hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java
Nora Dimitrijević 162b1c51a9 Java: convert XXE test to .qlref
2025-06-24 16:42:21 +02:00

33 lines
1.2 KiB
Java
Raw Permalink Blame History

import java.beans.XMLDecoder;
import java.io.BufferedReader;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
@Controller
public class XMLDecoderTests {
@PostMapping(value = "bad")
public void bad3(HttpServletRequest request) throws Exception {
ServletInputStream servletInputStream = request.getInputStream(); // $ Source
XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
xmlDecoder.readObject(); // $ Alert
}
@PostMapping(value = "good")
public void good3(HttpServletRequest request) throws Exception {
BufferedReader br = request.getReader();
String str = "";
StringBuilder listString = new StringBuilder();
while ((str = br.readLine()) != null) {
listString.append(str).append("\n");
}
// parseText falls back to a default SAXReader, which is safe
Document document = DocumentHelper.parseText(listString.toString()); // Safe
}
}
Reference in New Issue View Git Blame Copy Permalink