback = request.getParameter("jsonpCallback"); - String jsonStr = getJsonStr(hashMap); - resultStr = jsonpCallback + "(" + jsonStr + ")"; - return resultStr; - } - - - @GetMapping(value = "jsonp9") - @ResponseBody - public String good1(HttpServletRequest request) { - String resultStr = null; - String referer = request.getParameter("referer"); - if (verifReferer(referer)){ - String jsonpCallback = request.getParameter("jsonpCallback"); - String jsonStr = getJsonStr(hashMap); - resultStr = jsonpCallback + "(" + jsonStr + ")"; - return resultStr; - } - return "error"; - } - - - @GetMapping(value = "jsonp10") - @ResponseBody - public String good2(HttpServletRequest request) { - String resultStr = null; - String token = request.getParameter("token"); - boolean result = verifToken(token); - if (result){ - return ""; - } - String jsonpCallback = request.getParameter("jsonpCallback"); - String jsonStr = getJsonStr(hashMap); - resultStr = jsonpCallback + "(" + jsonStr + ")"; - return resultStr; - } - - @RequestMapping(value = "jsonp11") - @ResponseBody - public String good3(HttpServletRequest request) { - JSONObject parameterObj = readToJSONObect(request); - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - String restr = JSONObject.toJSONString(hashMap); - resultStr = jsonpCallback + "(" + restr + ");"; - return resultStr; - } - - @RequestMapping(value = "jsonp12") - @ResponseBody - public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) { - if(null == file){ - return "upload file error"; - } - String fileName = file.getOriginalFilename(); - System.out.println("file operations"); - String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); - String restr = JSONObject.toJSONString(hashMap); - resultStr = jsonpCallback + "(" + restr + ");"; - return resultStr; - } - - public static JSONObject readToJSONObect(HttpServletRequest request){ - String jsonText = 
readPostContent(request); - JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class); - return jsonObj; - } - - public static String readPostContent(HttpServletRequest request){ - BufferedReader in= null; - String content = null; - String line = null; - try { - in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8")); - StringBuilder buf = new StringBuilder(); - while ((line = in.readLine()) != null) { - buf.append(line); - } - content = buf.toString(); - } catch (IOException e) { - e.printStackTrace(); - } - String uri = request.getRequestURI(); - return content; - } - - public static String getJsonStr(Object result) { - return JSONObject.toJSONString(result); - } - - public static boolean verifToken(String token){ - if (token != "xxxx"){ - return false; - } - return true; - } - - public static boolean verifReferer(String str){ - if (str != "xxxx"){ - return false; - } - return true; - } -} diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected deleted file mode 100644 index 3da805c6a69..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected +++ /dev/null 
@@ -1,81 +0,0 @@ -edges -| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | -| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr | -| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | -| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr | -| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | -| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr | -| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | -| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr | -| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | -| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr | -| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | -| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr | -| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | -| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr | -| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | -| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr | -| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr | -| JsonpController.java:129:25:129:59 | ... + ... 
: String | JsonpController.java:130:20:130:28 | resultStr | -| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr | -| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr | -| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr | -| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr | -| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | -| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | -| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | -| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | -nodes -| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... 
: String | -| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... 
: String | -| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr | -| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String | -| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr | -| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr | -| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... 
: String | -| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr | -| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr | -#select diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref deleted file mode 100644 index 3f5fc450669..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/Security/CWE/CWE-352/JsonpInjection.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java deleted file mode 100644 index 14ef76275b1..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java +++ /dev/null 
@@ -1,64 +0,0 @@
-import com.google.gson.Gson;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class JsonpInjectionServlet1 extends HttpServlet {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    private static final long serialVersionUID = 1L;
-
-    private String key = "test";
-    @Override
-    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        doPost(req, resp);
-    }
-
-    @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        resp.setContentType("application/json");
-        String jsonpCallback = req.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String jsonResult = gson.toJson(hashMap);
-
-        String referer = req.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-
-        // good
-        if (result){
-            String resultStr = null;
-            pw = resp.getWriter();
-            resultStr = jsonpCallback + "(" + jsonResult + ")";
-            pw.println(resultStr);
-            pw.flush();
-        }
-    }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
-
-    @Override
-    public void init(ServletConfig config) throws ServletException {
-        this.key = config.getInitParameter("key");
-        System.out.println("初始化" + this.key);
-        super.init(config);
-    }
-
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
deleted file mode 100644
index bbfbc2dc436..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
+++ /dev/null
@@ -1,50 +0,0 @@
-import com.google.gson.Gson;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class JsonpInjectionServlet2 extends HttpServlet {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    private static final long serialVersionUID = 1L;
-
-    private String key = "test";
-    @Override
-    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        doPost(req, resp);
-    }
-
-    @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        resp.setContentType("application/json");
-        String jsonpCallback = req.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-
-        String resultStr = null;
-        pw = resp.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-        pw.flush();
-    }
-
-    @Override
-    public void init(ServletConfig config) throws ServletException {
-        this.key = config.getInitParameter("key");
-        System.out.println("初始化" + this.key);
-        super.init(config);
-    }
-
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
deleted file mode 100644
index 97444932ae1..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
+++ /dev/null
@@ -1,43 +0,0 @@
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.util.StringUtils;
-
-public class RefererFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    @Override
-    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
-        String refefer = request.getHeader("Referer");
-        boolean result = verifReferer(refefer);
-        if (result){
-            filterChain.doFilter(servletRequest, servletResponse);
-        }
-        response.sendError(444, "Referer xxx.");
-    }
-
-    @Override
-    public void destroy() {
-    }
-
-    public static boolean verifReferer(String referer){
-        if (StringUtils.isEmpty(referer)){
-            return false;
-        }
-        if (referer.startsWith("http://www.baidu.com/")){
-            return true;
-        }
-        return false;
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
deleted file mode 100644
index c53e31e467f..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
index 2e4bc97ff97..83f2b7f206a 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
@@ -15,9 +15,7 @@ edges | JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr | | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | | JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr | -| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr | | JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr | -| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr | | JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr | | JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr | | JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr | 
@@ -54,14 +52,10 @@ nodes | JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr | | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String | | JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | | JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr | | JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr | | JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String | diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected index d90d51ab552..dfbe0628760 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected 
@@ -15,13 +15,10 @@ edges | JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr | | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | | JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr | -| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr | | JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr | -| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr | | JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr | | JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr | | JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr | -| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | 
@@ -58,22 +55,16 @@ nodes | JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr | | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String | | JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr | -| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String | | JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr | -| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr | | JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr | | JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String | | JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr | -| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String | | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String | | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr | -| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr | | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String | | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... 
: String | | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |