In a real-world situation this type would be defined in an imported jar, but since here it is defined in a stub, the getADeclaredContentType routine can see that it is defined as an empty string in the stubbed implementation. Filter these out so the test more closely resembles the real situation.
import java
import semmle.code.java.frameworks.JaxWS
import semmle.code.java.security.XSS
import TestUtilities.InlineExpectationsTest
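/**
 * Inline-expectation test for the JAX-RS model in `semmle.code.java.frameworks.JaxWS`
 * and for the XSS sinks derived from it (`semmle.code.java.security.XSS`).
 *
 * Each disjunct of `hasActualResult` reports one tag; the expected results are written
 * as `// $ <Tag>` (or `// $ <Tag>=<value>`) annotations in the test sources.
 */
class JaxRsTest extends InlineExpectationsTest {
  JaxRsTest() { this = "JaxRsTest" }

  /**
   * Every tag that `hasActualResult` can produce.
   *
   * NOTE(review): keep this list in step with the disjuncts below. The framework
   * presumably only matches expectations whose tag is listed here, so a tag emitted by
   * `hasActualResult` but missing from this list would leave its results unchecked.
   * `XssSink` was previously emitted without being listed.
   */
  override string getARelevantTag() {
    result =
      [
        "ResourceMethod", "RootResourceClass", "NonRootResourceClass",
        "ResourceMethodOnResourceClass", "InjectableConstructor", "InjectableField",
        "InjectionAnnotation", "ResponseDeclaration", "ResponseBuilderDeclaration",
        "ClientDeclaration", "BeanParamConstructor", "MessageBodyReaderDeclaration",
        "MessageBodyReaderReadFromCall", "MessageBodyReaderReadCall", "ProducesAnnotation",
        "ConsumesAnnotation", "XssSink"
      ]
  }

  /**
   * Holds if the library identifies an element at `location` for `tag`.
   *
   * `value` is the empty string for every tag except `ResourceMethod` (when the method
   * carries an `@Produces` annotation) and `ProducesAnnotation`, where it is a declared
   * content type. Content types that resolve to the empty string are filtered out: the
   * test is built against stubs, in which `MediaType.*` fields are compile-time constants
   * defined as `""`, whereas against the real JAR they would not be constants at all.
   */
  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "ResourceMethod" and
    exists(JaxRsResourceMethod resourceMethod |
      resourceMethod.getLocation() = location and
      element = resourceMethod.toString() and
      if exists(resourceMethod.getProducesAnnotation())
      then
        // Report each declared content type, dropping the empty strings that stem from
        // the stubbed `MediaType` constants (see the class documentation).
        value = resourceMethod.getProducesAnnotation().getADeclaredContentType() and
        value != ""
      else value = ""
    )
    or
    tag = "RootResourceClass" and
    exists(JaxRsResourceClass resourceClass |
      resourceClass.isRootResource() and
      resourceClass.getLocation() = location and
      element = resourceClass.toString() and
      value = ""
    )
    or
    tag = "NonRootResourceClass" and
    exists(JaxRsResourceClass resourceClass |
      not resourceClass.isRootResource() and
      resourceClass.getLocation() = location and
      element = resourceClass.toString() and
      value = ""
    )
    or
    tag = "ResourceMethodOnResourceClass" and
    exists(JaxRsResourceMethod resourceMethod |
      resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod()
    |
      resourceMethod.getLocation() = location and
      element = resourceMethod.toString() and
      value = ""
    )
    or
    tag = "InjectableConstructor" and
    exists(Constructor cons |
      cons = any(JaxRsResourceClass resourceClass).getAnInjectableConstructor()
    |
      cons.getLocation() = location and
      element = cons.toString() and
      value = ""
    )
    or
    tag = "InjectableField" and
    exists(Field field | field = any(JaxRsResourceClass resourceClass).getAnInjectableField() |
      field.getLocation() = location and
      element = field.toString() and
      value = ""
    )
    or
    tag = "InjectionAnnotation" and
    exists(JaxRsInjectionAnnotation injectionAnnotation |
      injectionAnnotation.getLocation() = location and
      element = injectionAnnotation.toString() and
      value = ""
    )
    or
    tag = "ResponseDeclaration" and
    exists(LocalVariableDecl decl |
      decl.getType() instanceof JaxRsResponse and
      decl.getLocation() = location and
      element = decl.toString() and
      value = ""
    )
    or
    tag = "ResponseBuilderDeclaration" and
    exists(LocalVariableDecl decl |
      decl.getType() instanceof JaxRsResponseBuilder and
      decl.getLocation() = location and
      element = decl.toString() and
      value = ""
    )
    or
    tag = "ClientDeclaration" and
    exists(LocalVariableDecl decl |
      decl.getType() instanceof JaxRsClient and
      decl.getLocation() = location and
      element = decl.toString() and
      value = ""
    )
    or
    tag = "BeanParamConstructor" and
    exists(JaxRsBeanParamConstructor cons |
      cons.getLocation() = location and
      element = cons.toString() and
      value = ""
    )
    or
    tag = "MessageBodyReaderDeclaration" and
    exists(LocalVariableDecl decl |
      // Compare the source declaration so parameterised `MessageBodyReader<T>` types match.
      decl.getType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
      decl.getLocation() = location and
      element = decl.toString() and
      value = ""
    )
    or
    tag = "MessageBodyReaderReadFromCall" and
    exists(MethodAccess ma |
      ma.getMethod() instanceof MessageBodyReaderReadFrom and
      ma.getLocation() = location and
      element = ma.toString() and
      value = ""
    )
    or
    tag = "MessageBodyReaderReadCall" and
    exists(MethodAccess ma |
      ma.getMethod() instanceof MessageBodyReaderRead and
      ma.getLocation() = location and
      element = ma.toString() and
      value = ""
    )
    or
    tag = "ProducesAnnotation" and
    exists(JaxRSProducesAnnotation producesAnnotation |
      producesAnnotation.getLocation() = location and
      element = producesAnnotation.toString() and
      // Same stub-induced empty strings as for `ResourceMethod`; see the class documentation.
      value = producesAnnotation.getADeclaredContentType() and
      value != ""
    )
    or
    tag = "ConsumesAnnotation" and
    exists(JaxRSConsumesAnnotation consumesAnnotation |
      consumesAnnotation.getLocation() = location and
      element = consumesAnnotation.toString() and
      value = ""
    )
    or
    tag = "XssSink" and
    exists(XssSink xssSink |
      xssSink.getLocation() = location and
      element = xssSink.toString() and
      value = ""
    )
  }
}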