Java: Add more tests for CWE-078 and update expected test outout.

Author: michaelnebel

java/test/security/CWE-078/CommandInjectionRuntimeExecLocal.expected

@@ -0,0 +1,2 @@
+query: security/CWE-078/CommandInjectionRuntimeExecLocal.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/test/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref

@@ -0,0 +1,15 @@
+#select
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | This command line depends on a $@. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | user-provided value |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | This command line depends on a $@. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | user-provided value |
+edges
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | provenance | Src:MaD:2 Sink:MaD:1 |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | provenance | Src:MaD:2 Sink:MaD:1 |
+models
+| 1 | Sink: com.jcraft.jsch; ChannelExec; true; setCommand; ; ; Argument[0]; command-injection; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+nodes
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | semmle.label | ... + ... |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | semmle.label | ... + ... |
+subpaths

java/test/security/CWE-078/CommandInjectionRuntimeExecTest.expected

@@ -0,0 +1,2 @@
+query: security/CWE-078/ExecTainted.ql
+postprocess: TestUtilities/PrettyPrintModels.ql

java/test/security/CWE-078/CommandInjectionRuntimeExecTestPath.expected

@@ -0,0 +1,60 @@
+import com.jcraft.jsch.*;
+
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class JSchOSInjectionTest extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+        throws ServletException, IOException {
+            String host = "sshHost";
+            String user = "user";
+            String password = "password";
+            String command = request.getParameter("command");
+
+            java.util.Properties config = new java.util.Properties();
+            config.put("StrictHostKeyChecking", "no");
+            
+            JSch jsch = new JSch();
+            try {
+                Session session = jsch.getSession(user, host, 22);
+                session.setPassword(password);
+                session.setConfig(config);
+                session.connect();
+
+                Channel channel = session.openChannel("exec");
+                ((ChannelExec) channel).setCommand("ping " + command);
+                channel.setInputStream(null);
+                ((ChannelExec) channel).setErrStream(System.err);
+
+                channel.connect();
+            } catch (JSchException e) { }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+        throws ServletException, IOException {
+            String host = "sshHost";
+            String user = "user";
+            String password = "password";
+            String command = request.getParameter("command");
+
+            java.util.Properties config = new java.util.Properties();
+            config.put("StrictHostKeyChecking", "no");
+            
+            JSch jsch = new JSch();
+            try {
+                Session session = jsch.getSession(user, host, 22);
+                session.setPassword(password);
+                session.setConfig(config);
+                session.connect();
+
+                ChannelExec channel = (ChannelExec)session.openChannel("exec");
+                channel.setCommand("ping " + command);
+                channel.setInputStream(null);
+                channel.setErrStream(System.err);
+
+                channel.connect();
+            } catch (JSchException e) { }
+    }
+}

java/test/security/CWE-078/ExecTainted.expected

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jsch-0.1.55

java/test/security/CWE-078/ExecTainted.qlref

@@ -40,5 +40,35 @@ public static void main(String[] args) {
         } catch (Exception e) {
             System.err.println("ERROR: " + e.getMessage());
         }
+
+        String script = System.getenv("SCRIPTNAME");
+
+        if (script != null) {
+            try {
+                // 1. array literal in the args
+                Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
+
+                // 2. array literal with dataflow
+                String[] commandArray1 = new String[]{"/bin/sh", script};
+                Runtime.getRuntime().exec(commandArray1);
+
+                // 3. array assignment after it is created
+                String[] commandArray2 = new String[4];
+                commandArray2[0] = "/bin/sh";
+                commandArray2[1] = script;
+                Runtime.getRuntime().exec(commandArray2);
+
+                // 4. Stream concatenation
+                Runtime.getRuntime().exec(
+                    Stream.concat(
+                        Arrays.stream(new String[]{"/bin/sh"}),
+                        Arrays.stream(new String[]{script})
+                    ).toArray(String[]::new)
+                );
+
+            } catch (Exception e) {
+                System.err.println("ERROR: " + e.getMessage());
+            }
+        }
     }
 }