mirror of
https://github.com/github/codeql.git
synced 2025-12-20 10:46:30 +01:00
c37ecb7102
* Expose getContentTypeString for use by tests * Use it to get constant arguments to @Produces annotations * Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)
171 lines
5.6 KiB
Plaintext
171 lines
5.6 KiB
Plaintext
import java
|
|
import semmle.code.java.frameworks.JaxWS
|
|
import semmle.code.java.security.XSS
|
|
import TestUtilities.InlineExpectationsTest
|
|
|
|
class JaxRsTest extends InlineExpectationsTest {
|
|
JaxRsTest() { this = "JaxRsTest" }
|
|
|
|
override string getARelevantTag() {
|
|
result =
|
|
[
|
|
"ResourceMethod", "RootResourceClass", "NonRootResourceClass",
|
|
"ResourceMethodOnResourceClass", "InjectableConstructor", "InjectableField",
|
|
"InjectionAnnotation", "ResponseDeclaration", "ResponseBuilderDeclaration",
|
|
"ClientDeclaration", "BeanParamConstructor", "MessageBodyReaderDeclaration",
|
|
"MessageBodyReaderReadFromCall", "MessageBodyReaderReadCall", "ProducesAnnotation",
|
|
"ConsumesAnnotation"
|
|
]
|
|
}
|
|
|
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
|
tag = "ResourceMethod" and
|
|
exists(JaxRsResourceMethod resourceMethod |
|
|
resourceMethod.getLocation() = location and
|
|
element = resourceMethod.toString() and
|
|
if exists(resourceMethod.getProducesAnnotation())
|
|
then
|
|
value =
|
|
getContentTypeString(resourceMethod.getProducesAnnotation().getADeclaredContentTypeExpr()) and
|
|
value != ""
|
|
else
|
|
// Filter out empty strings that stem from using stubs.
|
|
// If we built the test against the real JAR then the field
|
|
// access against e.g. MediaType.APPLICATION_JSON wouldn't
|
|
// be a CompileTimeConstantExpr at all, whereas in the stubs
|
|
// it is and is defined empty.
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "RootResourceClass" and
|
|
exists(JaxRsResourceClass resourceClass |
|
|
resourceClass.isRootResource() and
|
|
resourceClass.getLocation() = location and
|
|
element = resourceClass.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "NonRootResourceClass" and
|
|
exists(JaxRsResourceClass resourceClass |
|
|
not resourceClass.isRootResource() and
|
|
resourceClass.getLocation() = location and
|
|
element = resourceClass.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ResourceMethodOnResourceClass" and
|
|
exists(JaxRsResourceMethod resourceMethod |
|
|
resourceMethod = any(JaxRsResourceClass ResourceClass).getAResourceMethod()
|
|
|
|
|
resourceMethod.getLocation() = location and
|
|
element = resourceMethod.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "InjectableConstructor" and
|
|
exists(Constructor cons |
|
|
cons = any(JaxRsResourceClass resourceClass).getAnInjectableConstructor()
|
|
|
|
|
cons.getLocation() = location and
|
|
element = cons.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "InjectableField" and
|
|
exists(Field field | field = any(JaxRsResourceClass resourceClass).getAnInjectableField() |
|
|
field.getLocation() = location and
|
|
element = field.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "InjectionAnnotation" and
|
|
exists(JaxRsInjectionAnnotation injectionAnnotation |
|
|
injectionAnnotation.getLocation() = location and
|
|
element = injectionAnnotation.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ResponseDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType() instanceof JaxRsResponse and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ResponseBuilderDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType() instanceof JaxRsResponseBuilder and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ClientDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType() instanceof JaxRsClient and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "BeanParamConstructor" and
|
|
exists(JaxRsBeanParamConstructor cons |
|
|
cons.getLocation() = location and
|
|
element = cons.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "MessageBodyReaderDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "MessageBodyReaderReadFromCall" and
|
|
exists(MethodAccess ma |
|
|
ma.getMethod() instanceof MessageBodyReaderReadFrom and
|
|
ma.getLocation() = location and
|
|
element = ma.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "MessageBodyReaderReadCall" and
|
|
exists(MethodAccess ma |
|
|
ma.getMethod() instanceof MessageBodyReaderRead and
|
|
ma.getLocation() = location and
|
|
element = ma.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ProducesAnnotation" and
|
|
exists(JaxRSProducesAnnotation producesAnnotation |
|
|
producesAnnotation.getLocation() = location and
|
|
element = producesAnnotation.toString() and
|
|
value = getContentTypeString(producesAnnotation.getADeclaredContentTypeExpr()) and
|
|
value != ""
|
|
// Filter out empty strings that stem from using stubs.
|
|
// If we built the test against the real JAR then the field
|
|
// access against e.g. MediaType.APPLICATION_JSON wouldn't
|
|
// be a CompileTimeConstantExpr at all, whereas in the stubs
|
|
// it is and is defined empty.
|
|
)
|
|
or
|
|
tag = "ConsumesAnnotation" and
|
|
exists(JaxRSConsumesAnnotation consumesAnnotation |
|
|
consumesAnnotation.getLocation() = location and
|
|
element = consumesAnnotation.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "XssSink" and
|
|
exists(XssSink xssSink |
|
|
xssSink.getLocation() = location and
|
|
element = xssSink.toString() and
|
|
value = ""
|
|
)
|
|
}
|
|
}
|