[TEST] Java: ConditionalBypass: convert to qlref

d10c · d10c · commit 44bb5e722010 · 2025-07-17T18:59:03.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.expected b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.expected
@@ -0,0 +1,31 @@
+#select
+| ConditionalBypassTest.java:24:4:24:24 | login(...) | ConditionalBypassTest.java:19:20:19:50 | getParameter(...) : String | ConditionalBypassTest.java:23:7:23:24 | ... == ... | Sensitive method may not be executed depending on a $@, which flows from $@. | ConditionalBypassTest.java:23:7:23:24 | ... == ... | this condition | ConditionalBypassTest.java:19:20:19:50 | getParameter(...) | user-controlled value |
+| ConditionalBypassTest.java:30:4:30:24 | login(...) | ConditionalBypassTest.java:29:7:29:28 | getValue(...) : String | ConditionalBypassTest.java:29:7:29:44 | equals(...) | Sensitive method may not be executed depending on a $@, which flows from $@. | ConditionalBypassTest.java:29:7:29:44 | equals(...) | this condition | ConditionalBypassTest.java:29:7:29:28 | getValue(...) | user-controlled value |
+| ConditionalBypassTest.java:77:4:77:24 | login(...) | ConditionalBypassTest.java:76:7:76:28 | getValue(...) : String | ConditionalBypassTest.java:76:7:76:39 | ... == ... | Sensitive method may not be executed depending on a $@, which flows from $@. | ConditionalBypassTest.java:76:7:76:39 | ... == ... | this condition | ConditionalBypassTest.java:76:7:76:28 | getValue(...) | user-controlled value |
+| ConditionalBypassTest.java:89:4:89:24 | login(...) | ConditionalBypassTest.java:88:7:88:28 | getValue(...) : String | ConditionalBypassTest.java:88:7:88:39 | ... == ... | Sensitive method may not be executed depending on a $@, which flows from $@. | ConditionalBypassTest.java:88:7:88:39 | ... == ... | this condition | ConditionalBypassTest.java:88:7:88:28 | getValue(...) | user-controlled value |
+| ConditionalBypassTest.java:134:4:134:24 | login(...) | ConditionalBypassTest.java:133:7:133:28 | getValue(...) : String | ConditionalBypassTest.java:133:7:133:39 | ... == ... | Sensitive method may not be executed depending on a $@, which flows from $@. | ConditionalBypassTest.java:133:7:133:39 | ... == ... | this condition | ConditionalBypassTest.java:133:7:133:28 | getValue(...) | user-controlled value |
+| ConditionalBypassTest.java:146:5:146:29 | authorize(...) | ConditionalBypassTest.java:145:8:145:29 | getValue(...) : String | ConditionalBypassTest.java:145:8:145:40 | ... == ... | Sensitive method may not be executed depending on a $@, which flows from $@. | ConditionalBypassTest.java:145:8:145:40 | ... == ... | this condition | ConditionalBypassTest.java:145:8:145:29 | getValue(...) | user-controlled value |
+edges
+| ConditionalBypassTest.java:19:20:19:50 | getParameter(...) : String | ConditionalBypassTest.java:23:7:23:24 | ... == ... | provenance | Src:MaD:2  |
+| ConditionalBypassTest.java:29:7:29:28 | getValue(...) : String | ConditionalBypassTest.java:29:7:29:44 | equals(...) | provenance | Src:MaD:1  |
+| ConditionalBypassTest.java:76:7:76:28 | getValue(...) : String | ConditionalBypassTest.java:76:7:76:39 | ... == ... | provenance | Src:MaD:1  |
+| ConditionalBypassTest.java:88:7:88:28 | getValue(...) : String | ConditionalBypassTest.java:88:7:88:39 | ... == ... | provenance | Src:MaD:1  |
+| ConditionalBypassTest.java:133:7:133:28 | getValue(...) : String | ConditionalBypassTest.java:133:7:133:39 | ... == ... | provenance | Src:MaD:1  |
+| ConditionalBypassTest.java:145:8:145:29 | getValue(...) : String | ConditionalBypassTest.java:145:8:145:40 | ... == ... | provenance | Src:MaD:1  |
+models
+| 1 | Source: javax.servlet.http; Cookie; false; getValue; (); ; ReturnValue; remote; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+nodes
+| ConditionalBypassTest.java:19:20:19:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ConditionalBypassTest.java:23:7:23:24 | ... == ... | semmle.label | ... == ... |
+| ConditionalBypassTest.java:29:7:29:28 | getValue(...) : String | semmle.label | getValue(...) : String |
+| ConditionalBypassTest.java:29:7:29:44 | equals(...) | semmle.label | equals(...) |
+| ConditionalBypassTest.java:76:7:76:28 | getValue(...) : String | semmle.label | getValue(...) : String |
+| ConditionalBypassTest.java:76:7:76:39 | ... == ... | semmle.label | ... == ... |
+| ConditionalBypassTest.java:88:7:88:28 | getValue(...) : String | semmle.label | getValue(...) : String |
+| ConditionalBypassTest.java:88:7:88:39 | ... == ... | semmle.label | ... == ... |
+| ConditionalBypassTest.java:133:7:133:28 | getValue(...) : String | semmle.label | getValue(...) : String |
+| ConditionalBypassTest.java:133:7:133:39 | ... == ... | semmle.label | ... == ... |
+| ConditionalBypassTest.java:145:8:145:29 | getValue(...) : String | semmle.label | getValue(...) : String |
+| ConditionalBypassTest.java:145:8:145:40 | ... == ... | semmle.label | ... == ... |
+subpaths
diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
@@ -16,18 +16,18 @@ public static void main(HttpServletRequest request) throws Exception {
 		String user = request.getParameter("user");
 		String password = request.getParameter("password");
 
-		String isAdmin = request.getParameter("isAdmin");
+		String isAdmin = request.getParameter("isAdmin"); // $ Source
 
 		// BAD: login is only executed if isAdmin is false, but isAdmin
 		// is controlled by the user
-		if (isAdmin == "false") // $ hasConditionalBypassTest
-			login(user, password);
+		if (isAdmin == "false") // $ Sink
+			login(user, password); // $ Alert
 
 		Cookie adminCookie = getCookies()[0];
 		// BAD: login is only executed if the cookie value is false, but the cookie
 		// is controlled by the user
-		if (adminCookie.getValue().equals("false")) // $ hasConditionalBypassTest
-			login(user, password);
+		if (adminCookie.getValue().equals("false")) // $ Source Sink
+			login(user, password); // $ Alert
 
 		// GOOD: both methods are conditionally executed, but they probably
 		// both perform the security-critical action
@@ -38,7 +38,7 @@ public static void main(HttpServletRequest request) throws Exception {
 		}
 
 		// FALSE NEGATIVE: we have no way of telling that the skipped method is sensitive
-		if (adminCookie.getValue() == "false") // $ MISSING: hasConditionalBypassTest
+		if (adminCookie.getValue() == "false") // $ MISSING: Alert
 			doReallyImportantSecurityWork();
 
 		InetAddress local = InetAddress.getLocalHost();
@@ -73,8 +73,8 @@ public static void test(String user, String password) {
 	public static void test2(String user, String password) {
 		Cookie adminCookie = getCookies()[0];
 		// BAD: login may happen once or twice
-		if (adminCookie.getValue() == "false") // $ hasConditionalBypassTest
-			login(user, password);
+		if (adminCookie.getValue() == "false") // $ Source Sink
+			login(user, password); // $ Alert
 		else {
 			// do something else
 			doIt();
@@ -85,8 +85,8 @@ public static void test2(String user, String password) {
 	public static void test3(String user, String password) {
 		Cookie adminCookie = getCookies()[0];
 		// BAD: login may not happen
-		if (adminCookie.getValue() == "false") // $ hasConditionalBypassTest
-			login(user, password);
+		if (adminCookie.getValue() == "false") // $ Source Sink
+			login(user, password); // $ Alert
 		else {
 			// do something else
 			doIt();
@@ -130,8 +130,8 @@ public static void test6(String user, String password) {
 	public static void test7(String user, String password) {
 		Cookie adminCookie = getCookies()[0];
 		// BAD: login is bypasseable
-		if (adminCookie.getValue() == "false") { // $ hasConditionalBypassTest
-			login(user, password);
+		if (adminCookie.getValue() == "false") { // $ Source Sink
+			login(user, password); // $ Alert
 			return;
 		} else {
 			doIt();
@@ -142,8 +142,8 @@ public static void test8(String user, String password) {
 		Cookie adminCookie = getCookies()[0];
 		{
 			// BAD: login may not happen
-			if (adminCookie.getValue() == "false") // $ hasConditionalBypassTest
-				authorize(user, password);
+			if (adminCookie.getValue() == "false") // $ Source Sink
+				authorize(user, password); // $ Alert
 			else {
 				// do something else
 				doIt();
diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql
diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.qlref b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.qlref
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-807/ConditionalBypass.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
