Java: update test cases to use inline expectations

Author: Jami Cogswell

java/ql/test/query-tests/security/CWE-552/UnsafeLoadSpringResource.java

@@ -32,7 +32,7 @@ public String getFileContent1(@RequestParam(name="fileName") String fileName) {
 		char[] buffer = new char[4096];
 		StringBuilder out = new StringBuilder();
 		try {
-			Reader in = new FileReader(clr.getFilename());
+			Reader in = new FileReader(clr.getFilename()); // $ hasUnsafeUrlForward (path-inj?)
 			for (int numRead; (numRead = in.read(buffer, 0, buffer.length)) > 0; ) {
 				out.append(buffer, 0, numRead);
 			}
@@ -67,13 +67,13 @@ public String getFileContent1a(@RequestParam(name="fileName") String fileName) {
 	//BAD: Get resource from ResourceUtils without input validation
 	public String getFileContent2(@RequestParam(name="fileName") String fileName) {
 		String content = null;
-		
+
 		try {
 			// A request such as the following can disclose source code and system configuration
 			// fileName=/etc/hosts
 			// fileName=file:/etc/hosts
 			// fileName=/opt/appdir/WEB-INF/views/page.jsp
-			File file = ResourceUtils.getFile(fileName);
+			File file = ResourceUtils.getFile(fileName); // $ hasUnsafeUrlForward (path-inj?)
 			//Read File Content
 			content = new String(Files.readAllBytes(file.toPath()));
 		} catch (IOException ie) {
@@ -86,7 +86,7 @@ public String getFileContent2(@RequestParam(name="fileName") String fileName) {
 	//GOOD: Get resource from ResourceUtils with input path validation
 	public String getFileContent2a(@RequestParam(name="fileName") String fileName) {
 		String content = null;
-		
+
 		if (fileName.startsWith("/safe_dir") && !fileName.contains("..")) {
 			try {
 					File file = ResourceUtils.getFile(fileName);
@@ -113,7 +113,7 @@ public String getFileContent3(@RequestParam(name="fileName") String fileName) {
 			// fileName=/WEB-INF/views/page.jsp
 			// fileName=/WEB-INF/classes/com/example/package/SampleController.class
 			// fileName=file:/etc/hosts
-			Resource resource = resourceLoader.getResource(fileName);
+			Resource resource = resourceLoader.getResource(fileName); // $ hasUnsafeUrlForward (path-inj?)
 
 			char[] buffer = new char[4096];
 			StringBuilder out = new StringBuilder();

java/ql/test/query-tests/security/CWE-552/UnsafeRequestPath.java

@@ -14,35 +14,35 @@ public class UnsafeRequestPath implements Filter {
 	private static final String BASE_PATH = "/pages";
 
 	@Override
-	// BAD: Request dispatcher from servlet path without check 
+	// BAD: Request dispatcher from servlet path without check
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
 		throws IOException, ServletException {
 		String path = ((HttpServletRequest) request).getServletPath();
 		// A sample payload "/%57EB-INF/web.xml" can bypass this `startsWith` check
 		if (path != null && !path.startsWith("/WEB-INF")) {
-			request.getRequestDispatcher(path).forward(request, response);
+			request.getRequestDispatcher(path).forward(request, response); // $ hasUnsafeUrlForward
 		} else {
 			chain.doFilter(request, response);
 		}
 	}
 
-	// GOOD: Request dispatcher from servlet path with check 
+	// GOOD: Request dispatcher from servlet path with check
 	public void doFilter2(ServletRequest request, ServletResponse response, FilterChain chain)
 		throws IOException, ServletException {
 		String path = ((HttpServletRequest) request).getServletPath();
-		
+
 		if (path.startsWith(BASE_PATH) && !path.contains("..")) {
 			request.getRequestDispatcher(path).forward(request, response);
 		} else {
 			chain.doFilter(request, response);
 		}
 	}
 
-	// GOOD: Request dispatcher from servlet path with whitelisted string comparison 
+	// GOOD: Request dispatcher from servlet path with whitelisted string comparison
 	public void doFilter3(ServletRequest request, ServletResponse response, FilterChain chain)
 		throws IOException, ServletException {
 		String path = ((HttpServletRequest) request).getServletPath();
-		
+
 		if (path.equals("/comaction")) {
 			request.getRequestDispatcher(path).forward(request, response);
 		} else {

java/ql/test/query-tests/security/CWE-552/UnsafeResourceGet.java

@@ -38,7 +38,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 		// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
 		URL url = sc.getResource(requestUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -112,7 +112,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 		ServletOutputStream out = response.getOutputStream();
 
 		// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
-		InputStream in = request.getServletContext().getResourceAsStream(requestPath);
+		InputStream in = request.getServletContext().getResourceAsStream(requestPath); // $ hasUnsafeUrlForward (path-inj?)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -147,7 +147,7 @@ protected void doHead(HttpServletRequest request, HttpServletResponse response)
 		// Note the class is in two levels of subpackages and `Class.getResource` starts from its own directory
 		URL url = getClass().getResource(requestUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -186,7 +186,7 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response)
 
 		// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
 		// Note the class is in two levels of subpackages and `ClassLoader.getResourceAsStream` starts from its own directory
-		InputStream in = getClass().getClassLoader().getResourceAsStream(requestPath);
+		InputStream in = getClass().getClassLoader().getResourceAsStream(requestPath); // $ hasUnsafeUrlForward (path-inj?)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -223,7 +223,7 @@ protected void doPutBad(HttpServletRequest request, HttpServletResponse response
 		// Note the class is in two levels of subpackages and `ClassLoader.getResource` starts from its own directory
 		URL url = getClass().getClassLoader().getResource(requestUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		byte[] buf = new byte[4 * 1024];  // 4K buffer
 		int bytesRead;
 		while ((bytesRead = in.read(buf)) != -1) {
@@ -242,7 +242,7 @@ protected void doPutBad2(HttpServletRequest request, HttpServletResponse respons
 
 			VirtualFile overlay = VFS.getChild(new URI("EAP_HOME/modules/"));
 			// Do file operations
-			overlay.getChild(rs.getPath());
+			overlay.getChild(rs.getPath()); // $ hasUnsafeUrlForward (path-inj?)
 		} catch (URISyntaxException ue) {
 			throw new IOException("Cannot parse the URI");
 		}

java/ql/test/query-tests/security/CWE-552/UnsafeResourceGet2.java

@@ -16,7 +16,7 @@ public String parameterActionBad1() throws IOException {
 		Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
 		String loadUrl = params.get("loadUrl");
 
-		InputStreamReader isr = new InputStreamReader(fc.getExternalContext().getResourceAsStream(loadUrl));
+		InputStreamReader isr = new InputStreamReader(fc.getExternalContext().getResourceAsStream(loadUrl)); // $ hasUnsafeUrlForward (path-inj?)
 		BufferedReader br = new BufferedReader(isr);
 		if(br.ready()) {
 			//Do Stuff
@@ -34,7 +34,7 @@ public String parameterActionBad2() throws IOException {
 
 		URL url = fc.getExternalContext().getResource(loadUrl);
 
-		InputStream in = url.openStream();
+		InputStream in = url.openStream(); // $ hasUnsafeUrlForward (SSRF)
 		//Do Stuff
 		return "result";
 	}

java/ql/test/query-tests/security/CWE-552/UnsafeServletRequestDispatch.java

@@ -29,13 +29,13 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 			rd.forward(request, response);
 		} else {
 			ServletContext sc = cfg.getServletContext();
-			RequestDispatcher rd = sc.getRequestDispatcher(returnURL);
+			RequestDispatcher rd = sc.getRequestDispatcher(returnURL); // $ hasUnsafeUrlForward
 			rd.forward(request, response);
 		}
 	}
 
 	@Override
-	// BAD: Request dispatcher constructed from `HttpServletRequest` without input validation 
+	// BAD: Request dispatcher constructed from `HttpServletRequest` without input validation
 	protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		String action = request.getParameter("action");
@@ -45,7 +45,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			RequestDispatcher rd = request.getRequestDispatcher("/Login.jsp");
 			rd.forward(request, response);
 		} else {
-			RequestDispatcher rd = request.getRequestDispatcher(returnURL);
+			RequestDispatcher rd = request.getRequestDispatcher(returnURL); // $ hasUnsafeUrlForward
 			rd.forward(request, response);
 		}
 	}
@@ -65,22 +65,22 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response)
 		}
 	}
 
-	// BAD: Request dispatcher without path traversal check 
+	// BAD: Request dispatcher without path traversal check
 	protected void doHead2(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		String path = request.getParameter("path");
 
-		// A sample payload "/pages/welcome.jsp/../WEB-INF/web.xml" can bypass the `startsWith` check 
-		// The payload "/pages/welcome.jsp/../../%57EB-INF/web.xml" can bypass the check as well since RequestDispatcher will decode `%57` as `W`  
+		// A sample payload "/pages/welcome.jsp/../WEB-INF/web.xml" can bypass the `startsWith` check
+		// The payload "/pages/welcome.jsp/../../%57EB-INF/web.xml" can bypass the check as well since RequestDispatcher will decode `%57` as `W`
 		if (path.startsWith(BASE_PATH)) {
-			request.getServletContext().getRequestDispatcher(path).include(request, response);
+			request.getServletContext().getRequestDispatcher(path).include(request, response); // $ hasUnsafeUrlForward
 		}
 	}
 
-	// GOOD: Request dispatcher with path traversal check 
+	// GOOD: Request dispatcher with path traversal check
 	protected void doHead3(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
-		String path = request.getParameter("path");		
+		String path = request.getParameter("path");
 
 		if (path.startsWith(BASE_PATH) && !path.contains("..")) {
 			request.getServletContext().getRequestDispatcher(path).include(request, response);
@@ -110,7 +110,7 @@ protected void doHead5(HttpServletRequest request, HttpServletResponse response)
 		Path requestedPath = Paths.get(BASE_PATH).resolve(path).normalize();
 
 		if (!requestedPath.startsWith("/WEB-INF") && !requestedPath.startsWith("/META-INF")) {
-			request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response);
+			request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response); // $ MISSING: hasUnsafeUrlForward
 		}
 	}