add comments for FPs

am0o0 · am0o0 · commit 966295040586 · 2024-07-30T13:24:46.000+02:00
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java
@@ -33,7 +33,7 @@ public static void zip4jZipInputStreamSafe(InputStream inputStream) throws IOExc
                 File extractedFile = new File(localFileHeader.getFileName());
                 try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
                     int totallRead = 0;
-                    while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"
+                    while ((readLen = zipInputStream.read(readBuffer)) != -1) { // $ hasTaintFlow="zipInputStream"  "this test gives a FP"
                         totallRead += readLen;
                         if (totallRead > 1024 * 1024 * 4) {
                             System.out.println("potential Bomb");
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java
@@ -38,7 +38,7 @@ public static void ZipInputStreamSafe(InputStream inputStream) throws IOExceptio
                 }
                 FileOutputStream fos = new FileOutputStream("/tmp/tmptmp");
                 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
+                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" "this test gives a FP"
                     dest.write(data, 0, count);
                     total += count;
                 }
@@ -78,7 +78,7 @@ public static void ZipInputStreamSafe2(InputStream inputStream) throws IOExcepti
                 }
                 FileOutputStream fos = new FileOutputStream(entry.getName());
                 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"  "this test gives a FP"
                     dest.write(data, 0, count);
                 }
                 dest.flush();
@@ -100,7 +100,7 @@ public static void ZipInputStreamUnsafe(InputStream inputStream) throws IOExcept
                 // Write the files to the disk
                 FileOutputStream fos = new FileOutputStream(entry.getName()); 
                 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" 
                     dest.write(data, 0, count);
                 }
                 dest.flush();

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ public static void ZipInputStreamSafe(InputStream inputStream) throws IOExceptio`
`38`	`38`	`}`
`39`	`39`	`FileOutputStream fos = new FileOutputStream("/tmp/tmptmp");`
`40`	`40`	`BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);`
`41`		`- while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"`
	`41`	`+ while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" "this test gives a FP"`
`42`	`42`	`dest.write(data, 0, count);`
`43`	`43`	`total += count;`
`44`	`44`	`}`
`@@ -78,7 +78,7 @@ public static void ZipInputStreamSafe2(InputStream inputStream) throws IOExcepti`
`78`	`78`	`}`
`79`	`79`	`FileOutputStream fos = new FileOutputStream(entry.getName());`
`80`	`80`	`BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);`
`81`		`- while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"`
	`81`	`+ while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis" "this test gives a FP"`
`82`	`82`	`dest.write(data, 0, count);`
`83`	`83`	`}`
`84`	`84`	`dest.flush();`
`@@ -100,7 +100,7 @@ public static void ZipInputStreamUnsafe(InputStream inputStream) throws IOExcept`
`100`	`100`	`// Write the files to the disk`
`101`	`101`	`FileOutputStream fos = new FileOutputStream(entry.getName());`
`102`	`102`	`BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);`
`103`		`- while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"`
	`103`	`+ while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"`
`104`	`104`	`dest.write(data, 0, count);`
`105`	`105`	`}`
`106`	`106`	`dest.flush();`