hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Make sinks more specific, improve tests

Browse Source
This commit is contained in:
Tony Torralba
2021-06-11 16:56:35 +02:00
parent f9e6b3c3d2
commit f3ef93fa8a
4 changed files with 570 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java
View File

@@ -1,35 +1,54 @@
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyCodeSource;
import groovy.lang.GroovyObject;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyCodeSource;
public class GroovyClassLoaderTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// "groovy.lang;GroovyClassLoader;false;parseClass;;;Argument[0];groovy",
try {
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
Class groovy = classLoader.parseClass(script); // $hasGroovyInjection
GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
} catch (Exception e) {
// Ignore
}
try {
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
Class groovy = classLoader.parseClass(gcs); // $hasGroovyInjection
GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
} catch (Exception e) {
// Ignore
classLoader.parseClass(gcs); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs, true); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script, "test"); // $hasGroovyInjection
}
}
}