hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.20.4
codeql/java/ql/test/library-tests/dataflow/threat-models/Test.java
Rasmus Wriedt Larsen fee38b3781 Java: Fixup test
2024-08-15 15:37:35 +02:00

73 lines
2.1 KiB
Java
Raw Permalink Blame History

import java.sql.*;
import java.net.*;
import java.util.logging.*;
import java.nio.charset.StandardCharsets;
import testlib.TestSources;
class Test {
private TestSources sources = new TestSources();
private String byteToString(byte[] data) {
return new String(data, StandardCharsets.UTF_8);
}
public void M1(Statement handle) throws Exception {
// Only a source if "remote" is a selected threat model.
// This is included in the "default" threat model.
Socket sock = new Socket("localhost", 1234);
byte[] data = new byte[1024];
sock.getInputStream().read(data);
// Logging sink
Logger.getLogger("foo").severe(byteToString(data));
// SQL sink
handle.executeUpdate("INSERT INTO foo VALUES ('" + byteToString(data) + "')");
}
public void M2(Statement handle) throws Exception {
// Only a source if "database" is a selected threat model.
String result = sources.executeQuery("SELECT * FROM foo");
// SQL sink
handle.executeUpdate("INSERT INTO foo VALUES ('" + result + "')");
// Logging sink
Logger.getLogger("foo").severe(result);
}
public void M3(Statement handle) throws Exception {
// Only a source if "environment" is a selected threat model.
String result = sources.readEnv("MY_ENV_VAR");
// SQL sink
handle.executeUpdate("INSERT INTO foo VALUES ('" + result + "')");
// Logging sink
Logger.getLogger("foo").severe(result);
}
public void M4(Statement handle) throws Exception {
// Only a source if "custom" is a selected threat model.
String result = sources.getCustom("custom");
// SQL sink
handle.executeUpdate("INSERT INTO foo VALUES ('" + result + "')");
// Logging sink
Logger.getLogger("foo").severe(result);
}
public void M5(Statement handle) throws Exception {
// Only a source if "stdin" is a selected threat model.
byte[] data = new byte[1024];
System.in.read(data);
// SQL sink
handle.executeUpdate("INSERT INTO foo VALUES ('" + byteToString(data) + "')");
// Logging sink
Logger.getLogger("foo").severe(byteToString(data));
}
}
Reference in New Issue View Git Blame Copy Permalink