Fix existing JaxRs tests

smowton · smowton · commit c37ecb7102af · 2021-06-30T12:04:21.000+01:00
* Expose getContentTypeString for use by tests * Use it to get constant arguments to @produces annotations * Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -283,7 +283,10 @@ class MessageBodyReaderRead extends Method {
   }
 }
 
-private string getContentTypeString(Expr e) {
+/**
+ * Gets a constant content-type described by expression `e` (either a string constant or a Jax-RS MediaType field access).
+ */
+string getContentTypeString(Expr e) {
   result = e.(CompileTimeConstantExpr).getStringValue() and
   result != ""
   or
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java
@@ -71,7 +71,7 @@ int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
     @Produces("text/html") // $ ProducesAnnotation=text/html
     @POST
     boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
-      return false;
+      return false; // $ XssSink
     }
 
     @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
@@ -25,7 +25,8 @@ class JaxRsTest extends InlineExpectationsTest {
       element = resourceMethod.toString() and
       if exists(resourceMethod.getProducesAnnotation())
       then
-        value = resourceMethod.getProducesAnnotation().getADeclaredContentType() and
+        value =
+          getContentTypeString(resourceMethod.getProducesAnnotation().getADeclaredContentTypeExpr()) and
         value != ""
       else
         // Filter out empty strings that stem from using stubs.
@@ -143,7 +144,7 @@ class JaxRsTest extends InlineExpectationsTest {
     exists(JaxRSProducesAnnotation producesAnnotation |
       producesAnnotation.getLocation() = location and
       element = producesAnnotation.toString() and
-      value = producesAnnotation.getADeclaredContentType() and
+      value = getContentTypeString(producesAnnotation.getADeclaredContentTypeExpr()) and
       value != ""
       // Filter out empty strings that stem from using stubs.
       // If we built the test against the real JAR then the field
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
@@ -71,7 +71,7 @@ int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
     @Produces("text/html") // $ ProducesAnnotation=text/html
     @POST
     boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
-      return false;
+      return false; // $ XssSink
     }
 
     @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain

Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,10 @@ class MessageBodyReaderRead extends Method {`
`283`	`283`	`}`
`284`	`284`	`}`
`285`	`285`
`286`		`-private string getContentTypeString(Expr e) {`
	`286`	`+/**`
	`287`	+ * Gets a constant content-type described by expression `e` (either a string constant or a Jax-RS MediaType field access).
	`288`	`+ */`
	`289`	`+string getContentTypeString(Expr e) {`
`287`	`290`	`result = e.(CompileTimeConstantExpr).getStringValue() and`
`288`	`291`	`result != ""`
`289`	`292`	`or`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ int Get() { // $ ResourceMethod ResourceMethodOnResourceClass`
`71`	`71`	`@Produces("text/html") // $ ProducesAnnotation=text/html`
`72`	`72`	`@POST`
`73`	`73`	`boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass`
`74`		`- return false;`
	`74`	`+ return false; // $ XssSink`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`@Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain`