hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
z80coder/ATM-feature-optimisation
codeql/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
Chris Smowton c37ecb7102 Fix existing JaxRs tests 
* Expose getContentTypeString for use by tests
* Use it to get constant arguments to @Produces annotations
* Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)
2021-06-30 12:04:21 +01:00

215 lines
5.6 KiB
Java
Raw Permalink Blame History

import java.io.InputStream;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.DELETE;
import javax.ws.rs.PUT;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.HEAD;
import javax.ws.rs.Path;
import javax.ws.rs.BeanParam;
import javax.ws.rs.CookieParam;
import javax.ws.rs.FormParam;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.MatrixParam;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.MessageBodyReader;
@Path("")
public class JaxRs1 { // $ RootResourceClass
public JaxRs1() { // $ InjectableConstructor
}
@GET
int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
return 0; // $ XssSink
}
@POST
void Post() { // $ ResourceMethod ResourceMethodOnResourceClass
}
@Produces("text/plain") // $ ProducesAnnotation=text/plain
@DELETE
double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
return 0.0; // $ XssSink
}
@Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html
@PUT
void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
}
@OPTIONS
void Options() { // $ ResourceMethod ResourceMethodOnResourceClass
}
@HEAD
void Head() { // $ ResourceMethod ResourceMethodOnResourceClass
}
@Path("")
NonRootResourceClass subResourceLocator() { // $ SubResourceLocator
return null;
}
public class NonRootResourceClass { // $ NonRootResourceClass
@GET
int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
return 0; // $ XssSink
}
@Produces("text/html") // $ ProducesAnnotation=text/html
@POST
boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
return false; // $ XssSink
}
@Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
@DELETE
double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
return 0.0; // $ XssSink
}
@Path("")
AnotherNonRootResourceClass subResourceLocator1() { // $ SubResourceLocator
return null;
}
@GET
@Path("")
NotAResourceClass1 NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass
return null; // $ XssSink
}
@GET
NotAResourceClass2 NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass
return null; // $ XssSink
}
NotAResourceClass2 NotASubResourceLocator3() {
return null;
}
}
}
class AnotherNonRootResourceClass { // $ NonRootResourceClass
public AnotherNonRootResourceClass() {
}
public AnotherNonRootResourceClass(
@BeanParam int beanParam, // $ InjectionAnnotation
@CookieParam("") int cookieParam, // $ InjectionAnnotation
@FormParam("") int formParam, // $ InjectionAnnotation
@HeaderParam("") int headerParam, // $ InjectionAnnotation
@MatrixParam("") int matrixParam, // $ InjectionAnnotation
@PathParam("") int pathParam, // $ InjectionAnnotation
@QueryParam("") int queryParam, // $ InjectionAnnotation
@Context int context) { // $ InjectionAnnotation
}
@Path("")
public void resourceMethodWithBeanParamParameter(@BeanParam Foo foo) { // $ SubResourceLocator InjectionAnnotation
}
}
class Foo {
Foo() { // $ BeanParamConstructor
}
public Foo( // $ BeanParamConstructor
@BeanParam int beanParam, // $ InjectionAnnotation
@CookieParam("") int cookieParam, // $ InjectionAnnotation
@FormParam("") int formParam, // $ InjectionAnnotation
@HeaderParam("") int headerParam, // $ InjectionAnnotation
@MatrixParam("") int matrixParam, // $ InjectionAnnotation
@PathParam("") int pathParam, // $ InjectionAnnotation
@QueryParam("") int queryParam, // $ InjectionAnnotation
@Context int context) { // $ InjectionAnnotation
}
public Foo(
@BeanParam int beanParam, // $ InjectionAnnotation
@CookieParam("") int cookieParam, // $ InjectionAnnotation
@FormParam("") int formParam, // $ InjectionAnnotation
@HeaderParam("") int headerParam, // $ InjectionAnnotation
@MatrixParam("") int matrixParam, // $ InjectionAnnotation
@PathParam("") int pathParam, // $ InjectionAnnotation
@QueryParam("") int queryParam, // $ InjectionAnnotation
@Context int context, // $ InjectionAnnotation
int paramWithoutAnnotation) {
}
}
class NotAResourceClass1 {
}
class NotAResourceClass2 {
}
class ExtendsJaxRs1 extends JaxRs1 {
@Override
int Get() { // $ ResourceMethod
return 1;
}
@Override
@QueryParam("") // $ InjectionAnnotation
void Post() {
}
@Override
double Delete() { // $ ResourceMethod=text/plain
return 1.0;
}
@Override
void Put() { // $ ResourceMethod=text/html
}
@Produces("application/json") // $ ProducesAnnotation=application/json
@Override
void Options() {
}
@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
@Override
void Head() {
}
}
@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 {
@Override
int Get() { // $ ResourceMethod=text/xml
return 2;
}
@Override
@QueryParam("") // $ InjectionAnnotation
void Post() {
}
@Override
double Delete() { // $ ResourceMethod=text/plain
return 2.0;
}
@Override
void Put() { // $ ResourceMethod=text/html
}
@Override
void Options() { // $ ResourceMethod=text/xml
}
}
Reference in New Issue View Git Blame Copy Permalink