Add test cases and reduce FPs

2026-04-30 11:15:13 +02:00 · 2022-07-01 23:03:29 +00:00
parent 251f67dcf3
commit e33d786745
4 changed files with 36 additions and 71 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeLoadSpringResource.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeLoadSpringResource.java
@@ -1,6 +1,7 @@
 package com.example;

 import java.io.File;
+import java.io.FileReader;
 import java.io.InputStreamReader;
 import java.io.IOException;
 import java.io.Reader;
@@ -31,7 +32,7 @@ public class UnsafeLoadSpringResource {
 		char[] buffer = new char[4096];
 		StringBuilder out = new StringBuilder();
 		try {
-			Reader in = new InputStreamReader(clr.getInputStream(), "UTF-8");
+			Reader in = new FileReader(clr.getFilename());
 			for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
 				out.append(buffer, 0, numRead);
 			}
@@ -103,6 +104,7 @@ public class UnsafeLoadSpringResource {

 	@GetMapping("/file3")
 	//BAD: Get resource from ResourceLoader (same as application context) without input validation
+	// Note it is not detected without the generic `resource.getInputStream()` check
 	public String getFileContent3(@RequestParam(name="fileName") String fileName) {
 		String content = null;