Java: tests for automodel framework mode candidate extraction

Stephan Brandauer · Stephan Brandauer · commit 18fe587e7514 · 2023-08-01T09:18:56.000+02:00
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/AutomodelFrameworkModeExtractCandidates.expected b/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/AutomodelFrameworkModeExtractCandidates.expected
@@ -0,0 +1,3 @@
+| com/github/codeql/test/PublicClass.java:4:21:4:30 | arg | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:4:21:4:30 | arg | MethodDoc | com/github/codeql/test/PublicClass.java:4:21:4:30 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://arg:1:1:1:1 | arg | parameterName |
+| com/github/codeql/test/PublicClass.java:8:34:8:43 | arg | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/github/codeql/test/PublicClass.java:8:34:8:43 | arg | MethodDoc | com/github/codeql/test/PublicClass.java:8:34:8:43 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package | file://PublicClass:1:1:1:1 | PublicClass | type | file://false:1:1:1:1 | false | subtypes | file://staticStuff:1:1:1:1 | staticStuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://arg:1:1:1:1 | arg | parameterName |
+| java/nio/file/Files.java:12:42:12:57 | out | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | java/nio/file/Files.java:12:42:12:57 | out | MethodDoc | java/nio/file/Files.java:12:42:12:57 | out | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://copy:1:1:1:1 | copy | name | file://(Path,OutputStream):1:1:1:1 | (Path,OutputStream) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://out:1:1:1:1 | out | parameterName |
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/AutomodelFrameworkModeExtractCandidates.qlref b/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/AutomodelFrameworkModeExtractCandidates.qlref
@@ -0,0 +1 @@
+Telemetry/AutomodelFrameworkModeExtractCandidates.ql
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/com/github/codeql/test/NonPublicClass.java b/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/com/github/codeql/test/NonPublicClass.java
@@ -0,0 +1,10 @@
+package com.github.codeql.test;
+
+/**
+ * No candidates in this class, as it's not public!
+ */
+class NonPublicClass {
+  public void noCandidates(String here) {
+    System.out.println(here);
+  }
+}
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/com/github/codeql/test/PublicClass.java b/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/com/github/codeql/test/PublicClass.java
@@ -0,0 +1,16 @@
+package com.github.codeql.test;
+
+public class PublicClass {
+  public void stuff(String arg) { // arg is a candidate
+    System.out.println(arg);
+  }
+
+  public static void staticStuff(String arg) { // arg is a candidate
+    System.out.println(arg);
+  }
+
+  // arg is not a candidate because the method is not public:
+  protected void nonPublicStuff(String arg) {
+    System.out.println(arg);
+  }
+}
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/java/nio/file/Files.java b/java/ql/test/query-tests/Telemetry/AutomodelFrameworkModeExtractCandidates/java/nio/file/Files.java
@@ -0,0 +1,15 @@
+package java.nio.file;
+
+import java.nio.file.Path;
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class Files {
+    // - source is not a candidate because a manual model exists:
+    // ["java.nio.file", "Files", False, "copy", "(Path,OutputStream)", "", "Argument[0]", "path-injection", "manual"]
+    // - out is a candidate. NB: may be worthwile to implement the same behaviour as in application mode where out
+    //   would not be a candidate because another param is already modeled.
+    public static void copy(Path source, OutputStream out) throws IOException {
+        // ...
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+\| com/github/codeql/test/PublicClass.java:4:21:4:30 \| arg \| command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. \| com/github/codeql/test/PublicClass.java:4:21:4:30 \| arg \| MethodDoc \| com/github/codeql/test/PublicClass.java:4:21:4:30 \| arg \| ClassDoc \| file://com.github.codeql.test:1:1:1:1 \| com.github.codeql.test \| package \| file://PublicClass:1:1:1:1 \| PublicClass \| type \| file://true:1:1:1:1 \| true \| subtypes \| file://stuff:1:1:1:1 \| stuff \| name \| file://(String):1:1:1:1 \| (String) \| signature \| file://Argument[0]:1:1:1:1 \| Argument[0] \| input \| file://arg:1:1:1:1 \| arg \| parameterName \|
	`2`	+\| com/github/codeql/test/PublicClass.java:8:34:8:43 \| arg \| command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. \| com/github/codeql/test/PublicClass.java:8:34:8:43 \| arg \| MethodDoc \| com/github/codeql/test/PublicClass.java:8:34:8:43 \| arg \| ClassDoc \| file://com.github.codeql.test:1:1:1:1 \| com.github.codeql.test \| package \| file://PublicClass:1:1:1:1 \| PublicClass \| type \| file://false:1:1:1:1 \| false \| subtypes \| file://staticStuff:1:1:1:1 \| staticStuff \| name \| file://(String):1:1:1:1 \| (String) \| signature \| file://Argument[0]:1:1:1:1 \| Argument[0] \| input \| file://arg:1:1:1:1 \| arg \| parameterName \|
	`3`	+\| java/nio/file/Files.java:12:42:12:57 \| out \| command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. \| java/nio/file/Files.java:12:42:12:57 \| out \| MethodDoc \| java/nio/file/Files.java:12:42:12:57 \| out \| ClassDoc \| file://java.nio.file:1:1:1:1 \| java.nio.file \| package \| file://Files:1:1:1:1 \| Files \| type \| file://false:1:1:1:1 \| false \| subtypes \| file://copy:1:1:1:1 \| copy \| name \| file://(Path,OutputStream):1:1:1:1 \| (Path,OutputStream) \| signature \| file://Argument[1]:1:1:1:1 \| Argument[1] \| input \| file://out:1:1:1:1 \| out \| parameterName \|
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Telemetry/AutomodelFrameworkModeExtractCandidates.ql`