mirror of
https://github.com/github/codeql.git
synced 2026-04-28 18:25:24 +02:00
156 lines
4.9 KiB
Plaintext
156 lines
4.9 KiB
Plaintext
import java
|
|
import semmle.code.java.frameworks.JaxWS
|
|
import semmle.code.java.security.XSS
|
|
import TestUtilities.InlineExpectationsTest
|
|
|
|
class JaxRsTest extends InlineExpectationsTest {
|
|
JaxRsTest() { this = "JaxRsTest" }
|
|
|
|
override string getARelevantTag() {
|
|
result =
|
|
[
|
|
"ResourceMethod", "RootResourceClass", "NonRootResourceClass",
|
|
"ResourceMethodOnResourceClass", "InjectableConstructor", "InjectableField",
|
|
"InjectionAnnotation", "ResponseDeclaration", "ResponseBuilderDeclaration",
|
|
"ClientDeclaration", "BeanParamConstructor", "MessageBodyReaderDeclaration",
|
|
"MessageBodyReaderReadFromCall", "MessageBodyReaderReadCall", "ProducesAnnotation",
|
|
"ConsumesAnnotation"
|
|
]
|
|
}
|
|
|
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
|
tag = "ResourceMethod" and
|
|
exists(JaxRsResourceMethod resourceMethod |
|
|
resourceMethod.getLocation() = location and
|
|
element = resourceMethod.toString() and
|
|
if exists(resourceMethod.getProducesAnnotation())
|
|
then value = resourceMethod.getProducesAnnotation().getADeclaredContentType()
|
|
else value = ""
|
|
)
|
|
or
|
|
tag = "RootResourceClass" and
|
|
exists(JaxRsResourceClass resourceClass |
|
|
resourceClass.isRootResource() and
|
|
resourceClass.getLocation() = location and
|
|
element = resourceClass.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "NonRootResourceClass" and
|
|
exists(JaxRsResourceClass resourceClass |
|
|
not resourceClass.isRootResource() and
|
|
resourceClass.getLocation() = location and
|
|
element = resourceClass.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ResourceMethodOnResourceClass" and
|
|
exists(JaxRsResourceMethod resourceMethod |
|
|
resourceMethod = any(JaxRsResourceClass ResourceClass).getAResourceMethod()
|
|
|
|
|
resourceMethod.getLocation() = location and
|
|
element = resourceMethod.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "InjectableConstructor" and
|
|
exists(Constructor cons |
|
|
cons = any(JaxRsResourceClass resourceClass).getAnInjectableConstructor()
|
|
|
|
|
cons.getLocation() = location and
|
|
element = cons.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "InjectableField" and
|
|
exists(Field field | field = any(JaxRsResourceClass resourceClass).getAnInjectableField() |
|
|
field.getLocation() = location and
|
|
element = field.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "InjectionAnnotation" and
|
|
exists(JaxRsInjectionAnnotation injectionAnnotation |
|
|
injectionAnnotation.getLocation() = location and
|
|
element = injectionAnnotation.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ResponseDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType() instanceof JaxRsResponse and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ResponseBuilderDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType() instanceof JaxRsResponseBuilder and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ClientDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType() instanceof JaxRsClient and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "BeanParamConstructor" and
|
|
exists(JaxRsBeanParamConstructor cons |
|
|
cons.getLocation() = location and
|
|
element = cons.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "MessageBodyReaderDeclaration" and
|
|
exists(LocalVariableDecl decl |
|
|
decl.getType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
|
|
decl.getLocation() = location and
|
|
element = decl.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "MessageBodyReaderReadFromCall" and
|
|
exists(MethodAccess ma |
|
|
ma.getMethod() instanceof MessageBodyReaderReadFrom and
|
|
ma.getLocation() = location and
|
|
element = ma.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "MessageBodyReaderReadCall" and
|
|
exists(MethodAccess ma |
|
|
ma.getMethod() instanceof MessageBodyReaderRead and
|
|
ma.getLocation() = location and
|
|
element = ma.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "ProducesAnnotation" and
|
|
exists(JaxRSProducesAnnotation producesAnnotation |
|
|
producesAnnotation.getLocation() = location and
|
|
element = producesAnnotation.toString() and
|
|
value = producesAnnotation.getADeclaredContentType()
|
|
)
|
|
or
|
|
tag = "ConsumesAnnotation" and
|
|
exists(JaxRSConsumesAnnotation consumesAnnotation |
|
|
consumesAnnotation.getLocation() = location and
|
|
element = consumesAnnotation.toString() and
|
|
value = ""
|
|
)
|
|
or
|
|
tag = "XssSink" and
|
|
exists(XssSink xssSink |
|
|
xssSink.getLocation() = location and
|
|
element = xssSink.toString() and
|
|
value = ""
|
|
)
|
|
}
|
|
}
|