Java: Inline expectation should have space after $

This was a regex find-and-replace from `// \$(?! )` (a negative lookahead, i.e. a `$` not already followed by a space) to `// $ `, so only the inline-expectation comments are touched.
This commit is contained in:
Owen Mansel-Chan
2026-03-03 14:56:35 +00:00
parent 219ea28217
commit ef345a3279
87 changed files with 2744 additions and 2746 deletions


@@ -1,7 +1,7 @@
class Bad extends WebViewClient {
// BAD: All certificates are trusted.
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
handler.proceed();
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
handler.proceed();
}
}
@@ -9,7 +9,7 @@ class Good extends WebViewClient {
PublicKey myPubKey = ...;
// GOOD: Only certificates signed by a certain public key are trusted.
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
try {
X509Certificate cert = error.getCertificate().getX509Certificate();
cert.verify(this.myPubKey);
@@ -18,5 +18,5 @@ class Good extends WebViewClient {
catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {
handler.cancel();
}
}
}
}
}
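Review bot: The `Good` variant of `onReceivedSslError` only checks that the presented certificate's signature verifies under the pinned key (`cert.verify(this.myPubKey)`), which says nothing about why the `SslError` was raised; an expired certificate or a hostname mismatch from a chain signed by that key would presumably still be accepted if the method goes on to call `handler.proceed()`. Since the fixture labels this `GOOD`, a comment such as `// NOTE: a signature check alone does not cover SSL_EXPIRED / SSL_IDMISMATCH; inspect error.getPrimaryError() as well` would keep the example from being copied as a complete fix. The body of `onReceivedSslError` is split across the two hunks and what follows the `verify` call is not visible here.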


@@ -47,20 +47,20 @@ class BadMacUse {
SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom());
byte[] plaintext = cipher.doFinal(ciphertext); // $Source
byte[] plaintext = cipher.doFinal(ciphertext); // $ Source
// Now verify MAC (too late)
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(macKey);
byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
byte[] computedMac = mac.doFinal(plaintext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
if (!MessageDigest.isEqual(receivedMac, computedMac)) {
throw new SecurityException("MAC verification failed");
}
}
public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $Source
public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source
// Create keys directly from provided byte arrays
SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
@@ -73,7 +73,7 @@ class BadMacUse {
// Encrypt the plaintext
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new SecureRandom());
byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
byte[] ciphertext = cipher.doFinal(plaintext); // $ Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
// Concatenate ciphertext and MAC
byte[] output = new byte[ciphertext.length + computedMac.length];
@@ -132,7 +132,7 @@ class BadMacUse {
/**
* Correct inputs to a decrypt and MAC operation, but the ordering is unsafe.
* Correct inputs to a decrypt and MAC operation, but the ordering is unsafe.
* The function decrypts THEN computes the MAC on the plaintext.
* It should have the MAC computed on the ciphertext first.
*/
@@ -143,13 +143,13 @@ class BadMacUse {
byte[] receivedMac = Arrays.copyOfRange(input, input.length - macLength, input.length);
// Decrypt first (unsafe)
byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $Source
byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source
// Now verify MAC (too late)
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(macKey);
byte[] computedMac = mac.doFinal(ciphertext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
if (!MessageDigest.isEqual(receivedMac, computedMac)) {
throw new SecurityException("MAC verification failed");
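Review bot: The free text after the expectation on the `mac.doFinal(ciphertext)` line, `, False positive for Plaintext reuse`, stays inside the `// $` expectation comment after the rename, where whitespace-separated tokens are normally read as further expectation tags, so it is at least fragile and possibly rejected by the harness. Moving it to its own comment line above, `// False positive for plaintext reuse`, and leaving `// $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac]` alone avoids that. Separately, `{// $ Source` on the `BadMacOnPlaintext` signature lacks the space before `//` that every other expectation in the file has, which the regex in the commit message would not have caught. The `cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom())` call in the first hunk also appears to initialise GCM for decryption without a `GCMParameterSpec`, which I believe the JDK provider rejects at runtime; harmless for an extraction-only fixture, but a `// fixture only: not runnable` comment would save the next reader the question.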


@@ -11,33 +11,33 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a byte array
public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source
byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $ Source
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
// BAD: AES-GCM with static IV from zero-initialized byte array
public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[16];
byte[] iv = new byte[16];
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.update(plaintext);
return cipher.doFinal();
}
// BAD: AES-CBC with static IV from 1-initialized byte array
public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[16];
byte[] iv = new byte[16];
for (byte i = 0; i < iv.length; i++) {
iv[i] = 1;
}
@@ -46,7 +46,7 @@ public class InsecureIVorNonceSource {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -54,15 +54,15 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a multidimensional byte array
public byte[] encryptWithOneOfStaticIvs01(byte[] key, byte[] plaintext) throws Exception {
byte[][] staticIvs = new byte[][] {
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $Source
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $Source
};
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $ Source
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $ Source
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -70,15 +70,15 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a multidimensional byte array
public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws Exception {
byte[][] staticIvs = new byte[][] {
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $Source
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $Source
};
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $ Source
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $ Source
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -86,15 +86,15 @@ public class InsecureIVorNonceSource {
// BAD: AES-GCM with static IV from a zero-initialized multidimensional byte array
public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception {
byte[][] ivs = new byte[][] {
new byte[8],
new byte[16]
new byte[8],
new byte[16]
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/unknown-iv-or-nonce-source]
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -166,8 +166,8 @@ public class InsecureIVorNonceSource {
return cipher.doFinal();
}
public byte[] generate(int size) throws Exception {
if (size == 0) {
public byte[] generate(int size) throws Exception {
if (size == 0) {
return new byte[0];
}
byte[] randomBytes = new byte[size];
@@ -183,7 +183,7 @@ public class InsecureIVorNonceSource {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -191,7 +191,7 @@ public class InsecureIVorNonceSource {
public byte[] generateInsecureRandomBytes(int numBytes) {
Random random = new Random();
byte[] bytes = new byte[numBytes];
random.nextBytes(bytes); // $Source
random.nextBytes(bytes); // $ Source
return bytes;
}
@@ -203,7 +203,7 @@ public class InsecureIVorNonceSource {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]]
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]]
cipher.update(plaintext);
return cipher.doFinal();
}
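Review bot: The expectation in the last hunk ends with a doubled bracket, `$ Alert[java/quantum/examples/insecure-iv-or-nonce]]`, while every other expectation in this file closes with a single `]`; the extra bracket was carried over unchanged and should be `// $ Alert[java/quantum/examples/insecure-iv-or-nonce]` unless the expectation parser is known to tolerate it. The GCM cases also use the transformation `"AES/GCM/PKCS5PADDING"`, which as far as I know the JDK provider does not support (GCM is paired with `NoPadding`); if the query keys only on the mode this is cosmetic, but `"AES/GCM/NoPadding"` would make the fixture both realistic and consistent with the `BadMacUse` file. The function around the last hunk (`@@ -203,7`) starts before the hunk, so its IV source is not visible here.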


@@ -2,15 +2,15 @@ import java.security.*;
public class InsufficientAsymmetricKeySize{
public static void test() throws Exception{
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
keyPairGen1.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen1.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen1.generateKeyPair();
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
keyPairGen2.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen2.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen2.generateKeyPair();
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
keyPairGen3.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen3.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
keyPairGen3.generateKeyPair();
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
@@ -25,4 +25,4 @@ public class InsufficientAsymmetricKeySize{
keyPairGen6.initialize(2048); // GOOD
keyPairGen6.generateKeyPair();
}
}
}


@@ -10,25 +10,25 @@ public class Test {
byte[] data = "SensitiveData".getBytes();
// Insecure block mode: ECB
Cipher cipherECB = Cipher.getInstance("AES/ECB/PKCS5Padding"); // $Alert
Cipher cipherECB = Cipher.getInstance("AES/ECB/PKCS5Padding"); // $ Alert
cipherECB.init(Cipher.ENCRYPT_MODE, key);
byte[] ecbEncrypted = cipherECB.doFinal(data);
System.out.println("ECB encrypted: " + bytesToHex(ecbEncrypted));
// Insecure block mode: CFB
Cipher cipherCFB = Cipher.getInstance("AES/CFB/PKCS5Padding"); // $Alert
Cipher cipherCFB = Cipher.getInstance("AES/CFB/PKCS5Padding"); // $ Alert
cipherCFB.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] cfbEncrypted = cipherCFB.doFinal(data);
System.out.println("CFB encrypted: " + bytesToHex(cfbEncrypted));
// Insecure block mode: OFB
Cipher cipherOFB = Cipher.getInstance("AES/OFB/PKCS5Padding"); // $Alert
Cipher cipherOFB = Cipher.getInstance("AES/OFB/PKCS5Padding"); // $ Alert
cipherOFB.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] ofbEncrypted = cipherOFB.doFinal(data);
System.out.println("OFB encrypted: " + bytesToHex(ofbEncrypted));
// Insecure block mode: CTR
Cipher cipherCTR = Cipher.getInstance("AES/CTR/NoPadding"); // $Alert
Cipher cipherCTR = Cipher.getInstance("AES/CTR/NoPadding"); // $ Alert
cipherCTR.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] ctrEncrypted = cipherCTR.doFinal(data);
System.out.println("CTR encrypted: " + bytesToHex(ctrEncrypted));
@@ -54,4 +54,4 @@ public class Test {
sb.append(String.format("%02x", b));
return sb.toString();
}
}
}
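Review bot: The comments `// Insecure block mode: CFB`, `// Insecure block mode: OFB` and `// Insecure block mode: CTR` overstate what is wrong with those modes; they are unauthenticated, not broken like ECB, and the `$ Alert` expectations presumably reflect a policy that requires an authenticated mode rather than a cryptographic weakness. Relabelling them `// Unauthenticated (non-AEAD) block mode: CTR` and keeping `// Insecure block mode: ECB` only for ECB would make the fixture say what the query actually checks. The CFB and OFB transformations also request `PKCS5Padding` on stream-style modes, which is at least unusual and may not be accepted by the provider; it is cosmetic for an extraction-only test.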


@@ -12,33 +12,33 @@ public class WeakHashing {
props.load(new FileInputStream("example.properties"));
// BAD: Using a weak hashing algorithm even with a secure default
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Using a weak hashing algorithm even with a secure default
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Using a strong hashing algorithm but with a weak default
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Using a weak hash
MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/examples/weak-hash]
MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $ Alert[java/quantum/examples/weak-hash]
// BAD: Property does not exist and default (used value) is unknown
MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/examples/unknown-hash]
MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $ Alert[java/quantum/examples/unknown-hash]
java.util.Properties props2 = new java.util.Properties();
props2.load(new FileInputStream("unobserved-file.properties"));
// BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown
// BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown
// FALSE NEGATIVE for unknown hash
MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $ Alert[java/quantum/examples/unknown-hash]
// GOOD: Using a strong hashing algorithm
MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
// BAD?: Property does not exist (considered unknown) and but default is secure
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $ Alert[java/quantum/examples/unknown-hash]
// GOOD: Using a strong hashing algorithm
MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
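Review bot: The comment above `bad6` says `// FALSE NEGATIVE for unknown hash`, but the expectation on the same statement is `$ Alert[java/quantum/examples/unknown-hash]`, i.e. the test asserts the alert does fire; one of the two is stale. If the alert is produced, drop the FALSE NEGATIVE line; if it is not, the expectation should carry the harness's missing-result prefix (`// $ MISSING: Alert[java/quantum/examples/unknown-hash]`) rather than a plain `Alert`. The `ok2` case is likewise named as if it were clean while expecting an alert, and its comment `and but default is secure` reads as a typo for `but the default is secure`; renaming it `bad7` or rewording the comment to `// BAD?: property is unknown even though the default is secure` would keep name, comment and expectation in agreement.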


@@ -28,8 +28,8 @@ public class Test {
*/
public void pbkdf2LowIteration(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 10; // $Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/weak-kdf-iteration-count]
int iterationCount = 10; // $ Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/weak-kdf-iteration-count]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
@@ -40,9 +40,9 @@ public class Test {
* SAST/CBOM: - Parent: PBKDF2. - Iteration count is only 10, which is far
* below acceptable security standards. - Flagged as insecure.
*/
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $Source
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source
byte[] salt = generateSalt(16);
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/unknown-kdf-iteration-count]
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
@@ -55,9 +55,9 @@ public class Test {
*/
public void pbkdf2HighIteration(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 1_000_000;
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256);
int iterationCount = 1_000_000;
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256);
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
}
}


@@ -20,8 +20,8 @@ public class Test {
public void pbkdf2WeakKeySize(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 100_000;
int keySize = 64; // $Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/examples/weak-kdf-key-size]
int keySize = 64; // $ Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $ Alert[java/quantum/examples/weak-kdf-key-size]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
@@ -39,4 +39,4 @@ public class Test {
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
}
}


@@ -10,51 +10,51 @@ public class Test {
byte[] data = "Sensitive Data".getBytes();
// BAD: DES (unsafe)
KeyGenerator desKeyGen = KeyGenerator.getInstance("DES"); // $Alert
KeyGenerator desKeyGen = KeyGenerator.getInstance("DES"); // $ Alert
SecretKey desKey = desKeyGen.generateKey();
Cipher desCipher = Cipher.getInstance("DES"); // $Alert
Cipher desCipher = Cipher.getInstance("DES"); // $ Alert
desCipher.init(Cipher.ENCRYPT_MODE, desKey);
byte[] desEncrypted = desCipher.doFinal(data);
// BAD: DESede (Triple DES, considered weak)
KeyGenerator desedeKeyGen = KeyGenerator.getInstance("DESede"); // $Alert
KeyGenerator desedeKeyGen = KeyGenerator.getInstance("DESede"); // $ Alert
SecretKey desedeKey = desedeKeyGen.generateKey();
Cipher desedeCipher = Cipher.getInstance("DESede"); // $Alert
Cipher desedeCipher = Cipher.getInstance("DESede"); // $ Alert
desedeCipher.init(Cipher.ENCRYPT_MODE, desedeKey);
byte[] desedeEncrypted = desedeCipher.doFinal(data);
// BAD: Blowfish (considered weak)
KeyGenerator blowfishKeyGen = KeyGenerator.getInstance("Blowfish"); // $Alert
KeyGenerator blowfishKeyGen = KeyGenerator.getInstance("Blowfish"); // $ Alert
SecretKey blowfishKey = blowfishKeyGen.generateKey();
Cipher blowfishCipher = Cipher.getInstance("Blowfish"); // $Alert
Cipher blowfishCipher = Cipher.getInstance("Blowfish"); // $ Alert
blowfishCipher.init(Cipher.ENCRYPT_MODE, blowfishKey);
byte[] blowfishEncrypted = blowfishCipher.doFinal(data);
// BAD: RC2 (unsafe)
KeyGenerator rc2KeyGen = KeyGenerator.getInstance("RC2"); // $Alert
KeyGenerator rc2KeyGen = KeyGenerator.getInstance("RC2"); // $ Alert
SecretKey rc2Key = rc2KeyGen.generateKey();
Cipher rc2Cipher = Cipher.getInstance("RC2"); // $Alert
Cipher rc2Cipher = Cipher.getInstance("RC2"); // $ Alert
rc2Cipher.init(Cipher.ENCRYPT_MODE, rc2Key);
byte[] rc2Encrypted = rc2Cipher.doFinal(data);
// BAD: RC4 (stream cipher, unsafe)
KeyGenerator rc4KeyGen = KeyGenerator.getInstance("RC4"); // $Alert
KeyGenerator rc4KeyGen = KeyGenerator.getInstance("RC4"); // $ Alert
SecretKey rc4Key = rc4KeyGen.generateKey();
Cipher rc4Cipher = Cipher.getInstance("RC4"); // $Alert
Cipher rc4Cipher = Cipher.getInstance("RC4"); // $ Alert
rc4Cipher.init(Cipher.ENCRYPT_MODE, rc4Key);
byte[] rc4Encrypted = rc4Cipher.doFinal(data);
// BAD: IDEA (considered weak)
KeyGenerator ideaKeyGen = KeyGenerator.getInstance("IDEA"); // $Alert
KeyGenerator ideaKeyGen = KeyGenerator.getInstance("IDEA"); // $ Alert
SecretKey ideaKey = ideaKeyGen.generateKey();
Cipher ideaCipher = Cipher.getInstance("IDEA"); // $Alert
Cipher ideaCipher = Cipher.getInstance("IDEA"); // $ Alert
ideaCipher.init(Cipher.ENCRYPT_MODE, ideaKey);
byte[] ideaEncrypted = ideaCipher.doFinal(data);
// BAD: Skipjack (unsafe)
KeyGenerator skipjackKeyGen = KeyGenerator.getInstance("Skipjack"); // $Alert
KeyGenerator skipjackKeyGen = KeyGenerator.getInstance("Skipjack"); // $ Alert
SecretKey skipjackKey = skipjackKeyGen.generateKey();
Cipher skipjackCipher = Cipher.getInstance("Skipjack"); // $Alert
Cipher skipjackCipher = Cipher.getInstance("Skipjack"); // $ Alert
skipjackCipher.init(Cipher.ENCRYPT_MODE, skipjackKey);
byte[] skipjackEncrypted = skipjackCipher.doFinal(data);
@@ -78,4 +78,4 @@ public class Test {
// GOOD: not a symmetric cipher (Sanity check)
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
}
}
}


@@ -33,50 +33,50 @@ public class Test {
// top 100 JDK APIs tests
{
Exception e1 = new RuntimeException((String)source());
sink((String)e1.getMessage()); // $hasValueFlow
sink((String)e1.getMessage()); // $ hasValueFlow
Exception e2 = new RuntimeException((Throwable)source());
sink((Throwable)e2.getCause()); // $hasValueFlow
sink((Throwable)e2.getCause()); // $ hasValueFlow
Exception e3 = new IllegalArgumentException((String)source());
sink((String)e3.getMessage()); // $hasValueFlow
sink((String)e3.getMessage()); // $ hasValueFlow
Exception e4 = new IllegalStateException((String)source());
sink((String)e4.getMessage()); // $hasValueFlow
sink((String)e4.getMessage()); // $ hasValueFlow
Exception e5 = new UnsupportedOperationException((String)source());
sink((String)e5.getMessage()); // $hasValueFlow
sink((String)e5.getMessage()); // $ hasValueFlow
Throwable t = new Throwable((Throwable)source());
sink((Throwable)t.getCause()); // $hasValueFlow
sink((Throwable)t.getCause()); // $ hasValueFlow
String s2 = (String)source();
int i = 0;
sink(s2.charAt(i)); // $hasTaintFlow
sink(s2.charAt(i)); // $ hasTaintFlow
ResultSet rs = (ResultSet)source();
sink(rs.getString("")); // $hasTaintFlow
sink(rs.getString("")); // $ hasTaintFlow
}
// top 200 JDK APIs tests
{
// java.io
Exception e1 = new IOException((String)source());
sink((String)e1.getMessage()); // $hasValueFlow
sink((String)e1.getMessage()); // $ hasValueFlow
File f = (File)source();
sink(f.getName()); // $hasTaintFlow
sink(f.getName()); // $ hasTaintFlow
// java.lang
Exception e2 = new Exception((String)source());
sink((String)e2.getMessage()); // $hasValueFlow
sink((String)e2.getMessage()); // $ hasValueFlow
Exception e3 = new IndexOutOfBoundsException((String)source());
sink((String)e3.getMessage()); // $hasValueFlow
sink((String)e3.getMessage()); // $ hasValueFlow
Exception e4 = new RuntimeException((String)source(), (Throwable)source());
sink((String)e4.getMessage()); // $hasValueFlow
sink((Throwable)e4.getCause()); // $hasValueFlow
sink((String)e4.getMessage()); // $ hasValueFlow
sink((Throwable)e4.getCause()); // $ hasValueFlow
// java.sql
Connection con = DriverManager.getConnection("");
@@ -86,14 +86,14 @@ public class Test {
// java.util.concurrent.atomic
AtomicReference ar = new AtomicReference(source());
sink(ar.get()); // $hasValueFlow
sink(ar.get()); // $ hasValueFlow
// java.util
StringJoiner sj1 = new StringJoiner(",");
sink(sj1.add((CharSequence)source())); // $hasTaintFlow
sink(sj1.add((CharSequence)source())); // $ hasTaintFlow
StringJoiner sj2 = (StringJoiner)source();
sink(sj2.add("test")); // $hasValueFlow
sink(sj2.add("test")); // $ hasValueFlow
}
// top 300-500 JDK APIs tests
@@ -101,62 +101,62 @@ public class Test {
// java.awt
Container container = new Container();
sink(container.add((Component)source())); // $hasValueFlow
sink(container.add((Component)source())); // $ hasValueFlow
// java.io
File f1 = (File)source();
sink(f1.getParentFile()); // $hasTaintFlow
sink(f1.getParentFile()); // $ hasTaintFlow
File f2 = (File)source();
sink(f2.getPath()); // $hasTaintFlow
sink(f2.getPath()); // $ hasTaintFlow
StringWriter sw = (StringWriter)source();
sink(sw.toString()); // $hasTaintFlow
sink(sw.toString()); // $ hasTaintFlow
Exception e = new UncheckedIOException((IOException)source());
sink((Throwable)e.getCause()); // $hasValueFlow
sink((Throwable)e.getCause()); // $ hasValueFlow
// java.net
URL url = (URL)source();
sink(url.toURI()); // $hasTaintFlow
sink(url.toURI()); // $ hasTaintFlow
// java.nio.file
Path p = (Path)source();
sink(p.getFileName()); // $hasTaintFlow
sink(p.getFileName()); // $ hasTaintFlow
// java.util.concurrent.atomic
AtomicReference ar = new AtomicReference();
ar.set(source());
sink(ar.get()); // $hasValueFlow
sink(ar.get()); // $ hasValueFlow
// java.util.concurrent
// `ThreadPoolExecutor` implements the `java.util.concurrent.ExecutorService` interface
ThreadPoolExecutor tpe = new ThreadPoolExecutor(0, 0, 0, null, null);
sink(tpe.submit((Runnable)source())); // $hasTaintFlow
sink(tpe.submit((Runnable)source())); // $ hasTaintFlow
CompletionStage cs = (CompletionStage)source();
sink(cs.toCompletableFuture()); // $hasTaintFlow
sink(cs.toCompletableFuture()); // $ hasTaintFlow
CompletableFuture cf1 = new CompletableFuture();
cf1.complete(source());
sink(cf1.get()); // $hasValueFlow
sink(cf1.join()); // $hasValueFlow
sink(cf1.get()); // $ hasValueFlow
sink(cf1.join()); // $ hasValueFlow
CompletableFuture cf2 = CompletableFuture.completedFuture(source());
sink(cf2.get()); // $hasValueFlow
sink(cf2.join()); // $hasValueFlow
sink(cf2.get()); // $ hasValueFlow
sink(cf2.join()); // $ hasValueFlow
// java.util.logging
Logger logger = Logger.getLogger((String)source());
sink(logger.getName()); // $hasValueFlow
sink(logger.getName()); // $ hasValueFlow
// java.util.regex
Pattern pattern = Pattern.compile((String)source());
sink(pattern); // $hasTaintFlow
sink(pattern); // $ hasTaintFlow
// java.util
EventObject eventObj = new EventObject(source());
sink(eventObj.getSource()); // $hasValueFlow
sink(eventObj.getSource()); // $ hasValueFlow
// "java.util;ResourceBundle;true;getString;(String);;Argument[-1].MapValue;ReturnValue;value;manual"
String out = null;
@@ -166,33 +166,33 @@ public class Test {
// java.lang
AssertionError assertErr = new AssertionError(source());
sink((String)assertErr.getMessage()); // $hasValueFlow
sink((String)assertErr.getMessage()); // $ hasValueFlow
sink(Test.class.cast(source())); // $hasValueFlow
sink(Test.class.cast(source())); // $ hasValueFlow
Exception excep1 = new Exception((String)source(), (Throwable)source());
sink((String)excep1.getMessage()); // $hasValueFlow
sink((Throwable)excep1.getCause()); // $hasValueFlow
sink((String)excep1.getMessage()); // $ hasValueFlow
sink((Throwable)excep1.getCause()); // $ hasValueFlow
Exception excep2 = new NullPointerException((String)source());
sink((String)excep2.getMessage()); // $hasValueFlow
sink((String)excep2.getMessage()); // $ hasValueFlow
StringBuilder sb = (StringBuilder)source();
sink(sb.delete(0, 1)); // $hasValueFlow
sink(sb.delete(0, 1)); // $ hasValueFlow
Thread thread1 = new Thread((Runnable)source());
sink(thread1); // $hasTaintFlow
sink(thread1); // $ hasTaintFlow
Thread thread2 = new Thread((String)source());
sink(thread2.getName()); // $hasValueFlow
sink(thread2.getName()); // $ hasValueFlow
ThreadLocal threadloc = new ThreadLocal();
threadloc.set(source());
sink(threadloc.get()); // $hasValueFlow
sink(threadloc.get()); // $ hasValueFlow
Throwable th = new Throwable((String)source());
sink((String)th.getLocalizedMessage()); // $hasValueFlow
sink(th.toString()); // $hasTaintFlow
sink((String)th.getLocalizedMessage()); // $ hasValueFlow
sink(th.toString()); // $ hasTaintFlow
}
}
}


@@ -48,34 +48,34 @@ public class EntryPointTypesTest {
private static void sink(String sink) {}
public static void test(TestObject source) {
sink(source.field1); // $hasTaintFlow
sink(source.getField2()); // $hasTaintFlow
sink(source.getField3().field4); // $hasTaintFlow
sink(source.getField3().getField5()); // $hasTaintFlow
sink(source.field1); // $ hasTaintFlow
sink(source.getField2()); // $ hasTaintFlow
sink(source.getField3().field4); // $ hasTaintFlow
sink(source.getField3().getField5()); // $ hasTaintFlow
}
public static void testParameterized(
ParameterizedTestObject<TestObject, AnotherTestObject> source) {
sink(source.field6); // $hasTaintFlow
sink(source.field7.field1); // $hasTaintFlow
sink(source.field7.getField2()); // $hasTaintFlow
sink(source.getField8().field4); // $hasTaintFlow
sink(source.getField8().getField5()); // $hasTaintFlow
sink(source.field6); // $ hasTaintFlow
sink(source.field7.field1); // $ hasTaintFlow
sink(source.field7.getField2()); // $ hasTaintFlow
sink(source.getField8().field4); // $ hasTaintFlow
sink(source.getField8().getField5()); // $ hasTaintFlow
}
public static void testSubtype(ParameterizedTestObject<?, ?> source) {
ChildObject subtypeSource = (ChildObject) source;
sink(subtypeSource.field6); // $hasTaintFlow
sink(subtypeSource.field7.field1); // $hasTaintFlow
sink(subtypeSource.field7.getField2()); // $hasTaintFlow
sink((String) subtypeSource.getField8()); // $hasTaintFlow
sink((String) subtypeSource.field9); // $hasTaintFlow
sink(subtypeSource.field6); // $ hasTaintFlow
sink(subtypeSource.field7.field1); // $ hasTaintFlow
sink(subtypeSource.field7.getField2()); // $ hasTaintFlow
sink((String) subtypeSource.getField8()); // $ hasTaintFlow
sink((String) subtypeSource.field9); // $ hasTaintFlow
// Ensure that we are not tainting every subclass of Object
UnrelatedObject unrelated = (UnrelatedObject) subtypeSource.getField8();
sink(unrelated.safeField); // Safe
}
public static void testArray(ArrayElemObject[] source) {
sink(source[0].field); // $hasTaintFlow
sink(source[0].field); // $ hasTaintFlow
}
}


@@ -42,31 +42,31 @@ public class Test {
public static void test1() {
Test t = new Test();
t.fluentNoop().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void test2() {
Test t = new Test();
Test.identity(t).fluentNoop().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void test3() {
Test t = new Test();
t.indirectlyFluentNoop().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void testModel1() {
Test t = new Test();
t.indirectlyFluentNoop().modelledFluentMethod().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
public static void testModel2() {
Test t = new Test();
Test.modelledIdentity(t).indirectlyFluentNoop().modelledFluentMethod().fluentSet(source()).fluentNoop();
sink(t.get()); // $hasValueFlow
sink(t.get()); // $ hasValueFlow
}
}


@@ -18,40 +18,40 @@ public class A {
private static void sink(Object o) {}
public static void main(String[] args) {
sink(args); // $hasLocalValueFlow
sink(args[0]); // $hasLocalTaintFlow
sink(args); // $ hasLocalValueFlow
sink(args[0]); // $ hasLocalTaintFlow
}
public static void userInput() throws SQLException, IOException, MalformedURLException {
sink(System.getenv("test")); // $hasLocalValueFlow
sink(System.getenv("test")); // $ hasLocalValueFlow
class TestServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
sink(req.getParameter("test")); // $hasRemoteValueFlow
sink(req.getHeader("test")); // $hasRemoteValueFlow
sink(req.getQueryString()); // $hasRemoteValueFlow
sink(req.getCookies()[0].getValue()); // $hasRemoteValueFlow
sink(req.getParameter("test")); // $ hasRemoteValueFlow
sink(req.getHeader("test")); // $ hasRemoteValueFlow
sink(req.getQueryString()); // $ hasRemoteValueFlow
sink(req.getCookies()[0].getValue()); // $ hasRemoteValueFlow
}
}
sink(new Properties().getProperty("test")); // $hasLocalValueFlow
sink(System.getProperty("test")); // $hasLocalValueFlow
sink(new Properties().getProperty("test")); // $ hasLocalValueFlow
sink(System.getProperty("test")); // $ hasLocalValueFlow
new Object() {
public void test(ResultSet rs) throws SQLException {
sink(rs.getString(0)); // $hasLocalValueFlow
sink(rs.getString(0)); // $ hasLocalValueFlow
}
};
sink(new URL("test").openConnection().getInputStream()); // $hasRemoteValueFlow
sink(new Socket("test", 1234).getInputStream()); // $hasRemoteValueFlow
sink(InetAddress.getByName("test").getHostName()); // $hasReverseDnsValueFlow
sink(new URL("test").openConnection().getInputStream()); // $ hasRemoteValueFlow
sink(new Socket("test", 1234).getInputStream()); // $ hasRemoteValueFlow
sink(InetAddress.getByName("test").getHostName()); // $ hasReverseDnsValueFlow
sink(InetAddress.getLocalHost().getHostName());
sink(InetAddress.getLoopbackAddress().getHostName());
sink(InetAddress.getByName("test").getCanonicalHostName()); // $hasReverseDnsValueFlow
sink(InetAddress.getByName("test").getCanonicalHostName()); // $ hasReverseDnsValueFlow
sink(InetAddress.getLocalHost().getCanonicalHostName());
sink(InetAddress.getLoopbackAddress().getCanonicalHostName());
sink(System.in); // $hasLocalValueFlow
sink(new FileInputStream("test")); // $hasLocalValueFlow
sink(System.in); // $ hasLocalValueFlow
sink(new FileInputStream("test")); // $ hasLocalValueFlow
}
}


@@ -6,6 +6,6 @@ public class AndroidExposedObject {
@JavascriptInterface
public void test(String arg) {
sink(arg); // $hasRemoteValueFlow
sink(arg); // $ hasRemoteValueFlow
}
}


@@ -6,11 +6,11 @@ public class Hudson {
public static void test() throws Exception {
FilePath fp = null;
sink(FilePath.newInputStreamDenyingSymlinkAsNeeded(null, null, null)); // $hasLocalValueFlow
sink(FilePath.openInputStream(null, null)); // $hasLocalValueFlow
sink(fp.read()); // $hasLocalValueFlow
sink(fp.read(null)); // $hasLocalValueFlow
sink(fp.readFromOffset(-1)); // $hasLocalValueFlow
sink(fp.readToString()); // $hasLocalValueFlow
sink(FilePath.newInputStreamDenyingSymlinkAsNeeded(null, null, null)); // $ hasLocalValueFlow
sink(FilePath.openInputStream(null, null)); // $ hasLocalValueFlow
sink(fp.read()); // $ hasLocalValueFlow
sink(fp.read(null)); // $ hasLocalValueFlow
sink(fp.readFromOffset(-1)); // $ hasLocalValueFlow
sink(fp.readToString()); // $ hasLocalValueFlow
}
}


@@ -9,21 +9,21 @@ public class IntentSourcesActivity extends Activity {
public void test() throws java.io.IOException {
String trouble = this.getIntent().getStringExtra("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
public void test2() throws java.io.IOException {
String trouble = getIntent().getStringExtra("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
public void test3() throws java.io.IOException {
String trouble = getIntent().getExtras().getString("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
}
@@ -34,7 +34,7 @@ class OtherClass {
public void test(IntentSourcesActivity is) throws java.io.IOException {
String trouble = is.getIntent().getStringExtra("key");
sink(trouble); // $hasRemoteTaintFlow
sink(trouble); // $ hasRemoteTaintFlow
}
}


@@ -6,7 +6,7 @@ public class RmiFlowImpl implements RmiFlow {
public String listDirectory(String path) throws java.io.IOException {
String command = "ls " + path;
sink(command); // $hasRemoteTaintFlow
sink(command); // $ hasRemoteTaintFlow
return "pretend there are some results here";
}


@@ -7,21 +7,21 @@ public class SpringMultiPart {
private static void sink(Object o) {}
public void test() throws Exception {
sink(file.getBytes()); // $hasRemoteValueFlow
sink(file.getBytes()); // $ hasRemoteValueFlow
sink(file.isEmpty()); // Safe
sink(file.getInputStream()); // $hasRemoteValueFlow
sink(file.getResource()); // $hasRemoteValueFlow
sink(file.getName()); // $hasRemoteValueFlow
sink(file.getContentType()); // $hasRemoteValueFlow
sink(file.getOriginalFilename()); // $hasRemoteValueFlow
sink(file.getInputStream()); // $ hasRemoteValueFlow
sink(file.getResource()); // $ hasRemoteValueFlow
sink(file.getName()); // $ hasRemoteValueFlow
sink(file.getContentType()); // $ hasRemoteValueFlow
sink(file.getOriginalFilename()); // $ hasRemoteValueFlow
}
public void test(MultipartRequest request) {
sink(request.getFile("name"));// $hasRemoteValueFlow
sink(request.getFileMap());// $hasRemoteValueFlow
sink(request.getFileNames());// $hasRemoteValueFlow
sink(request.getFiles("name"));// $hasRemoteValueFlow
sink(request.getMultiFileMap());// $hasRemoteValueFlow
sink(request.getMultipartContentType("name")); // $hasRemoteValueFlow
sink(request.getFile("name"));// $ hasRemoteValueFlow
sink(request.getFileMap());// $ hasRemoteValueFlow
sink(request.getFileNames());// $ hasRemoteValueFlow
sink(request.getFiles("name"));// $ hasRemoteValueFlow
sink(request.getMultiFileMap());// $ hasRemoteValueFlow
sink(request.getMultipartContentType("name")); // $ hasRemoteValueFlow
}
}
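Review bot: The six `request.*` sinks in `test(MultipartRequest)` still read `);// $ hasRemoteValueFlow` with no space before `//`, while every other expectation in this file (and in the other files touched here) uses `); // $ …`. Since the commit's stated purpose is normalizing the inline-expectation layout, these look like a leftover of the `// \$(?! )` regex rather than an intentional exception; bringing them in line, e.g. `sink(request.getFile("name")); // $ hasRemoteValueFlow`, keeps the test files uniform for any future mechanical edit. This is cosmetic only — the expectation tags themselves are unaffected.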


@@ -7,22 +7,22 @@ public class SpringSavedRequest {
private static void sink(Object o) {}
public void test() {
sink(sr.getRedirectUrl()); // $hasRemoteValueFlow
sink(sr.getCookies()); // $hasRemoteValueFlow
sink(sr.getHeaderValues("name")); // $hasRemoteValueFlow
sink(sr.getHeaderNames()); // $hasRemoteValueFlow
sink(sr.getParameterValues("name")); // $hasRemoteValueFlow
sink(sr.getParameterMap()); // $hasRemoteValueFlow
sink(sr.getRedirectUrl()); // $ hasRemoteValueFlow
sink(sr.getCookies()); // $ hasRemoteValueFlow
sink(sr.getHeaderValues("name")); // $ hasRemoteValueFlow
sink(sr.getHeaderNames()); // $ hasRemoteValueFlow
sink(sr.getParameterValues("name")); // $ hasRemoteValueFlow
sink(sr.getParameterMap()); // $ hasRemoteValueFlow
}
SimpleSavedRequest ssr;
public void test2() {
sink(ssr.getRedirectUrl()); // $hasRemoteValueFlow
sink(ssr.getCookies()); // $hasRemoteValueFlow
sink(ssr.getHeaderValues("name")); // $hasRemoteValueFlow
sink(ssr.getHeaderNames()); // $hasRemoteValueFlow
sink(ssr.getParameterValues("name")); // $hasRemoteValueFlow
sink(ssr.getParameterMap()); // $hasRemoteValueFlow
sink(ssr.getRedirectUrl()); // $ hasRemoteValueFlow
sink(ssr.getCookies()); // $ hasRemoteValueFlow
sink(ssr.getHeaderValues("name")); // $ hasRemoteValueFlow
sink(ssr.getHeaderNames()); // $ hasRemoteValueFlow
sink(ssr.getParameterValues("name")); // $ hasRemoteValueFlow
sink(ssr.getParameterMap()); // $ hasRemoteValueFlow
}
}


@@ -18,14 +18,14 @@ public class TestSources extends SliceProvider {
// "androidx.slice;SliceProvider;true;onBindSlice;;;Parameter[0];contentprovider;manual",
@Override
public Slice onBindSlice(Uri sliceUri) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
return null;
}
// "androidx.slice;SliceProvider;true;onCreatePermissionRequest;;;Parameter[0];contentprovider;manual",
@Override
public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPackage) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
sink(callingPackage); // Safe
return null;
}
@@ -33,18 +33,18 @@ public class TestSources extends SliceProvider {
// "androidx.slice;SliceProvider;true;onMapIntentToUri;;;Parameter[0];contentprovider;manual",
@Override
public Uri onMapIntentToUri(Intent intent) {
sink(intent); // $hasValueFlow
sink(intent); // $ hasValueFlow
return null;
}
// "androidx.slice;SliceProvider;true;onSlicePinned;;;Parameter[0];contentprovider;manual",
public void onSlicePinned(Uri sliceUri) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
}
// "androidx.slice;SliceProvider;true;onSliceUnpinned;;;Parameter[0];contentprovider;manual"
public void onSliceUnpinned(Uri sliceUri) {
sink(sliceUri); // $hasValueFlow
sink(sliceUri); // $ hasValueFlow
}
// Methods needed for compilation


@@ -29,96 +29,96 @@ public class FlowSteps {
}
public static String appendSelectionArgs() {
String[] originalValues = {taint()}; // $taintReachesReturn
String[] newValues = {taint()}; // $taintReachesReturn
String[] originalValues = {taint()}; // $ taintReachesReturn
String[] newValues = {taint()}; // $ taintReachesReturn
return DatabaseUtils.appendSelectionArgs(originalValues, newValues)[0];
}
public static String concatenateWhere() {
String a = taint(); // $taintReachesReturn
String b = taint(); // $taintReachesReturn
String a = taint(); // $ taintReachesReturn
String b = taint(); // $ taintReachesReturn
return DatabaseUtils.concatenateWhere(a, b);
}
public static String buildQueryString(MySQLiteQueryBuilder target) {
target = taint();
boolean distinct = taint();
String tables = taint(); // $taintReachesReturn
String[] columns = {taint()}; // $taintReachesReturn
String where = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String orderBy = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
boolean distinct = taint();
String tables = taint(); // $ taintReachesReturn
String[] columns = {taint()}; // $ taintReachesReturn
String where = taint(); // $ taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
String orderBy = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return SQLiteQueryBuilder.buildQueryString(distinct, tables, columns, where, groupBy, having, orderBy, limit);
}
public static String buildQuery(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String[] projectionIn = {taint()}; // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String[] projectionIn = {taint()}; // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
String sortOrder = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return target.buildQuery(projectionIn, selection, groupBy, having, sortOrder, limit);
}
public static String buildQuery2(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String[] projectionIn = {taint()}; // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String[] projectionIn = {taint()}; // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
String sortOrder = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return target.buildQuery(projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
}
public static String buildUnionQuery(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String[] subQueries = {taint()}; // $taintReachesReturn
String sortOrder = taint(); // $taintReachesReturn
String limit = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String[] subQueries = {taint()}; // $ taintReachesReturn
String sortOrder = taint(); // $ taintReachesReturn
String limit = taint(); // $ taintReachesReturn
return target.buildUnionQuery(subQueries, sortOrder, limit);
}
public static String buildUnionSubQuery2(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String typeDiscriminatorColumn = taint(); // $taintReachesReturn
String[] unionColumns = {taint()}; // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String typeDiscriminatorColumn = taint(); // $ taintReachesReturn
String[] unionColumns = {taint()}; // $ taintReachesReturn
Set<String> columnsPresentInTable = new HashSet();
columnsPresentInTable.add(taint()); // $taintReachesReturn
columnsPresentInTable.add(taint()); // $ taintReachesReturn
int computedColumnsOffset = taint();
String typeDiscriminatorValue = taint(); // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String typeDiscriminatorValue = taint(); // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable,
computedColumnsOffset, typeDiscriminatorValue, selection, selectionArgs, groupBy, having);
}
public static String buildUnionSubQuery3(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String typeDiscriminatorColumn = taint(); // $taintReachesReturn
String[] unionColumns = {taint()}; // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String typeDiscriminatorColumn = taint(); // $ taintReachesReturn
String[] unionColumns = {taint()}; // $ taintReachesReturn
Set<String> columnsPresentInTable = new HashSet();
columnsPresentInTable.add(taint()); // $taintReachesReturn
columnsPresentInTable.add(taint()); // $ taintReachesReturn
int computedColumnsOffset = taint();
String typeDiscriminatorValue = taint(); // $taintReachesReturn
String selection = taint(); // $taintReachesReturn
String groupBy = taint(); // $taintReachesReturn
String having = taint(); // $taintReachesReturn
String typeDiscriminatorValue = taint(); // $ taintReachesReturn
String selection = taint(); // $ taintReachesReturn
String groupBy = taint(); // $ taintReachesReturn
String having = taint(); // $ taintReachesReturn
return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable, computedColumnsOffset,
typeDiscriminatorValue, selection, groupBy, having);
}
public static Cursor query(MyContentResolver target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -126,9 +126,9 @@ public class FlowSteps {
}
public static Cursor query(MyContentProvider target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -136,57 +136,57 @@ public class FlowSteps {
}
public static Cursor query2(MyContentResolver target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static Cursor query2(MyContentProvider target) {
Uri uri = taint(); // $taintReachesReturn
Uri uri = taint(); // $ taintReachesReturn
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
return target.query(uri, projection, selection, selectionArgs, sortOrder);
}
public static StringBuilder appendColumns() {
StringBuilder s = taint(); // $taintReachesReturn
String[] columns = {taint()}; // $taintReachesReturn
StringBuilder s = taint(); // $ taintReachesReturn
String[] columns = {taint()}; // $ taintReachesReturn
SQLiteQueryBuilder.appendColumns(s, columns);
return s;
}
public static SQLiteQueryBuilder setProjectionMap(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
Map<String, String> columnMap = new HashMap();
String k = taint(); // $taintReachesReturn
String v = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
Map<String, String> columnMap = new HashMap();
String k = taint(); // $ taintReachesReturn
String v = taint(); // $ taintReachesReturn
columnMap.put(k, v);
target.setProjectionMap(columnMap);
return target;
}
public static SQLiteQueryBuilder setTables(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
String inTables = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
String inTables = taint(); // $ taintReachesReturn
target.setTables(inTables);
return target;
}
public static SQLiteQueryBuilder appendWhere(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
CharSequence inWhere = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
CharSequence inWhere = taint(); // $ taintReachesReturn
target.appendWhere(inWhere);
return target;
}
public static SQLiteQueryBuilder appendWhereStandalone(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesReturn
CharSequence inWhere = taint(); // $taintReachesReturn
target = taint(); // $ taintReachesReturn
CharSequence inWhere = taint(); // $ taintReachesReturn
target.appendWhereStandalone(inWhere);
return target;
}


@@ -25,58 +25,58 @@ public class Sinks {
}
public static void compileStatement(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
target.compileStatement(sql);
}
public static void delete1(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.delete(db, selection, selectionArgs);
}
public static void delete(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String whereClause = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String whereClause = taint(); // $ taintReachesSink
String[] whereArgs = {taint()};
target.delete(table, whereClause, whereArgs);
}
public static void delete(MyContentResolver target) {
Uri uri = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.delete(uri, selection, selectionArgs);
}
public static void delete(MyContentProvider target) {
Uri uri = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.delete(uri, selection, selectionArgs);
}
public static void execPerConnectionSQL(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
Object[] bindArgs = {taint()};
target.execPerConnectionSQL(sql, bindArgs);
}
public static void execSQL(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
target.execSQL(sql);
}
public static void execSQL2(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
Object[] bindArgs = {taint()};
target.execSQL(sql, bindArgs);
}
public static void insert(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
ContentValues values = taint();
target.insert(db, values);
@@ -84,90 +84,90 @@ public class Sinks {
public static void query(SQLiteDatabase target) {
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
}
public static void query2(SQLiteDatabase target) {
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
CancellationSignal cancellationSignal = taint();
target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit,
cancellationSignal);
}
public static void query3(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy);
}
public static void query4(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
}
public static void query(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] projectionIn = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String sortOrder = taint(); // $ taintReachesSink
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder);
}
public static void query2(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] projectionIn = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String sortOrder = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
}
public static void query3(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
String[] projectionIn = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String[] projectionIn = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String sortOrder = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String sortOrder = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
CancellationSignal cancellationSignal = taint();
target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit, cancellationSignal);
}
@@ -175,7 +175,7 @@ public class Sinks {
public static void query3(MyContentProvider target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder);
@@ -184,7 +184,7 @@ public class Sinks {
public static void query(MyContentProvider target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -194,7 +194,7 @@ public class Sinks {
public static void query3(MyContentResolver target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
target.query(uri, projection, selection, selectionArgs, sortOrder);
@@ -203,7 +203,7 @@ public class Sinks {
public static void query(MyContentResolver target) {
Uri uri = taint();
String[] projection = {taint()};
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String sortOrder = taint();
CancellationSignal cancellationSignal = taint();
@@ -213,14 +213,14 @@ public class Sinks {
public static void queryWithFactory(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
orderBy, limit);
}
@@ -228,27 +228,27 @@ public class Sinks {
public static void queryWithFactory2(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
boolean distinct = taint();
String table = taint(); // $taintReachesSink
String[] columns = {taint()}; // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String[] columns = {taint()}; // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String groupBy = taint(); // $taintReachesSink
String having = taint(); // $taintReachesSink
String orderBy = taint(); // $taintReachesSink
String limit = taint(); // $taintReachesSink
String groupBy = taint(); // $ taintReachesSink
String having = taint(); // $ taintReachesSink
String orderBy = taint(); // $ taintReachesSink
String limit = taint(); // $ taintReachesSink
CancellationSignal cancellationSignal = taint();
target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
orderBy, limit, cancellationSignal);
}
public static void rawQuery(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.rawQuery(sql, selectionArgs);
}
public static void rawQuery2(SQLiteDatabase target) {
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
CancellationSignal cancellationSignal = taint();
target.rawQuery(sql, selectionArgs, cancellationSignal);
@@ -256,7 +256,7 @@ public class Sinks {
public static void rawQueryWithFactory(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String editTable = taint();
target.rawQueryWithFactory(cursorFactory, sql, selectionArgs, editTable);
@@ -264,7 +264,7 @@ public class Sinks {
public static void rawQueryWithFactory2(SQLiteDatabase target) {
SQLiteDatabase.CursorFactory cursorFactory = taint();
String sql = taint(); // $taintReachesSink
String sql = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
String editTable = taint();
CancellationSignal cancellationSignal = taint();
@@ -272,18 +272,18 @@ public class Sinks {
}
public static void update(MySQLiteQueryBuilder target) {
target = taint(); // $taintReachesSink
target = taint(); // $ taintReachesSink
SQLiteDatabase db = taint();
ContentValues values = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.update(db, values, selection, selectionArgs);
}
public static void update(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
ContentValues values = taint();
String whereClause = taint(); // $taintReachesSink
String whereClause = taint(); // $ taintReachesSink
String[] whereArgs = {taint()};
target.update(table, values, whereClause, whereArgs);
}
@@ -291,7 +291,7 @@ public class Sinks {
public static void update(MyContentResolver target) {
Uri uri = taint();
ContentValues values = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.update(uri, values, selection, selectionArgs);
}
@@ -299,15 +299,15 @@ public class Sinks {
public static void update(MyContentProvider target) {
Uri uri = taint();
ContentValues values = taint();
String selection = taint(); // $taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
target.update(uri, values, selection, selectionArgs);
}
public static void updateWithOnConflict(SQLiteDatabase target) {
String table = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
ContentValues values = taint();
String whereClause = taint(); // $taintReachesSink
String whereClause = taint(); // $ taintReachesSink
String[] whereArgs = {taint()};
int conflictAlgorithm = taint();
target.updateWithOnConflict(table, values, whereClause, whereArgs, conflictAlgorithm);
@@ -315,15 +315,15 @@ public class Sinks {
public static void queryNumEntries() {
SQLiteDatabase db = taint();
String table = taint(); // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
DatabaseUtils.queryNumEntries(db, table, selection);
}
public static void queryNumEntries2() {
SQLiteDatabase db = taint();
String table = taint(); // $taintReachesSink
String selection = taint(); // $taintReachesSink
String table = taint(); // $ taintReachesSink
String selection = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.queryNumEntries(db, table, selection, selectionArgs);
}
@@ -332,27 +332,27 @@ public class Sinks {
Context context = taint();
String dbName = taint();
int dbVersion = taint();
String sqlStatements = taint(); // $taintReachesSink
String sqlStatements = taint(); // $ taintReachesSink
DatabaseUtils.createDbFromSqlStatements(context, dbName, dbVersion, sqlStatements);
}
public static void blobFileDescriptorForQuery() {
SQLiteDatabase db = taint();
String query = taint(); // $taintReachesSink
String query = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.blobFileDescriptorForQuery(db, query, selectionArgs);
}
public static void longForQuery() {
SQLiteDatabase db = taint();
String query = taint(); // $taintReachesSink
String query = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.longForQuery(db, query, selectionArgs);
}
public static void stringForQuery() {
SQLiteDatabase db = taint();
String query = taint(); // $taintReachesSink
String query = taint(); // $ taintReachesSink
String[] selectionArgs = {taint()};
DatabaseUtils.stringForQuery(db, query, selectionArgs);
}


@@ -20,56 +20,56 @@ class ArrayUtilsTest {
String[] alreadyTainted = new String[] { taint() };
String[] clean = new String[] { "Untainted" };
sink(ArrayUtils.add(clean, 0, taint())); // $hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, 0, "clean")); // $hasTaintFlow
sink(ArrayUtils.add(clean, 0, taint())); // $ hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, 0, "clean")); // $ hasTaintFlow
sink(ArrayUtils.add(clean, IntSource.taint(), "clean")); // Index argument does not contribute taint
sink(ArrayUtils.add(clean, taint())); // $hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, "clean")); // $hasTaintFlow
sink(ArrayUtils.addAll(clean, "clean", taint())); // $hasTaintFlow
sink(ArrayUtils.addAll(clean, taint(), "clean")); // $hasTaintFlow
sink(ArrayUtils.addAll(alreadyTainted, "clean", "also clean")); // $hasTaintFlow
sink(ArrayUtils.addFirst(clean, taint())); // $hasTaintFlow
sink(ArrayUtils.addFirst(alreadyTainted, "clean")); // $hasTaintFlow
sink(ArrayUtils.clone(alreadyTainted)); // $hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0)); // $hasValueFlow
sink(ArrayUtils.add(clean, taint())); // $ hasTaintFlow
sink(ArrayUtils.add(alreadyTainted, "clean")); // $ hasTaintFlow
sink(ArrayUtils.addAll(clean, "clean", taint())); // $ hasTaintFlow
sink(ArrayUtils.addAll(clean, taint(), "clean")); // $ hasTaintFlow
sink(ArrayUtils.addAll(alreadyTainted, "clean", "also clean")); // $ hasTaintFlow
sink(ArrayUtils.addFirst(clean, taint())); // $ hasTaintFlow
sink(ArrayUtils.addFirst(alreadyTainted, "clean")); // $ hasTaintFlow
sink(ArrayUtils.clone(alreadyTainted)); // $ hasTaintFlow
sink(ArrayUtils.get(alreadyTainted, 0)); // $ hasValueFlow
sink(ArrayUtils.get(clean, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.get(alreadyTainted, 0, "default value")); // $hasValueFlow
sink(ArrayUtils.get(alreadyTainted, 0, "default value")); // $ hasValueFlow
sink(ArrayUtils.get(clean, IntSource.taint(), "default value")); // Index argument does not contribute taint
sink(ArrayUtils.get(clean, 0, taint())); // $hasValueFlow
sink(ArrayUtils.get(clean, 0, taint())); // $ hasValueFlow
sink(ArrayUtils.insert(IntSource.taint(), clean, "value1", "value2")); // Index argument does not contribute taint
sink(ArrayUtils.insert(0, alreadyTainted, "value1", "value2")); // $hasTaintFlow
sink(ArrayUtils.insert(0, clean, taint(), "value2")); // $hasTaintFlow
sink(ArrayUtils.insert(0, clean, "value1", taint())); // $hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted)); // $hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted, String[].class)); // $hasTaintFlow
sink(ArrayUtils.remove(alreadyTainted, 0)); // $hasTaintFlow
sink(ArrayUtils.insert(0, alreadyTainted, "value1", "value2")); // $ hasTaintFlow
sink(ArrayUtils.insert(0, clean, taint(), "value2")); // $ hasTaintFlow
sink(ArrayUtils.insert(0, clean, "value1", taint())); // $ hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted)); // $ hasTaintFlow
sink(ArrayUtils.nullToEmpty(alreadyTainted, String[].class)); // $ hasTaintFlow
sink(ArrayUtils.remove(alreadyTainted, 0)); // $ hasTaintFlow
sink(ArrayUtils.remove(clean, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.removeAll(alreadyTainted, 0, 1)); // $hasTaintFlow
sink(ArrayUtils.removeAll(alreadyTainted, 0, 1)); // $ hasTaintFlow
sink(ArrayUtils.removeAll(clean, IntSource.taint(), 1)); // Index argument does not contribute taint
sink(ArrayUtils.removeAll(clean, 0, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.removeAllOccurences(clean, taint())); // Removed argument does not contribute taint
sink(ArrayUtils.removeAllOccurences(alreadyTainted, "value to remove")); // $hasTaintFlow
sink(ArrayUtils.removeAllOccurences(alreadyTainted, "value to remove")); // $ hasTaintFlow
sink(ArrayUtils.removeAllOccurrences(clean, taint())); // Removed argument does not contribute taint
sink(ArrayUtils.removeAllOccurrences(alreadyTainted, "value to remove")); // $hasTaintFlow
sink(ArrayUtils.removeAllOccurrences(alreadyTainted, "value to remove")); // $ hasTaintFlow
sink(ArrayUtils.removeElement(clean, taint())); // Removed argument does not contribute taint
sink(ArrayUtils.removeElement(alreadyTainted, "value to remove")); // $hasTaintFlow
sink(ArrayUtils.removeElements(alreadyTainted, 0, 1)); // $hasTaintFlow
sink(ArrayUtils.removeElement(alreadyTainted, "value to remove")); // $ hasTaintFlow
sink(ArrayUtils.removeElements(alreadyTainted, 0, 1)); // $ hasTaintFlow
sink(ArrayUtils.removeElements(clean, IntSource.taint(), 1)); // Index argument does not contribute taint
sink(ArrayUtils.removeElements(clean, 0, IntSource.taint())); // Index argument does not contribute taint
sink(ArrayUtils.subarray(alreadyTainted, 0, 0)); // $hasTaintFlow
sink(ArrayUtils.subarray(alreadyTainted, 0, 0)); // $ hasTaintFlow
sink(ArrayUtils.subarray(clean, IntSource.taint(), IntSource.taint())); // Index arguments do not contribute taint
sink(ArrayUtils.toArray("clean", taint())); // $hasTaintFlow
sink(ArrayUtils.toArray(taint(), "clean")); // $hasTaintFlow
sink(ArrayUtils.toMap(alreadyTainted).get("key")); // $hasTaintFlow
sink(ArrayUtils.toArray("clean", taint())); // $ hasTaintFlow
sink(ArrayUtils.toArray(taint(), "clean")); // $ hasTaintFlow
sink(ArrayUtils.toMap(alreadyTainted).get("key")); // $ hasTaintFlow
// Check that none of the above had an effect on `clean`:
sink(clean);
int[] taintedInts = new int[] { IntSource.taint() };
Integer[] taintedBoxedInts = ArrayUtils.toObject(taintedInts);
sink(taintedBoxedInts); // $hasTaintFlow
sink(ArrayUtils.toPrimitive(taintedBoxedInts)); // $hasTaintFlow
sink(ArrayUtils.toPrimitive(new Integer[] {}, IntSource.taint())); // $hasTaintFlow
sink(taintedBoxedInts); // $ hasTaintFlow
sink(ArrayUtils.toPrimitive(taintedBoxedInts)); // $ hasTaintFlow
sink(ArrayUtils.toPrimitive(new Integer[] {}, IntSource.taint())); // $ hasTaintFlow
}
}


@@ -17,14 +17,14 @@ class MutableTest {
Mutable<String> taintSetAlias = taintSet;
Mutable<String> taintClearedAlias = taintCleared;
sink(tainted.getValue()); // $hasValueFlow
sink(taintedAlias.getValue()); // $hasValueFlow
sink(taintSet.getValue()); // $hasValueFlow
sink(taintSetAlias.getValue()); // $hasValueFlow
sink(tainted.getValue()); // $ hasValueFlow
sink(taintedAlias.getValue()); // $ hasValueFlow
sink(taintSet.getValue()); // $ hasValueFlow
sink(taintSetAlias.getValue()); // $ hasValueFlow
// These two cases don't work currently because synthetic fields are always weakly updated,
// so no taint clearing takes place.
sink(taintCleared.getValue()); // $SPURIOUS: hasValueFlow
sink(taintClearedAlias.getValue()); // $SPURIOUS: hasValueFlow
sink(taintCleared.getValue()); // $ SPURIOUS: hasValueFlow
sink(taintClearedAlias.getValue()); // $ SPURIOUS: hasValueFlow
}
}
}


@@ -10,17 +10,17 @@ public class ObjectUtilsTest {
void sink(Object o) {}
void test() throws Exception {
sink(ObjectUtils.clone(taint())); // $hasValueFlow
sink(ObjectUtils.cloneIfPossible(taint())); // $hasValueFlow
sink(ObjectUtils.CONST(taint())); // $hasValueFlow
sink(ObjectUtils.CONST_SHORT(IntSource.taint())); // $hasValueFlow
sink(ObjectUtils.CONST_BYTE(IntSource.taint())); // $hasValueFlow
sink(ObjectUtils.defaultIfNull(taint(), null)); // $hasValueFlow
sink(ObjectUtils.defaultIfNull(null, taint())); // $hasValueFlow
sink(ObjectUtils.clone(taint())); // $ hasValueFlow
sink(ObjectUtils.cloneIfPossible(taint())); // $ hasValueFlow
sink(ObjectUtils.CONST(taint())); // $ hasValueFlow
sink(ObjectUtils.CONST_SHORT(IntSource.taint())); // $ hasValueFlow
sink(ObjectUtils.CONST_BYTE(IntSource.taint())); // $ hasValueFlow
sink(ObjectUtils.defaultIfNull(taint(), null)); // $ hasValueFlow
sink(ObjectUtils.defaultIfNull(null, taint())); // $ hasValueFlow
sink(ObjectUtils.firstNonNull(taint(), null, null)); // $ hasValueFlow
sink(ObjectUtils.firstNonNull(null, taint(), null)); // $ hasValueFlow
sink(ObjectUtils.firstNonNull(null, null, taint())); // $ hasValueFlow
sink(ObjectUtils.getIfNull(taint(), null)); // $hasValueFlow
sink(ObjectUtils.getIfNull(taint(), null)); // $ hasValueFlow
sink(ObjectUtils.max(taint(), null, null)); // $ hasValueFlow
sink(ObjectUtils.max(null, taint(), null)); // $ hasValueFlow
sink(ObjectUtils.max(null, null, taint())); // $ hasValueFlow
@@ -33,9 +33,9 @@ public class ObjectUtilsTest {
sink(ObjectUtils.mode(taint(), null, null)); // $ hasValueFlow
sink(ObjectUtils.mode(null, taint(), null)); // $ hasValueFlow
sink(ObjectUtils.mode(null, null, taint())); // $ hasValueFlow
sink(ObjectUtils.requireNonEmpty(taint(), "message")); // $hasValueFlow
sink(ObjectUtils.requireNonEmpty(taint(), "message")); // $ hasValueFlow
sink(ObjectUtils.requireNonEmpty("not null", taint())); // GOOD (message doesn't propagate to the return)
sink(ObjectUtils.toString(taint(), "default string")); // GOOD (first argument is stringified)
sink(ObjectUtils.toString(null, taint())); // $hasValueFlow
sink(ObjectUtils.toString(null, taint())); // $ hasValueFlow
}
}


@@ -25,60 +25,60 @@ class PairTest {
ImmutablePair<String, String> taintedRight4 = new ImmutablePair("clean-left", taint());
// Check flow through ImmutablePairs:
sink(taintedLeft.getLeft()); // $hasValueFlow
sink(taintedLeft.getLeft()); // $ hasValueFlow
sink(taintedLeft.getRight());
sink(taintedLeft.getKey()); // $hasValueFlow
sink(taintedLeft.getKey()); // $ hasValueFlow
sink(taintedLeft.getValue());
sink(taintedLeft.left); // $hasValueFlow
sink(taintedLeft.left); // $ hasValueFlow
sink(taintedLeft.right);
sink(taintedRight.getLeft());
sink(taintedRight.getRight()); // $hasValueFlow
sink(taintedRight.getRight()); // $ hasValueFlow
sink(taintedRight.getKey());
sink(taintedRight.getValue()); // $hasValueFlow
sink(taintedRight.getValue()); // $ hasValueFlow
sink(taintedRight.left);
sink(taintedRight.right); // $hasValueFlow
sink(taintedLeft2.getLeft()); // $hasValueFlow
sink(taintedRight.right); // $ hasValueFlow
sink(taintedLeft2.getLeft()); // $ hasValueFlow
sink(taintedLeft2.getRight());
sink(taintedLeft2.getKey()); // $hasValueFlow
sink(taintedLeft2.getKey()); // $ hasValueFlow
sink(taintedLeft2.getValue());
sink(taintedLeft2.left); // $hasValueFlow
sink(taintedLeft2.left); // $ hasValueFlow
sink(taintedLeft2.right);
sink(taintedRight2.getLeft());
sink(taintedRight2.getRight()); // $hasValueFlow
sink(taintedRight2.getRight()); // $ hasValueFlow
sink(taintedRight2.getKey());
sink(taintedRight2.getValue()); // $hasValueFlow
sink(taintedRight2.getValue()); // $ hasValueFlow
sink(taintedRight2.left);
sink(taintedRight2.right); // $hasValueFlow
sink(taintedLeft3.getLeft()); // $hasValueFlow
sink(taintedRight2.right); // $ hasValueFlow
sink(taintedLeft3.getLeft()); // $ hasValueFlow
sink(taintedLeft3.getRight());
sink(taintedLeft3.getKey()); // $hasValueFlow
sink(taintedLeft3.getKey()); // $ hasValueFlow
sink(taintedLeft3.getValue());
sink(taintedRight3.getLeft());
sink(taintedRight3.getRight()); // $hasValueFlow
sink(taintedRight3.getRight()); // $ hasValueFlow
sink(taintedRight3.getKey());
sink(taintedRight3.getValue()); // $hasValueFlow
sink(taintedLeft4.getLeft()); // $hasValueFlow
sink(taintedRight3.getValue()); // $ hasValueFlow
sink(taintedLeft4.getLeft()); // $ hasValueFlow
sink(taintedLeft4.getRight());
sink(taintedLeft4.getKey()); // $hasValueFlow
sink(taintedLeft4.getKey()); // $ hasValueFlow
sink(taintedLeft4.getValue());
sink(taintedLeft4.left); // $hasValueFlow
sink(taintedLeft4.left); // $ hasValueFlow
sink(taintedLeft4.right);
sink(taintedRight4.getLeft());
sink(taintedRight4.getRight()); // $hasValueFlow
sink(taintedRight4.getRight()); // $ hasValueFlow
sink(taintedRight4.getKey());
sink(taintedRight4.getValue()); // $hasValueFlow
sink(taintedRight4.getValue()); // $ hasValueFlow
sink(taintedRight4.left);
sink(taintedRight4.right); // $hasValueFlow
sink(taintedRight4.right); // $ hasValueFlow
// Check flow also works via an alias of type Pair:
sink(taintedLeft2_.getLeft()); // $hasValueFlow
sink(taintedLeft2_.getLeft()); // $ hasValueFlow
sink(taintedLeft2_.getRight());
sink(taintedLeft2_.getKey()); // $hasValueFlow
sink(taintedLeft2_.getKey()); // $ hasValueFlow
sink(taintedLeft2_.getValue());
sink(taintedRight2_.getLeft());
sink(taintedRight2_.getRight()); // $hasValueFlow
sink(taintedRight2_.getRight()); // $ hasValueFlow
sink(taintedRight2_.getKey());
sink(taintedRight2_.getValue()); // $hasValueFlow
sink(taintedRight2_.getValue()); // $ hasValueFlow
// Check flow through MutablePairs:
MutablePair<String, String> taintedLeftMutable = MutablePair.of(taint(), "clean-right");
@@ -92,59 +92,59 @@ class PairTest {
MutablePair<String, String> taintedLeftMutableConstructed = new MutablePair(taint(), "clean-right");
MutablePair<String, String> taintedRightMutableConstructed = new MutablePair("clean-left", taint());
sink(taintedLeftMutable.getLeft()); // $hasValueFlow
sink(taintedLeftMutable.getLeft()); // $ hasValueFlow
sink(taintedLeftMutable.getRight());
sink(taintedLeftMutable.getKey()); // $hasValueFlow
sink(taintedLeftMutable.getKey()); // $ hasValueFlow
sink(taintedLeftMutable.getValue());
sink(taintedLeftMutable.left); // $hasValueFlow
sink(taintedLeftMutable.left); // $ hasValueFlow
sink(taintedLeftMutable.right);
sink(taintedRightMutable.getLeft());
sink(taintedRightMutable.getRight()); // $hasValueFlow
sink(taintedRightMutable.getRight()); // $ hasValueFlow
sink(taintedRightMutable.getKey());
sink(taintedRightMutable.getValue()); // $hasValueFlow
sink(taintedRightMutable.getValue()); // $ hasValueFlow
sink(taintedRightMutable.left);
sink(taintedRightMutable.right); // $hasValueFlow
sink(setTaintLeft.getLeft()); // $hasValueFlow
sink(taintedRightMutable.right); // $ hasValueFlow
sink(setTaintLeft.getLeft()); // $ hasValueFlow
sink(setTaintLeft.getRight());
sink(setTaintLeft.getKey()); // $hasValueFlow
sink(setTaintLeft.getKey()); // $ hasValueFlow
sink(setTaintLeft.getValue());
sink(setTaintLeft.left); // $hasValueFlow
sink(setTaintLeft.left); // $ hasValueFlow
sink(setTaintLeft.right);
sink(setTaintRight.getLeft());
sink(setTaintRight.getRight()); // $hasValueFlow
sink(setTaintRight.getRight()); // $ hasValueFlow
sink(setTaintRight.getKey());
sink(setTaintRight.getValue()); // $hasValueFlow
sink(setTaintRight.getValue()); // $ hasValueFlow
sink(setTaintRight.left);
sink(setTaintRight.right); // $hasValueFlow
sink(setTaintRight.right); // $ hasValueFlow
sink(setTaintValue.getLeft());
sink(setTaintValue.getRight()); // $hasValueFlow
sink(setTaintValue.getRight()); // $ hasValueFlow
sink(setTaintValue.getKey());
sink(setTaintValue.getValue()); // $hasValueFlow
sink(setTaintValue.getValue()); // $ hasValueFlow
sink(setTaintValue.left);
sink(setTaintValue.right); // $hasValueFlow
sink(taintedLeftMutableConstructed.getLeft()); // $hasValueFlow
sink(setTaintValue.right); // $ hasValueFlow
sink(taintedLeftMutableConstructed.getLeft()); // $ hasValueFlow
sink(taintedLeftMutableConstructed.getRight());
sink(taintedLeftMutableConstructed.getKey()); // $hasValueFlow
sink(taintedLeftMutableConstructed.getKey()); // $ hasValueFlow
sink(taintedLeftMutableConstructed.getValue());
sink(taintedLeftMutableConstructed.left); // $hasValueFlow
sink(taintedLeftMutableConstructed.left); // $ hasValueFlow
sink(taintedLeftMutableConstructed.right);
sink(taintedRightMutableConstructed.getLeft());
sink(taintedRightMutableConstructed.getRight()); // $hasValueFlow
sink(taintedRightMutableConstructed.getRight()); // $ hasValueFlow
sink(taintedRightMutableConstructed.getKey());
sink(taintedRightMutableConstructed.getValue()); // $hasValueFlow
sink(taintedRightMutableConstructed.getValue()); // $ hasValueFlow
sink(taintedRightMutableConstructed.left);
sink(taintedRightMutableConstructed.right); // $hasValueFlow
sink(taintedRightMutableConstructed.right); // $ hasValueFlow
// Check flow also works via an alias of type Pair:
Pair<String, String> taintedLeftMutableAlias = taintedLeftMutable;
Pair<String, String> taintedRightMutableAlias = taintedRightMutable;
sink(taintedLeftMutableAlias.getLeft()); // $hasValueFlow
sink(taintedLeftMutableAlias.getLeft()); // $ hasValueFlow
sink(taintedLeftMutableAlias.getRight());
sink(taintedLeftMutableAlias.getKey()); // $hasValueFlow
sink(taintedLeftMutableAlias.getKey()); // $ hasValueFlow
sink(taintedLeftMutableAlias.getValue());
sink(taintedRightMutableAlias.getLeft());
sink(taintedRightMutableAlias.getRight()); // $hasValueFlow
sink(taintedRightMutableAlias.getRight()); // $ hasValueFlow
sink(taintedRightMutableAlias.getKey());
sink(taintedRightMutableAlias.getValue()); // $hasValueFlow
sink(taintedRightMutableAlias.getValue()); // $ hasValueFlow
}
}
}

View File

@@ -10,21 +10,21 @@ public class RegExUtilsTest {
Pattern cleanPattern = Pattern.compile("clean");
Pattern taintedPattern = Pattern.compile(taint());
sink(RegExUtils.removeAll(taint(), cleanPattern)); // $hasTaintFlow
sink(RegExUtils.removeAll(taint(), "clean")); // $hasTaintFlow
sink(RegExUtils.removeFirst(taint(), cleanPattern)); // $hasTaintFlow
sink(RegExUtils.removeFirst(taint(), "clean")); // $hasTaintFlow
sink(RegExUtils.removePattern(taint(), "clean")); // $hasTaintFlow
sink(RegExUtils.replaceAll(taint(), cleanPattern, "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceAll(taint(), "clean", "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), cleanPattern, "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), "clean", "replacement")); // $hasTaintFlow
sink(RegExUtils.replacePattern(taint(), "clean", "replacement")); // $hasTaintFlow
sink(RegExUtils.replaceAll("original", cleanPattern, taint())); // $hasTaintFlow
sink(RegExUtils.replaceAll("original", "clean", taint())); // $hasTaintFlow
sink(RegExUtils.replaceFirst("original", cleanPattern, taint())); // $hasTaintFlow
sink(RegExUtils.replaceFirst("original", "clean", taint())); // $hasTaintFlow
sink(RegExUtils.replacePattern("original", "clean", taint())); // $hasTaintFlow
sink(RegExUtils.removeAll(taint(), cleanPattern)); // $ hasTaintFlow
sink(RegExUtils.removeAll(taint(), "clean")); // $ hasTaintFlow
sink(RegExUtils.removeFirst(taint(), cleanPattern)); // $ hasTaintFlow
sink(RegExUtils.removeFirst(taint(), "clean")); // $ hasTaintFlow
sink(RegExUtils.removePattern(taint(), "clean")); // $ hasTaintFlow
sink(RegExUtils.replaceAll(taint(), cleanPattern, "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceAll(taint(), "clean", "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), cleanPattern, "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceFirst(taint(), "clean", "replacement")); // $ hasTaintFlow
sink(RegExUtils.replacePattern(taint(), "clean", "replacement")); // $ hasTaintFlow
sink(RegExUtils.replaceAll("original", cleanPattern, taint())); // $ hasTaintFlow
sink(RegExUtils.replaceAll("original", "clean", taint())); // $ hasTaintFlow
sink(RegExUtils.replaceFirst("original", cleanPattern, taint())); // $ hasTaintFlow
sink(RegExUtils.replaceFirst("original", "clean", taint())); // $ hasTaintFlow
sink(RegExUtils.replacePattern("original", "clean", taint())); // $ hasTaintFlow
// Subsequent calls don't propagate taint, as regex search patterns don't propagate to the return value.
sink(RegExUtils.removeAll("original", taintedPattern));
sink(RegExUtils.removeAll("original", taint()));
@@ -42,4 +42,4 @@ public class RegExUtilsTest {
sink(RegExUtils.replaceFirst("original", taint(), "replacement"));
sink(RegExUtils.replacePattern("original", taint(), "replacement"));
}
}
}


@@ -14,134 +14,134 @@ class StrBuilderTest {
void test() throws Exception {
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $hasTaintFlow
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $ hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $ hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $ hasTaintFlow
StrBuilder sb3 = new StrBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // $ hasTaintFlow
StrBuilder sb4 = new StrBuilder(); sb4.append(CharBuffer.wrap(taint().toCharArray()), 0, 0); sink(sb4.toString()); // $ hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $ hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $ hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.append(taint());
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $hasTaintFlow
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $ hasTaintFlow
}
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $hasTaintFlow
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $ hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $ hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $ hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $ hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $ hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $ hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $ hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $ hasTaintFlow
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $hasTaintFlow
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $ hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $ hasTaintFlow
}
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $hasTaintFlow
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $ hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $ hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $ hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $ hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $ hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $ hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $hasTaintFlow
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $ hasTaintFlow
}
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $hasTaintFlow
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $ hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $ hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $ hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $ hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $ hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $ hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $ hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $ hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $ hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $ hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $ hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $hasTaintFlow
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $ hasTaintFlow
}
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $hasTaintFlow
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $ hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $hasTaintFlow
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $ hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $ hasTaintFlow
String[] taintedArray = new String[] { taint() };
String[] untaintedArray = new String[] {};
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $hasTaintFlow
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $ hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $ hasTaintFlow
}
{
StrBuilder sb46 = new StrBuilder(); sb46.append(taint());
char[] target = new char[100];
sb46.asReader().read(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $hasTaintFlow
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $ hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $ hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $ hasTaintFlow
{
StrBuilder sb50 = new StrBuilder(); sb50.append(taint());
char[] target = new char[100];
sb50.getChars(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
{
StrBuilder sb51 = new StrBuilder(); sb51.append(taint());
char[] target = new char[100];
sb51.getChars(0, 0, target, 0);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $hasTaintFlow
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $ hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $ hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $ hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $ hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $ hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $ hasTaintFlow
{
StringReader reader = new StringReader(taint());
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $hasTaintFlow
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $ hasTaintFlow
}
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $hasTaintFlow
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $ hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $ hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $ hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $ hasTaintFlow
StrBuilder sb63 = new StrBuilder(); sb63.replaceAll(taint(), "replace"); sink(sb63.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $hasTaintFlow
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $ hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $ hasTaintFlow
StrBuilder sb66 = new StrBuilder(); sb66.replaceFirst(taint(), "replace"); sink(sb66.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $ hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $ hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $ hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $ hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $ hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $ hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $ hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $ hasTaintFlow
// Tests for fluent methods (those returning `this`):
StrBuilder fluentTest = new StrBuilder();
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
StrBuilder fluentBackflowTest = new StrBuilder();
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
StrBuilder fluentBackflowTest2 = new StrBuilder();
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
// Test all fluent methods are passing taint through to their result:
StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
@@ -171,7 +171,7 @@ class StrBuilderTest {
.setLength(500)
.setNewLineText("newline")
.setNullText("NULL")
.trim()); // $hasTaintFlow
.trim()); // $ hasTaintFlow
// Test all fluent methods are passing taint back to their qualifier:
StrBuilder fluentAllMethodsTest2 = new StrBuilder();
@@ -203,7 +203,7 @@ class StrBuilderTest {
.setNullText("NULL")
.trim()
.append(taint());
sink(fluentAllMethodsTest2); // $hasTaintFlow
sink(fluentAllMethodsTest2); // $ hasTaintFlow
}
}


@@ -14,134 +14,134 @@ class StrBuilderTextTest {
void test() throws Exception {
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $hasTaintFlow
StrBuilder cons1 = new StrBuilder(taint()); sink(cons1.toString()); // $ hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow
StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $ hasTaintFlow
StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $ hasTaintFlow
StrBuilder sb3 = new StrBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // $ hasTaintFlow
StrBuilder sb4 = new StrBuilder(); sb4.append(CharBuffer.wrap(taint().toCharArray()), 0, 0); sink(sb4.toString()); // $ hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $hasTaintFlow
StrBuilder sb5 = new StrBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $ hasTaintFlow
StrBuilder sb6 = new StrBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $ hasTaintFlow
StrBuilder sb7 = new StrBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.append(taint());
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $hasTaintFlow
StrBuilder sb8 = new StrBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $ hasTaintFlow
}
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $hasTaintFlow
StrBuilder sb9 = new StrBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $ hasTaintFlow
StrBuilder sb10 = new StrBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $ hasTaintFlow
StrBuilder sb11 = new StrBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $ hasTaintFlow
StrBuilder sb12 = new StrBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $ hasTaintFlow
StrBuilder sb13 = new StrBuilder(); sb13.append(taint()); sink(sb13.toString()); // $ hasTaintFlow
StrBuilder sb14 = new StrBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $ hasTaintFlow
StrBuilder sb15 = new StrBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $ hasTaintFlow
StrBuilder sb16 = new StrBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $ hasTaintFlow
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $hasTaintFlow
StrBuilder sb17 = new StrBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $ hasTaintFlow
StrBuilder sb18 = new StrBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $ hasTaintFlow
}
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $hasTaintFlow
StrBuilder sb19 = new StrBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $ hasTaintFlow
StrBuilder sb20 = new StrBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $ hasTaintFlow
StrBuilder sb21 = new StrBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $ hasTaintFlow
StrBuilder sb22 = new StrBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $ hasTaintFlow
StrBuilder sb23 = new StrBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $ hasTaintFlow
StrBuilder sb24 = new StrBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $ hasTaintFlow
StrBuilder sb25 = new StrBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $hasTaintFlow
StrBuilder sb26 = new StrBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $ hasTaintFlow
}
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $hasTaintFlow
StrBuilder sb27 = new StrBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $ hasTaintFlow
StrBuilder sb28 = new StrBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $ hasTaintFlow
StrBuilder sb29 = new StrBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $ hasTaintFlow
StrBuilder sb30 = new StrBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $ hasTaintFlow
StrBuilder sb31 = new StrBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $ hasTaintFlow
StrBuilder sb32 = new StrBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $ hasTaintFlow
StrBuilder sb33 = new StrBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $ hasTaintFlow
StrBuilder sb34 = new StrBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $ hasTaintFlow
StrBuilder sb35 = new StrBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $ hasTaintFlow
StrBuilder sb36 = new StrBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $ hasTaintFlow
StrBuilder sb37 = new StrBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $ hasTaintFlow
StrBuilder sb38 = new StrBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $ hasTaintFlow
{
StrBuilder auxsb = new StrBuilder(); auxsb.appendln(taint());
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $hasTaintFlow
StrBuilder sb39 = new StrBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $ hasTaintFlow
}
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $hasTaintFlow
StrBuilder sb40 = new StrBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $ hasTaintFlow
StrBuilder sb41 = new StrBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $hasTaintFlow
StrBuilder sb42 = new StrBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $ hasTaintFlow
StrBuilder sb43 = new StrBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $ hasTaintFlow
String[] taintedArray = new String[] { taint() };
String[] untaintedArray = new String[] {};
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $hasTaintFlow
StrBuilder sb44 = new StrBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $ hasTaintFlow
StrBuilder sb45 = new StrBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $ hasTaintFlow
}
{
StrBuilder sb46 = new StrBuilder(); sb46.append(taint());
char[] target = new char[100];
sb46.asReader().read(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $hasTaintFlow
StrBuilder sb47 = new StrBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $ hasTaintFlow
StrBuilder sb48 = new StrBuilder(); sb48.append(taint()); sink(sb48.build()); // $ hasTaintFlow
StrBuilder sb49 = new StrBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $ hasTaintFlow
{
StrBuilder sb50 = new StrBuilder(); sb50.append(taint());
char[] target = new char[100];
sb50.getChars(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
{
StrBuilder sb51 = new StrBuilder(); sb51.append(taint());
char[] target = new char[100];
sb51.getChars(0, 0, target, 0);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $hasTaintFlow
StrBuilder sb52 = new StrBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $ hasTaintFlow
StrBuilder sb53 = new StrBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $ hasTaintFlow
StrBuilder sb54 = new StrBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $ hasTaintFlow
StrBuilder sb55 = new StrBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $ hasTaintFlow
StrBuilder sb56 = new StrBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $ hasTaintFlow
StrBuilder sb57 = new StrBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $ hasTaintFlow
{
StringReader reader = new StringReader(taint());
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $hasTaintFlow
StrBuilder sb58 = new StrBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $ hasTaintFlow
}
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $hasTaintFlow
StrBuilder sb59 = new StrBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $ hasTaintFlow
StrBuilder sb60 = new StrBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $ hasTaintFlow
StrBuilder sb61 = new StrBuilder(); sb61.replaceAll((StrMatcher)null, taint()); sink(sb61.toString()); // $ hasTaintFlow
StrBuilder sb62 = new StrBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $ hasTaintFlow
StrBuilder sb63 = new StrBuilder(); sb63.replaceAll(taint(), "replace"); sink(sb63.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $hasTaintFlow
StrBuilder sb64 = new StrBuilder(); sb64.replaceFirst((StrMatcher)null, taint()); sink(sb64.toString()); // $ hasTaintFlow
StrBuilder sb65 = new StrBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $ hasTaintFlow
StrBuilder sb66 = new StrBuilder(); sb66.replaceFirst(taint(), "replace"); sink(sb66.toString()); // GOOD (search string doesn't convey taint)
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
StrBuilder sb67 = new StrBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $ hasTaintFlow
StrBuilder sb68 = new StrBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $ hasTaintFlow
StrBuilder sb69 = new StrBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $ hasTaintFlow
StrBuilder sb70 = new StrBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $ hasTaintFlow
StrBuilder sb71 = new StrBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $ hasTaintFlow
StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $ hasTaintFlow
StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $ hasTaintFlow
StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $ hasTaintFlow
// Tests for fluent methods (those returning `this`):
StrBuilder fluentTest = new StrBuilder();
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
StrBuilder fluentBackflowTest = new StrBuilder();
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
StrBuilder fluentBackflowTest2 = new StrBuilder();
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
// Test all fluent methods are passing taint through to their result:
StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
@@ -171,7 +171,7 @@ class StrBuilderTextTest {
.setLength(500)
.setNewLineText("newline")
.setNullText("NULL")
.trim()); // $hasTaintFlow
.trim()); // $ hasTaintFlow
// Test all fluent methods are passing taint back to their qualifier:
StrBuilder fluentAllMethodsTest2 = new StrBuilder();
@@ -203,7 +203,7 @@ class StrBuilderTextTest {
.setNullText("NULL")
.trim()
.append(taint());
sink(fluentAllMethodsTest2); // $hasTaintFlow
sink(fluentAllMethodsTest2); // $ hasTaintFlow
}
}


@@ -11,7 +11,7 @@ class StrLookupTest {
Map<String, String> map = new HashMap<String, String>();
map.put("key", taint());
StrLookup<String> lookup = StrLookup.mapLookup(map);
sink(lookup.lookup("key")); // $hasTaintFlow
sink(lookup.lookup("key")); // $ hasTaintFlow
}
}


@@ -17,66 +17,66 @@ class StrSubstitutorTest {
StrLookup<String> taintedLookup = StrLookup.mapLookup(taintedMap);
// Test constructors:
StrSubstitutor ss1 = new StrSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $hasTaintFlow
StrSubstitutor ss2 = new StrSubstitutor(taintedMap); sink(ss2.replace("input")); // $hasTaintFlow
StrSubstitutor ss3 = new StrSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $hasTaintFlow
StrSubstitutor ss4 = new StrSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $hasTaintFlow
StrSubstitutor ss5 = new StrSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $hasTaintFlow
StrSubstitutor ss6 = new StrSubstitutor(taintedLookup); sink(ss6.replace("input")); // $hasTaintFlow
StrSubstitutor ss7 = new StrSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $hasTaintFlow
StrSubstitutor ss8 = new StrSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $hasTaintFlow
StrSubstitutor ss9 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' '); sink(ss9.replace("input")); // $hasTaintFlow
StrSubstitutor ss10 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $hasTaintFlow
StrSubstitutor ss1 = new StrSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $ hasTaintFlow
StrSubstitutor ss2 = new StrSubstitutor(taintedMap); sink(ss2.replace("input")); // $ hasTaintFlow
StrSubstitutor ss3 = new StrSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $ hasTaintFlow
StrSubstitutor ss4 = new StrSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $ hasTaintFlow
StrSubstitutor ss5 = new StrSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $ hasTaintFlow
StrSubstitutor ss6 = new StrSubstitutor(taintedLookup); sink(ss6.replace("input")); // $ hasTaintFlow
StrSubstitutor ss7 = new StrSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $ hasTaintFlow
StrSubstitutor ss8 = new StrSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $ hasTaintFlow
StrSubstitutor ss9 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' '); sink(ss9.replace("input")); // $ hasTaintFlow
StrSubstitutor ss10 = new StrSubstitutor(taintedLookup, (StrMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $ hasTaintFlow
// Test replace overloads (tainted substitution map):
StrSubstitutor taintedSubst = ss2;
sink(taintedSubst.replace((Object)"input")); // $hasTaintFlow
sink(taintedSubst.replace("input")); // $hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((Object)"input")); // $ hasTaintFlow
sink(taintedSubst.replace("input")); // $ hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StrBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $ hasTaintFlow
// Test replace overloads (tainted input):
StrSubstitutor untaintedSubst = ss1;
sink(untaintedSubst.replace((Object)taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((Object)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StrBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $ hasTaintFlow
// Test static replace methods:
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>())); // $hasTaintFlow
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap)); // $hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap, "{", "}")); // $hasTaintFlow
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>())); // $ hasTaintFlow
sink(StrSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $ hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap)); // $ hasTaintFlow
sink(StrSubstitutor.replace("input", taintedMap, "{", "}")); // $ hasTaintFlow
Properties taintedProps = new Properties();
taintedProps.put("key", taint());
sink(StrSubstitutor.replace(taint(), new Properties())); // $hasTaintFlow
sink(StrSubstitutor.replace("input", taintedProps)); // $hasTaintFlow
sink(StrSubstitutor.replace(taint(), new Properties())); // $ hasTaintFlow
sink(StrSubstitutor.replace("input", taintedProps)); // $ hasTaintFlow
// Test replaceIn methods:
StrBuilder strBuilder1 = new StrBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $hasTaintFlow
StrBuilder strBuilder2 = new StrBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $hasTaintFlow
StrBuilder strBuilder1 = new StrBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $ hasTaintFlow
StrBuilder strBuilder2 = new StrBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $ hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $ hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $ hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $ hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $ hasTaintFlow
}
}


@@ -9,38 +9,38 @@ public class StrTokenizerTest {
void test() throws Exception {
// Test constructors:
sink((new StrTokenizer(taint().toCharArray())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
// Test constructing static methods:
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $ hasTaintFlow
// Test accessors:
sink((new StrTokenizer(taint())).clone()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).clone()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $ hasTaintFlow
// Test mutators:
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $ hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $ hasTaintFlow
}
}


@@ -9,38 +9,38 @@ public class StrTokenizerTextTest {
void test() throws Exception {
// Test constructors:
sink((new StrTokenizer(taint().toCharArray())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $hasTaintFlow
sink((new StrTokenizer(taint().toCharArray())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint().toCharArray(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), ",")).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null)).toString()); // $ hasTaintFlow
sink((new StrTokenizer(taint(), (StrMatcher)null, (StrMatcher)null)).toString()); // $ hasTaintFlow
// Test constructing static methods:
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getCSVInstance(taint()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StrTokenizer.getTSVInstance(taint()).toString()); // $ hasTaintFlow
// Test accessors:
sink((new StrTokenizer(taint())).clone()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $hasTaintFlow
sink((new StrTokenizer(taint())).clone()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getContent()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenArray()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).getTokenList()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).next()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).nextToken()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previous()); // $ hasTaintFlow
sink((new StrTokenizer(taint())).previousToken()); // $ hasTaintFlow
// Test mutators:
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $hasTaintFlow
sink((new StrTokenizer()).reset(taint().toCharArray()).toString()); // $ hasTaintFlow
sink((new StrTokenizer()).reset(taint()).toString()); // $ hasTaintFlow
}
}


@@ -6,6 +6,6 @@ public class StringEscapeUtilsTest {
void sink(Object o) {}
void test() throws Exception {
sink(StringEscapeUtils.escapeJson(taint())); // $hasTaintFlow
sink(StringEscapeUtils.escapeJson(taint())); // $ hasTaintFlow
}
}


@@ -12,7 +12,7 @@ class StringLookupTextTest {
Map<String, String> map = new HashMap<String, String>();
map.put("key", taint());
StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(map);
sink(lookup.lookup("key")); // $hasTaintFlow
sink(lookup.lookup("key")); // $ hasTaintFlow
}
}


@@ -18,66 +18,66 @@ class StringSubstitutorTextTest {
StringLookup taintedLookup = StringLookupFactory.INSTANCE.mapStringLookup(taintedMap);
// Test constructors:
StringSubstitutor ss1 = new StringSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $hasTaintFlow
StringSubstitutor ss2 = new StringSubstitutor(taintedMap); sink(ss2.replace("input")); // $hasTaintFlow
StringSubstitutor ss3 = new StringSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $hasTaintFlow
StringSubstitutor ss4 = new StringSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $hasTaintFlow
StringSubstitutor ss5 = new StringSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $hasTaintFlow
StringSubstitutor ss6 = new StringSubstitutor(taintedLookup); sink(ss6.replace("input")); // $hasTaintFlow
StringSubstitutor ss7 = new StringSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $hasTaintFlow
StringSubstitutor ss8 = new StringSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $hasTaintFlow
StringSubstitutor ss9 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' '); sink(ss9.replace("input")); // $hasTaintFlow
StringSubstitutor ss10 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $hasTaintFlow
StringSubstitutor ss1 = new StringSubstitutor(); ss1.setVariableResolver(taintedLookup); sink(ss1.replace("input")); // $ hasTaintFlow
StringSubstitutor ss2 = new StringSubstitutor(taintedMap); sink(ss2.replace("input")); // $ hasTaintFlow
StringSubstitutor ss3 = new StringSubstitutor(taintedMap, "{", "}"); sink(ss3.replace("input")); // $ hasTaintFlow
StringSubstitutor ss4 = new StringSubstitutor(taintedMap, "{", "}", ' '); sink(ss4.replace("input")); // $ hasTaintFlow
StringSubstitutor ss5 = new StringSubstitutor(taintedMap, "{", "}", ' ', ","); sink(ss5.replace("input")); // $ hasTaintFlow
StringSubstitutor ss6 = new StringSubstitutor(taintedLookup); sink(ss6.replace("input")); // $ hasTaintFlow
StringSubstitutor ss7 = new StringSubstitutor(taintedLookup, "{", "}", ' '); sink(ss7.replace("input")); // $ hasTaintFlow
StringSubstitutor ss8 = new StringSubstitutor(taintedLookup, "{", "}", ' ', ","); sink(ss8.replace("input")); // $ hasTaintFlow
StringSubstitutor ss9 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' '); sink(ss9.replace("input")); // $ hasTaintFlow
StringSubstitutor ss10 = new StringSubstitutor(taintedLookup, (StringMatcher)null, null, ' ', null); sink(ss10.replace("input")); // $ hasTaintFlow
// Test replace overloads (tainted substitution map):
StringSubstitutor taintedSubst = ss2;
sink(taintedSubst.replace((Object)"input")); // $hasTaintFlow
sink(taintedSubst.replace("input")); // $hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $hasTaintFlow
sink(taintedSubst.replace((Object)"input")); // $ hasTaintFlow
sink(taintedSubst.replace("input")); // $ hasTaintFlow
sink(taintedSubst.replace("input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray())); // $ hasTaintFlow
sink(taintedSubst.replace("input".toCharArray(), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input")); // $ hasTaintFlow
sink(taintedSubst.replace((CharSequence)"input", 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new TextStringBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuilder("input"), 0, 0)); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"))); // $ hasTaintFlow
sink(taintedSubst.replace(new StringBuffer("input"), 0, 0)); // $ hasTaintFlow
// Test replace overloads (tainted input):
StringSubstitutor untaintedSubst = ss1;
sink(untaintedSubst.replace((Object)taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint())); // $hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $hasTaintFlow
sink(untaintedSubst.replace((Object)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray())); // $ hasTaintFlow
sink(untaintedSubst.replace(taint().toCharArray(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint())); // $ hasTaintFlow
sink(untaintedSubst.replace((CharSequence)taint(), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new TextStringBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuilder(taint()), 0, 0)); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()))); // $ hasTaintFlow
sink(untaintedSubst.replace(new StringBuffer(taint()), 0, 0)); // $ hasTaintFlow
// Test static replace methods:
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>())); // $hasTaintFlow
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap)); // $hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap, "{", "}")); // $hasTaintFlow
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>())); // $ hasTaintFlow
sink(StringSubstitutor.replace(taint(), new HashMap<String, String>(), "{", "}")); // $ hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap)); // $ hasTaintFlow
sink(StringSubstitutor.replace("input", taintedMap, "{", "}")); // $ hasTaintFlow
Properties taintedProps = new Properties();
taintedProps.put("key", taint());
sink(StringSubstitutor.replace(taint(), new Properties())); // $hasTaintFlow
sink(StringSubstitutor.replace("input", taintedProps)); // $hasTaintFlow
sink(StringSubstitutor.replace(taint(), new Properties())); // $ hasTaintFlow
sink(StringSubstitutor.replace("input", taintedProps)); // $ hasTaintFlow
// Test replaceIn methods:
TextStringBuilder strBuilder1 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $hasTaintFlow
TextStringBuilder strBuilder2 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $hasTaintFlow
TextStringBuilder strBuilder1 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder1); sink(strBuilder1.toString()); // $ hasTaintFlow
TextStringBuilder strBuilder2 = new TextStringBuilder(); taintedSubst.replaceIn(strBuilder2, 0, 0); sink(strBuilder2.toString()); // $ hasTaintFlow
StringBuilder stringBuilder1 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder1); sink(stringBuilder1.toString()); // $ hasTaintFlow
StringBuilder stringBuilder2 = new StringBuilder(); taintedSubst.replaceIn(stringBuilder2, 0, 0); sink(stringBuilder2.toString()); // $ hasTaintFlow
StringBuffer stringBuffer1 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer1); sink(stringBuffer1.toString()); // $ hasTaintFlow
StringBuffer stringBuffer2 = new StringBuffer(); taintedSubst.replaceIn(stringBuffer2, 0, 0); sink(stringBuffer2.toString()); // $ hasTaintFlow
}
}


@@ -9,38 +9,38 @@ public class StringTokenizerTest {
void test() throws Exception {
// Test constructors:
sink((new StringTokenizer(taint().toCharArray())).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',', '"')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ",")).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null, (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint())).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), ',')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), ',', '"')).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), ",")).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null, (StringMatcher)null)).toString()); // $hasTaintFlow
sink((new StringTokenizer(taint().toCharArray())).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), ",")).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null)).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint().toCharArray(), (StringMatcher)null, (StringMatcher)null)).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), ',')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), ',', '"')).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), ",")).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null)).toString()); // $ hasTaintFlow
sink((new StringTokenizer(taint(), (StringMatcher)null, (StringMatcher)null)).toString()); // $ hasTaintFlow
// Test constructing static methods:
sink(StringTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StringTokenizer.getCSVInstance(taint()).toString()); // $hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint()).toString()); // $hasTaintFlow
sink(StringTokenizer.getCSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StringTokenizer.getCSVInstance(taint()).toString()); // $ hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint().toCharArray()).toString()); // $ hasTaintFlow
sink(StringTokenizer.getTSVInstance(taint()).toString()); // $ hasTaintFlow
// Test accessors:
sink((new StringTokenizer(taint())).clone()); // $hasTaintFlow
sink((new StringTokenizer(taint())).getContent()); // $hasTaintFlow
sink((new StringTokenizer(taint())).getTokenArray()); // $hasTaintFlow
sink((new StringTokenizer(taint())).getTokenList()); // $hasTaintFlow
sink((new StringTokenizer(taint())).next()); // $hasTaintFlow
sink((new StringTokenizer(taint())).nextToken()); // $hasTaintFlow
sink((new StringTokenizer(taint())).previous()); // $hasTaintFlow
sink((new StringTokenizer(taint())).previousToken()); // $hasTaintFlow
sink((new StringTokenizer(taint())).clone()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).getContent()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).getTokenArray()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).getTokenList()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).next()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).nextToken()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).previous()); // $ hasTaintFlow
sink((new StringTokenizer(taint())).previousToken()); // $ hasTaintFlow
// Test mutators:
sink((new StringTokenizer()).reset(taint().toCharArray()).toString()); // $hasTaintFlow
sink((new StringTokenizer()).reset(taint()).toString()); // $hasTaintFlow
sink((new StringTokenizer()).reset(taint().toCharArray()).toString()); // $ hasTaintFlow
sink((new StringTokenizer()).reset(taint()).toString()); // $ hasTaintFlow
}
}


@@ -12,57 +12,57 @@ class Test {
void test() throws Exception {
// All these calls should convey taint to `sink` except as noted.
sink(StringUtils.abbreviate(taint(), 0)); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0)); // $hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0)); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0, 0)); // $hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.abbreviateMiddle(taint(), "...", 0)); // $hasTaintFlow
sink(StringUtils.abbreviateMiddle("Untainted", taint(), 0)); // $hasTaintFlow
sink(StringUtils.appendIfMissing(taint(), "suffix", "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.appendIfMissing("prefix", taint(), "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.abbreviate(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate(taint(), "...", 0, 0)); // $ hasTaintFlow
sink(StringUtils.abbreviate("Untainted", taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.abbreviateMiddle(taint(), "...", 0)); // $ hasTaintFlow
sink(StringUtils.abbreviateMiddle("Untainted", taint(), 0)); // $ hasTaintFlow
sink(StringUtils.appendIfMissing(taint(), "suffix", "candsuffix1", "candsuffix2")); // $ hasTaintFlow
sink(StringUtils.appendIfMissing("prefix", taint(), "candsuffix1", "candsuffix2")); // $ hasTaintFlow
// (next 2 calls) GOOD: candidate suffixes do not flow to the return value.
sink(StringUtils.appendIfMissing("prefix", "suffix", taint(), "candsuffix2"));
sink(StringUtils.appendIfMissing("prefix", "suffix", "candsuffix1", taint()));
sink(StringUtils.appendIfMissingIgnoreCase(taint(), "suffix", "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.appendIfMissingIgnoreCase("prefix", taint(), "candsuffix1", "candsuffix2")); // $hasTaintFlow
sink(StringUtils.appendIfMissingIgnoreCase(taint(), "suffix", "candsuffix1", "candsuffix2")); // $ hasTaintFlow
sink(StringUtils.appendIfMissingIgnoreCase("prefix", taint(), "candsuffix1", "candsuffix2")); // $ hasTaintFlow
// (next 2 calls) GOOD: candidate suffixes do not flow to the return value.
sink(StringUtils.appendIfMissingIgnoreCase("prefix", "suffix", taint(), "candsuffix2"));
sink(StringUtils.appendIfMissingIgnoreCase("prefix", "suffix", "candsuffix1", taint()));
sink(StringUtils.capitalize(taint())); // $hasTaintFlow
sink(StringUtils.center(taint(), 0)); // $hasTaintFlow
sink(StringUtils.center(taint(), 0, 'x')); // $hasTaintFlow
sink(StringUtils.center(taint(), 0, "padding string")); // $hasTaintFlow
sink(StringUtils.center("Center me", 0, taint())); // $hasTaintFlow
sink(StringUtils.chomp(taint())); // $hasTaintFlow
sink(StringUtils.chomp(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.capitalize(taint())); // $ hasTaintFlow
sink(StringUtils.center(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.center(taint(), 0, 'x')); // $ hasTaintFlow
sink(StringUtils.center(taint(), 0, "padding string")); // $ hasTaintFlow
sink(StringUtils.center("Center me", 0, taint())); // $ hasTaintFlow
sink(StringUtils.chomp(taint())); // $ hasTaintFlow
sink(StringUtils.chomp(taint(), "separator")); // $ hasTaintFlow
// GOOD: separator does not flow to the return value.
sink(StringUtils.chomp("Chomp me", taint()));
sink(StringUtils.chop(taint())); // $hasTaintFlow
sink(StringUtils.defaultIfBlank(taint(), "default")); // $hasTaintFlow
sink(StringUtils.defaultIfBlank("Perhaps blank", taint())); // $hasTaintFlow
sink(StringUtils.defaultIfEmpty(taint(), "default")); // $hasTaintFlow
sink(StringUtils.defaultIfEmpty("Perhaps empty", taint())); // $hasTaintFlow
sink(StringUtils.defaultString(taint())); // $hasTaintFlow
sink(StringUtils.defaultString(taint(), "default string")); // $hasTaintFlow
sink(StringUtils.defaultString("perhaps null", taint())); // $hasTaintFlow
sink(StringUtils.deleteWhitespace(taint())); // $hasTaintFlow
sink(StringUtils.difference(taint(), "rhs")); // $hasTaintFlow
sink(StringUtils.difference("lhs", taint())); // $hasTaintFlow
sink(StringUtils.firstNonBlank(taint(), "second string")); // $hasValueFlow
sink(StringUtils.firstNonBlank("first string", taint())); // $hasValueFlow
sink(StringUtils.firstNonEmpty(taint(), "second string")); // $hasValueFlow
sink(StringUtils.firstNonEmpty("first string", taint())); // $hasValueFlow
sink(StringUtils.getBytes(taint(), (Charset)null)); // $hasTaintFlow
sink(StringUtils.getBytes(taint(), "some charset")); // $hasTaintFlow
sink(StringUtils.chop(taint())); // $ hasTaintFlow
sink(StringUtils.defaultIfBlank(taint(), "default")); // $ hasTaintFlow
sink(StringUtils.defaultIfBlank("Perhaps blank", taint())); // $ hasTaintFlow
sink(StringUtils.defaultIfEmpty(taint(), "default")); // $ hasTaintFlow
sink(StringUtils.defaultIfEmpty("Perhaps empty", taint())); // $ hasTaintFlow
sink(StringUtils.defaultString(taint())); // $ hasTaintFlow
sink(StringUtils.defaultString(taint(), "default string")); // $ hasTaintFlow
sink(StringUtils.defaultString("perhaps null", taint())); // $ hasTaintFlow
sink(StringUtils.deleteWhitespace(taint())); // $ hasTaintFlow
sink(StringUtils.difference(taint(), "rhs")); // $ hasTaintFlow
sink(StringUtils.difference("lhs", taint())); // $ hasTaintFlow
sink(StringUtils.firstNonBlank(taint(), "second string")); // $ hasValueFlow
sink(StringUtils.firstNonBlank("first string", taint())); // $ hasValueFlow
sink(StringUtils.firstNonEmpty(taint(), "second string")); // $ hasValueFlow
sink(StringUtils.firstNonEmpty("first string", taint())); // $ hasValueFlow
sink(StringUtils.getBytes(taint(), (Charset)null)); // $ hasTaintFlow
sink(StringUtils.getBytes(taint(), "some charset")); // $ hasTaintFlow
// GOOD: charset names are not a source of taint
sink(StringUtils.getBytes("some string", taint()));
sink(StringUtils.getCommonPrefix(taint(), "second string")); // $hasTaintFlow
sink(StringUtils.getCommonPrefix("first string", taint())); // $hasTaintFlow
sink(StringUtils.getDigits(taint())); // $hasTaintFlow
sink(StringUtils.getIfBlank(taint(), () -> "default")); // $hasTaintFlow
sink(StringUtils.getIfEmpty(taint(), () -> "default")); // $hasTaintFlow
sink(StringUtils.getCommonPrefix(taint(), "second string")); // $ hasTaintFlow
sink(StringUtils.getCommonPrefix("first string", taint())); // $ hasTaintFlow
sink(StringUtils.getDigits(taint())); // $ hasTaintFlow
sink(StringUtils.getIfBlank(taint(), () -> "default")); // $ hasTaintFlow
sink(StringUtils.getIfEmpty(taint(), () -> "default")); // $ hasTaintFlow
// BAD (but not detected yet): latent taint in lambdas
sink(StringUtils.getIfBlank("maybe blank", () -> taint()));
sink(StringUtils.getIfEmpty("maybe blank", () -> taint()));
@@ -70,70 +70,70 @@ class Test {
// of tainted data.
sink(StringUtils.join(StringUtils.getBytes(taint(), "UTF-8"), ' '));
sink(StringUtils.join(StringUtils.getBytes(taint(), "UTF-8"), ' ', 0, 0));
sink(StringUtils.join(taint().toCharArray(), ' ')); // $hasTaintFlow
sink(StringUtils.join(taint().toCharArray(), ' ', 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taint().toCharArray(), ' ')); // $ hasTaintFlow
sink(StringUtils.join(taint().toCharArray(), ' ', 0, 0)); // $ hasTaintFlow
// Testing the Iterable<?> overloads of `join`
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
sink(StringUtils.join(taintedList, ' ')); // $hasTaintFlow
sink(StringUtils.join(taintedList, "sep")); // $hasTaintFlow
sink(StringUtils.join(taintedList, ' ')); // $ hasTaintFlow
sink(StringUtils.join(taintedList, "sep")); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
sink(StringUtils.join(untaintedList, taint())); // $hasTaintFlow
sink(StringUtils.join(untaintedList, taint())); // $ hasTaintFlow
// Testing the Iterator<?> overloads of `join`
sink(StringUtils.join(taintedList.iterator(), ' ')); // $hasTaintFlow
sink(StringUtils.join(taintedList.iterator(), "sep")); // $hasTaintFlow
sink(StringUtils.join(untaintedList.iterator(), taint())); // $hasTaintFlow
sink(StringUtils.join(taintedList.iterator(), ' ')); // $ hasTaintFlow
sink(StringUtils.join(taintedList.iterator(), "sep")); // $ hasTaintFlow
sink(StringUtils.join(untaintedList.iterator(), taint())); // $ hasTaintFlow
// Testing the List<?> overloads of `join`, which have start/end indices
sink(StringUtils.join(taintedList, ' ', 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedList, "sep", 0, 0)); // $hasTaintFlow
sink(StringUtils.join(untaintedList, taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedList, ' ', 0, 0)); // $ hasTaintFlow
sink(StringUtils.join(taintedList, "sep", 0, 0)); // $ hasTaintFlow
sink(StringUtils.join(untaintedList, taint(), 0, 0)); // $ hasTaintFlow
// Testing the Object[] overloads of `join`, which may have start/end indices
Object[] taintedArray = new Object[] { taint() };
sink(StringUtils.join(taintedArray, ' ')); // $hasTaintFlow
sink(StringUtils.join(taintedArray, "sep")); // $hasTaintFlow
sink(StringUtils.join(taintedArray, ' ', 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedArray, "sep", 0, 0)); // $hasTaintFlow
sink(StringUtils.join(taintedArray, ' ')); // $ hasTaintFlow
sink(StringUtils.join(taintedArray, "sep")); // $ hasTaintFlow
sink(StringUtils.join(taintedArray, ' ', 0, 0)); // $ hasTaintFlow
sink(StringUtils.join(taintedArray, "sep", 0, 0)); // $ hasTaintFlow
Object[] untaintedArray = new Object[] { "safe" };
sink(StringUtils.join(untaintedArray, taint())); // $hasTaintFlow
sink(StringUtils.join(untaintedArray, taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.join(untaintedArray, taint())); // $ hasTaintFlow
sink(StringUtils.join(untaintedArray, taint(), 0, 0)); // $ hasTaintFlow
// Testing the variadic overload of `join` and `joinWith`
sink(StringUtils.join(taint(), "other string")); // $hasTaintFlow
sink(StringUtils.join("other string before", taint())); // $hasTaintFlow
sink(StringUtils.joinWith("separator", taint(), "other string")); // $hasTaintFlow
sink(StringUtils.joinWith("separator", "other string before", taint())); // $hasTaintFlow
sink(StringUtils.joinWith(taint(), "other string before", "other string after")); // $hasTaintFlow
sink(StringUtils.join(taint(), "other string")); // $ hasTaintFlow
sink(StringUtils.join("other string before", taint())); // $ hasTaintFlow
sink(StringUtils.joinWith("separator", taint(), "other string")); // $ hasTaintFlow
sink(StringUtils.joinWith("separator", "other string before", taint())); // $ hasTaintFlow
sink(StringUtils.joinWith(taint(), "other string before", "other string after")); // $ hasTaintFlow
// End of `join` tests
sink(StringUtils.left(taint(), 0)); // $hasTaintFlow
sink(StringUtils.leftPad(taint(), 0)); // $hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, ' ')); // $hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, "padding")); // $hasTaintFlow
sink(StringUtils.leftPad("to pad", 0, taint())); // $hasTaintFlow
sink(StringUtils.lowerCase(taint())); // $hasTaintFlow
sink(StringUtils.lowerCase(taint(), Locale.UK)); // $hasTaintFlow
sink(StringUtils.mid(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.normalizeSpace(taint())); // $hasTaintFlow
sink(StringUtils.overlay(taint(), "overlay", 0, 0)); // $hasTaintFlow
sink(StringUtils.overlay("underlay", taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.prependIfMissing(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.prependIfMissing("original string", taint(), "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.left(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.leftPad(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, ' ')); // $ hasTaintFlow
sink(StringUtils.leftPad(taint(), 0, "padding")); // $ hasTaintFlow
sink(StringUtils.leftPad("to pad", 0, taint())); // $ hasTaintFlow
sink(StringUtils.lowerCase(taint())); // $ hasTaintFlow
sink(StringUtils.lowerCase(taint(), Locale.UK)); // $ hasTaintFlow
sink(StringUtils.mid(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.normalizeSpace(taint())); // $ hasTaintFlow
sink(StringUtils.overlay(taint(), "overlay", 0, 0)); // $ hasTaintFlow
sink(StringUtils.overlay("underlay", taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.prependIfMissing(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $ hasTaintFlow
sink(StringUtils.prependIfMissing("original string", taint(), "check prefix 1", "check prefix 2")); // $ hasTaintFlow
// (next 2 calls) GOOD: args 3+ are checked against but do not propagate to the return value
sink(StringUtils.prependIfMissing("original string", "append prefix", taint(), "check prefix 2"));
sink(StringUtils.prependIfMissing("original string", "append prefix", "check prefix 1", taint()));
sink(StringUtils.prependIfMissingIgnoreCase(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.prependIfMissingIgnoreCase("original string", taint(), "check prefix 1", "check prefix 2")); // $hasTaintFlow
sink(StringUtils.prependIfMissingIgnoreCase(taint(), "append prefix", "check prefix 1", "check prefix 2")); // $ hasTaintFlow
sink(StringUtils.prependIfMissingIgnoreCase("original string", taint(), "check prefix 1", "check prefix 2")); // $ hasTaintFlow
// (next 2 calls) GOOD: args 3+ are checked against but do not propagate to the return value
sink(StringUtils.prependIfMissingIgnoreCase("original string", "append prefix", taint(), "check prefix 2"));
sink(StringUtils.prependIfMissingIgnoreCase("original string", "append prefix", "check prefix 1", taint()));
sink(StringUtils.remove(taint(), ' ')); // $hasTaintFlow
sink(StringUtils.remove(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeAll(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeEnd(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeEndIgnoreCase(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeFirst(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeIgnoreCase(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removePattern(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeStart(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.removeStartIgnoreCase(taint(), "delete me")); // $hasTaintFlow
sink(StringUtils.remove(taint(), ' ')); // $ hasTaintFlow
sink(StringUtils.remove(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeAll(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeEnd(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeEndIgnoreCase(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeFirst(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeIgnoreCase(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removePattern(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeStart(taint(), "delete me")); // $ hasTaintFlow
sink(StringUtils.removeStartIgnoreCase(taint(), "delete me")); // $ hasTaintFlow
// GOOD (next 9 calls): the removed string doesn't propagate to the return value
sink(StringUtils.remove("remove from", taint()));
sink(StringUtils.removeAll("remove from", taint()));
@@ -144,32 +144,32 @@ class Test {
sink(StringUtils.removePattern("remove from", taint()));
sink(StringUtils.removeStart("remove from", taint()));
sink(StringUtils.removeStartIgnoreCase("remove from", taint()));
sink(StringUtils.repeat(taint(), 1)); // $hasTaintFlow
sink(StringUtils.repeat(taint(), "separator", 1)); // $hasTaintFlow
sink(StringUtils.repeat("repeat me", taint(), 1)); // $hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement", 0)); // $hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint(), 0)); // $hasTaintFlow
sink(StringUtils.replaceAll(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceAll("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceChars(taint(), 'a', 'b')); // $hasTaintFlow
sink(StringUtils.replaceChars(taint(), "abc", "xyz")); // $hasTaintFlow
sink(StringUtils.replaceChars("haystack", "abc", taint())); // $hasTaintFlow
sink(StringUtils.replaceEach(taint(), new String[] { "search" }, new String[] { "replacement" })); // $hasTaintFlow
sink(StringUtils.replaceEach("haystack", new String[] { "search" }, new String[] { taint() })); // $hasTaintFlow
sink(StringUtils.replaceEachRepeatedly(taint(), new String[] { "search" }, new String[] { "replacement" })); // $hasTaintFlow
sink(StringUtils.replaceEachRepeatedly("haystack", new String[] { "search" }, new String[] { taint() })); // $hasTaintFlow
sink(StringUtils.replaceFirst(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceFirst("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceIgnoreCase(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceIgnoreCase("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceOnce(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceOnce("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.replacePattern(taint(), "search", "replacement")); // $hasTaintFlow
sink(StringUtils.replacePattern("haystack", "search", taint())); // $hasTaintFlow
sink(StringUtils.repeat(taint(), 1)); // $ hasTaintFlow
sink(StringUtils.repeat(taint(), "separator", 1)); // $ hasTaintFlow
sink(StringUtils.repeat("repeat me", taint(), 1)); // $ hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replace(taint(), "search", "replacement", 0)); // $ hasTaintFlow
sink(StringUtils.replace("haystack", "search", taint(), 0)); // $ hasTaintFlow
sink(StringUtils.replaceAll(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceAll("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceChars(taint(), 'a', 'b')); // $ hasTaintFlow
sink(StringUtils.replaceChars(taint(), "abc", "xyz")); // $ hasTaintFlow
sink(StringUtils.replaceChars("haystack", "abc", taint())); // $ hasTaintFlow
sink(StringUtils.replaceEach(taint(), new String[] { "search" }, new String[] { "replacement" })); // $ hasTaintFlow
sink(StringUtils.replaceEach("haystack", new String[] { "search" }, new String[] { taint() })); // $ hasTaintFlow
sink(StringUtils.replaceEachRepeatedly(taint(), new String[] { "search" }, new String[] { "replacement" })); // $ hasTaintFlow
sink(StringUtils.replaceEachRepeatedly("haystack", new String[] { "search" }, new String[] { taint() })); // $ hasTaintFlow
sink(StringUtils.replaceFirst(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceFirst("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceIgnoreCase(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceIgnoreCase("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceOnce(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceOnce("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replaceOnceIgnoreCase("haystack", "search", taint())); // $ hasTaintFlow
sink(StringUtils.replacePattern(taint(), "search", "replacement")); // $ hasTaintFlow
sink(StringUtils.replacePattern("haystack", "search", taint())); // $ hasTaintFlow
// GOOD (next 11 calls): searched string in replace methods does not flow to the return value.
sink(StringUtils.replace("haystack", taint(), "replacement"));
sink(StringUtils.replace("haystack", taint(), "replacement", 0));
@@ -182,28 +182,28 @@ class Test {
sink(StringUtils.replaceOnce("haystack", taint(), "replacement"));
sink(StringUtils.replaceOnceIgnoreCase("haystack", taint(), "replacement"));
sink(StringUtils.replacePattern("haystack", taint(), "replacement"));
sink(StringUtils.reverse(taint())); // $hasTaintFlow
sink(StringUtils.reverseDelimited(taint(), ',')); // $hasTaintFlow
sink(StringUtils.right(taint(), 0)); // $hasTaintFlow
sink(StringUtils.rightPad(taint(), 0)); // $hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, ' ')); // $hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, "padding")); // $hasTaintFlow
sink(StringUtils.rightPad("to pad", 0, taint())); // $hasTaintFlow
sink(StringUtils.rotate(taint(), 0)); // $hasTaintFlow
sink(StringUtils.split(taint())); // $hasTaintFlow
sink(StringUtils.split(taint(), ' ')); // $hasTaintFlow
sink(StringUtils.split(taint(), " ,;")); // $hasTaintFlow
sink(StringUtils.split(taint(), " ,;", 0)); // $hasTaintFlow
sink(StringUtils.splitByCharacterType(taint())); // $hasTaintFlow
sink(StringUtils.splitByCharacterTypeCamelCase(taint())); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator", 0)); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator", 0)); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint())); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), ' ')); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;")); // $hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;", 0)); // $hasTaintFlow
sink(StringUtils.reverse(taint())); // $ hasTaintFlow
sink(StringUtils.reverseDelimited(taint(), ',')); // $ hasTaintFlow
sink(StringUtils.right(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.rightPad(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, ' ')); // $ hasTaintFlow
sink(StringUtils.rightPad(taint(), 0, "padding")); // $ hasTaintFlow
sink(StringUtils.rightPad("to pad", 0, taint())); // $ hasTaintFlow
sink(StringUtils.rotate(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.split(taint())); // $ hasTaintFlow
sink(StringUtils.split(taint(), ' ')); // $ hasTaintFlow
sink(StringUtils.split(taint(), " ,;")); // $ hasTaintFlow
sink(StringUtils.split(taint(), " ,;", 0)); // $ hasTaintFlow
sink(StringUtils.splitByCharacterType(taint())); // $ hasTaintFlow
sink(StringUtils.splitByCharacterTypeCamelCase(taint())); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparator(taint(), "separator", 0)); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens(taint(), "separator", 0)); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint())); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), ' ')); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;")); // $ hasTaintFlow
sink(StringUtils.splitPreserveAllTokens(taint(), " ,;", 0)); // $ hasTaintFlow
// GOOD (next 8 calls): separators don't propagate to the return value
sink(StringUtils.split("to split", taint()));
sink(StringUtils.split("to split", taint(), 0));
@@ -213,30 +213,30 @@ class Test {
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens("to split", taint()));
sink(StringUtils.splitByWholeSeparatorPreserveAllTokens("to split", taint(), 0));
sink(StringUtils.splitPreserveAllTokens("to split", taint()));
sink(StringUtils.strip(taint())); // $hasTaintFlow
sink(StringUtils.strip(taint(), "charstoremove")); // $hasTaintFlow
sink(StringUtils.stripAccents(taint())); // $hasTaintFlow
sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")[0]); // $hasTaintFlow
sink(StringUtils.stripEnd(taint(), "charstoremove")); // $hasTaintFlow
sink(StringUtils.stripStart(taint(), "charstoremove")); // $hasTaintFlow
sink(StringUtils.strip(taint())); // $ hasTaintFlow
sink(StringUtils.strip(taint(), "charstoremove")); // $ hasTaintFlow
sink(StringUtils.stripAccents(taint())); // $ hasTaintFlow
sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")[0]); // $ hasTaintFlow
sink(StringUtils.stripEnd(taint(), "charstoremove")); // $ hasTaintFlow
sink(StringUtils.stripStart(taint(), "charstoremove")); // $ hasTaintFlow
// GOOD (next 4 calls): stripped chars do not flow to the return value.
sink(StringUtils.strip("original text", taint()));
sink(StringUtils.stripAll(new String[] { "original text" }, taint())[0]);
sink(StringUtils.stripEnd("original text", taint()));
sink(StringUtils.stripStart("original text", taint()));
sink(StringUtils.stripToEmpty(taint())); // $hasTaintFlow
sink(StringUtils.stripToNull(taint())); // $hasTaintFlow
sink(StringUtils.substring(taint(), 0)); // $hasTaintFlow
sink(StringUtils.substring(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.substringAfter(taint(), 0)); // $hasTaintFlow
sink(StringUtils.substringAfter(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), 0)); // $hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBefore(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBeforeLast(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBetween(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.substringBetween(taint(), "start-tag", "end-tag")); // $hasTaintFlow
sink(StringUtils.substringsBetween(taint(), "start-tag", "end-tag")[0]); // $hasTaintFlow
sink(StringUtils.stripToEmpty(taint())); // $ hasTaintFlow
sink(StringUtils.stripToNull(taint())); // $ hasTaintFlow
sink(StringUtils.substring(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.substring(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.substringAfter(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.substringAfter(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.substringAfterLast(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBefore(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBeforeLast(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBetween(taint(), "separator")); // $ hasTaintFlow
sink(StringUtils.substringBetween(taint(), "start-tag", "end-tag")); // $ hasTaintFlow
sink(StringUtils.substringsBetween(taint(), "start-tag", "end-tag")[0]); // $ hasTaintFlow
// GOOD (next 9 calls): separators and bounding tags do not flow to the return value.
sink(StringUtils.substringAfter("original text", taint()));
sink(StringUtils.substringAfterLast("original text", taint()));
@@ -247,31 +247,31 @@ class Test {
sink(StringUtils.substringBetween("original text", "start-tag", taint()));
sink(StringUtils.substringsBetween("original text", taint(), "end-tag")[0]);
sink(StringUtils.substringsBetween("original text", "start-tag", taint())[0]);
sink(StringUtils.swapCase(taint())); // $hasTaintFlow
sink(StringUtils.toCodePoints(taint())); // $hasTaintFlow
sink(StringUtils.toEncodedString(StringUtils.getBytes(taint(), "charset"), null)); // $hasTaintFlow
sink(StringUtils.toRootLowerCase(taint())); // $hasTaintFlow
sink(StringUtils.toRootUpperCase(taint())); // $hasTaintFlow
sink(StringUtils.toString(StringUtils.getBytes(taint(), "charset"), "charset")); // $hasTaintFlow
sink(StringUtils.trim(taint())); // $hasTaintFlow
sink(StringUtils.trimToEmpty(taint())); // $hasTaintFlow
sink(StringUtils.trimToNull(taint())); // $hasTaintFlow
sink(StringUtils.truncate(taint(), 0)); // $hasTaintFlow
sink(StringUtils.truncate(taint(), 0, 0)); // $hasTaintFlow
sink(StringUtils.uncapitalize(taint())); // $hasTaintFlow
sink(StringUtils.unwrap(taint(), '"')); // $hasTaintFlow
sink(StringUtils.unwrap(taint(), "separator")); // $hasTaintFlow
sink(StringUtils.swapCase(taint())); // $ hasTaintFlow
sink(StringUtils.toCodePoints(taint())); // $ hasTaintFlow
sink(StringUtils.toEncodedString(StringUtils.getBytes(taint(), "charset"), null)); // $ hasTaintFlow
sink(StringUtils.toRootLowerCase(taint())); // $ hasTaintFlow
sink(StringUtils.toRootUpperCase(taint())); // $ hasTaintFlow
sink(StringUtils.toString(StringUtils.getBytes(taint(), "charset"), "charset")); // $ hasTaintFlow
sink(StringUtils.trim(taint())); // $ hasTaintFlow
sink(StringUtils.trimToEmpty(taint())); // $ hasTaintFlow
sink(StringUtils.trimToNull(taint())); // $ hasTaintFlow
sink(StringUtils.truncate(taint(), 0)); // $ hasTaintFlow
sink(StringUtils.truncate(taint(), 0, 0)); // $ hasTaintFlow
sink(StringUtils.uncapitalize(taint())); // $ hasTaintFlow
sink(StringUtils.unwrap(taint(), '"')); // $ hasTaintFlow
sink(StringUtils.unwrap(taint(), "separator")); // $ hasTaintFlow
// GOOD: the wrapper string does not flow to the return value.
sink(StringUtils.unwrap("original string", taint()));
sink(StringUtils.upperCase(taint())); // $hasTaintFlow
sink(StringUtils.upperCase(taint(), null)); // $hasTaintFlow
sink(StringUtils.valueOf(taint().toCharArray())); // $hasTaintFlow
sink(StringUtils.wrap(taint(), '"')); // $hasTaintFlow
sink(StringUtils.wrap(taint(), "wrapper token")); // $hasTaintFlow
sink(StringUtils.wrap("wrap me", taint())); // $hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), '"')); // $hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), "wrapper token")); // $hasTaintFlow
sink(StringUtils.wrapIfMissing("wrap me", taint())); // $hasTaintFlow
sink(StringUtils.upperCase(taint())); // $ hasTaintFlow
sink(StringUtils.upperCase(taint(), null)); // $ hasTaintFlow
sink(StringUtils.valueOf(taint().toCharArray())); // $ hasTaintFlow
sink(StringUtils.wrap(taint(), '"')); // $ hasTaintFlow
sink(StringUtils.wrap(taint(), "wrapper token")); // $ hasTaintFlow
sink(StringUtils.wrap("wrap me", taint())); // $ hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), '"')); // $ hasTaintFlow
sink(StringUtils.wrapIfMissing(taint(), "wrapper token")); // $ hasTaintFlow
sink(StringUtils.wrapIfMissing("wrap me", taint())); // $ hasTaintFlow
}


@@ -14,135 +14,135 @@ class TextStringBuilderTest {
void test() throws Exception {
TextStringBuilder cons1 = new TextStringBuilder(taint()); sink(cons1.toString()); // $hasTaintFlow
TextStringBuilder cons2 = new TextStringBuilder((CharSequence)taint()); sink(cons2.toString()); // $hasTaintFlow
TextStringBuilder cons1 = new TextStringBuilder(taint()); sink(cons1.toString()); // $ hasTaintFlow
TextStringBuilder cons2 = new TextStringBuilder((CharSequence)taint()); sink(cons2.toString()); // $ hasTaintFlow
TextStringBuilder sb1 = new TextStringBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow
TextStringBuilder sb2 = new TextStringBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow
TextStringBuilder sb1 = new TextStringBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $ hasTaintFlow
TextStringBuilder sb2 = new TextStringBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $ hasTaintFlow
TextStringBuilder sb3 = new TextStringBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // $ hasTaintFlow
TextStringBuilder sb4 = new TextStringBuilder(); sb4.append(CharBuffer.wrap(taint().toCharArray()), 0, 0); sink(sb4.toString()); // $ hasTaintFlow
TextStringBuilder sb5 = new TextStringBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $hasTaintFlow
TextStringBuilder sb6 = new TextStringBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $hasTaintFlow
TextStringBuilder sb7 = new TextStringBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $hasTaintFlow
TextStringBuilder sb5 = new TextStringBuilder(); sb5.append((CharSequence)taint()); sink(sb5.toString()); // $ hasTaintFlow
TextStringBuilder sb6 = new TextStringBuilder(); sb6.append((CharSequence)taint(), 0, 0); sink(sb6.toString()); // $ hasTaintFlow
TextStringBuilder sb7 = new TextStringBuilder(); sb7.append((Object)taint()); sink(sb7.toString()); // $ hasTaintFlow
{
TextStringBuilder auxsb = new TextStringBuilder(); auxsb.append(taint());
TextStringBuilder sb8 = new TextStringBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $hasTaintFlow
TextStringBuilder sb8 = new TextStringBuilder(); sb8.append(auxsb); sink(sb8.toString()); // $ hasTaintFlow
}
TextStringBuilder sb9 = new TextStringBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $hasTaintFlow
TextStringBuilder sb10 = new TextStringBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $hasTaintFlow
TextStringBuilder sb11 = new TextStringBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $hasTaintFlow
TextStringBuilder sb12 = new TextStringBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $hasTaintFlow
TextStringBuilder sb13 = new TextStringBuilder(); sb13.append(taint()); sink(sb13.toString()); // $hasTaintFlow
TextStringBuilder sb14 = new TextStringBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $hasTaintFlow
TextStringBuilder sb15 = new TextStringBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $hasTaintFlow
TextStringBuilder sb16 = new TextStringBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $hasTaintFlow
TextStringBuilder sb9 = new TextStringBuilder(); sb9.append(new StringBuffer(taint())); sink(sb9.toString()); // $ hasTaintFlow
TextStringBuilder sb10 = new TextStringBuilder(); sb10.append(new StringBuffer(taint()), 0, 0); sink(sb10.toString()); // $ hasTaintFlow
TextStringBuilder sb11 = new TextStringBuilder(); sb11.append(new StringBuilder(taint())); sink(sb11.toString()); // $ hasTaintFlow
TextStringBuilder sb12 = new TextStringBuilder(); sb12.append(new StringBuilder(taint()), 0, 0); sink(sb12.toString()); // $ hasTaintFlow
TextStringBuilder sb13 = new TextStringBuilder(); sb13.append(taint()); sink(sb13.toString()); // $ hasTaintFlow
TextStringBuilder sb14 = new TextStringBuilder(); sb14.append(taint(), 0, 0); sink(sb14.toString()); // $ hasTaintFlow
TextStringBuilder sb15 = new TextStringBuilder(); sb15.append(taint(), "format", "args"); sink(sb15.toString()); // $ hasTaintFlow
TextStringBuilder sb16 = new TextStringBuilder(); sb16.append("Format string", taint(), "args"); sink(sb16.toString()); // $ hasTaintFlow
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
TextStringBuilder sb17 = new TextStringBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $hasTaintFlow
TextStringBuilder sb18 = new TextStringBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $hasTaintFlow
TextStringBuilder sb17 = new TextStringBuilder(); sb17.appendAll(taintedList); sink(sb17.toString()); // $ hasTaintFlow
TextStringBuilder sb18 = new TextStringBuilder(); sb18.appendAll(taintedList.iterator()); sink(sb18.toString()); // $ hasTaintFlow
}
TextStringBuilder sb19 = new TextStringBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $hasTaintFlow
TextStringBuilder sb20 = new TextStringBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $hasTaintFlow
TextStringBuilder sb21 = new TextStringBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $hasTaintFlow
TextStringBuilder sb22 = new TextStringBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $hasTaintFlow
TextStringBuilder sb23 = new TextStringBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $hasTaintFlow
TextStringBuilder sb24 = new TextStringBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $hasTaintFlow
TextStringBuilder sb25 = new TextStringBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $hasTaintFlow
TextStringBuilder sb19 = new TextStringBuilder(); sb19.appendAll("clean", taint()); sink(sb19.toString()); // $ hasTaintFlow
TextStringBuilder sb20 = new TextStringBuilder(); sb20.appendAll(taint(), "clean"); sink(sb20.toString()); // $ hasTaintFlow
TextStringBuilder sb21 = new TextStringBuilder(); sb21.appendFixedWidthPadLeft(taint(), 0, ' '); sink(sb21.toString()); // $ hasTaintFlow
TextStringBuilder sb22 = new TextStringBuilder(); sb22.appendFixedWidthPadRight(taint(), 0, ' '); sink(sb22.toString()); // $ hasTaintFlow
TextStringBuilder sb23 = new TextStringBuilder(); sb23.appendln(taint().toCharArray()); sink(sb23.toString()); // $ hasTaintFlow
TextStringBuilder sb24 = new TextStringBuilder(); sb24.appendln(taint().toCharArray(), 0, 0); sink(sb24.toString()); // $ hasTaintFlow
TextStringBuilder sb25 = new TextStringBuilder(); sb25.appendln((Object)taint()); sink(sb25.toString()); // $ hasTaintFlow
{
TextStringBuilder auxsb = new TextStringBuilder(); auxsb.appendln(taint());
TextStringBuilder sb26 = new TextStringBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $hasTaintFlow
TextStringBuilder sb26 = new TextStringBuilder(); sb26.appendln(auxsb); sink(sb26.toString()); // $ hasTaintFlow
}
TextStringBuilder sb27 = new TextStringBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $hasTaintFlow
TextStringBuilder sb28 = new TextStringBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $hasTaintFlow
TextStringBuilder sb29 = new TextStringBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $hasTaintFlow
TextStringBuilder sb30 = new TextStringBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $hasTaintFlow
TextStringBuilder sb31 = new TextStringBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $hasTaintFlow
TextStringBuilder sb32 = new TextStringBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $hasTaintFlow
TextStringBuilder sb33 = new TextStringBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $hasTaintFlow
TextStringBuilder sb34 = new TextStringBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $hasTaintFlow
TextStringBuilder sb35 = new TextStringBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $hasTaintFlow
TextStringBuilder sb36 = new TextStringBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $hasTaintFlow
TextStringBuilder sb37 = new TextStringBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $hasTaintFlow
TextStringBuilder sb38 = new TextStringBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $hasTaintFlow
TextStringBuilder sb27 = new TextStringBuilder(); sb27.appendln(new StringBuffer(taint())); sink(sb27.toString()); // $ hasTaintFlow
TextStringBuilder sb28 = new TextStringBuilder(); sb28.appendln(new StringBuffer(taint()), 0, 0); sink(sb28.toString()); // $ hasTaintFlow
TextStringBuilder sb29 = new TextStringBuilder(); sb29.appendln(new StringBuilder(taint())); sink(sb29.toString()); // $ hasTaintFlow
TextStringBuilder sb30 = new TextStringBuilder(); sb30.appendln(new StringBuilder(taint()), 0, 0); sink(sb30.toString()); // $ hasTaintFlow
TextStringBuilder sb31 = new TextStringBuilder(); sb31.appendln(taint()); sink(sb31.toString()); // $ hasTaintFlow
TextStringBuilder sb32 = new TextStringBuilder(); sb32.appendln(taint(), 0, 0); sink(sb32.toString()); // $ hasTaintFlow
TextStringBuilder sb33 = new TextStringBuilder(); sb33.appendln(taint(), "format", "args"); sink(sb33.toString()); // $ hasTaintFlow
TextStringBuilder sb34 = new TextStringBuilder(); sb34.appendln("Format string", taint(), "args"); sink(sb34.toString()); // $ hasTaintFlow
TextStringBuilder sb35 = new TextStringBuilder(); sb35.appendSeparator(taint()); sink(sb35.toString()); // $ hasTaintFlow
TextStringBuilder sb36 = new TextStringBuilder(); sb36.appendSeparator(taint(), 0); sink(sb36.toString()); // $ hasTaintFlow
TextStringBuilder sb37 = new TextStringBuilder(); sb37.appendSeparator(taint(), "default"); sink(sb37.toString()); // $ hasTaintFlow
TextStringBuilder sb38 = new TextStringBuilder(); sb38.appendSeparator("", taint()); sink(sb38.toString()); // $ hasTaintFlow
{
TextStringBuilder auxsb = new TextStringBuilder(); auxsb.appendln(taint());
TextStringBuilder sb39 = new TextStringBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $hasTaintFlow
TextStringBuilder sb39 = new TextStringBuilder(); auxsb.appendTo(sb39); sink(sb39.toString()); // $ hasTaintFlow
}
{
List<String> taintedList = new ArrayList<>();
taintedList.add(taint());
TextStringBuilder sb40 = new TextStringBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $hasTaintFlow
TextStringBuilder sb41 = new TextStringBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $hasTaintFlow
TextStringBuilder sb40 = new TextStringBuilder(); sb40.appendWithSeparators(taintedList, ", "); sink(sb40.toString()); // $ hasTaintFlow
TextStringBuilder sb41 = new TextStringBuilder(); sb41.appendWithSeparators(taintedList.iterator(), ", "); sink(sb41.toString()); // $ hasTaintFlow
List<String> untaintedList = new ArrayList<>();
TextStringBuilder sb42 = new TextStringBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $hasTaintFlow
TextStringBuilder sb43 = new TextStringBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $hasTaintFlow
TextStringBuilder sb42 = new TextStringBuilder(); sb42.appendWithSeparators(untaintedList, taint()); sink(sb42.toString()); // $ hasTaintFlow
TextStringBuilder sb43 = new TextStringBuilder(); sb43.appendWithSeparators(untaintedList.iterator(), taint()); sink(sb43.toString()); // $ hasTaintFlow
String[] taintedArray = new String[] { taint() };
String[] untaintedArray = new String[] {};
TextStringBuilder sb44 = new TextStringBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $hasTaintFlow
TextStringBuilder sb45 = new TextStringBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $hasTaintFlow
TextStringBuilder sb44 = new TextStringBuilder(); sb44.appendWithSeparators(taintedArray, ", "); sink(sb44.toString()); // $ hasTaintFlow
TextStringBuilder sb45 = new TextStringBuilder(); sb45.appendWithSeparators(untaintedArray, taint()); sink(sb45.toString()); // $ hasTaintFlow
}
{
TextStringBuilder sb46 = new TextStringBuilder(); sb46.append(taint());
char[] target = new char[100];
sb46.asReader().read(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
TextStringBuilder sb47 = new TextStringBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $hasTaintFlow
TextStringBuilder sb48 = new TextStringBuilder(); sb48.append(taint()); sink(sb48.build()); // $hasTaintFlow
TextStringBuilder sb49 = new TextStringBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $hasTaintFlow
TextStringBuilder sb47 = new TextStringBuilder(); sb47.append(taint()); sink(sb47.asTokenizer().next()); // $ hasTaintFlow
TextStringBuilder sb48 = new TextStringBuilder(); sb48.append(taint()); sink(sb48.build()); // $ hasTaintFlow
TextStringBuilder sb49 = new TextStringBuilder(); sb49.append(taint()); sink(sb49.getChars(null)); // $ hasTaintFlow
{
TextStringBuilder sb50 = new TextStringBuilder(); sb50.append(taint());
char[] target = new char[100];
sb50.getChars(target);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
{
TextStringBuilder sb51 = new TextStringBuilder(); sb51.append(taint());
char[] target = new char[100];
sb51.getChars(0, 0, target, 0);
sink(target); // $hasTaintFlow
sink(target); // $ hasTaintFlow
}
TextStringBuilder sb52 = new TextStringBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $hasTaintFlow
TextStringBuilder sb53 = new TextStringBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $hasTaintFlow
TextStringBuilder sb54 = new TextStringBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $hasTaintFlow
TextStringBuilder sb55 = new TextStringBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $hasTaintFlow
TextStringBuilder sb56 = new TextStringBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $hasTaintFlow
TextStringBuilder sb57 = new TextStringBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $hasTaintFlow
TextStringBuilder sb52 = new TextStringBuilder(); sb52.insert(0, taint().toCharArray()); sink(sb52.toString()); // $ hasTaintFlow
TextStringBuilder sb53 = new TextStringBuilder(); sb53.insert(0, taint().toCharArray(), 0, 0); sink(sb53.toString()); // $ hasTaintFlow
TextStringBuilder sb54 = new TextStringBuilder(); sb54.insert(0, taint()); sink(sb54.toString()); // $ hasTaintFlow
TextStringBuilder sb55 = new TextStringBuilder(); sb55.insert(0, (Object)taint()); sink(sb55.toString()); // $ hasTaintFlow
TextStringBuilder sb56 = new TextStringBuilder(); sb56.append(taint()); sink(sb56.leftString(0)); // $ hasTaintFlow
TextStringBuilder sb57 = new TextStringBuilder(); sb57.append(taint()); sink(sb57.midString(0, 0)); // $ hasTaintFlow
{
StringReader reader = new StringReader(taint());
TextStringBuilder sb58 = new TextStringBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $hasTaintFlow
TextStringBuilder sb58 = new TextStringBuilder(); sb58.readFrom(reader); sink(sb58.toString()); // $ hasTaintFlow
}
TextStringBuilder sb59 = new TextStringBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $hasTaintFlow
TextStringBuilder sb60 = new TextStringBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $hasTaintFlow
TextStringBuilder sb61 = new TextStringBuilder(); sb61.replaceAll((StringMatcher)null, taint()); sink(sb61.toString()); // $hasTaintFlow
TextStringBuilder sb62 = new TextStringBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $hasTaintFlow
TextStringBuilder sb59 = new TextStringBuilder(); sb59.replace(0, 0, taint()); sink(sb59.toString()); // $ hasTaintFlow
TextStringBuilder sb60 = new TextStringBuilder(); sb60.replace(null, taint(), 0, 0, 0); sink(sb60.toString()); // $ hasTaintFlow
TextStringBuilder sb61 = new TextStringBuilder(); sb61.replaceAll((StringMatcher)null, taint()); sink(sb61.toString()); // $ hasTaintFlow
TextStringBuilder sb62 = new TextStringBuilder(); sb62.replaceAll("search", taint()); sink(sb62.toString()); // $ hasTaintFlow
TextStringBuilder sb63 = new TextStringBuilder(); sb63.replaceAll(taint(), "replace"); sink(sb63.toString()); // GOOD (search string doesn't convey taint)
TextStringBuilder sb64 = new TextStringBuilder(); sb64.replaceFirst((StringMatcher)null, taint()); sink(sb64.toString()); // $hasTaintFlow
TextStringBuilder sb65 = new TextStringBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $hasTaintFlow
TextStringBuilder sb64 = new TextStringBuilder(); sb64.replaceFirst((StringMatcher)null, taint()); sink(sb64.toString()); // $ hasTaintFlow
TextStringBuilder sb65 = new TextStringBuilder(); sb65.replaceFirst("search", taint()); sink(sb65.toString()); // $ hasTaintFlow
TextStringBuilder sb66 = new TextStringBuilder(); sb66.replaceFirst(taint(), "replace"); sink(sb66.toString()); // GOOD (search string doesn't convey taint)
TextStringBuilder sb67 = new TextStringBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $hasTaintFlow
TextStringBuilder sb68 = new TextStringBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $hasTaintFlow
TextStringBuilder sb69 = new TextStringBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $hasTaintFlow
TextStringBuilder sb70 = new TextStringBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $hasTaintFlow
TextStringBuilder sb71 = new TextStringBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $hasTaintFlow
TextStringBuilder sb72 = new TextStringBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
TextStringBuilder sb73 = new TextStringBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
TextStringBuilder sb74 = new TextStringBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
TextStringBuilder sb67 = new TextStringBuilder(); sb67.append(taint()); sink(sb67.rightString(0)); // $ hasTaintFlow
TextStringBuilder sb68 = new TextStringBuilder(); sb68.append(taint()); sink(sb68.subSequence(0, 0)); // $ hasTaintFlow
TextStringBuilder sb69 = new TextStringBuilder(); sb69.append(taint()); sink(sb69.substring(0)); // $ hasTaintFlow
TextStringBuilder sb70 = new TextStringBuilder(); sb70.append(taint()); sink(sb70.substring(0, 0)); // $ hasTaintFlow
TextStringBuilder sb71 = new TextStringBuilder(); sb71.append(taint()); sink(sb71.toCharArray()); // $ hasTaintFlow
TextStringBuilder sb72 = new TextStringBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $ hasTaintFlow
TextStringBuilder sb73 = new TextStringBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $ hasTaintFlow
TextStringBuilder sb74 = new TextStringBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $ hasTaintFlow
// Tests for fluent methods (those returning `this`):
TextStringBuilder fluentTest = new TextStringBuilder();
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
TextStringBuilder fluentBackflowTest = new TextStringBuilder();
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
TextStringBuilder fluentBackflowTest2 = new TextStringBuilder();
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
// Test all fluent methods are passing taint through to their result:
TextStringBuilder fluentAllMethodsTest = new TextStringBuilder(taint());
@@ -172,7 +172,7 @@ class TextStringBuilderTest {
.setLength(500)
.setNewLineText("newline")
.setNullText("NULL")
.trim()); // $hasTaintFlow
.trim()); // $ hasTaintFlow
// Test all fluent methods are passing taint back to their qualifier:
TextStringBuilder fluentAllMethodsTest2 = new TextStringBuilder();
@@ -204,7 +204,7 @@ class TextStringBuilderTest {
.setNullText("NULL")
.trim()
.append(taint());
sink(fluentAllMethodsTest2); // $hasTaintFlow
sink(fluentAllMethodsTest2); // $ hasTaintFlow
}
}


@@ -7,31 +7,31 @@ class ToStringBuilderTest {
void test() throws Exception {
ToStringBuilder sb1 = new ToStringBuilder(null); sb1.append((Object)taint()); sink(sb1.toString()); // $hasTaintFlow
ToStringBuilder sb2 = new ToStringBuilder(null); sb2.append(new Object[] { taint() }); sink(sb2.toString()); // $hasTaintFlow
ToStringBuilder sb3 = new ToStringBuilder(null); sb3.append(taint(), true); sink(sb3.toString()); // $hasTaintFlow
ToStringBuilder sb4 = new ToStringBuilder(null); sb4.append("fieldname", taint()); sink(sb4.toString()); // $hasTaintFlow
ToStringBuilder sb5 = new ToStringBuilder(null); sb5.append("fieldname", new Object[] { taint() }); sink(sb5.toString()); // $hasTaintFlow
ToStringBuilder sb6 = new ToStringBuilder(null); sb6.append("fieldname", new Object[] { taint() }, true); sink(sb6.toString()); // $hasTaintFlow
ToStringBuilder sb1 = new ToStringBuilder(null); sb1.append((Object)taint()); sink(sb1.toString()); // $ hasTaintFlow
ToStringBuilder sb2 = new ToStringBuilder(null); sb2.append(new Object[] { taint() }); sink(sb2.toString()); // $ hasTaintFlow
ToStringBuilder sb3 = new ToStringBuilder(null); sb3.append(taint(), true); sink(sb3.toString()); // $ hasTaintFlow
ToStringBuilder sb4 = new ToStringBuilder(null); sb4.append("fieldname", taint()); sink(sb4.toString()); // $ hasTaintFlow
ToStringBuilder sb5 = new ToStringBuilder(null); sb5.append("fieldname", new Object[] { taint() }); sink(sb5.toString()); // $ hasTaintFlow
ToStringBuilder sb6 = new ToStringBuilder(null); sb6.append("fieldname", new Object[] { taint() }, true); sink(sb6.toString()); // $ hasTaintFlow
// GOOD: this appends an Object using the Object.toString style, which does not expose fields or String content.
ToStringBuilder sb7 = new ToStringBuilder(null); sb7.appendAsObjectToString(taint()); sink(sb7.toString());
ToStringBuilder sb8 = new ToStringBuilder(null); sb8.appendSuper(taint()); sink(sb8.toString()); // $hasTaintFlow
ToStringBuilder sb9 = new ToStringBuilder(null); sb9.appendToString(taint()); sink(sb9.toString()); // $hasTaintFlow
ToStringBuilder sb10 = new ToStringBuilder(null); sb10.append((Object)taint()); sink(sb10.build()); // $hasTaintFlow
ToStringBuilder sb11 = new ToStringBuilder(null); sb11.append((Object)taint()); sink(sb11.getStringBuffer().toString()); // $hasTaintFlow
ToStringBuilder sb8 = new ToStringBuilder(null); sb8.appendSuper(taint()); sink(sb8.toString()); // $ hasTaintFlow
ToStringBuilder sb9 = new ToStringBuilder(null); sb9.appendToString(taint()); sink(sb9.toString()); // $ hasTaintFlow
ToStringBuilder sb10 = new ToStringBuilder(null); sb10.append((Object)taint()); sink(sb10.build()); // $ hasTaintFlow
ToStringBuilder sb11 = new ToStringBuilder(null); sb11.append((Object)taint()); sink(sb11.getStringBuffer().toString()); // $ hasTaintFlow
// Test fluent methods:
ToStringBuilder fluentTest = new ToStringBuilder(null);
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $ hasTaintFlow
ToStringBuilder fluentBackflowTest = new ToStringBuilder(null);
fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
sink(fluentBackflowTest.toString()); // $hasTaintFlow
sink(fluentBackflowTest.toString()); // $ hasTaintFlow
// Test the case where the fluent method contributing taint is at the end of a statement:
ToStringBuilder fluentBackflowTest2 = new ToStringBuilder(null);
fluentBackflowTest2.append("Harmless").append(taint());
sink(fluentBackflowTest2.toString()); // $hasTaintFlow
sink(fluentBackflowTest2.toString()); // $ hasTaintFlow
}
}
}


@@ -18,69 +18,69 @@ class TripleTest {
ImmutableTriple<String, String, String> taintedRight = ImmutableTriple.of("clean-left", "clean-middle", taint());
// Check flow through ImmutableTriples:
sink(taintedLeft.getLeft()); // $hasValueFlow
sink(taintedLeft.getLeft()); // $ hasValueFlow
sink(taintedLeft.getMiddle());
sink(taintedLeft.getRight());
sink(taintedLeft.left); // $hasValueFlow
sink(taintedLeft.left); // $ hasValueFlow
sink(taintedLeft.middle);
sink(taintedLeft.right);
sink(taintedMiddle.getLeft());
sink(taintedMiddle.getMiddle()); // $hasValueFlow
sink(taintedMiddle.getMiddle()); // $ hasValueFlow
sink(taintedMiddle.getRight());
sink(taintedMiddle.left);
sink(taintedMiddle.middle); // $hasValueFlow
sink(taintedMiddle.middle); // $ hasValueFlow
sink(taintedMiddle.right);
sink(taintedRight.getLeft());
sink(taintedRight.getMiddle());
sink(taintedRight.getRight()); // $hasValueFlow
sink(taintedRight.getRight()); // $ hasValueFlow
sink(taintedRight.left);
sink(taintedRight.middle);
sink(taintedRight.right); // $hasValueFlow
sink(taintedRight.right); // $ hasValueFlow
Triple<String, String, String> taintedLeft2 = taintedLeft;
Triple<String, String, String> taintedMiddle2 = taintedMiddle;
Triple<String, String, String> taintedRight2 = taintedRight;
// Check flow also works via an alias of type Triple:
sink(taintedLeft2.getLeft()); // $hasValueFlow
sink(taintedLeft2.getLeft()); // $ hasValueFlow
sink(taintedLeft2.getMiddle());
sink(taintedLeft2.getRight());
sink(taintedMiddle2.getLeft());
sink(taintedMiddle2.getMiddle()); // $hasValueFlow
sink(taintedMiddle2.getMiddle()); // $ hasValueFlow
sink(taintedMiddle2.getRight());
sink(taintedRight2.getLeft());
sink(taintedRight2.getMiddle());
sink(taintedRight2.getRight()); // $hasValueFlow
sink(taintedRight2.getRight()); // $ hasValueFlow
// Check flow via Triple.of:
Triple<String, String, String> taintedLeft3 = Triple.of(taint(), "clean-middle", "clean-right");
Triple<String, String, String> taintedMiddle3 = Triple.of("clean-left", taint(), "clean-right");
Triple<String, String, String> taintedRight3 = Triple.of("clean-left", "clean-middle", taint());
sink(taintedLeft3.getLeft()); // $hasValueFlow
sink(taintedLeft3.getLeft()); // $ hasValueFlow
sink(taintedLeft3.getMiddle());
sink(taintedLeft3.getRight());
sink(taintedMiddle3.getLeft());
sink(taintedMiddle3.getMiddle()); // $hasValueFlow
sink(taintedMiddle3.getMiddle()); // $ hasValueFlow
sink(taintedMiddle3.getRight());
sink(taintedRight3.getLeft());
sink(taintedRight3.getMiddle());
sink(taintedRight3.getRight()); // $hasValueFlow
sink(taintedRight3.getRight()); // $ hasValueFlow
// Check flow via constructor:
ImmutableTriple<String, String, String> taintedLeft4 = new ImmutableTriple(taint(), "clean-middle", "clean-right");
ImmutableTriple<String, String, String> taintedMiddle4 = new ImmutableTriple("clean-left", taint(), "clean-right");
ImmutableTriple<String, String, String> taintedRight4 = new ImmutableTriple("clean-left", "clean-middle", taint());
sink(taintedLeft4.getLeft()); // $hasValueFlow
sink(taintedLeft4.getLeft()); // $ hasValueFlow
sink(taintedLeft4.getMiddle());
sink(taintedLeft4.getRight());
sink(taintedMiddle4.getLeft());
sink(taintedMiddle4.getMiddle()); // $hasValueFlow
sink(taintedMiddle4.getMiddle()); // $ hasValueFlow
sink(taintedMiddle4.getRight());
sink(taintedRight4.getLeft());
sink(taintedRight4.getMiddle());
sink(taintedRight4.getRight()); // $hasValueFlow
sink(taintedRight4.getRight()); // $ hasValueFlow
MutableTriple<String, String, String> mutableTaintedLeft = MutableTriple.of(taint(), "clean-middle", "clean-right");
MutableTriple<String, String, String> mutableTaintedMiddle = MutableTriple.of("clean-left", taint(), "clean-right");
@@ -96,60 +96,60 @@ class TripleTest {
MutableTriple<String, String, String> mutableTaintedRightConstructed = new MutableTriple("clean-left", "clean-middle", taint());
// Check flow through MutableTriples:
sink(mutableTaintedLeft.getLeft()); // $hasValueFlow
sink(mutableTaintedLeft.getLeft()); // $ hasValueFlow
sink(mutableTaintedLeft.getMiddle());
sink(mutableTaintedLeft.getRight());
sink(mutableTaintedLeft.left); // $hasValueFlow
sink(mutableTaintedLeft.left); // $ hasValueFlow
sink(mutableTaintedLeft.middle);
sink(mutableTaintedLeft.right);
sink(mutableTaintedMiddle.getLeft());
sink(mutableTaintedMiddle.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddle.getMiddle()); // $ hasValueFlow
sink(mutableTaintedMiddle.getRight());
sink(mutableTaintedMiddle.left);
sink(mutableTaintedMiddle.middle); // $hasValueFlow
sink(mutableTaintedMiddle.middle); // $ hasValueFlow
sink(mutableTaintedMiddle.right);
sink(mutableTaintedRight.getLeft());
sink(mutableTaintedRight.getMiddle());
sink(mutableTaintedRight.getRight()); // $hasValueFlow
sink(mutableTaintedRight.getRight()); // $ hasValueFlow
sink(mutableTaintedRight.left);
sink(mutableTaintedRight.middle);
sink(mutableTaintedRight.right); // $hasValueFlow
sink(setTaintedLeft.getLeft()); // $hasValueFlow
sink(mutableTaintedRight.right); // $ hasValueFlow
sink(setTaintedLeft.getLeft()); // $ hasValueFlow
sink(setTaintedLeft.getMiddle());
sink(setTaintedLeft.getRight());
sink(setTaintedLeft.left); // $hasValueFlow
sink(setTaintedLeft.left); // $ hasValueFlow
sink(setTaintedLeft.middle);
sink(setTaintedLeft.right);
sink(setTaintedMiddle.getLeft());
sink(setTaintedMiddle.getMiddle()); // $hasValueFlow
sink(setTaintedMiddle.getMiddle()); // $ hasValueFlow
sink(setTaintedMiddle.getRight());
sink(setTaintedMiddle.left);
sink(setTaintedMiddle.middle); // $hasValueFlow
sink(setTaintedMiddle.middle); // $ hasValueFlow
sink(setTaintedMiddle.right);
sink(setTaintedRight.getLeft());
sink(setTaintedRight.getMiddle());
sink(setTaintedRight.getRight()); // $hasValueFlow
sink(setTaintedRight.getRight()); // $ hasValueFlow
sink(setTaintedRight.left);
sink(setTaintedRight.middle);
sink(setTaintedRight.right); // $hasValueFlow
sink(mutableTaintedLeftConstructed.getLeft()); // $hasValueFlow
sink(setTaintedRight.right); // $ hasValueFlow
sink(mutableTaintedLeftConstructed.getLeft()); // $ hasValueFlow
sink(mutableTaintedLeftConstructed.getMiddle());
sink(mutableTaintedLeftConstructed.getRight());
sink(mutableTaintedLeftConstructed.left); // $hasValueFlow
sink(mutableTaintedLeftConstructed.left); // $ hasValueFlow
sink(mutableTaintedLeftConstructed.middle);
sink(mutableTaintedLeftConstructed.right);
sink(mutableTaintedMiddleConstructed.getLeft());
sink(mutableTaintedMiddleConstructed.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddleConstructed.getMiddle()); // $ hasValueFlow
sink(mutableTaintedMiddleConstructed.getRight());
sink(mutableTaintedMiddleConstructed.left);
sink(mutableTaintedMiddleConstructed.middle); // $hasValueFlow
sink(mutableTaintedMiddleConstructed.middle); // $ hasValueFlow
sink(mutableTaintedMiddleConstructed.right);
sink(mutableTaintedRightConstructed.getLeft());
sink(mutableTaintedRightConstructed.getMiddle());
sink(mutableTaintedRightConstructed.getRight()); // $hasValueFlow
sink(mutableTaintedRightConstructed.getRight()); // $ hasValueFlow
sink(mutableTaintedRightConstructed.left);
sink(mutableTaintedRightConstructed.middle);
sink(mutableTaintedRightConstructed.right); // $hasValueFlow
sink(mutableTaintedRightConstructed.right); // $ hasValueFlow
Triple<String, String, String> mutableTaintedLeft2 = mutableTaintedLeft;
Triple<String, String, String> mutableTaintedMiddle2 = mutableTaintedMiddle;
@@ -159,23 +159,23 @@ class TripleTest {
Triple<String, String, String> setTaintedRight2 = setTaintedRight;
// Check flow also works via an alias of type Triple:
sink(mutableTaintedLeft2.getLeft()); // $hasValueFlow
sink(mutableTaintedLeft2.getLeft()); // $ hasValueFlow
sink(mutableTaintedLeft2.getMiddle());
sink(mutableTaintedLeft2.getRight());
sink(mutableTaintedMiddle2.getLeft());
sink(mutableTaintedMiddle2.getMiddle()); // $hasValueFlow
sink(mutableTaintedMiddle2.getMiddle()); // $ hasValueFlow
sink(mutableTaintedMiddle2.getRight());
sink(mutableTaintedRight2.getLeft());
sink(mutableTaintedRight2.getMiddle());
sink(mutableTaintedRight2.getRight()); // $hasValueFlow
sink(setTaintedLeft2.getLeft()); // $hasValueFlow
sink(mutableTaintedRight2.getRight()); // $ hasValueFlow
sink(setTaintedLeft2.getLeft()); // $ hasValueFlow
sink(setTaintedLeft2.getMiddle());
sink(setTaintedLeft2.getRight());
sink(setTaintedMiddle2.getLeft());
sink(setTaintedMiddle2.getMiddle()); // $hasValueFlow
sink(setTaintedMiddle2.getMiddle()); // $ hasValueFlow
sink(setTaintedMiddle2.getRight());
sink(setTaintedRight2.getLeft());
sink(setTaintedRight2.getMiddle());
sink(setTaintedRight2.getRight()); // $hasValueFlow
sink(setTaintedRight2.getRight()); // $ hasValueFlow
}
}
}


@@ -6,20 +6,20 @@ public class WordUtilsTest {
void sink(Object o) {}
void test() throws Exception {
sink(WordUtils.capitalize(taint())); // $hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.initials(taint())); // $hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.swapCase(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $hasTaintFlow
sink(WordUtils.capitalize(taint())); // $ hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.initials(taint())); // $ hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.swapCase(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $ hasTaintFlow
// GOOD: the wrap-on line terminator does not propagate to the return value
sink(WordUtils.wrap("wrap me", 0, "\n", false, taint()));
}
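Review bot: Worth confirming that the harness actually honoured the old `// $hasTaintFlow` form (no space after `$`) before this rewrite; if the inline-expectation parser only recognises `// $ tag`, then every expectation in `test()` here — `sink(WordUtils.capitalize(taint())); // $ hasTaintFlow` and the lines that follow — was inert until now and this commit is the first time they assert anything, so a before/after run of this test is the evidence to attach to the change. Either way, a short comment at the top of `test()` such as `// Inline expectations use the "// $ tag" form (space after $)` would keep the convention from silently regressing in hand-written additions, and a parser-side check that flags a `$` immediately followed by a non-space would be the more robust guard. The `taint()` helper and the `WordUtilsTest` class header sit above this hunk.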


@@ -6,22 +6,22 @@ public class WordUtilsTextTest {
void sink(Object o) {}
void test() throws Exception {
sink(WordUtils.abbreviate(taint(), 0, 0, "append me")); // $hasTaintFlow
sink(WordUtils.abbreviate("abbreviate me", 0, 0, taint())); // $hasTaintFlow
sink(WordUtils.capitalize(taint())); // $hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.initials(taint())); // $hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.swapCase(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $hasTaintFlow
sink(WordUtils.abbreviate(taint(), 0, 0, "append me")); // $ hasTaintFlow
sink(WordUtils.abbreviate("abbreviate me", 0, 0, taint())); // $ hasTaintFlow
sink(WordUtils.capitalize(taint())); // $ hasTaintFlow
sink(WordUtils.capitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint())); // $ hasTaintFlow
sink(WordUtils.capitalizeFully(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.initials(taint())); // $ hasTaintFlow
sink(WordUtils.initials(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.swapCase(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint())); // $ hasTaintFlow
sink(WordUtils.uncapitalize(taint(), ' ', ',')); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false)); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false)); // $ hasTaintFlow
sink(WordUtils.wrap(taint(), 0, "\n", false, "\n")); // $ hasTaintFlow
sink(WordUtils.wrap("wrap me", 0, taint(), false, "\n")); // $ hasTaintFlow
// GOOD: the wrap-on line terminator does not propagate to the return value
sink(WordUtils.wrap("wrap me", 0, "\n", false, taint()));
}


@@ -13,13 +13,13 @@ class TestBase {
void test1() {
String x = taint();
sink(Strings.padStart(x, 10, ' ')); // $numTaintFlow=1
sink(Strings.padEnd(x, 10, ' ')); // $numTaintFlow=1
sink(Strings.repeat(x, 3)); // $numTaintFlow=1
sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numValueFlow=1
sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
sink(Strings.commonPrefix(x, "abc"));
sink(Strings.commonSuffix(x, "cde"));
sink(Strings.padStart(x, 10, ' ')); // $ numTaintFlow=1
sink(Strings.padEnd(x, 10, ' ')); // $ numTaintFlow=1
sink(Strings.repeat(x, 3)); // $ numTaintFlow=1
sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $ numValueFlow=1
sink(Strings.lenientFormat(x, 3)); // $ numTaintFlow=1
sink(Strings.commonPrefix(x, "abc"));
sink(Strings.commonSuffix(x, "cde"));
sink(Strings.lenientFormat("%s = %s", x, 3)); // $ numTaintFlow=1
}
@@ -28,10 +28,10 @@ class TestBase {
Splitter s = Splitter.on(x).omitEmptyStrings();
sink(s.split("x y z"));
sink(s.split(x)); // $numTaintFlow=1
sink(s.splitToList(x)); // $numTaintFlow=1
sink(s.split(x)); // $ numTaintFlow=1
sink(s.splitToList(x)); // $ numTaintFlow=1
sink(s.withKeyValueSeparator("=").split("a=b"));
sink(s.withKeyValueSeparator("=").split(x)); // $numTaintFlow=1
sink(s.withKeyValueSeparator("=").split(x)); // $ numTaintFlow=1
}
void test3() {
@@ -42,68 +42,68 @@ class TestBase {
StringBuilder sb = new StringBuilder();
sink(safeJoiner.appendTo(sb, "a", "b", "c"));
sink(sb.toString());
sink(taintedJoiner.appendTo(sb, "a", "b", "c")); // $numTaintFlow=1
sink(sb.toString()); // $numTaintFlow=1
sink(safeJoiner.appendTo(sb, "a", "b", "c")); // $numTaintFlow=1
sink(sb.toString()); // $numTaintFlow=1
sink(taintedJoiner.appendTo(sb, "a", "b", "c")); // $ numTaintFlow=1
sink(sb.toString()); // $ numTaintFlow=1
sink(safeJoiner.appendTo(sb, "a", "b", "c")); // $ numTaintFlow=1
sink(sb.toString()); // $ numTaintFlow=1
sb = new StringBuilder();
sink(safeJoiner.appendTo(sb, x, x)); // $numTaintFlow=1
sink(safeJoiner.appendTo(sb, x, x)); // $ numTaintFlow=1
Map<String, String> m = new HashMap<String, String>();
m.put("k", "v");
sink(safeJoiner.withKeyValueSeparator("=").join(m));
sink(safeJoiner.withKeyValueSeparator(x).join(m)); // $numTaintFlow=1
sink(taintedJoiner.useForNull("(null)").withKeyValueSeparator("=").join(m)); // $numTaintFlow=1
sink(safeJoiner.withKeyValueSeparator(x).join(m)); // $ numTaintFlow=1
sink(taintedJoiner.useForNull("(null)").withKeyValueSeparator("=").join(m)); // $ numTaintFlow=1
m.put("k2", x);
sink(safeJoiner.withKeyValueSeparator("=").join(m)); // $numTaintFlow=1
sink(safeJoiner.withKeyValueSeparator("=").join(m)); // $ numTaintFlow=1
}
void test4() {
sink(Preconditions.checkNotNull(taint())); // $numValueFlow=1
sink(Verify.verifyNotNull(taint())); // $numValueFlow=1
sink(Preconditions.checkNotNull(taint())); // $ numValueFlow=1
sink(Verify.verifyNotNull(taint())); // $ numValueFlow=1
}
void test5() {
sink(Ascii.toLowerCase(taint())); // $numTaintFlow=1
sink(Ascii.toUpperCase(taint())); // $numTaintFlow=1
sink(Ascii.truncate(taint(), 3, "...")); // $numTaintFlow=1
sink(Ascii.truncate("abcabcabc", 3, taint())); // $numTaintFlow=1
sink(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, taint())); // $numTaintFlow=1
sink(CaseFormat.LOWER_HYPHEN.converterTo(CaseFormat.UPPER_CAMEL).convert(taint())); // $numTaintFlow=1
sink(CaseFormat.LOWER_UNDERSCORE.converterTo(CaseFormat.LOWER_HYPHEN).reverse().convert(taint())); // $numTaintFlow=1
sink(Ascii.toLowerCase(taint())); // $ numTaintFlow=1
sink(Ascii.toUpperCase(taint())); // $ numTaintFlow=1
sink(Ascii.truncate(taint(), 3, "...")); // $ numTaintFlow=1
sink(Ascii.truncate("abcabcabc", 3, taint())); // $ numTaintFlow=1
sink(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, taint())); // $ numTaintFlow=1
sink(CaseFormat.LOWER_HYPHEN.converterTo(CaseFormat.UPPER_CAMEL).convert(taint())); // $ numTaintFlow=1
sink(CaseFormat.LOWER_UNDERSCORE.converterTo(CaseFormat.LOWER_HYPHEN).reverse().convert(taint())); // $ numTaintFlow=1
}
void test6() {
sink(Suppliers.memoize(Suppliers.memoizeWithExpiration(Suppliers.synchronizedSupplier(Suppliers.ofInstance(taint())), 3, TimeUnit.HOURS)).get()); // $numTaintFlow=1
sink(Suppliers.memoize(Suppliers.memoizeWithExpiration(Suppliers.synchronizedSupplier(Suppliers.ofInstance(taint())), 3, TimeUnit.HOURS)).get()); // $ numTaintFlow=1
}
void test7() {
sink(MoreObjects.firstNonNull(taint(), taint())); // $numValueFlow=2
sink(MoreObjects.firstNonNull(null, taint())); // $numValueFlow=1
sink(MoreObjects.firstNonNull(taint(), null)); // $numValueFlow=1
sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
sink(MoreObjects.firstNonNull(taint(), taint())); // $ numValueFlow=2
sink(MoreObjects.firstNonNull(null, taint())); // $ numValueFlow=1
sink(MoreObjects.firstNonNull(taint(), null)); // $ numValueFlow=1
sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $ numTaintFlow=1
sink(MoreObjects.toStringHelper((Object) taint()).toString());
sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
sink(MoreObjects.toStringHelper("a").add("x", taint()).toString()); // $numTaintFlow=1
sink(MoreObjects.toStringHelper("a").addValue(taint()).toString()); // $numTaintFlow=1
sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $ numTaintFlow=1
sink(MoreObjects.toStringHelper("a").add("x", taint()).toString()); // $ numTaintFlow=1
sink(MoreObjects.toStringHelper("a").addValue(taint()).toString()); // $ numTaintFlow=1
MoreObjects.ToStringHelper h = MoreObjects.toStringHelper("a");
h.add("x", 3).add(taint(), 4);
sink(h.add("z",5).toString()); // $numTaintFlow=1
sink(h.add("z",5).toString()); // $ numTaintFlow=1
}
void test8() {
Optional<String> x = Optional.of(taint());
sink(x); // no flow
sink(x.get()); // $numValueFlow=1
sink(x.or("hi")); // $numValueFlow=1
sink(x.orNull()); // $numValueFlow=1
sink(x.asSet().toArray()[0]); // $numValueFlow=1
sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $numValueFlow=1
sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $numValueFlow=1
sink(Optional.fromNullable(taint()).get()); // $numValueFlow=1
sink(Optional.absent().or(x).get()); // $numValueFlow=1
sink(Optional.absent().or(taint())); // $numValueFlow=1
sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $numValueFlow=1
sink(x.get()); // $ numValueFlow=1
sink(x.or("hi")); // $ numValueFlow=1
sink(x.orNull()); // $ numValueFlow=1
sink(x.asSet().toArray()[0]); // $ numValueFlow=1
sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $ numValueFlow=1
sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $ numValueFlow=1
sink(Optional.fromNullable(taint()).get()); // $ numValueFlow=1
sink(Optional.absent().or(x).get()); // $ numValueFlow=1
sink(Optional.absent().or(taint())); // $ numValueFlow=1
sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $ numValueFlow=1
}
}


@@ -47,25 +47,25 @@ class TestCollect {
String x = taint();
ImmutableSet<String> xs = ImmutableSet.of(x, "y", "z");
sink(element(xs.asList())); // $numValueFlow=1
sink(element(xs.asList())); // $ numValueFlow=1
ImmutableSet<String> ys = ImmutableSet.of("a", "b", "c");
sink(element(Sets.filter(Sets.union(xs, ys), y -> true))); // $numValueFlow=1
sink(element(Sets.filter(Sets.union(xs, ys), y -> true))); // $ numValueFlow=1
sink(element(Sets.newHashSet("a", "b", "c", "d", x))); // $numValueFlow=1
sink(element(Sets.newHashSet("a", "b", "c", "d", x))); // $ numValueFlow=1
}
void test2() {
sink(element(ImmutableList.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $numValueFlow=16
sink(element(ImmutableSet.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $numValueFlow=16
sink(mapKey(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(mapValue(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(multimapKey(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(multimapValue(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $numValueFlow=2
sink(tableRow(ImmutableTable.of(taint(), taint(), taint()))); // $numValueFlow=1
sink(tableColumn(ImmutableTable.of(taint(), taint(), taint()))); // $numValueFlow=1
sink(tableValue(ImmutableTable.of(taint(), taint(), taint()))); // $numValueFlow=1
sink(element(ImmutableList.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $ numValueFlow=16
sink(element(ImmutableSet.of(taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint(),taint(), taint(), taint(), taint()))); // $ numValueFlow=16
sink(mapKey(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(mapValue(ImmutableMap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(multimapKey(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(multimapValue(ImmutableMultimap.of(taint(), taint(), taint(), taint()))); // $ numValueFlow=2
sink(tableRow(ImmutableTable.of(taint(), taint(), taint()))); // $ numValueFlow=1
sink(tableColumn(ImmutableTable.of(taint(), taint(), taint()))); // $ numValueFlow=1
sink(tableValue(ImmutableTable.of(taint(), taint(), taint()))); // $ numValueFlow=1
}
void test3() {
@@ -76,60 +76,60 @@ class TestCollect {
b.add("a");
sink(b);
b.add(x);
sink(element(b.build())); // $numValueFlow=1
sink(element(b.build())); // $ numValueFlow=1
b = ImmutableList.builder();
b.add("a").add(x);
sink(element(b.build())); // $numValueFlow=1
sink(element(b.build())); // $ numValueFlow=1
sink(ImmutableList.builder().add("a").add(x).build().toArray()[0]); // $numValueFlow=1
sink(ImmutableList.builder().add("a").add(x).build().toArray()[0]); // $ numValueFlow=1
ImmutableMap.Builder<String, String> b2 = ImmutableMap.builder();
b2.put(x,"v");
sink(mapKey(b2.build())); // $numValueFlow=1
sink(mapKey(b2.build())); // $ numValueFlow=1
b2.put("k",x);
sink(mapValue(b2.build())); // $numValueFlow=1
sink(mapValue(b2.build())); // $ numValueFlow=1
}
void test4(Table<String, String, String> t1, Table<String, String, String> t2, Table<String, String, String> t3) {
String x = taint();
t1.put(x, "c", "v");
sink(tableRow(t1)); // $numValueFlow=1
sink(tableRow(t1)); // $ numValueFlow=1
t1.put("r", x, "v");
sink(tableColumn(t1)); // $numValueFlow=1
sink(tableColumn(t1)); // $ numValueFlow=1
t1.put("r", "c", x);
sink(tableValue(t1)); // $numValueFlow=1
sink(mapKey(t1.row("r"))); // $numValueFlow=1
sink(mapValue(t1.row("r"))); // $numValueFlow=1
sink(tableValue(t1)); // $ numValueFlow=1
sink(mapKey(t1.row("r"))); // $ numValueFlow=1
sink(mapValue(t1.row("r"))); // $ numValueFlow=1
t2.putAll(t1);
for (Table.Cell<String,String,String> c : t2.cellSet()) {
sink(c.getValue()); // $numValueFlow=1
sink(c.getValue()); // $ numValueFlow=1
}
sink(t1.remove("r", "c")); // $numValueFlow=1
sink(t1.remove("r", "c")); // $ numValueFlow=1
t3.row("r").put("c", x);
sink(tableValue(t3)); // $ MISSING:numValueFlow=1 // depends on aliasing
}
void test5(Multimap<String, String> m1, Multimap<String, String> m2, Multimap<String, String> m3,
void test5(Multimap<String, String> m1, Multimap<String, String> m2, Multimap<String, String> m3,
Multimap<String, String> m4, Multimap<String, String> m5){
String x = taint();
m1.put("k", x);
sink(multimapValue(m1)); // $numValueFlow=1
sink(element(m1.get("k"))); // $numValueFlow=1
sink(multimapValue(m1)); // $ numValueFlow=1
sink(element(m1.get("k"))); // $ numValueFlow=1
m2.putAll("k", ImmutableList.of("a", x, "b"));
sink(multimapValue(m2)); // $numValueFlow=1
sink(multimapValue(m2)); // $ numValueFlow=1
m3.putAll(m1);
sink(multimapValue(m3)); // $numValueFlow=1
sink(multimapValue(m3)); // $ numValueFlow=1
m4.replaceValues("k", m1.replaceValues("k", ImmutableList.of("a")));
for (Map.Entry<String, String> e : m4.entries()) {
sink(e.getValue()); // $numValueFlow=1
sink(e.getValue()); // $ numValueFlow=1
}
m5.asMap().get("k").add(x);
@@ -139,23 +139,23 @@ class TestCollect {
void test6(Comparator<String> comp, SortedSet<String> sorS, SortedMap<String, String> sorM) {
ImmutableSortedSet<String> s = ImmutableSortedSet.of(taint());
sink(element(s)); // $numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(s))); // $numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(comp, s))); // $numValueFlow=1
sink(element(s)); // $ numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(s))); // $ numValueFlow=1
sink(element(ImmutableSortedSet.copyOf(comp, s))); // $ numValueFlow=1
sorS.add(taint());
sink(element(ImmutableSortedSet.copyOfSorted(sorS))); // $numValueFlow=1
sink(element(ImmutableSortedSet.copyOfSorted(sorS))); // $ numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(s))); // $numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(comp, s))); // $numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(s))); // $ numValueFlow=1
sink(element(ImmutableList.sortedCopyOf(comp, s))); // $ numValueFlow=1
ImmutableSortedMap<String, String> m = ImmutableSortedMap.of("k", taint());
sink(mapValue(m)); // $numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m))); // $numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m, comp))); // $numValueFlow=1
sink(mapValue(m)); // $ numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m))); // $ numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOf(m, comp))); // $ numValueFlow=1
sorM.put("k", taint());
sink(mapValue(ImmutableSortedMap.copyOfSorted(sorM))); // $numValueFlow=1
sink(mapValue(ImmutableSortedMap.copyOfSorted(sorM))); // $ numValueFlow=1
}
}


@@ -28,43 +28,43 @@ class TestIO {
void test1() {
BaseEncoding enc = BaseEncoding.base64();
sink(enc.decode(staint())); // $numTaintFlow=1
sink(enc.encode(btaint())); // $numTaintFlow=1
sink(enc.encode(btaint(), 0, 42)); // $numTaintFlow=1
sink(enc.decodingStream(rtaint())); // $numTaintFlow=1
sink(enc.decodingSource(CharSource.wrap(staint()))); // $numTaintFlow=1
sink(enc.withSeparator(staint(), 10).omitPadding().lowerCase().decode("abc")); // $numTaintFlow=1
sink(enc.decode(staint())); // $ numTaintFlow=1
sink(enc.encode(btaint())); // $ numTaintFlow=1
sink(enc.encode(btaint(), 0, 42)); // $ numTaintFlow=1
sink(enc.decodingStream(rtaint())); // $ numTaintFlow=1
sink(enc.decodingSource(CharSource.wrap(staint()))); // $ numTaintFlow=1
sink(enc.withSeparator(staint(), 10).omitPadding().lowerCase().decode("abc")); // $ numTaintFlow=1
}
void test2() throws IOException {
ByteSource b = ByteSource.wrap(btaint());
sink(b.openStream()); // $numTaintFlow=1
sink(b.openBufferedStream()); // $numTaintFlow=1
sink(b.asCharSource(null)); // $numTaintFlow=1
sink(b.slice(42,1337)); // $numTaintFlow=1
sink(b.read()); // $numTaintFlow=1
sink(ByteSource.concat(ByteSource.empty(), ByteSource.empty(), b)); // $numTaintFlow=1
sink(ByteSource.concat(ImmutableList.of(ByteSource.empty(), ByteSource.empty(), b))); // $numTaintFlow=1
sink(b.openStream()); // $ numTaintFlow=1
sink(b.openBufferedStream()); // $ numTaintFlow=1
sink(b.asCharSource(null)); // $ numTaintFlow=1
sink(b.slice(42,1337)); // $ numTaintFlow=1
sink(b.read()); // $ numTaintFlow=1
sink(ByteSource.concat(ByteSource.empty(), ByteSource.empty(), b)); // $ numTaintFlow=1
sink(ByteSource.concat(ImmutableList.of(ByteSource.empty(), ByteSource.empty(), b))); // $ numTaintFlow=1
sink(b.read(new MyByteProcessor())); // $ MISSING:numTaintFlow=1
ByteArrayOutputStream out = new ByteArrayOutputStream();
b.copyTo(out);
sink(out.toByteArray()); // $numTaintFlow=1
sink(out.toByteArray()); // $ numTaintFlow=1
CharSource c = CharSource.wrap(staint());
sink(c.openStream()); // $numTaintFlow=1
sink(c.openBufferedStream()); // $numTaintFlow=1
sink(c.asByteSource(null)); // $numTaintFlow=1
sink(c.readFirstLine()); // $numTaintFlow=1
sink(c.readLines()); // $numTaintFlow=1
sink(c.read()); // $numTaintFlow=1
sink(c.lines()); // $numTaintFlow=1
sink(CharSource.concat(CharSource.empty(), CharSource.empty(), c)); // $numTaintFlow=1
sink(CharSource.concat(ImmutableList.of(CharSource.empty(), CharSource.empty(), c))); // $numTaintFlow=1
sink(c.openStream()); // $ numTaintFlow=1
sink(c.openBufferedStream()); // $ numTaintFlow=1
sink(c.asByteSource(null)); // $ numTaintFlow=1
sink(c.readFirstLine()); // $ numTaintFlow=1
sink(c.readLines()); // $ numTaintFlow=1
sink(c.read()); // $ numTaintFlow=1
sink(c.lines()); // $ numTaintFlow=1
sink(CharSource.concat(CharSource.empty(), CharSource.empty(), c)); // $ numTaintFlow=1
sink(CharSource.concat(ImmutableList.of(CharSource.empty(), CharSource.empty(), c))); // $ numTaintFlow=1
sink(c.readLines(new MyLineProcessor())); // $ MISSING:numTaintFlow=1
c.forEachLine(l -> sink(l)); // $ MISSING:numTaintFlow=1
StringBuffer buf = new StringBuffer();
c.copyTo(buf);
sink(buf); // $numTaintFlow=1
sink(buf); // $ numTaintFlow=1
}
class MyByteProcessor implements ByteProcessor<Object> {
@@ -83,59 +83,59 @@ class TestIO {
{
ByteArrayOutputStream out = new ByteArrayOutputStream();
ByteStreams.copy(itaint(), out);
sink(out); // $numTaintFlow=1
sink(out); // $ numTaintFlow=1
}
{
WritableByteChannel out = FileChannel.open(Paths.get("/tmp/xyz"));
ByteStreams.copy(rbctaint(), out);
sink(out); // $numTaintFlow=1
sink(out); // $ numTaintFlow=1
}
sink(ByteStreams.limit(itaint(), 1337)); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint(), 0)); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $numTaintFlow=1
sink(ByteStreams.newDataInput(btaint()).readLine()); // $numTaintFlow=1
sink(ByteStreams.newDataInput(new ByteArrayInputStream(btaint()))); // $numTaintFlow=1
sink(ByteStreams.limit(itaint(), 1337)); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint(), 0)); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint())); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(btaint()).readLine()); // $ numTaintFlow=1
sink(ByteStreams.newDataInput(new ByteArrayInputStream(btaint()))); // $ numTaintFlow=1
ByteArrayOutputStream out = new ByteArrayOutputStream();
out.write(btaint());
sink(ByteStreams.newDataOutput(out)); // $numTaintFlow=1
sink(ByteStreams.newDataOutput(out)); // $ numTaintFlow=1
byte[] b1 = null, b2 = null, b3 = null;
ByteStreams.read(itaint(), b1, 0, 42);
sink(b1); // $numTaintFlow=1
sink(b1); // $ numTaintFlow=1
ByteStreams.readFully(itaint(), b2);
sink(b2); // $numTaintFlow=1
sink(b2); // $ numTaintFlow=1
ByteStreams.readFully(itaint(), b3, 0, 42);
sink(b3); // $numTaintFlow=1
sink(b3); // $ numTaintFlow=1
sink(ByteStreams.readBytes(itaint(), new MyByteProcessor())); // $ MISSING:numTaintFlow=1
sink(ByteStreams.toByteArray(itaint())); // $numTaintFlow=1
sink(ByteStreams.toByteArray(itaint())); // $ numTaintFlow=1
ByteArrayDataOutput out2 = ByteStreams.newDataOutput();
out2.writeUTF(staint());
sink(out2.toByteArray()); // $numTaintFlow=1
sink(out2.toByteArray()); // $ numTaintFlow=1
StringBuffer buf = new StringBuffer();
CharStreams.copy(rtaint(), buf);
sink(buf); // $numTaintFlow=1
sink(CharStreams.readLines(rtaint())); // $numTaintFlow=1
sink(buf); // $ numTaintFlow=1
sink(CharStreams.readLines(rtaint())); // $ numTaintFlow=1
sink(CharStreams.readLines(rtaint(), new MyLineProcessor())); // $ MISSING:numTaintFlow=1
sink(CharStreams.toString(rtaint())); // $numTaintFlow=1
sink(CharStreams.toString(rtaint())); // $ numTaintFlow=1
}
void test4() throws IOException {
sink(Closer.create().register((Closeable) taint())); // $numValueFlow=1
sink(new LineReader(rtaint()).readLine()); // $numTaintFlow=1
sink(Files.simplifyPath(staint())); // $numTaintFlow=1
sink(Files.getFileExtension(staint())); // $numTaintFlow=1
sink(Files.getNameWithoutExtension(staint())); // $numTaintFlow=1
sink(MoreFiles.getFileExtension(ptaint())); // $numTaintFlow=1
sink(MoreFiles.getNameWithoutExtension(ptaint())); // $numTaintFlow=1
sink(Closer.create().register((Closeable) taint())); // $ numValueFlow=1
sink(new LineReader(rtaint()).readLine()); // $ numTaintFlow=1
sink(Files.simplifyPath(staint())); // $ numTaintFlow=1
sink(Files.getFileExtension(staint())); // $ numTaintFlow=1
sink(Files.getNameWithoutExtension(staint())); // $ numTaintFlow=1
sink(MoreFiles.getFileExtension(ptaint())); // $ numTaintFlow=1
sink(MoreFiles.getNameWithoutExtension(ptaint())); // $ numTaintFlow=1
}
void test6() throws IOException {
sink(new CountingInputStream(itaint())); // $numTaintFlow=1
sink(new CountingInputStream(itaint())); // $ numTaintFlow=1
byte[] buf = null;
new CountingInputStream(itaint()).read(buf, 0, 42);
sink(buf); // $numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint())); // $numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint()).readUTF()); // $numTaintFlow=1
new CountingInputStream(itaint()).read(buf, 0, 42);
sink(buf); // $ numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint())); // $ numTaintFlow=1
sink(new LittleEndianDataInputStream(itaint()).readUTF()); // $ numTaintFlow=1
}
}
}



@@ -13,59 +13,59 @@ import javax.jms.TopicRequestor;
public class MessageListenerImpl implements MessageListener {
@Override
public void onMessage(Message message) { // $source
public void onMessage(Message message) { // $ source
try {
if (message instanceof TextMessage) {
TextMessage textMessage = (TextMessage) message;
String text = textMessage.getText();
sink(text); // $tainted
sink(text); // $ tainted
} else if (message instanceof BytesMessage) {
BytesMessage bytesMessage = (BytesMessage) message;
byte[] data = new byte[1024];
bytesMessage.readBytes(data, 42);
sink(new String(data)); // $tainted
sink(bytesMessage.readUTF()); // $tainted
sink(new String(data)); // $ tainted
sink(bytesMessage.readUTF()); // $ tainted
} else if (message instanceof MapMessage) {
MapMessage mapMessage = (MapMessage) message;
sink(mapMessage.getString("data")); // $tainted
sink(new String(mapMessage.getBytes("bytes"))); // $tainted
sink(mapMessage.getString("data")); // $ tainted
sink(new String(mapMessage.getBytes("bytes"))); // $ tainted
} else if (message instanceof ObjectMessage) {
ObjectMessage objectMessage = (ObjectMessage) message;
sink((String) objectMessage.getObject()); // $tainted
sink((String) objectMessage.getObject()); // $ tainted
} else if (message instanceof StreamMessage) {
StreamMessage streamMessage = (StreamMessage) message;
byte[] data = new byte[1024];
streamMessage.readBytes(data);
sink(new String(data)); // $tainted
sink(streamMessage.readString()); // $tainted
sink((String) streamMessage.readObject()); // $tainted
sink(new String(data)); // $ tainted
sink(streamMessage.readString()); // $ tainted
sink((String) streamMessage.readObject()); // $ tainted
}
} catch (Exception e) {
}
}
public void readFromCounsumer(MessageConsumer consumer) throws Exception {
TextMessage message = (TextMessage) consumer.receive(5000); // $source
TextMessage message = (TextMessage) consumer.receive(5000); // $ source
String text = message.getText();
sink(text); // $tainted
message = (TextMessage) consumer.receive(); // $source
sink(text); // $ tainted
message = (TextMessage) consumer.receive(); // $ source
text = message.getText();
sink(text); // $tainted
message = (TextMessage) consumer.receiveNoWait(); // $source
sink(text); // $ tainted
message = (TextMessage) consumer.receiveNoWait(); // $ source
text = message.getText();
sink(text); // $tainted
sink(text); // $ tainted
}
public void readFromQueueRequestor(QueueRequestor requestor, Message message) throws Exception {
TextMessage reply = (TextMessage) requestor.request(message); // $source
TextMessage reply = (TextMessage) requestor.request(message); // $ source
String text = reply.getText();
sink(text); // $tainted
sink(text); // $ tainted
}
public void readFromTopicRequestor(TopicRequestor requestor, Message message) throws Exception {
TextMessage reply = (TextMessage) requestor.request(message); // $source
TextMessage reply = (TextMessage) requestor.request(message); // $ source
String text = reply.getText();
sink(text); // $tainted
sink(text); // $ tainted
}
private void sink(String data) {


@@ -16,12 +16,10 @@ public class Test {
public String index(TestForm form) throws IOException {
MultipartFormFile file = form.file;
sink(file.getFileData()); // $hasTaintFlow
sink(file.getInputStream()); // $hasTaintFlow
sink(file.getFileData()); // $ hasTaintFlow
sink(file.getInputStream()); // $ hasTaintFlow
return "index.jsp";
}
}


@@ -12,7 +12,7 @@ class Test {
class A extends ChannelInboundHandlerAdapter {
public void channelRead(ChannelHandlerContext ctx, Object msg) {
sink(msg); // $hasTaintFlow
sink(msg); // $ hasTaintFlow
}
}
@@ -21,7 +21,7 @@ class Test {
ByteBuf bb = (ByteBuf) msg;
byte[] data = new byte[1024];
bb.readBytes(data);
sink(data); // $hasTaintFlow
sink(data); // $ hasTaintFlow
}
}
@@ -73,4 +73,4 @@ class Test {
sink(payload); // $ hasTaintFlow
}
}
}
}


@@ -11,20 +11,20 @@ public class Test {
@Override
public void handleDelivery(
String consumerTag, Envelope envelope, AMQP.BasicProperties properties,
byte[] body) { // $source
String consumerTag, Envelope envelope, AMQP.BasicProperties properties,
byte[] body) { // $ source
sink(body); // $hasTaintFlow
sink(body); // $ hasTaintFlow
}
};
}
public void queueingConsumerTest(QueueingConsumer consumer) {
while (true) {
QueueingConsumer.Delivery delivery = consumer.nextDelivery(); // $source
sink(delivery.getBody()); // $hasTaintFlow
delivery = consumer.nextDelivery(42); // $source
sink(delivery.getBody()); // $hasTaintFlow
QueueingConsumer.Delivery delivery = consumer.nextDelivery(); // $ source
sink(delivery.getBody()); // $ hasTaintFlow
delivery = consumer.nextDelivery(42); // $ source
sink(delivery.getBody()); // $ hasTaintFlow
}
}


@@ -5,7 +5,7 @@ import ratpack.func.Pair;
public class PairTest {
void sink(Object o) {}
String taint() {
@@ -126,12 +126,12 @@ public class PairTest {
sink(pair.left()); // no taint flow
sink(pair.right()); // no taint flow
Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft(taint());
sink(nestLeftPair.left().left()); // $hasTaintFlow
sink(nestLeftPair.left().left()); // $ hasTaintFlow
sink(nestLeftPair.left().right()); // no taint flow
sink(nestLeftPair.right()); // no taint flow
Pair<String, Pair<String, String>> nestRightPair = pair.nestRight(taint());
sink(nestRightPair.left()); // no taint flow
sink(nestRightPair.right().left()); // $hasTaintFlow
sink(nestRightPair.right().left()); // $ hasTaintFlow
sink(nestRightPair.right().right()); // no taint flow
}


@@ -50,91 +50,91 @@ public class Test {
Cache.ValueRetrievalException out = null;
Object in = source();
out = new Cache.ValueRetrievalException(in, null, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache$ValueRetrievalException;false;getKey;;;MapKey of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache.ValueRetrievalException in = new Cache.ValueRetrievalException(source(), null, null);
out = in.getKey();
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache$ValueWrapper;true;get;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache.ValueWrapper in = new ValueWrapper(source());
out = in.get();
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object);;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Cache.ValueWrapper out = null;
Cache in = new DummyCache(null, source());
out = in.get(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.get(null, (Callable)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;get;(Object,Class);;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.get(null, (Class)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;getNativeCache;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(source(), null);
out = in.getNativeCache();
sink(getMapKey((Cache)out)); // $hasValueFlow
sink(getMapKey((Cache)out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;getNativeCache;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Object out = null;
Cache in = new DummyCache(null, source());
out = in.getNativeCache();
sink(getMapValue((Cache)out)); // $hasValueFlow
sink(getMapValue((Cache)out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;put;;;Argument[0];MapKey of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.put(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;put;;;Argument[1];MapValue of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.put(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[0];MapKey of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.putIfAbsent(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[1];MapValue of Argument[this];value;manual"
Cache out = null;
Object in = source();
out.putIfAbsent(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.cache;Cache;true;putIfAbsent;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Cache.ValueWrapper out = null;
Cache in = new DummyCache(null, source());
out = in.putIfAbsent(null, null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
}


@@ -13,8 +13,8 @@ public class Test {
public void test() {
StaticMessageSource sms = new StaticMessageSource();
sms.addMessage(code, locale, "hello {0}");
sink(sms.getMessage(code, new String[]{ taint() }, locale)); // $hasTaintFlow
sink(sms.getMessage(code, new String[]{ taint() }, "", locale)); // $hasTaintFlow
sink(sms.getMessage(code, null, taint(), locale)); // $hasTaintFlow
sink(sms.getMessage(code, new String[]{ taint() }, locale)); // $ hasTaintFlow
sink(sms.getMessage(code, new String[]{ taint() }, "", locale)); // $ hasTaintFlow
sink(sms.getMessage(code, null, taint(), locale)); // $ hasTaintFlow
}
}


@@ -127,62 +127,62 @@ public class Test {
static class ExplicitlyTaintedTest {
@RequestMapping("/")
public void get(InputStream src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void get(Reader src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void matrixVariable(@MatrixVariable Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestParam(@RequestParam Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestHeader(@RequestHeader Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void cookieValue(@CookieValue Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestPart(@RequestPart Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void pathVariable(@PathVariable Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestBody(@RequestBody Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void get(HttpEntity src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void requestAttribute(@RequestAttribute Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void sessionAttribute(@SessionAttribute Object src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
}
@@ -193,12 +193,12 @@ public class Test {
@RequestMapping("/")
public void get(String src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
@RequestMapping("/")
public void get1(Pojo src) { // $ RequestMappingURL="/"
sink(src); // $hasValueFlow
sink(src); // $ hasValueFlow
}
}


@@ -14,149 +14,149 @@ class TestHttp {
void test1() {
String x = taint();
sink(new HttpEntity(x)); // $hasTaintFlow
sink(new HttpEntity(x)); // $ hasTaintFlow
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
sink(new HttpEntity(x, m1)); // $hasTaintFlow
sink(new HttpEntity(x, m1)); // $ hasTaintFlow
m1.add("a", taint());
sink(new HttpEntity("a", m1)); // $hasTaintFlow
sink(new HttpEntity<String>(m1)); // $hasTaintFlow
sink(new HttpEntity("a", m1)); // $ hasTaintFlow
sink(new HttpEntity<String>(m1)); // $ hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new HttpEntity<String>(m2)); // $hasTaintFlow
sink(new HttpEntity<String>(m2)); // $ hasTaintFlow
HttpEntity<String> ent = taint();
sink(ent.getBody()); // $hasTaintFlow
sink(ent.getHeaders()); // $hasTaintFlow
sink(ent.getBody()); // $ hasTaintFlow
sink(ent.getHeaders()); // $ hasTaintFlow
RequestEntity<String> req = taint();
sink(req.getUrl()); // $hasTaintFlow
sink(req.getUrl()); // $ hasTaintFlow
}
void test2() {
String x = taint();
sink(ResponseEntity.ok(x)); // $hasTaintFlow
sink(ResponseEntity.of(Optional.of(x))); // $hasTaintFlow
sink(ResponseEntity.ok(x)); // $ hasTaintFlow
sink(ResponseEntity.of(Optional.of(x))); // $ hasTaintFlow
sink(ResponseEntity.status(200).contentLength(2048).body(x)); // $hasTaintFlow
sink(ResponseEntity.created(taint()).contentType(null).body("a")); // $hasTaintFlow
sink(ResponseEntity.status(200).header(x, "a", "b", "c").build()); // $hasTaintFlow
sink(ResponseEntity.status(200).header("h", "a", "b", x).build()); // $hasTaintFlow
sink(ResponseEntity.status(200).contentLength(2048).body(x)); // $ hasTaintFlow
sink(ResponseEntity.created(taint()).contentType(null).body("a")); // $ hasTaintFlow
sink(ResponseEntity.status(200).header(x, "a", "b", "c").build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).header("h", "a", "b", x).build()); // $ hasTaintFlow
HttpHeaders h = new HttpHeaders();
h.add("h", taint());
sink(ResponseEntity.status(200).headers(h).allow().build()); // $hasTaintFlow
sink(ResponseEntity.status(200).eTag(x).allow().build()); // $hasTaintFlow
sink(ResponseEntity.status(200).location(taint()).lastModified(10000000).build()); // $hasTaintFlow
sink(ResponseEntity.status(200).varyBy(x).build());
sink(ResponseEntity.status(200).headers(h).allow().build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).eTag(x).allow().build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).location(taint()).lastModified(10000000).build()); // $ hasTaintFlow
sink(ResponseEntity.status(200).varyBy(x).build());
}
void test3() {
String x = taint();
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
sink(new ResponseEntity(x, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity(x, m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity(x, m1, 200)); // $hasTaintFlow
sink(new ResponseEntity(x, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity(x, m1, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity(x, m1, 200)); // $ hasTaintFlow
m1.add("a", taint());
sink(new ResponseEntity("a", m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity<String>(m1, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity("a", m1, 200)); // $hasTaintFlow
sink(new ResponseEntity("a", m1, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity<String>(m1, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity("a", m1, 200)); // $ hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new ResponseEntity("a", m2, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity<String>(m2, HttpStatus.ACCEPTED)); // $hasTaintFlow
sink(new ResponseEntity("a", m2, 200)); // $hasTaintFlow
sink(new ResponseEntity("a", m2, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity<String>(m2, HttpStatus.ACCEPTED)); // $ hasTaintFlow
sink(new ResponseEntity("a", m2, 200)); // $ hasTaintFlow
ResponseEntity<String> ent = taint();
sink(ent.getBody()); // $hasTaintFlow
sink(ent.getHeaders()); // $hasTaintFlow
sink(ent.getBody()); // $ hasTaintFlow
sink(ent.getHeaders()); // $ hasTaintFlow
}
void test4() {
MultiValueMap<String,String> m1 = new LinkedMultiValueMap();
m1.add("a", taint());
sink(new HttpHeaders(m1)); // $hasTaintFlow
sink(new HttpHeaders(m1)); // $ hasTaintFlow
MultiValueMap<String,String> m2 = new LinkedMultiValueMap();
m2.add(taint(), "a");
sink(new HttpHeaders(m2)); // $hasTaintFlow
sink(new HttpHeaders(m2)); // $ hasTaintFlow
HttpHeaders h1 = new HttpHeaders();
h1.add(taint(), "a");
sink(h1); // $hasTaintFlow
h1.add(taint(), "a");
sink(h1); // $ hasTaintFlow
HttpHeaders h2 = new HttpHeaders();
h2.add("a", taint());
sink(h2); // $hasTaintFlow
h2.add("a", taint());
sink(h2); // $ hasTaintFlow
HttpHeaders h3 = new HttpHeaders();
h3.addAll(m1);
sink(h3); // $hasTaintFlow
h3.addAll(m1);
sink(h3); // $ hasTaintFlow
HttpHeaders h4 = new HttpHeaders();
h4.addAll(m2);
sink(h4); // $hasTaintFlow
h4.addAll(m2);
sink(h4); // $ hasTaintFlow
HttpHeaders h5 = new HttpHeaders();
h5.addAll(taint(), List.of());
sink(h5); // $hasTaintFlow
h5.addAll(taint(), List.of());
sink(h5); // $ hasTaintFlow
HttpHeaders h6 = new HttpHeaders();
h6.addAll("a", List.of(taint()));
sink(h6); // $hasTaintFlow
h6.addAll("a", List.of(taint()));
sink(h6); // $ hasTaintFlow
sink(HttpHeaders.formatHeaders(m1)); // $hasTaintFlow
sink(HttpHeaders.formatHeaders(m2)); // $hasTaintFlow
sink(HttpHeaders.formatHeaders(m1)); // $ hasTaintFlow
sink(HttpHeaders.formatHeaders(m2)); // $ hasTaintFlow
sink(HttpHeaders.encodeBasicAuth(taint(), "a", null)); // $hasTaintFlow
sink(HttpHeaders.encodeBasicAuth("a", taint(), null)); // $hasTaintFlow
sink(HttpHeaders.encodeBasicAuth(taint(), "a", null)); // $ hasTaintFlow
sink(HttpHeaders.encodeBasicAuth("a", taint(), null)); // $ hasTaintFlow
}
void test5() {
HttpHeaders h = taint();
sink(h.get(null).get(0)); // $hasTaintFlow
sink(h.get(null).get(0)); // $ hasTaintFlow
sink(h.getAccept().get(0));
sink(h.getAcceptCharset().get(0));
sink(h.getAcceptLanguage().get(0));
sink(h.getAcceptLanguageAsLocales().get(0));
sink(h.getAccessControlAllowCredentials());
sink(h.getAccessControlAllowHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlAllowHeaders().get(0)); // $ hasTaintFlow
sink(h.getAccessControlAllowMethods().get(0));
sink(h.getAccessControlAllowOrigin()); // $hasTaintFlow
sink(h.getAccessControlExposeHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlAllowOrigin()); // $ hasTaintFlow
sink(h.getAccessControlExposeHeaders().get(0)); // $ hasTaintFlow
sink(h.getAccessControlMaxAge());
sink(h.getAccessControlRequestHeaders().get(0)); // $hasTaintFlow
sink(h.getAccessControlRequestMethod());
sink(h.getAccessControlRequestHeaders().get(0)); // $ hasTaintFlow
sink(h.getAccessControlRequestMethod());
sink(h.getAllow().toArray()[0]);
sink(h.getCacheControl()); // $hasTaintFlow
sink(h.getConnection().get(0)); // $hasTaintFlow
sink(h.getCacheControl()); // $ hasTaintFlow
sink(h.getConnection().get(0)); // $ hasTaintFlow
sink(h.getContentDisposition());
sink(h.getContentLanguage());
sink(h.getContentLength());
sink(h.getContentType());
sink(h.getDate());
sink(h.getETag()); // $hasTaintFlow
sink(h.getETag()); // $ hasTaintFlow
sink(h.getExpires());
sink(h.getFirst("a")); // $hasTaintFlow
sink(h.getFirstDate("a"));
sink(h.getFirstZonedDateTime("a"));
sink(h.getHost()); // $hasTaintFlow
sink(h.getIfMatch().get(0)); // $hasTaintFlow
sink(h.getIfModifiedSince());
sink(h.getIfNoneMatch().get(0)); // $hasTaintFlow
sink(h.getIfUnmodifiedSince());
sink(h.getLastModified());
sink(h.getLocation()); // $hasTaintFlow
sink(h.getOrEmpty("a").get(0)); // $hasTaintFlow
sink(h.getOrigin()); // $hasTaintFlow
sink(h.getPragma()); // $hasTaintFlow
sink(h.getUpgrade()); // $hasTaintFlow
sink(h.getValuesAsList("a").get(0)); // $hasTaintFlow
sink(h.getVary().get(0)); // $hasTaintFlow
sink(h.getFirst("a")); // $ hasTaintFlow
sink(h.getFirstDate("a"));
sink(h.getFirstZonedDateTime("a"));
sink(h.getHost()); // $ hasTaintFlow
sink(h.getIfMatch().get(0)); // $ hasTaintFlow
sink(h.getIfModifiedSince());
sink(h.getIfNoneMatch().get(0)); // $ hasTaintFlow
sink(h.getIfUnmodifiedSince());
sink(h.getLastModified());
sink(h.getLocation()); // $ hasTaintFlow
sink(h.getOrEmpty("a").get(0)); // $ hasTaintFlow
sink(h.getOrigin()); // $ hasTaintFlow
sink(h.getPragma()); // $ hasTaintFlow
sink(h.getUpgrade()); // $ hasTaintFlow
sink(h.getValuesAsList("a").get(0)); // $ hasTaintFlow
sink(h.getVary().get(0)); // $ hasTaintFlow
}
}
}


@@ -28,35 +28,35 @@ public class Test {
ConcurrentModel out = null;
Object in = source();
out = new ConcurrentModel(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
String in = (String)source();
out = new ConcurrentModel(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Object in = source();
out = new ConcurrentModel(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value;manual"
@@ -64,7 +64,7 @@ public class Test {
Collection in = List.of(source());
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value;manual"
@@ -72,21 +72,21 @@ public class Test {
Collection in = List.of(source());
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[this];value;manual"
Model out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value;manual"
@@ -94,7 +94,7 @@ public class Test {
Map in = Map.of(source(), null);
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value;manual"
@@ -102,21 +102,21 @@ public class Test {
Map in = Map.of(source(), null);
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value;manual"
@@ -124,7 +124,7 @@ public class Test {
Map in = Map.of(null, source());
Model instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value;manual"
@@ -132,49 +132,49 @@ public class Test {
Map in = Map.of(null, source());
ConcurrentModel instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value;manual"
@@ -182,7 +182,7 @@ public class Test {
Object in = source();
Model instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value;manual"
@@ -190,21 +190,21 @@ public class Test {
Object in = source();
ConcurrentModel instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
Model out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value;manual"
@@ -212,7 +212,7 @@ public class Test {
String in = (String)source();
Model instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value;manual"
@@ -220,21 +220,21 @@ public class Test {
String in = (String)source();
ConcurrentModel instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
Model out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value;manual"
@@ -242,7 +242,7 @@ public class Test {
Object in = source();
Model instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value;manual"
@@ -250,175 +250,175 @@ public class Test {
Object in = source();
ConcurrentModel instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;addAttribute;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Map out = null;
Model in = new ConcurrentModel((String)source(), null);
out = in.asMap();
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Map out = null;
ConcurrentModel in = new ConcurrentModel((String)source(), null);
out = in.asMap();
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Map out = null;
Model in = (Model)Map.of(null, source());
out = in.asMap();
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Map out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.asMap();
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
Model in = (Model)Map.of(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;Argument[this];ReturnValue;value;manual"
Model out = null;
Model in = (Model)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;Argument[this];ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = (ConcurrentModel)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
Model out = null;
Model in = new ConcurrentModel((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = new ConcurrentModel((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[this];value;manual"
Model out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
Model out = null;
Model in = (Model)Map.of(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
ConcurrentModel out = null;
ConcurrentModel in = new ConcurrentModel(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[this];value;manual"
Model out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ConcurrentModel out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(Object);;Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out = new ModelMap(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
String in = (String)source();
out = new ModelMap(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out = new ModelMap(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Collection in = List.of(source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of ReturnValue;value;manual"
@@ -426,14 +426,14 @@ public class Test {
Collection in = List.of(source());
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(source(), null);
out.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value;manual"
@@ -441,14 +441,14 @@ public class Test {
Map in = Map.of(source(), null);
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(null, source());
out.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value;manual"
@@ -456,28 +456,28 @@ public class Test {
Map in = Map.of(null, source());
ModelMap instance = null;
out = instance.addAllAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAllAttributes((Map)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAllAttributes((Collection)null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of ReturnValue;value;manual"
@@ -485,14 +485,14 @@ public class Test {
Object in = source();
ModelMap instance = null;
out = instance.addAttribute(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
String in = (String)source();
out.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of ReturnValue;value;manual"
@@ -500,14 +500,14 @@ public class Test {
String in = (String)source();
ModelMap instance = null;
out = instance.addAttribute(in, null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of Argument[this];value;manual"
ModelMap out = null;
Object in = source();
out.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of ReturnValue;value;manual"
@@ -515,63 +515,63 @@ public class Test {
Object in = source();
ModelMap instance = null;
out = instance.addAttribute(null, in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAttribute(null, null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.addAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;getAttribute;;;MapValue of Argument[this];ReturnValue;value;manual"
Object out = null;
ModelMap in = new ModelMap(null, source());
out = in.getAttribute(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;Argument[this];ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = (ModelMap)source();
out = in.mergeAttributes(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[this];MapKey of ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = new ModelMap((String)source(), null);
out = in.mergeAttributes(null);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(source(), null);
out.mergeAttributes(in);
sink(getMapKey(out)); // $hasValueFlow
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[this];MapValue of ReturnValue;value;manual"
ModelMap out = null;
ModelMap in = new ModelMap(null, source());
out = in.mergeAttributes(null);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[this];value;manual"
ModelMap out = null;
Map in = Map.of(null, source());
out.mergeAttributes(in);
sink(getMapValue(out)); // $hasValueFlow
sink(getMapValue(out)); // $ hasValueFlow
}
}


@@ -11,68 +11,68 @@ class ValidationErrorsTest {
void test() {
Errors es0 = errors();
es0.addAllErrors(sourceErrs());
sink(es0); // $hasTaintFlow
sink(es0); // $ hasTaintFlow
sink(sourceErrs().getAllErrors()); // $hasTaintFlow
sink(sourceErrs().getAllErrors()); // $ hasTaintFlow
sink(sourceErrs().getFieldError()); // $hasTaintFlow
sink(sourceErrs().getFieldError("field")); // $hasTaintFlow
sink(sourceErrs().getFieldError()); // $ hasTaintFlow
sink(sourceErrs().getFieldError("field")); // $ hasTaintFlow
sink(sourceErrs().getGlobalError()); // $hasTaintFlow
sink(sourceErrs().getGlobalErrors()); // $hasTaintFlow
sink(sourceErrs().getGlobalError()); // $ hasTaintFlow
sink(sourceErrs().getGlobalErrors()); // $ hasTaintFlow
Errors es1 = errors();
es1.reject((String)source());
sink(es1); // $hasTaintFlow
sink(es1); // $ hasTaintFlow
Errors es2 = errors();
es2.reject((String)source(), null, "");
sink(es2); // $hasTaintFlow
sink(es2); // $ hasTaintFlow
Errors es3 = errors();
es3.reject((String)source(), null, "");
sink(es3); // $hasTaintFlow
sink(es3); // $ hasTaintFlow
{
Errors es4 = errors();
Object[] in = { (String)source() };
es4.reject("", in, "");
sink(in); // $hasTaintFlow
sink(in); // $ hasTaintFlow
}
{
Errors es5 = errors();
es5.reject("", null, (String)source());
sink(es5); // $hasTaintFlow
sink(es5); // $ hasTaintFlow
}
Errors es6 = errors();
es6.reject((String)source(), "");
sink(es6); // $hasTaintFlow
sink(es6); // $ hasTaintFlow
Errors es7 = errors();
es7.reject("", (String)source());
sink(es7); // $hasTaintFlow
sink(es7); // $ hasTaintFlow
Errors es8 = errors();
es8.rejectValue("", (String)source(), null, "");
sink(es8); // $hasTaintFlow
sink(es8); // $ hasTaintFlow
Errors es9 = errors();
Object[] in = {source()};
es9.rejectValue("", "", in, "");
sink(es9); // $hasTaintFlow
sink(es9); // $ hasTaintFlow
Errors es10 = errors();
es10.rejectValue("", "", null, (String)source());
sink(es10); // $hasTaintFlow
sink(es10); // $ hasTaintFlow
Errors es11 = errors();
es11.rejectValue("", (String)source(), "");
sink(es11); // $hasTaintFlow
sink(es11); // $ hasTaintFlow
Errors es12 = errors();
es12.rejectValue("", "", (String)source());
sink(es12); // $hasTaintFlow
sink(es12); // $ hasTaintFlow
}
}


@@ -30,84 +30,84 @@ public class Test {
byte[] out = null;
MultipartFile in = (MultipartFile)source();
out = in.getBytes();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getInputStream;;;Argument[this];ReturnValue;taint;manual"
InputStream out = null;
MultipartFile in = (MultipartFile)source();
out = in.getInputStream();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getName;;;Argument[this];ReturnValue;taint;manual"
String out = null;
MultipartFile in = (MultipartFile)source();
out = in.getName();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;;;Argument[this];ReturnValue;taint;manual"
String out = null;
MultipartFile in = (MultipartFile)source();
out = in.getOriginalFilename();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartFile;true;getResource;;;Argument[this];ReturnValue;taint;manual"
Resource out = null;
MultipartFile in = (MultipartFile)source();
out = in.getResource();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartHttpServletRequest;true;getMultipartHeaders;;;Argument[this];ReturnValue;taint;manual"
HttpHeaders out = null;
MultipartHttpServletRequest in = (MultipartHttpServletRequest)source();
out = in.getMultipartHeaders(null);
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartHttpServletRequest;true;getRequestHeaders;;;Argument[this];ReturnValue;taint;manual"
HttpHeaders out = null;
MultipartHttpServletRequest in = (MultipartHttpServletRequest)source();
out = in.getRequestHeaders();
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFile;;;Argument[this];ReturnValue;taint;manual"
MultipartFile out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFile(null);
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFileMap;;;Argument[this];MapValue of ReturnValue;taint;manual"
Map out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFileMap();
sink(getMapValue(out)); // $hasTaintFlow
sink(getMapValue(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFileNames;;;Argument[this];Element of ReturnValue;taint;manual"
Iterator out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFileNames();
sink(getElement(out)); // $hasTaintFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getFiles;;;Argument[this];Element of ReturnValue;taint;manual"
List out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getFiles(null);
sink(getElement(out)); // $hasTaintFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;;;Argument[this];MapValue of ReturnValue;taint;manual"
MultiValueMap out = null;
MultipartRequest in = (MultipartRequest)source();
out = in.getMultiFileMap();
sink(getMapValue(out)); // $hasTaintFlow
sink(getMapValue(out)); // $ hasTaintFlow
}
{
// "org.springframework.web.multipart;MultipartResolver;true;resolveMultipart;;;Argument[0];ReturnValue;taint;manual"
@@ -115,7 +115,7 @@ public class Test {
HttpServletRequest in = (HttpServletRequest)source();
MultipartResolver instance = null;
out = instance.resolveMultipart(in);
sink(out); // $hasTaintFlow
sink(out); // $ hasTaintFlow
}
}


@@ -14,51 +14,51 @@ public class Test {
public class A extends TextWebSocketHandler {
@Override
public void handleMessage(WebSocketSession s, WebSocketMessage<?> m) {
sink(s); // $hasTaintFlow
sink(s.getAcceptedProtocol()); // $hasTaintFlow
sink(s.getHandshakeHeaders()); // $hasTaintFlow
sink(s.getPrincipal()); // $hasTaintFlow
sink(s.getUri()); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(s.getAcceptedProtocol()); // $ hasTaintFlow
sink(s.getHandshakeHeaders()); // $ hasTaintFlow
sink(s.getPrincipal()); // $ hasTaintFlow
sink(s.getUri()); // $ hasTaintFlow
sink(m); // $hasTaintFlow
sink(m.getPayload()); // $hasTaintFlow
sink(m); // $ hasTaintFlow
sink(m.getPayload()); // $ hasTaintFlow
}
@Override
@Override
protected void handleTextMessage(WebSocketSession s, TextMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(m.asBytes()); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(m); // $ hasTaintFlow
sink(m.asBytes()); // $ hasTaintFlow
}
@Override
@Override
protected void handleBinaryMessage(WebSocketSession s, BinaryMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(m); // $ hasTaintFlow
}
@Override
protected void handlePongMessage(WebSocketSession s, PongMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(s); // $ hasTaintFlow
sink(m); // $ hasTaintFlow
}
@Override
public void afterConnectionEstablished(WebSocketSession s) {
sink(s); // $hasTaintFlow
sink(s); // $ hasTaintFlow
}
@Override
@Override
public void afterConnectionClosed(WebSocketSession s, CloseStatus c) {
sink(s); // $hasTaintFlow
sink(s); // $ hasTaintFlow
}
@Override
public void handleTransportError(WebSocketSession s, Throwable exc) {
sink(s); // $hasTaintFlow
@Override
public void handleTransportError(WebSocketSession s, Throwable exc) {
sink(s); // $ hasTaintFlow
}
}
}
}


@@ -11,48 +11,48 @@ public class FunctionalTest {
void test() {
Optional<String> o = Optional.of(source());
o.ifPresent(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
});
o.ifPresentOrElse(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
}, () -> {
// no-op
});
o.map(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
return v;
}).ifPresent(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
});
o.flatMap(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
return Optional.of(v);
}).ifPresent(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
});
o.flatMap(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
return Optional.of("safe");
}).ifPresent(v -> {
sink(v); // no value flow
});
o.filter(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
return true;
}).ifPresent(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
});
Optional.of("safe").map(v -> {
sink(v); // no value flow
return v;
}).or(() -> o).ifPresent(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
});
Optional<String> safe = Optional.of("safe");
o.or(() -> safe).ifPresent(v -> {
sink(v); // $hasValueFlow
sink(v); // $ hasValueFlow
});
String value = safe.orElseGet(() -> source());
sink(value); // $hasValueFlow
sink(value); // $ hasValueFlow
}
}


@@ -19,35 +19,35 @@ public class Test {
Optional<Object> out = null;
Optional<Object> in = newWithElement(source());
out = in.filter(null);
sink(getElement(out)); // $hasValueFlow
sink(getElement(out)); // $ hasValueFlow
}
{
// "java.util;Optional;false;get;;;Element of Argument[this];ReturnValue;value;manual"
Object out = null;
Optional<Object> in = newWithElement(source());
out = in.get();
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "java.util;Optional;false;of;;;Argument[0];Element of ReturnValue;value;manual"
Optional<Object> out = null;
Object in = (Object)source();
out = Optional.of(in);
sink(getElement(out)); // $hasValueFlow
sink(getElement(out)); // $ hasValueFlow
}
{
// "java.util;Optional;false;ofNullable;;;Argument[0];Element of ReturnValue;value;manual"
Optional<Object> out = null;
Object in = (Object)source();
out = Optional.ofNullable(in);
sink(getElement(out)); // $hasValueFlow
sink(getElement(out)); // $ hasValueFlow
}
{
// "java.util;Optional;false;or;;;Element of Argument[this];Element of ReturnValue;value;manual"
Optional<Object> out = null;
Optional<Object> in = newWithElement(source());
out = in.or(null);
sink(getElement(out)); // $hasValueFlow
sink(getElement(out)); // $ hasValueFlow
}
{
// "java.util;Optional;false;orElse;;;Argument[0];ReturnValue;value;manual"
@@ -55,44 +55,44 @@ public class Test {
Object in = (Object)source();
Optional<Object> instance = null;
out = instance.orElse(in);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "java.util;Optional;false;orElse;;;Element of Argument[this];ReturnValue;value;manual"
Object out = null;
Optional<Object> in = newWithElement(source());
out = in.orElse(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "java.util;Optional;false;orElseGet;;;Element of Argument[this];ReturnValue;value;manual"
Object out = null;
Optional<Object> in = newWithElement(source());
out = in.orElseGet(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "java.util;Optional;false;orElseThrow;;;Element of Argument[this];ReturnValue;value;manual"
Object out = null;
Optional<Object> in = newWithElement(source());
out = in.orElseThrow(null);
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "java.util;Optional;false;orElseThrow;;;Element of Argument[this];ReturnValue;value;manual"
Object out = null;
Optional<Object> in = newWithElement(source());
out = in.orElseThrow();
sink(out); // $hasValueFlow
sink(out); // $ hasValueFlow
}
{
// "java.util;Optional;false;stream;;;Element of Argument[this];Element of ReturnValue;value;manual"
Stream<Object> out = null;
Optional<Object> in = newWithElement(source());
out = in.stream();
sink(getStreamElement(out)); // $hasValueFlow
sink(getStreamElement(out)); // $ hasValueFlow
}
}
}
}


@@ -11,24 +11,24 @@ public class TaintedEnvironment {
String s = (String) source();
ProcessBuilder pb = new ProcessBuilder();
pb.environment().put("foo", s); // $hasTaintFlow
pb.environment().put("foo", s); // $ hasTaintFlow
pb.environment().put(s, "foo"); // $hasTaintFlow
pb.environment().put(s, "foo"); // $ hasTaintFlow
Map<String, String> extra = Map.of("USER", s);
pb.environment().putAll(extra); // $hasTaintFlow
pb.environment().putAll(extra); // $ hasTaintFlow
pb.environment().putIfAbsent("foo", s); // $hasTaintFlow
pb.environment().putIfAbsent(s, "foo"); // $hasTaintFlow
pb.environment().putIfAbsent("foo", s); // $ hasTaintFlow
pb.environment().putIfAbsent(s, "foo"); // $ hasTaintFlow
pb.environment().replace("foo", s); // $hasTaintFlow
pb.environment().replace(s, "foo"); // $hasTaintFlow
pb.environment().replace("foo", "bar", s); // $hasTaintFlow
pb.environment().replace("foo", s); // $ hasTaintFlow
pb.environment().replace(s, "foo"); // $ hasTaintFlow
pb.environment().replace("foo", "bar", s); // $ hasTaintFlow
Map<String, String> env = pb.environment();
env.put("foo", s); // $hasTaintFlow
env.put("foo", s); // $ hasTaintFlow
pb.start();
}
@@ -36,6 +36,6 @@ public class TaintedEnvironment {
public void exec() throws java.io.IOException {
String kv = (String) source();
Runtime.getRuntime().exec(new String[] { "ls" }, new String[] { kv }); // $hasTaintFlow
Runtime.getRuntime().exec(new String[] { "ls" }, new String[] { kv }); // $ hasTaintFlow
}
}


@@ -21,14 +21,14 @@ class SensitiveCookieNotHttpOnly {
// BAD - Tests adding a sensitive cookie without the `HttpOnly` flag set.
public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
String tokenCookieStr = "jwt_token"; // $Source
String tokenCookieStr = "jwt_token"; // $ Source
Cookie jwtCookie = new Cookie(tokenCookieStr, jwt_token);
Cookie userIdCookie = new Cookie("user_id", userId);
jwtCookie.setPath("/");
userIdCookie.setPath("/");
jwtCookie.setMaxAge(3600*24*7);
userIdCookie.setMaxAge(3600*24*7);
response.addCookie(jwtCookie); // $Alert
response.addCookie(jwtCookie); // $ Alert
response.addCookie(userIdCookie);
}
@@ -39,9 +39,9 @@ class SensitiveCookieNotHttpOnly {
// BAD - Tests set a sensitive cookie header without the `HttpOnly` flag set.
public void addCookie4(String authId, HttpServletRequest request, HttpServletResponse response) {
response.addHeader("Set-Cookie", "token=" +authId + ";Secure"); // $Alert
response.addHeader("Set-Cookie", "token=" +authId + ";Secure"); // $ Alert
}
// GOOD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through string concatenation.
public void addCookie5(String accessKey, HttpServletRequest request, HttpServletResponse response) {
response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true) + ";HttpOnly");
@@ -49,7 +49,7 @@ class SensitiveCookieNotHttpOnly {
// BAD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
public void addCookie6(String accessKey, HttpServletRequest request, HttpServletResponse response) {
response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true).toString()); // $Alert
response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true).toString()); // $ Alert
}
// GOOD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through the constructor.
@@ -60,15 +60,15 @@ class SensitiveCookieNotHttpOnly {
// BAD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
public void addCookie8(String accessKey, HttpServletRequest request, HttpServletResponse response) {
NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, 0, null, 86400, true); // $Source
NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, 0, null, 86400, true); // $ Source
String keyStr = accessKeyCookie.toString();
response.setHeader("Set-Cookie", keyStr); // $Alert
response.setHeader("Set-Cookie", keyStr); // $ Alert
}
// BAD - Tests set a sensitive cookie header using a variable without the `HttpOnly` flag set.
public void addCookie9(String authId, HttpServletRequest request, HttpServletResponse response) {
String secString = "token=" +authId + ";Secure"; // $Source
response.addHeader("Set-Cookie", secString); // $Alert
String secString = "token=" +authId + ";Secure"; // $ Source
response.addHeader("Set-Cookie", secString); // $ Alert
}
// GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set using `String.format(...)`.
@@ -85,7 +85,7 @@ class SensitiveCookieNotHttpOnly {
}
public Cookie createAuthenticationCookie(HttpServletRequest request, String jwt) {
String PRESTO_UI_COOKIE = "Presto-UI-Token"; // $Source
String PRESTO_UI_COOKIE = "Presto-UI-Token"; // $ Source
Cookie cookie = new Cookie(PRESTO_UI_COOKIE, jwt);
cookie.setPath("/ui");
return cookie;
@@ -108,7 +108,7 @@ class SensitiveCookieNotHttpOnly {
// BAD - Tests set a sensitive cookie header without the `HttpOnly` flag set using a wrapper method.
public void addCookie12(HttpServletRequest request, HttpServletResponse response, String jwt) {
Cookie cookie = createAuthenticationCookie(request, jwt);
response.addCookie(cookie); // $Alert
response.addCookie(cookie); // $ Alert
}
// GOOD - Tests remove a sensitive cookie header without the `HttpOnly` flag set using a wrapper method.
@@ -141,14 +141,14 @@ class SensitiveCookieNotHttpOnly {
// This example is missed because the `cookie.setHttpOnly` call in `createCookie` is thought to maybe set the HTTP-only flag, and the `cookie`
// object flows to this `addCookie` call.
public void addCookie15(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
response.addCookie(createCookie("refresh_token", refreshToken, false)); // $MISSING:Alert
response.addCookie(createCookie("refresh_token", refreshToken, false)); // $ MISSING:Alert
}
// GOOD - CSRF token doesn't need to have the `HttpOnly` flag set.
public void addCsrfCookie(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// Spring put the CSRF token in session attribute "_csrf"
CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
// Send the cookie only if the token has changed
String actualToken = request.getHeader("X-CSRF-TOKEN");
if (actualToken == null || !actualToken.equals(csrfToken.getToken())) {


@@ -10,33 +10,33 @@ public class StaticInitializationVector {
// BAD: AES-GCM with static IV from a byte array
public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source
byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $ Source
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert
cipher.update(plaintext);
return cipher.doFinal();
}
// BAD: AES-GCM with static IV from zero-initialized byte array
public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[16]; // $Source
byte[] iv = new byte[16]; // $ Source
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert
cipher.update(plaintext);
return cipher.doFinal();
}
// BAD: AES-CBC with static IV from zero-initialized byte array
public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
byte[] iv = new byte[16]; // $Source
byte[] iv = new byte[16]; // $ Source
for (byte i = 0; i < iv.length; i++) {
iv[i] = 1;
}
@@ -45,7 +45,7 @@ public class StaticInitializationVector {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -55,13 +55,13 @@ public class StaticInitializationVector {
byte[][] staticIvs = new byte[][] {
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 },
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 }
}; // $Source
}; // $ Source
GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -71,13 +71,13 @@ public class StaticInitializationVector {
byte[][] staticIvs = new byte[][] {
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 },
new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 }
}; // $Source
}; // $ Source
GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -85,15 +85,15 @@ public class StaticInitializationVector {
// BAD: AES-GCM with static IV from a multidimensional byte array
public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception {
byte[][] ivs = new byte[][] {
new byte[8], // $Source
new byte[16] // $Source
new byte[8], // $ Source
new byte[16] // $ Source
};
GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert
cipher.update(plaintext);
return cipher.doFinal();
}
@@ -165,8 +165,8 @@ public class StaticInitializationVector {
return cipher.doFinal();
}
public byte[] generate(int size) throws Exception {
if (size == 0) {
public byte[] generate(int size) throws Exception {
if (size == 0) {
return new byte[0];
}
byte[] randomBytes = new byte[size];
@@ -182,7 +182,7 @@ public class StaticInitializationVector {
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
cipher.update(plaintext);
return cipher.doFinal();
}


@@ -8,122 +8,122 @@ import android.widget.RemoteViews;
class Test extends Activity {
void test(String password) {
Notification.Builder builder = new Notification.Builder(this, "");
builder.setContentText(password); // $sensitive-notification
builder.setContentTitle(password); // $sensitive-notification
builder.setContentInfo(password); // $sensitive-notification
builder.setContentText(password); // $ sensitive-notification
builder.setContentTitle(password); // $ sensitive-notification
builder.setContentInfo(password); // $ sensitive-notification
Intent intent = new Intent();
intent.putExtra("a", password);
builder.addExtras(intent.getExtras()); // $sensitive-notification
builder.setCategory(password); // $sensitive-notification
builder.setChannelId(password); // $sensitive-notification
builder.setGroup(password); // $sensitive-notification
builder.setExtras(intent.getExtras()); // $sensitive-notification
builder.setGroup(password); // $sensitive-notification
builder.setSortKey(password); // $sensitive-notification
builder.setSettingsText(password); // $sensitive-notification
builder.setRemoteInputHistory(new CharSequence[] { password }); // $sensitive-notification
builder.setTicker(password); // $sensitive-notification
builder.setTicker(password, null); // $sensitive-notification
builder.addExtras(intent.getExtras()); // $ sensitive-notification
builder.setCategory(password); // $ sensitive-notification
builder.setChannelId(password); // $ sensitive-notification
builder.setGroup(password); // $ sensitive-notification
builder.setExtras(intent.getExtras()); // $ sensitive-notification
builder.setGroup(password); // $ sensitive-notification
builder.setSortKey(password); // $ sensitive-notification
builder.setSettingsText(password); // $ sensitive-notification
builder.setRemoteInputHistory(new CharSequence[] { password }); // $ sensitive-notification
builder.setTicker(password); // $ sensitive-notification
builder.setTicker(password, null); // $ sensitive-notification
builder.setStyle(new Notification.BigPictureStyle()
.setContentDescription(password) // $sensitive-notification
.setSummaryText(password) // $sensitive-notification
.setBigContentTitle(password)); // $sensitive-notification
.setContentDescription(password) // $ sensitive-notification
.setSummaryText(password) // $ sensitive-notification
.setBigContentTitle(password)); // $ sensitive-notification
builder.setStyle(new Notification.BigTextStyle()
.bigText(password) // $sensitive-notification
.setSummaryText(password) // $sensitive-notification
.setBigContentTitle(password)); // $sensitive-notification
.bigText(password) // $ sensitive-notification
.setSummaryText(password) // $ sensitive-notification
.setBigContentTitle(password)); // $ sensitive-notification
builder.setStyle(new Notification.InboxStyle()
.addLine(password) // $sensitive-notification
.setBigContentTitle(password) // $sensitive-notification
.setSummaryText(password)); // $sensitive-notification
.addLine(password) // $ sensitive-notification
.setBigContentTitle(password) // $ sensitive-notification
.setSummaryText(password)); // $ sensitive-notification
builder.setStyle(new Notification.MediaStyle()
.setRemotePlaybackInfo(password, 0, null)); // $sensitive-notification
builder.setStyle(
new Notification.MessagingStyle(password) // $sensitive-notification
.setConversationTitle(password) // $sensitive-notification
.addMessage(password, 0, "") // $sensitive-notification
.addMessage(password, 0, (android.app.Person)null) // $sensitive-notification
.addMessage("", 0, password) // $sensitive-notification
.addMessage(new Notification.MessagingStyle.Message(password, 0, "")) // $sensitive-notification
.addMessage(new Notification.MessagingStyle.Message(password, 0, (android.app.Person)null)) // $sensitive-notification
.addMessage(new Notification.MessagingStyle.Message("", 0, password)) // $sensitive-notification
.setRemotePlaybackInfo(password, 0, null)); // $ sensitive-notification
builder.setStyle(
new Notification.MessagingStyle(password) // $ sensitive-notification
.setConversationTitle(password) // $ sensitive-notification
.addMessage(password, 0, "") // $ sensitive-notification
.addMessage(password, 0, (android.app.Person)null) // $ sensitive-notification
.addMessage("", 0, password) // $ sensitive-notification
.addMessage(new Notification.MessagingStyle.Message(password, 0, "")) // $ sensitive-notification
.addMessage(new Notification.MessagingStyle.Message(password, 0, (android.app.Person)null)) // $ sensitive-notification
.addMessage(new Notification.MessagingStyle.Message("", 0, password)) // $ sensitive-notification
);
builder.addAction(0, password, null); // $sensitive-notification
builder.addAction(new Notification.Action(0, password, null)); // $sensitive-notification
builder.addAction(new Notification.Action.Builder(0, password, null) // $sensitive-notification
.addExtras(intent.getExtras()) // $sensitive-notification
builder.addAction(0, password, null); // $ sensitive-notification
builder.addAction(new Notification.Action(0, password, null)); // $ sensitive-notification
builder.addAction(new Notification.Action.Builder(0, password, null) // $ sensitive-notification
.addExtras(intent.getExtras()) // $ sensitive-notification
.build());
builder.addAction(new Notification.Action.Builder(null, password, null).build()); // $sensitive-notification
builder.addAction(new Notification.Action.Builder(null, password, null).build()); // $ sensitive-notification
builder.setStyle(Notification.CallStyle.forScreeningCall(null, null, null)
.setVerificationText(password)); // $sensitive-notification
builder.setStyle(Notification.CallStyle.forScreeningCall(null, null, null)
.setVerificationText(password)); // $ sensitive-notification
}
void test2(RemoteViews passwordView) {
Notification.Builder builder = new Notification.Builder(this, "");
builder.setContent(passwordView); // $sensitive-notification
builder.setCustomBigContentView(passwordView); // $sensitive-notification
builder.setCustomContentView(passwordView); // $sensitive-notification
builder.setCustomHeadsUpContentView(passwordView); // $sensitive-notification
builder.setTicker("", passwordView); // $sensitive-notification
builder.setContent(passwordView); // $ sensitive-notification
builder.setCustomBigContentView(passwordView); // $ sensitive-notification
builder.setCustomContentView(passwordView); // $ sensitive-notification
builder.setCustomHeadsUpContentView(passwordView); // $ sensitive-notification
builder.setTicker("", passwordView); // $ sensitive-notification
}
void test3(String password) {
NotificationCompat.Builder builder = new NotificationCompat.Builder(this, "");
builder.setContentText(password); // $sensitive-notification
builder.setContentTitle(password); // $sensitive-notification
builder.setContentInfo(password); // $sensitive-notification
builder.setContentText(password); // $ sensitive-notification
builder.setContentTitle(password); // $ sensitive-notification
builder.setContentInfo(password); // $ sensitive-notification
Intent intent = new Intent();
intent.putExtra("a", password);
builder.addExtras(intent.getExtras()); // $sensitive-notification
builder.setCategory(password); // $sensitive-notification
builder.setChannelId(password); // $sensitive-notification
builder.setGroup(password); // $sensitive-notification
builder.setExtras(intent.getExtras()); // $sensitive-notification
builder.setGroup(password); // $sensitive-notification
builder.setSortKey(password); // $sensitive-notification
builder.setSettingsText(password); // $sensitive-notification
builder.setRemoteInputHistory(new CharSequence[] { password }); // $sensitive-notification
builder.setTicker(password); // $sensitive-notification
builder.setTicker(password, null); // $sensitive-notification
builder.addExtras(intent.getExtras()); // $ sensitive-notification
builder.setCategory(password); // $ sensitive-notification
builder.setChannelId(password); // $ sensitive-notification
builder.setGroup(password); // $ sensitive-notification
builder.setExtras(intent.getExtras()); // $ sensitive-notification
builder.setGroup(password); // $ sensitive-notification
builder.setSortKey(password); // $ sensitive-notification
builder.setSettingsText(password); // $ sensitive-notification
builder.setRemoteInputHistory(new CharSequence[] { password }); // $ sensitive-notification
builder.setTicker(password); // $ sensitive-notification
builder.setTicker(password, null); // $ sensitive-notification
builder.setStyle(new NotificationCompat.BigPictureStyle()
.setContentDescription(password) // $sensitive-notification
.setSummaryText(password) // $sensitive-notification
.setBigContentTitle(password)); // $sensitive-notification
.setContentDescription(password) // $ sensitive-notification
.setSummaryText(password) // $ sensitive-notification
.setBigContentTitle(password)); // $ sensitive-notification
builder.setStyle(new NotificationCompat.BigTextStyle()
.bigText(password) // $sensitive-notification
.setSummaryText(password) // $sensitive-notification
.setBigContentTitle(password)); // $sensitive-notification
.bigText(password) // $ sensitive-notification
.setSummaryText(password) // $ sensitive-notification
.setBigContentTitle(password)); // $ sensitive-notification
builder.setStyle(new NotificationCompat.InboxStyle()
.addLine(password) // $sensitive-notification
.setBigContentTitle(password) // $sensitive-notification
.setSummaryText(password)); // $sensitive-notification
builder.setStyle(
new NotificationCompat.MessagingStyle(password) // $sensitive-notification
.setConversationTitle(password) // $sensitive-notification
.addMessage(password, 0, "") // $sensitive-notification
.addMessage(password, 0, (androidx.core.app.Person)null) // $sensitive-notification
.addMessage("", 0, password) // $sensitive-notification
.addMessage(new NotificationCompat.MessagingStyle.Message(password, 0, "")) // $sensitive-notification
.addMessage(new NotificationCompat.MessagingStyle.Message(password, 0, (androidx.core.app.Person)null)) // $sensitive-notification
.addMessage(new NotificationCompat.MessagingStyle.Message("", 0, password)) // $sensitive-notification
.addLine(password) // $ sensitive-notification
.setBigContentTitle(password) // $ sensitive-notification
.setSummaryText(password)); // $ sensitive-notification
builder.setStyle(
new NotificationCompat.MessagingStyle(password) // $ sensitive-notification
.setConversationTitle(password) // $ sensitive-notification
.addMessage(password, 0, "") // $ sensitive-notification
.addMessage(password, 0, (androidx.core.app.Person)null) // $ sensitive-notification
.addMessage("", 0, password) // $ sensitive-notification
.addMessage(new NotificationCompat.MessagingStyle.Message(password, 0, "")) // $ sensitive-notification
.addMessage(new NotificationCompat.MessagingStyle.Message(password, 0, (androidx.core.app.Person)null)) // $ sensitive-notification
.addMessage(new NotificationCompat.MessagingStyle.Message("", 0, password)) // $ sensitive-notification
);
builder.addAction(0, password, null); // $sensitive-notification
builder.addAction(new NotificationCompat.Action(0, password, null)); // $sensitive-notification
builder.addAction(new NotificationCompat.Action.Builder(0, password, null) // $sensitive-notification
.addExtras(intent.getExtras()) // $sensitive-notification
builder.addAction(0, password, null); // $ sensitive-notification
builder.addAction(new NotificationCompat.Action(0, password, null)); // $ sensitive-notification
builder.addAction(new NotificationCompat.Action.Builder(0, password, null) // $ sensitive-notification
.addExtras(intent.getExtras()) // $ sensitive-notification
.build());
builder.addAction(new NotificationCompat.Action.Builder(null, password, null).build()); // $sensitive-notification
builder.addAction(new NotificationCompat.Action.Builder(null, password, null).build()); // $ sensitive-notification
builder.setStyle(NotificationCompat.CallStyle.forScreeningCall(null, null, null)
.setVerificationText(password)); // $sensitive-notification
.setVerificationText(password)); // $ sensitive-notification
}
}
}


@@ -11,11 +11,11 @@ class Test extends Activity {
void test(String password) {
EditText test1 = findViewById(R.id.test1);
// BAD: Exposing sensitive data to text view
test1.setText(password); // $sensitive-text
test1.setHint(password); // $sensitive-text
test1.append(password); // $sensitive-text
test1.setText(password); // $ sensitive-text
test1.setHint(password); // $ sensitive-text
test1.append(password); // $ sensitive-text
// GOOD: resource constant is not sensitive info
test1.setText(R.string.password_prompt);
test1.setText(R.string.password_prompt);
// GOOD: Visibility is dynamically set
TextView test2 = findViewById(R.id.test2);
@@ -47,7 +47,7 @@ class Test extends Activity {
// BAD: Input type set to textVisiblePassword in XML, which is not hidden
EditText test9 = findViewById(R.id.test9);
test9.setText(password); // $sensitive-text
test9.setText(password); // $ sensitive-text
// GOOD: Visibility set to invisible in XML
EditText test10 = findViewById(R.id.test10);
@@ -74,4 +74,4 @@ class Test extends Activity {
// GOOD: Input type set to textPassword in XML
test14.setText(password);
}
}
}


@@ -6,9 +6,9 @@ import javax.crypto.KeyGenerator;
class Test {
void test() {
KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
builder.setUserAuthenticationRequired(false); // $insecure-key
builder.setInvalidatedByBiometricEnrollment(false); // $insecure-key
builder.setUserAuthenticationValidityDurationSeconds(30); // $insecure-key
builder.setUserAuthenticationRequired(false); // $ insecure-key
builder.setInvalidatedByBiometricEnrollment(false); // $ insecure-key
builder.setUserAuthenticationValidityDurationSeconds(30); // $ insecure-key
}
private void generateSecretKey() throws Exception {
@@ -36,4 +36,4 @@ class Callback extends BiometricPrompt.AuthenticationCallback {
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
useKey(result.getCryptoObject());
}
}
}


@@ -16,15 +16,15 @@ class TestA {
// BAD: result is not used
class Test2 extends BiometricPrompt.AuthenticationCallback {
@Override
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $ insecure-auth
}
}
// BAD: result is only used in a super call
class Test3 extends BiometricPrompt.AuthenticationCallback {
@Override
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $ insecure-auth
super.onAuthenticationSucceeded(result);
}
}
@@ -62,15 +62,15 @@ class TestB {
// BAD: result is not used
class Test2 extends FingerprintManager.AuthenticationCallback {
@Override
public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) { // $insecure-auth
public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) { // $ insecure-auth
}
}
// BAD: result is only used in a super call
class Test3 extends FingerprintManager.AuthenticationCallback {
@Override
public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) { // $insecure-auth
public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) { // $ insecure-auth
super.onAuthenticationSucceeded(result);
}
}
@@ -91,4 +91,4 @@ class TestB {
super.onAuthenticationSucceeded(result);
}
}
}
}


@@ -15,15 +15,15 @@ class TestC {
// BAD: result is not used
class Test2 extends BiometricPrompt.AuthenticationCallback {
@Override
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $ insecure-auth
}
}
// BAD: result is only used in a super call
class Test3 extends BiometricPrompt.AuthenticationCallback {
@Override
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $insecure-auth
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) { // $ insecure-auth
super.onAuthenticationSucceeded(result);
}
}
@@ -44,4 +44,4 @@ class TestC {
super.onAuthenticationSucceeded(result);
}
}
}
}


@@ -7,7 +7,7 @@ class Test {
}
URLConnection test2() throws Exception {
return new URL("https://bad.example.com").openConnection(); // $hasUntrustedResult
return new URL("https://bad.example.com").openConnection(); // $ hasUntrustedResult
}
URLConnection test3() throws Exception {


@@ -3,7 +3,7 @@ import java.net.URLConnection;
class Test {
URLConnection test2() throws Exception {
return new URL("https://example.com").openConnection(); // $hasNoTrustedResult
return new URL("https://example.com").openConnection(); // $ hasNoTrustedResult
}
URLConnection test3() throws Exception {


@@ -11,7 +11,7 @@ class Test {
new OkHttpClient.Builder().certificatePinner(certificatePinner).build();
client.newCall(new Request.Builder().url("https://good.example.com").build()).execute();
client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $hasUntrustedResult
client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $ hasUntrustedResult
client.newCall(new Request.Builder().url("classpath:example/directory/test.class").build())
.execute();
client.newCall(new Request.Builder().url("file:///example/file").build()).execute();


@@ -28,6 +28,6 @@ class Test {
void test2() throws Exception {
URL url = new URL("http://www.example.com/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); // $hasNoTrustedResult
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); // $ hasNoTrustedResult
}
}


@@ -9,8 +9,8 @@ import android.app.Activity;
class Test {
class A extends WebViewClient {
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
handler.proceed();
public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
handler.proceed();
}
}
@@ -28,7 +28,7 @@ class Test {
else {
handler.cancel();
}
}
}
}
class C extends WebViewClient {
@@ -51,4 +51,4 @@ class Test {
}).show();
}
}
}
}


@@ -19,7 +19,7 @@ class InsecureJakartaMailTest {
if (null != authenticator) {
properties.put("mail.smtp.auth", "true");
}
final Session session = Session.getInstance(properties, authenticator); // $hasInsecureJavaMail
final Session session = Session.getInstance(properties, authenticator); // $ hasInsecureJavaMail
}
public void testSecureJavaMail() {


@@ -19,7 +19,7 @@ class InsecureJavaMailTest {
if (null != authenticator) {
properties.put("mail.smtp.auth", "true");
}
final Session session = Session.getInstance(properties, authenticator); // $hasInsecureJavaMail
final Session session = Session.getInstance(properties, authenticator); // $ hasInsecureJavaMail
}
public void testSecureJavaMail() {


@@ -10,7 +10,7 @@ public class InsecureSimpleEmailTest {
email.setHostName("config.hostName");
email.setSmtpPort(25);
email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
email.setSSLOnConnect(true); // $hasInsecureJavaMail
email.setSSLOnConnect(true); // $ hasInsecureJavaMail
email.setFrom("fromAddress");
email.setSubject("subject");
email.setMsg("body");
@@ -23,7 +23,7 @@ public class InsecureSimpleEmailTest {
email.setHostName("config.hostName");
email.setSmtpPort(25);
email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
email.setStartTLSRequired(true); // $hasInsecureJavaMail
email.setStartTLSRequired(true); // $ hasInsecureJavaMail
email.setFrom("fromAddress");
email.setSubject("subject");
email.setMsg("body");


@@ -100,13 +100,13 @@ public class CleartextStorageSharedPrefsTest extends Activity {
SharedPreferences sharedPrefs =
context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
sharedPrefs.edit().putString("name", name).apply(); // Safe
sharedPrefs.edit().putString("password", password).apply(); // $hasCleartextStorageSharedPrefs
sharedPrefs.edit().putString("password", password).apply(); // $ hasCleartextStorageSharedPrefs
}
public void testSetSharedPrefs7(Context context, EditText name, EditText password) {
SharedPreferences sharedPrefs =
context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
sharedPrefs.edit().putString("name", name.getText().toString()).apply(); // Safe
sharedPrefs.edit().putString("password", password.getText().toString()).apply(); // $hasCleartextStorageSharedPrefs
sharedPrefs.edit().putString("password", password.getText().toString()).apply(); // $ hasCleartextStorageSharedPrefs
}
}


@@ -31,6 +31,6 @@ public class UnsafeActivity1 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
}


@@ -31,6 +31,6 @@ public class UnsafeActivity2 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
}


@@ -31,6 +31,6 @@ public class UnsafeActivity3 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
}


@@ -31,7 +31,7 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
@@ -55,7 +55,7 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getStringExtra("url");
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
// Test onCreate with both JavaScript and cross-origin resource access disabled by default while
@@ -99,7 +99,7 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getStringExtra("url");
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
// Test onCreate with both JavaScript and cross-origin resource access enabled while not taking


@@ -30,6 +30,6 @@ public class UnsafeAndroidBroadcastReceiver extends BroadcastReceiver {
}
});
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
wv.loadUrl(thisUrl); // $ hasUnsafeAndroidAccess
}
}


@@ -10,6 +10,6 @@ class SensitiveResultReceiver {
ResultReceiver rec = intent.getParcelableExtra("hi");
Bundle b = new Bundle();
b.putCharSequence("pass", password);
rec.send(0, b); // $hasSensitiveResultReceiver
rec.send(0, b); // $ hasSensitiveResultReceiver
}
}
}