From e4375b0c069898c459d33b344e0698a38669e9df Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 4 May 2023 19:27:52 +0200
Subject: [PATCH] Java: Add test for SQL injection using different threat models.
---
.../configured-flow/sql-tainted1.expected | 24 ++++++++++++
.../configured-flow/sql-tainted1.qlref | 1 +
.../configured-flow/sql-tainted2.expected | 39 +++++++++++++++++++
.../configured-flow/sql-tainted2.ext.yml | 7 ++++
.../configured-flow/sql-tainted2.qlref | 1 +
5 files changed, 72 insertions(+)
create mode 100644 java/ql/test/experimental/configured-flow/sql-tainted1.expected
create mode 100644 java/ql/test/experimental/configured-flow/sql-tainted1.qlref
create mode 100644 java/ql/test/experimental/configured-flow/sql-tainted2.expected
create mode 100644 java/ql/test/experimental/configured-flow/sql-tainted2.ext.yml
create mode 100644 java/ql/test/experimental/configured-flow/sql-tainted2.qlref
diff --git a/java/ql/test/experimental/configured-flow/sql-tainted1.expected b/java/ql/test/experimental/configured-flow/sql-tainted1.expected
new file mode 100644
index 00000000000..bace19009e7
--- /dev/null
+++ b/java/ql/test/experimental/configured-flow/sql-tainted1.expected
@@ -0,0 +1,24 @@ +edges +| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | +| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | +| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | +| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | +| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | +| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | +| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | +| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | +nodes +| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:17:34:17:37 | data | semmle.label | data | +| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | +| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | +subpaths +| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +#select +| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | +| Test.java:20:26:20:80 | ... + ... 
| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value |
diff --git a/java/ql/test/experimental/configured-flow/sql-tainted1.qlref b/java/ql/test/experimental/configured-flow/sql-tainted1.qlref
new file mode 100644
index 00000000000..9ba7d2a03bd
--- /dev/null
+++ b/java/ql/test/experimental/configured-flow/sql-tainted1.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/configured-flow/sql-tainted2.expected b/java/ql/test/experimental/configured-flow/sql-tainted2.expected
new file mode 100644
index 00000000000..e03756e6fbc
--- /dev/null
+++ b/java/ql/test/experimental/configured-flow/sql-tainted2.expected
@@ -0,0 +1,39 @@ +edges +| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | +| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | +| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | +| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | +| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | +| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | +| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | +| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:56:28:57 | rs : ResultSet | +| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:35 | rs : ResultSet | +| Test.java:28:56:28:57 | rs : ResultSet | Test.java:28:56:28:75 | getString(...) : String | +| Test.java:28:56:28:75 | getString(...) : String | Test.java:28:26:28:82 | ... + ... | +| Test.java:32:34:32:35 | rs : ResultSet | Test.java:32:34:32:53 | getString(...) : String | +| Test.java:32:34:32:53 | getString(...) : String | Test.java:32:34:32:64 | getBytes(...) | +nodes +| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:17:34:17:37 | data | semmle.label | data | +| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | +| Test.java:20:56:20:73 | byteToString(...) 
: String | semmle.label | byteToString(...) : String | +| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | +| Test.java:28:26:28:82 | ... + ... | semmle.label | ... + ... | +| Test.java:28:56:28:57 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:28:56:28:75 | getString(...) : String | semmle.label | getString(...) : String | +| Test.java:32:34:32:35 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:32:34:32:53 | getString(...) : String | semmle.label | getString(...) : String | +| Test.java:32:34:32:64 | getBytes(...) | semmle.label | getBytes(...) | +subpaths +| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +#select +| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | +| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | +| Test.java:28:26:28:82 | ... + ... | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:26:28:82 | ... + ... | This query depends on a $@. | Test.java:25:20:25:59 | executeQuery(...) | user-provided value | +| Test.java:32:34:32:64 | getBytes(...) | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:64 | getBytes(...) | This query depends on a $@. | Test.java:25:20:25:59 | executeQuery(...) | user-provided value | 
diff --git a/java/ql/test/experimental/configured-flow/sql-tainted2.ext.yml b/java/ql/test/experimental/configured-flow/sql-tainted2.ext.yml
new file mode 100644
index 00000000000..d5e7640e607
--- /dev/null
+++ b/java/ql/test/experimental/configured-flow/sql-tainted2.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+ - addsTo:
+ pack: codeql/java-tests
+ extensible: supportedThreatModel
+ data:
+ - ["sql"]
\ No newline at end of file
diff --git a/java/ql/test/experimental/configured-flow/sql-tainted2.qlref b/java/ql/test/experimental/configured-flow/sql-tainted2.qlref
new file mode 100644
index 00000000000..9ba7d2a03bd
--- /dev/null
+++ b/java/ql/test/experimental/configured-flow/sql-tainted2.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql
\ No newline at end of file
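Review bot: `sql-tainted2.ext.yml` has no comment saying what adding `"sql"` to `supportedThreatModel` is meant to change, so the intent can only be read off the difference between the two `.expected` files. Judging from `sql-tainted2.expected`, the effect is the two extra `#select` rows whose source is `executeQuery(...)` at Test.java line 25, i.e. database results being treated as a taint source. A header comment such as `# Enables the "sql" threat model so values read from a database (executeQuery/ResultSet) count as taint sources in sql-tainted2.` would make that explicit. Presumably `sql-tainted1` is the default-threat-model baseline because it has no matching `.ext.yml`, which is worth stating in the same comment if confirmed. The file also ends without a trailing newline, as do both `.qlref` files.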