hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.20.6
codeql/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java
haby0 22e741c7a3 *)add XQExpression.executeCommand(0) sink
2021-02-12 11:17:42 +08:00

196 lines
7.9 KiB
Java
Raw Permalink Blame History

package com.vuln.v2.controller;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.xquery.XQConnection;
import javax.xml.xquery.XQDataSource;
import javax.xml.xquery.XQException;
import javax.xml.xquery.XQExpression;
import javax.xml.xquery.XQItemType;
import javax.xml.xquery.XQPreparedExpression;
import javax.xml.xquery.XQResultSequence;
import net.sf.saxon.xqj.SaxonXQDataSource;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
@Controller
public class XQueryInjection {
public static void main(String[] args) throws Exception {
XQDataSource xqds = new SaxonXQDataSource();
XQConnection conn;
try {
String name = "admin";
String query = "declare variable $name as xs:string external;"
+ " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
expr.bindString(new QName("name"), name,
conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
XQResultSequence result = expr.executeQuery(query);
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
} catch (XQException e) {
e.printStackTrace();
}
}
@RequestMapping
public void testRequestbad(HttpServletRequest request) throws Exception {
String name = request.getParameter("name");
XQDataSource ds = new SaxonXQDataSource();
XQConnection conn = ds.getConnection();
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
+ "'] return $user/password";
XQPreparedExpression xqpe = conn.prepareExpression(query);
XQResultSequence result = xqpe.executeQuery();
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testRequestbad1(HttpServletRequest request) throws Exception {
String name = request.getParameter("name");
XQDataSource xqds = new SaxonXQDataSource();
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
+ "'] return $user/password";
XQConnection conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
XQResultSequence result = expr.executeQuery(query);
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testStringtbad(@RequestParam String nameStr) throws XQException {
XQDataSource ds = new SaxonXQDataSource();
XQConnection conn = ds.getConnection();
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
+ "'] return $user/password";
XQPreparedExpression xqpe = conn.prepareExpression(query);
XQResultSequence result = xqpe.executeQuery();
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testStringtbad1(@RequestParam String nameStr) throws XQException {
XQDataSource xqds = new SaxonXQDataSource();
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
+ "'] return $user/password";
XQConnection conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
XQResultSequence result = expr.executeQuery(query);
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testInputStreambad(HttpServletRequest request) throws Exception {
InputStream name = request.getInputStream();
XQDataSource ds = new SaxonXQDataSource();
XQConnection conn = ds.getConnection();
XQPreparedExpression xqpe = conn.prepareExpression(name);
XQResultSequence result = xqpe.executeQuery();
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testInputStreambad1(HttpServletRequest request) throws Exception {
InputStream name = request.getInputStream();
XQDataSource xqds = new SaxonXQDataSource();
XQConnection conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
XQResultSequence result = expr.executeQuery(name);
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testReaderbad(HttpServletRequest request) throws Exception {
InputStream name = request.getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(name));
XQDataSource ds = new SaxonXQDataSource();
XQConnection conn = ds.getConnection();
XQPreparedExpression xqpe = conn.prepareExpression(br);
XQResultSequence result = xqpe.executeQuery();
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testReaderbad1(HttpServletRequest request) throws Exception {
InputStream name = request.getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(name));
XQDataSource xqds = new SaxonXQDataSource();
XQConnection conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
XQResultSequence result = expr.executeQuery(br);
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void testExecuteCommandbad(HttpServletRequest request) throws Exception {
String name = request.getParameter("name");
XQDataSource xqds = new SaxonXQDataSource();
XQConnection conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
//bad code
expr.executeCommand(name);
//bad code
InputStream is = request.getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(is));
expr.executeCommand(br);
expr.close();
}
@RequestMapping
public void good(HttpServletRequest request) throws XQException {
String name = request.getParameter("name");
XQDataSource ds = new SaxonXQDataSource();
XQConnection conn = ds.getConnection();
String query = "declare variable $name as xs:string external;"
+ " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
XQPreparedExpression xqpe = conn.prepareExpression(query);
xqpe.bindString(new QName("name"), name,
conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
XQResultSequence result = xqpe.executeQuery();
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
@RequestMapping
public void good1(HttpServletRequest request) throws XQException {
String name = request.getParameter("name");
String query = "declare variable $name as xs:string external;"
+ " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
XQDataSource xqds = new SaxonXQDataSource();
XQConnection conn = xqds.getConnection();
XQExpression expr = conn.createExpression();
expr.bindString(new QName("name"), name,
conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
XQResultSequence result = expr.executeQuery(query);
while (result.next()) {
System.out.println(result.getItemAsString(null));
}
}
}
Reference in New Issue View Git Blame Copy Permalink