Java: convert XXE test to .qlref

Author: d10c

java/ql/test/query-tests/security/CWE-611/CdaUtilTests.java

@@ -7,17 +7,17 @@
 public class CdaUtilTests {
 
     public void test(Socket sock) throws Exception {
-        InputStream is = sock.getInputStream();
+        InputStream is = sock.getInputStream(); // $ Source
         InputSource iSrc = new InputSource(new InputStreamReader(is));
-        CDAUtil.load(is); // $ hasTaintFlow
-        CDAUtil.load(iSrc); // $ hasTaintFlow
-        CDAUtil.load(is, (CDAUtil.ValidationHandler) null); // $ hasTaintFlow
-        CDAUtil.load(is, (CDAUtil.LoadHandler) null); // $ hasTaintFlow
-        CDAUtil.load(null, null, is, null); // $ hasTaintFlow
-        CDAUtil.load(iSrc, (CDAUtil.ValidationHandler) null); // $ hasTaintFlow
-        CDAUtil.load(iSrc, (CDAUtil.LoadHandler) null); // $ hasTaintFlow
-        CDAUtil.load(null, null, iSrc, null); // $ hasTaintFlow
-        CDAUtil.loadAs(is, null); // $ hasTaintFlow
-        CDAUtil.loadAs(is, null, null); // $ hasTaintFlow
+        CDAUtil.load(is); // $ Alert
+        CDAUtil.load(iSrc); // $ Alert
+        CDAUtil.load(is, (CDAUtil.ValidationHandler) null); // $ Alert
+        CDAUtil.load(is, (CDAUtil.LoadHandler) null); // $ Alert
+        CDAUtil.load(null, null, is, null); // $ Alert
+        CDAUtil.load(iSrc, (CDAUtil.ValidationHandler) null); // $ Alert
+        CDAUtil.load(iSrc, (CDAUtil.LoadHandler) null); // $ Alert
+        CDAUtil.load(null, null, iSrc, null); // $ Alert
+        CDAUtil.loadAs(is, null); // $ Alert
+        CDAUtil.loadAs(is, null, null); // $ Alert
     }
 }

java/ql/test/query-tests/security/CWE-611/DigesterTests.java

@@ -11,9 +11,9 @@ public class DigesterTests {
 
     @PostMapping(value = "bad")
     public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
-        ServletInputStream servletInputStream = request.getInputStream();
+        ServletInputStream servletInputStream = request.getInputStream(); // $ Source
         Digester digester = new Digester();
-        digester.parse(servletInputStream); // $ hasTaintFlow
+        digester.parse(servletInputStream); // $ Alert
     }
 
     @PostMapping(value = "good")

java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java

@@ -11,7 +11,7 @@ class DocumentBuilderTests {
   public void unconfiguredParse(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void disableDTD(Socket sock) throws Exception {
@@ -25,30 +25,30 @@ public void enableSecurityFeature(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
+    builder.parse(sock.getInputStream()); // $ Alert -- secure-processing by itself is
                                           // insufficient
   }
 
   public void enableSecurityFeature2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
+    builder.parse(sock.getInputStream()); // $ Alert -- secure-processing by itself is
                                           // insufficient
   }
 
   public void enableDTD(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void disableSecurityFeature(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void disableExternalEntities(Socket sock) throws Exception {
@@ -63,45 +63,45 @@ public void partialDisableExternalEntities(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void partialDisableExternalEntities2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void misConfigureExternalEntities1(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void misConfigureExternalEntities2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); // $ hasTaintFlow
+    builder.parse(sock.getInputStream()); // $ Alert
   }
 
   public void taintedSAXInputSource1(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     DocumentBuilder builder = factory.newDocumentBuilder();
-    SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
-    builder.parse(source.getInputSource()); // $ hasTaintFlow
+    SAXSource source = new SAXSource(new InputSource(sock.getInputStream())); // $ Source
+    builder.parse(source.getInputSource()); // $ Alert
   }
 
   public void taintedSAXInputSource2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     DocumentBuilder builder = factory.newDocumentBuilder();
-    StreamSource source = new StreamSource(sock.getInputStream());
-    builder.parse(SAXSource.sourceToInputSource(source)); // $ hasTaintFlow
-    builder.parse(source.getInputStream()); // $ hasTaintFlow
+    StreamSource source = new StreamSource(sock.getInputStream()); // $ Source
+    builder.parse(SAXSource.sourceToInputSource(source)); // $ Alert
+    builder.parse(source.getInputStream()); // $ Alert
   }
 
   private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {

java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java

@@ -9,6 +9,6 @@ public class ParserHelperTests {
 
     @PostMapping(value = "bad4")
     public void bad4(HttpServletRequest request) throws Exception {
-        Document document = ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow
+        Document document = ParserHelper.loadDocument(request.getInputStream()); // $ Alert
     }
 }

java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java

@@ -5,7 +5,7 @@ public class SAXBuilderTests {
 
   public void unconfiguredSAXBuilder(Socket sock) throws Exception {
     SAXBuilder builder = new SAXBuilder();
-    builder.build(sock.getInputStream()); // $ hasTaintFlow
+    builder.build(sock.getInputStream()); // $ Alert
   }
 
   public void safeBuilder(Socket sock) throws Exception {
@@ -17,6 +17,6 @@ public void safeBuilder(Socket sock) throws Exception {
   public void misConfiguredBuilder(Socket sock) throws Exception {
     SAXBuilder builder = new SAXBuilder();
     builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
-    builder.build(sock.getInputStream()); // $ hasTaintFlow
+    builder.build(sock.getInputStream()); // $ Alert
   }
 }

java/ql/test/query-tests/security/CWE-611/SAXParserTests.java

@@ -10,7 +10,7 @@ public class SAXParserTests {
   public void unconfiguredParser(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void safeParser(Socket sock) throws Exception {
@@ -27,23 +27,23 @@ public void partialConfiguredParser1(Socket sock) throws Exception {
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void partialConfiguredParser2(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void partialConfiguredParser3(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void misConfiguredParser1(Socket sock) throws Exception {
@@ -52,7 +52,7 @@ public void misConfiguredParser1(Socket sock) throws Exception {
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void misConfiguredParser2(Socket sock) throws Exception {
@@ -61,7 +61,7 @@ public void misConfiguredParser2(Socket sock) throws Exception {
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void misConfiguredParser3(Socket sock) throws Exception {
@@ -70,7 +70,7 @@ public void misConfiguredParser3(Socket sock) throws Exception {
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert
   }
 
   public void safeParser2(Socket sock) throws Exception {

java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java

@@ -5,7 +5,7 @@ public class SAXReaderTests {
 
   public void unconfiguredReader(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 
   public void safeReader(Socket sock) throws Exception {
@@ -20,44 +20,44 @@ public void partialConfiguredReader1(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 
   public void partialConfiguredReader2(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 
   public void partialConfiguredReader3(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 
   public void misConfiguredReader1(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 
   public void misConfiguredReader2(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 
   public void misConfiguredReader3(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
-    reader.read(sock.getInputStream()); // $ hasTaintFlow
+    reader.read(sock.getInputStream()); // $ Alert
   }
 }

java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java

@@ -14,10 +14,10 @@ public class SAXSourceTests {
 
   public void unsafeSource(Socket sock) throws Exception {
     XMLReader reader = XMLReaderFactory.createXMLReader();
-    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // $ Source
     JAXBContext jc = JAXBContext.newInstance(Object.class);
     Unmarshaller um = jc.createUnmarshaller();
-    um.unmarshal(source); // $ hasTaintFlow
+    um.unmarshal(source); // $ Alert
   }
 
   public void explicitlySafeSource1(Socket sock) throws Exception {

java/ql/test/query-tests/security/CWE-611/SchemaTests.java

@@ -9,7 +9,7 @@ public class SchemaTests {
 
   public void unconfiguredSchemaFactory(Socket sock) throws Exception {
     SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
-    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
+    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert
   }
 
   public void safeSchemaFactory(Socket sock) throws Exception {
@@ -22,26 +22,26 @@ public void safeSchemaFactory(Socket sock) throws Exception {
   public void partialConfiguredSchemaFactory1(Socket sock) throws Exception {
     SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
+    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert
   }
 
   public void partialConfiguredSchemaFactory2(Socket sock) throws Exception {
     SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
+    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert
   }
 
   public void misConfiguredSchemaFactory1(Socket sock) throws Exception {
     SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "ab");
-    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
+    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert
   }
 
   public void misConfiguredSchemaFactory2(Socket sock) throws Exception {
     SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "cd");
     factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
+    Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert
   }
 }