Java: ExternalAPIs (enable diff-informed + add tests based on qhelp)

d10c · d10c · commit 1119e806f189 · 2025-07-07T17:51:38.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll
@@ -103,7 +103,7 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 
   predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@113:36:113:79), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@116:43:116:92)
+    any() // Simple use in UntrustedDataToExternalAPI.ql; also used through ExternalApiUsedWithUntrustedData in ExternalAPIsUsedWithUntrustedData.ql
   }
 }
 
diff --git a/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java b/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java
@@ -0,0 +1,14 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class ExternalAPISinkExample extends HttpServlet {
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+	throws ServletException, IOException {
+		// BAD: a request parameter is written directly to an error response page
+		response.sendError(HttpServletResponse.SC_NOT_FOUND,
+				"The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
+	}
+}
diff --git a/java/ql/test/query-tests/security/CWE-020/ExternalAPITaintStepExample.java b/java/ql/test/query-tests/security/CWE-020/ExternalAPITaintStepExample.java
@@ -0,0 +1,19 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class ExternalAPITaintStepExample extends HttpServlet {
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+	throws ServletException, IOException {
+
+		StringBuilder sqlQueryBuilder = new StringBuilder();
+		sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
+		// BAD: a request parameter is concatenated directly into a SQL query
+		sqlQueryBuilder.append(request.getParameter("user_id"));
+		sqlQueryBuilder.append("'");
+
+		// ...
+	}
+}
diff --git a/java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.expected b/java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.expected
@@ -0,0 +1 @@
+| javax.servlet.http.HttpServletResponse.sendError(int,java.lang.String) [param 1] | 1 | 1 |
diff --git a/java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref b/java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref
@@ -0,0 +1,3 @@
+query: Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
diff --git a/java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.expected b/java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.expected
@@ -0,0 +1,11 @@
+#select
+| ExternalAPISinkExample.java:12:5:12:70 | ... + ... | ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | ExternalAPISinkExample.java:12:5:12:70 | ... + ... | Call to javax.servlet.http.HttpServletResponse.sendError with untrusted data from $@. | ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | getParameter(...) : String |
+edges
+| ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | ExternalAPISinkExample.java:12:5:12:70 | ... + ... | provenance | Src:MaD:2 Sink:MaD:1 |
+models
+| 1 | Sink: javax.servlet.http; HttpServletResponse; false; sendError; (int,String); ; Argument[1]; information-leak; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+nodes
+| ExternalAPISinkExample.java:12:5:12:70 | ... + ... | semmle.label | ... + ... |
+| ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+subpaths
diff --git a/java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.qlref b/java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.qlref
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {`
`103`	`103`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
`104`	`104`
`105`	`105`	`predicate observeDiffInformedIncrementalMode() {`
`106`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@113:36:113:79), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@116:43:116:92)`
	`106`	`+ any() // Simple use in UntrustedDataToExternalAPI.ql; also used through ExternalApiUsedWithUntrustedData in ExternalAPIsUsedWithUntrustedData.ql`
`107`	`107`	`}`
`108`	`108`	`}`
`109`	`109`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| javax.servlet.http.HttpServletResponse.sendError(int,java.lang.String) [param 1] \| 1 \| 1 \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+query: Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql`
	`2`	`+postprocess:`
	`3`	`+ - utils/test/PrettyPrintModels.ql`