Fix tests

atorralba · Stephan Brandauer · commit f07f0888aadc · 2023-03-10T12:35:13.000+01:00
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -14,7 +14,22 @@ edges
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
-| Test.java:105:14:105:34 | getHostName(...) : String | Test.java:107:46:107:46 | t |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:17:61:17:72 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:19:41:19:52 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:25:38:25:49 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:27:36:27:47 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:29:31:29:42 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:31:33:31:44 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:33:50:33:61 | source(...) : String |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:35:54:35:65 | source(...) : String |
+| mad/Test.java:17:61:17:72 | source(...) : String | mad/Test.java:17:52:17:72 | (...)... |
+| mad/Test.java:19:41:19:52 | source(...) : String | mad/Test.java:19:32:19:52 | (...)... |
+| mad/Test.java:25:38:25:49 | source(...) : String | mad/Test.java:25:31:25:49 | (...)... |
+| mad/Test.java:27:36:27:47 | source(...) : String | mad/Test.java:27:29:27:47 | (...)... |
+| mad/Test.java:29:31:29:42 | source(...) : String | mad/Test.java:29:24:29:42 | (...)... |
+| mad/Test.java:31:33:31:44 | source(...) : String | mad/Test.java:31:24:31:44 | (...)... |
+| mad/Test.java:33:50:33:61 | source(...) : String | mad/Test.java:33:41:33:61 | (...)... |
+| mad/Test.java:35:54:35:65 | source(...) : String | mad/Test.java:35:45:35:65 | (...)... |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -35,8 +50,23 @@ nodes
 | Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
 | Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
 | Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
-| Test.java:105:14:105:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
-| Test.java:107:46:107:46 | t | semmle.label | t |
+| mad/Test.java:12:16:12:36 | getHostName(...) : String | semmle.label | getHostName(...) : String |
+| mad/Test.java:17:52:17:72 | (...)... | semmle.label | (...)... |
+| mad/Test.java:17:61:17:72 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:19:32:19:52 | (...)... | semmle.label | (...)... |
+| mad/Test.java:19:41:19:52 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:25:31:25:49 | (...)... | semmle.label | (...)... |
+| mad/Test.java:25:38:25:49 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:27:29:27:47 | (...)... | semmle.label | (...)... |
+| mad/Test.java:27:36:27:47 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:29:24:29:42 | (...)... | semmle.label | (...)... |
+| mad/Test.java:29:31:29:42 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:31:24:31:44 | (...)... | semmle.label | (...)... |
+| mad/Test.java:31:33:31:44 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:33:41:33:61 | (...)... | semmle.label | (...)... |
+| mad/Test.java:33:50:33:61 | source(...) : String | semmle.label | source(...) : String |
+| mad/Test.java:35:45:35:65 | (...)... | semmle.label | (...)... |
+| mad/Test.java:35:54:35:65 | source(...) : String | semmle.label | source(...) : String |
 subpaths
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
@@ -50,4 +80,11 @@ subpaths
 | Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
 | Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
 | Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
-| Test.java:107:46:107:46 | t | Test.java:105:14:105:34 | getHostName(...) : String | Test.java:107:46:107:46 | t | This path depends on a $@. | Test.java:105:14:105:34 | getHostName(...) | user-provided value |
+| mad/Test.java:17:52:17:72 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:17:52:17:72 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:19:32:19:52 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:19:32:19:52 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:25:31:25:49 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:25:31:25:49 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:27:29:27:47 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:27:29:27:47 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:29:24:29:42 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:29:24:29:42 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:31:9:31:45 | new FileReader(...) | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:31:24:31:44 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:33:41:33:61 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:33:41:33:61 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
+| mad/Test.java:35:45:35:65 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:35:45:35:65 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/mad/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/mad/Test.java
@@ -8,27 +8,30 @@
 
 public class Test {
 
+    public Object source(InetAddress address) {
+        return address.getHostName();
+    }
+
     void test(InetAddress address) throws IOException {
-        String t = address.getHostName();
         // "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
-        getClass().getModule().getResourceAsStream(t);
+        getClass().getModule().getResourceAsStream((String) source(null));
         // "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
-        getClass().getResource(t);
+        getClass().getResource((String) source(null));
         // "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
-        ClassLoader.getSystemResource(t);
+        ClassLoader.getSystemResource((String) source(null));
         // "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
-        File.createTempFile(";", t);
+        File.createTempFile(";", (String) source(null));
         // "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
-        new File("").renameTo((File) t);
+        new File("").renameTo((File) source(null));
         // "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
-        new FileInputStream((File) t);
+        new FileInputStream((File) source(null));
         // "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
-        new FileReader((File) t);
+        new FileReader((File) source(null));
         // "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
-        new FileReader(t);
+        new FileReader((String) source(null));
         // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
-        new ZipURLInstaller((URL) null, t, "");
+        new ZipURLInstaller((URL) null, (String) source(null), "");
         // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
-        new ZipURLInstaller((URL) null, "", t);
+        new ZipURLInstaller((URL) null, "", (String) source(null));
     }
 }
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/options b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo
diff --git a/java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java b/java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java
@@ -20,7 +20,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
     
         String jdbcUrl = request.getParameter("jdbcUrl");
         Driver driver = new org.postgresql.Driver();
-        DataSourceBuilder dsBuilder = new DataSourceBuilder();
+        DataSourceBuilder dsBuilder = DataSourceBuilder.create();
         
         try {
             driver.connect(jdbcUrl, null); // $ SSRF
diff --git a/java/ql/test/query-tests/security/CWE-918/mad/Test.java b/java/ql/test/query-tests/security/CWE-918/mad/Test.java
@@ -1,3 +1,4 @@
+import java.net.URL;
 import javax.servlet.http.HttpServletRequest;
 import javafx.scene.web.WebEngine;
 import org.codehaus.cargo.container.installer.ZipURLInstaller;
@@ -9,14 +10,13 @@ public static Object source(HttpServletRequest request) {
     }
 
     public void test(WebEngine webEngine) {
-        String taint = source(null);
         // "javafx.scene.web;WebEngine;false;load;(String);;Argument[0];open-url;ai-generated"
-        webEngine.load(taint); // $ SSRF
+        webEngine.load((String) source(null)); // $ SSRF
     }
 
     public void test() {
         // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url:ai-generated"
-        new ZipURLInstaller((URL) source(), "", ""); // $ SSRF
+        new ZipURLInstaller((URL) source(null), "", ""); // $ SSRF
     }
 
 }
diff --git a/java/ql/test/query-tests/security/CWE-918/options b/java/ql/test/query-tests/security/CWE-918/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web
 

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6`
	`1`	`+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+import java.net.URL;`
`1`	`2`	`import javax.servlet.http.HttpServletRequest;`
`2`	`3`	`import javafx.scene.web.WebEngine;`
`3`	`4`	`import org.codehaus.cargo.container.installer.ZipURLInstaller;`
`@@ -9,14 +10,13 @@ public static Object source(HttpServletRequest request) {`
`9`	`10`	`}`
`10`	`11`
`11`	`12`	`public void test(WebEngine webEngine) {`
`12`		`- String taint = source(null);`
`13`	`13`	`// "javafx.scene.web;WebEngine;false;load;(String);;Argument[0];open-url;ai-generated"`
`14`		`- webEngine.load(taint); // $ SSRF`
	`14`	`+ webEngine.load((String) source(null)); // $ SSRF`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`public void test() {`
`18`	`18`	`// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url:ai-generated"`
`19`		`- new ZipURLInstaller((URL) source(), "", ""); // $ SSRF`
	`19`	`+ new ZipURLInstaller((URL) source(null), "", ""); // $ SSRF`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/
	`1`	+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web
`2`	`2`