[TEST] Java: CWE-020/ExternalAPI: new test based on qhelp

Author: d10c

java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java

@@ -0,0 +1,14 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class ExternalAPISinkExample extends HttpServlet {
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+	throws ServletException, IOException {
+		// BAD: a request parameter is written directly to an error response page
+		response.sendError(HttpServletResponse.SC_NOT_FOUND,
+				"The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
+	}
+}

java/ql/test/query-tests/security/CWE-020/ExternalAPITaintStepExample.java

@@ -0,0 +1,19 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class ExternalAPITaintStepExample extends HttpServlet {
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+	throws ServletException, IOException {
+
+		StringBuilder sqlQueryBuilder = new StringBuilder();
+		sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
+		// BAD: a request parameter is concatenated directly into a SQL query
+		sqlQueryBuilder.append(request.getParameter("user_id"));
+		sqlQueryBuilder.append("'");
+
+		// ...
+	}
+}

java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.expected

@@ -0,0 +1 @@
+| javax.servlet.http.HttpServletResponse.sendError(int,java.lang.String) [param 1] | 1 | 1 |

java/ql/test/query-tests/security/CWE-020/ExternalAPIsUsedWithUntrustedData.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql

java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.expected

@@ -0,0 +1,11 @@
+#select
+| ExternalAPISinkExample.java:12:5:12:70 | ... + ... | ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | ExternalAPISinkExample.java:12:5:12:70 | ... + ... | Call to javax.servlet.http.HttpServletResponse.sendError with untrusted data from $@. | ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | getParameter(...) : String |
+edges
+| ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | ExternalAPISinkExample.java:12:5:12:70 | ... + ... | provenance | Src:MaD:2 Sink:MaD:1 |
+models
+| 1 | Sink: javax.servlet.http; HttpServletResponse; false; sendError; (int,String); ; Argument[1]; information-leak; manual |
+| 2 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
+nodes
+| ExternalAPISinkExample.java:12:5:12:70 | ... + ... | semmle.label | ... + ... |
+| ExternalAPISinkExample.java:12:21:12:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+subpaths

java/ql/test/query-tests/security/CWE-020/UntrustedDataToExternalAPI.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql