
Commit 7f05b72

committed
Java: convert OgnlInjection test to .qlref
1 parent cadfd0d commit 7f05b72


4 files changed

+140
-45
lines changed


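--- a/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java
+++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java
@@ -13,61 +13,61 @@
 @Controller
 public class OgnlInjection {
 @RequestMapping
-public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
+public void testOgnlParseExpression(@RequestParam String expr) throws Exception { // $ Source
 Object tree = Ognl.parseExpression(expr);
-Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
-Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+Ognl.getValue(tree, new HashMap<>(), new Object()); // $ Alert
+Ognl.setValue(tree, new HashMap<>(), new Object()); // $ Alert
 
 Node node = (Node) tree;
-node.getValue(null, new Object()); // $hasOgnlInjection
-node.setValue(null, new Object(), new Object()); // $hasOgnlInjection
+node.getValue(null, new Object()); // $ Alert
+node.setValue(null, new Object(), new Object()); // $ Alert
 }
 
 @RequestMapping
-public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
+public void testOgnlCompileExpression(@RequestParam String expr) throws Exception { // $ Source
 Node tree = Ognl.compileExpression(null, new Object(), expr);
-Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
-Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+Ognl.getValue(tree, new HashMap<>(), new Object()); // $ Alert
+Ognl.setValue(tree, new HashMap<>(), new Object()); // $ Alert
 
-tree.getValue(null, new Object()); // $hasOgnlInjection
-tree.setValue(null, new Object(), new Object()); // $hasOgnlInjection
+tree.getValue(null, new Object()); // $ Alert
+tree.setValue(null, new Object(), new Object()); // $ Alert
 }
 
 @RequestMapping
-public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
-Ognl.getValue(expr, new Object()); // $hasOgnlInjection
-Ognl.setValue(expr, new Object(), new Object()); // $hasOgnlInjection
+public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception { // $ Source
+Ognl.getValue(expr, new Object()); // $ Alert
+Ognl.setValue(expr, new Object(), new Object()); // $ Alert
 }
 
 @RequestMapping
-public void testStruts(@RequestParam String expr) throws Exception {
+public void testStruts(@RequestParam String expr) throws Exception { // $ Source
 OgnlUtil ognl = new OgnlUtil();
-ognl.getValue(expr, new HashMap<>(), new Object()); // $hasOgnlInjection
-ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $hasOgnlInjection
-new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $hasOgnlInjection
+ognl.getValue(expr, new HashMap<>(), new Object()); // $ Alert
+ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $ Alert
+new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $ Alert
 }
 
 @RequestMapping
-public void testExpressionAccessor(@RequestParam String expr) throws Exception {
+public void testExpressionAccessor(@RequestParam String expr) throws Exception { // $ Source
 Node tree = Ognl.compileExpression(null, new Object(), expr);
 ExpressionAccessor accessor = tree.getAccessor();
-accessor.get(null, new Object()); // $hasOgnlInjection
-accessor.set(null, new Object(), new Object()); // $hasOgnlInjection
+accessor.get(null, new Object()); // $ Alert
+accessor.set(null, new Object(), new Object()); // $ Alert
 
-Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection
-Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection
+Ognl.getValue(accessor, null, new Object()); // $ Alert
+Ognl.setValue(accessor, null, new Object()); // $ Alert
 }
 
 @RequestMapping
-public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception {
+public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception { // $ Source
 Node tree = Ognl.compileExpression(null, new Object(), "\"some safe expression\".toString()");
 ExpressionAccessor accessor = tree.getAccessor();
 Node taintedTree = Ognl.compileExpression(null, new Object(), expr);
 accessor.setExpression(taintedTree);
-accessor.get(null, new Object()); // $hasOgnlInjection
-accessor.set(null, new Object(), new Object()); // $hasOgnlInjection
+accessor.get(null, new Object()); // $ Alert
+accessor.set(null, new Object(), new Object()); // $ Alert
 
-Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection
-Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection
+Ognl.getValue(accessor, null, new Object()); // $ Alert
+Ognl.setValue(accessor, null, new Object()); // $ Alert
 }
 }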
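Review bot: Every method in this hunk feeds the request-derived `expr` into a sink, so the inline expectations are one-sided: there is no control where a constant expression reaches `Ognl.getValue` with no `$ Alert`, and a future over-approximation of the source or sink models would pass unnoticed. The literal on line 63 does not serve that purpose, because the accessor built from it is re-pointed at `taintedTree` on line 66 before any sink call. The whole `OgnlInjection` class sits inside the hunk, so a negative case can be appended before the closing brace without touching the new `.expected` output (a method with no findings adds no rows). Something like the method below would do.
```java
// … unchanged: existing test methods …
@RequestMapping
public void testConstantExpression() throws Exception {
  Ognl.getValue("1 + 1", new Object()); // no alert expected: the expression is not request-derived
}
```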
Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
1+
#select
2+
| OgnlInjection.java:18:19:18:22 | tree | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value |
3+
| OgnlInjection.java:19:19:19:22 | tree | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:19:19:19:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value |
4+
| OgnlInjection.java:22:5:22:8 | node | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:22:5:22:8 | node | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value |
5+
| OgnlInjection.java:23:5:23:8 | node | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:23:5:23:8 | node | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value |
6+
| OgnlInjection.java:29:19:29:22 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value |
7+
| OgnlInjection.java:30:19:30:22 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:30:19:30:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value |
8+
| OgnlInjection.java:32:5:32:8 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value |
9+
| OgnlInjection.java:33:5:33:8 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:33:5:33:8 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value |
10+
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:37:40:37:64 | expr | user-provided value |
11+
| OgnlInjection.java:39:19:39:22 | expr | OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:39:19:39:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:37:40:37:64 | expr | user-provided value |
12+
| OgnlInjection.java:45:19:45:22 | expr | OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:43:26:43:50 | expr | user-provided value |
13+
| OgnlInjection.java:46:19:46:22 | expr | OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:46:19:46:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:43:26:43:50 | expr | user-provided value |
14+
| OgnlInjection.java:47:31:47:34 | expr | OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:47:31:47:34 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:43:26:43:50 | expr | user-provided value |
15+
| OgnlInjection.java:54:5:54:12 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:54:5:54:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value |
16+
| OgnlInjection.java:55:5:55:12 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:55:5:55:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value |
17+
| OgnlInjection.java:57:19:57:26 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:57:19:57:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value |
18+
| OgnlInjection.java:58:19:58:26 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:58:19:58:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value |
19+
| OgnlInjection.java:67:5:67:12 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:67:5:67:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value |
20+
| OgnlInjection.java:68:5:68:12 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:68:5:68:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value |
21+
| OgnlInjection.java:70:19:70:26 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:70:19:70:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value |
22+
| OgnlInjection.java:71:19:71:26 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:71:19:71:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value |
23+
edges
24+
| OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:17:40:17:43 | expr : String | provenance | |
25+
| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | OgnlInjection.java:18:19:18:22 | tree | provenance | Sink:MaD:8 |
26+
| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | OgnlInjection.java:19:19:19:22 | tree | provenance | Sink:MaD:9 |
27+
| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | OgnlInjection.java:21:17:21:27 | (...)... : Object | provenance | |
28+
| OgnlInjection.java:17:40:17:43 | expr : String | OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | provenance | Config |
29+
| OgnlInjection.java:21:17:21:27 | (...)... : Object | OgnlInjection.java:22:5:22:8 | node | provenance | Sink:MaD:6 |
30+
| OgnlInjection.java:21:17:21:27 | (...)... : Object | OgnlInjection.java:23:5:23:8 | node | provenance | Sink:MaD:7 |
31+
| OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:28:60:28:63 | expr : String | provenance | |
32+
| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:29:19:29:22 | tree | provenance | Sink:MaD:8 |
33+
| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:30:19:30:22 | tree | provenance | Sink:MaD:9 |
34+
| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:32:5:32:8 | tree | provenance | Sink:MaD:6 |
35+
| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:33:5:33:8 | tree | provenance | Sink:MaD:7 |
36+
| OgnlInjection.java:28:60:28:63 | expr : String | OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | provenance | Config |
37+
| OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | provenance | Sink:MaD:8 |
38+
| OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:39:19:39:22 | expr | provenance | Sink:MaD:9 |
39+
| OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | provenance | Sink:MaD:2 |
40+
| OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:46:19:46:22 | expr | provenance | Sink:MaD:3 |
41+
| OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:47:31:47:34 | expr | provenance | Sink:MaD:1 |
42+
| OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:52:60:52:63 | expr : String | provenance | |
43+
| OgnlInjection.java:52:17:52:64 | compileExpression(...) : Node | OgnlInjection.java:53:35:53:38 | tree : Node | provenance | |
44+
| OgnlInjection.java:52:60:52:63 | expr : String | OgnlInjection.java:52:17:52:64 | compileExpression(...) : Node | provenance | Config |
45+
| OgnlInjection.java:53:35:53:38 | tree : Node | OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | provenance | Config |
46+
| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:54:5:54:12 | accessor | provenance | Sink:MaD:4 |
47+
| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:55:5:55:12 | accessor | provenance | Sink:MaD:5 |
48+
| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:57:19:57:26 | accessor | provenance | Sink:MaD:8 |
49+
| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:58:19:58:26 | accessor | provenance | Sink:MaD:9 |
50+
| OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:65:67:65:70 | expr : String | provenance | |
51+
| OgnlInjection.java:65:24:65:71 | compileExpression(...) : Node | OgnlInjection.java:66:28:66:38 | taintedTree : Node | provenance | |
52+
| OgnlInjection.java:65:67:65:70 | expr : String | OgnlInjection.java:65:24:65:71 | compileExpression(...) : Node | provenance | Config |
53+
| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:67:5:67:12 | accessor | provenance | Sink:MaD:4 |
54+
| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:68:5:68:12 | accessor | provenance | Sink:MaD:5 |
55+
| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:70:19:70:26 | accessor | provenance | Sink:MaD:8 |
56+
| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:71:19:71:26 | accessor | provenance | Sink:MaD:9 |
57+
| OgnlInjection.java:66:28:66:38 | taintedTree : Node | OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | provenance | Config |
58+
models
59+
| 1 | Sink: com.opensymphony.xwork2.ognl; OgnlUtil; false; callMethod; ; ; Argument[0]; ognl-injection; manual |
60+
| 2 | Sink: com.opensymphony.xwork2.ognl; OgnlUtil; false; getValue; ; ; Argument[0]; ognl-injection; manual |
61+
| 3 | Sink: com.opensymphony.xwork2.ognl; OgnlUtil; false; setValue; ; ; Argument[0]; ognl-injection; manual |
62+
| 4 | Sink: ognl.enhance; ExpressionAccessor; true; get; ; ; Argument[this]; ognl-injection; manual |
63+
| 5 | Sink: ognl.enhance; ExpressionAccessor; true; set; ; ; Argument[this]; ognl-injection; manual |
64+
| 6 | Sink: ognl; Node; false; getValue; ; ; Argument[this]; ognl-injection; manual |
65+
| 7 | Sink: ognl; Node; false; setValue; ; ; Argument[this]; ognl-injection; manual |
66+
| 8 | Sink: ognl; Ognl; false; getValue; ; ; Argument[0]; ognl-injection; manual |
67+
| 9 | Sink: ognl; Ognl; false; setValue; ; ; Argument[0]; ognl-injection; manual |
68+
nodes
69+
| OgnlInjection.java:16:39:16:63 | expr : String | semmle.label | expr : String |
70+
| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | semmle.label | parseExpression(...) : Object |
71+
| OgnlInjection.java:17:40:17:43 | expr : String | semmle.label | expr : String |
72+
| OgnlInjection.java:18:19:18:22 | tree | semmle.label | tree |
73+
| OgnlInjection.java:19:19:19:22 | tree | semmle.label | tree |
74+
| OgnlInjection.java:21:17:21:27 | (...)... : Object | semmle.label | (...)... : Object |
75+
| OgnlInjection.java:22:5:22:8 | node | semmle.label | node |
76+
| OgnlInjection.java:23:5:23:8 | node | semmle.label | node |
77+
| OgnlInjection.java:27:41:27:65 | expr : String | semmle.label | expr : String |
78+
| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | semmle.label | compileExpression(...) : Node |
79+
| OgnlInjection.java:28:60:28:63 | expr : String | semmle.label | expr : String |
80+
| OgnlInjection.java:29:19:29:22 | tree | semmle.label | tree |
81+
| OgnlInjection.java:30:19:30:22 | tree | semmle.label | tree |
82+
| OgnlInjection.java:32:5:32:8 | tree | semmle.label | tree |
83+
| OgnlInjection.java:33:5:33:8 | tree | semmle.label | tree |
84+
| OgnlInjection.java:37:40:37:64 | expr : String | semmle.label | expr : String |
85+
| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
86+
| OgnlInjection.java:39:19:39:22 | expr | semmle.label | expr |
87+
| OgnlInjection.java:43:26:43:50 | expr : String | semmle.label | expr : String |
88+
| OgnlInjection.java:45:19:45:22 | expr | semmle.label | expr |
89+
| OgnlInjection.java:46:19:46:22 | expr | semmle.label | expr |
90+
| OgnlInjection.java:47:31:47:34 | expr | semmle.label | expr |
91+
| OgnlInjection.java:51:38:51:62 | expr : String | semmle.label | expr : String |
92+
| OgnlInjection.java:52:17:52:64 | compileExpression(...) : Node | semmle.label | compileExpression(...) : Node |
93+
| OgnlInjection.java:52:60:52:63 | expr : String | semmle.label | expr : String |
94+
| OgnlInjection.java:53:35:53:38 | tree : Node | semmle.label | tree : Node |
95+
| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | semmle.label | getAccessor(...) : ExpressionAccessor |
96+
| OgnlInjection.java:54:5:54:12 | accessor | semmle.label | accessor |
97+
| OgnlInjection.java:55:5:55:12 | accessor | semmle.label | accessor |
98+
| OgnlInjection.java:57:19:57:26 | accessor | semmle.label | accessor |
99+
| OgnlInjection.java:58:19:58:26 | accessor | semmle.label | accessor |
100+
| OgnlInjection.java:62:51:62:75 | expr : String | semmle.label | expr : String |
101+
| OgnlInjection.java:65:24:65:71 | compileExpression(...) : Node | semmle.label | compileExpression(...) : Node |
102+
| OgnlInjection.java:65:67:65:70 | expr : String | semmle.label | expr : String |
103+
| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | semmle.label | accessor [post update] : ExpressionAccessor |
104+
| OgnlInjection.java:66:28:66:38 | taintedTree : Node | semmle.label | taintedTree : Node |
105+
| OgnlInjection.java:67:5:67:12 | accessor | semmle.label | accessor |
106+
| OgnlInjection.java:68:5:68:12 | accessor | semmle.label | accessor |
107+
| OgnlInjection.java:70:19:70:26 | accessor | semmle.label | accessor |
108+
| OgnlInjection.java:71:19:71:26 | accessor | semmle.label | accessor |
109+
subpaths

java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql

Lines changed: 0 additions & 18 deletions
This file was deleted.
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
query: Security/CWE/CWE-917/OgnlInjection.ql
2+
postprocess:
3+
- utils/test/PrettyPrintModels.ql
4+
- utils/test/InlineExpectationsTestQuery.ql
