Merge pull request github#5141 from github/yo-h/java-flow-check-fix

Java: prepare to enforce additional compiler checks in test code

Author: aschackmull

java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -87,7 +87,7 @@ public X509Certificate[] getAcceptedIssuers() {
 	/**
 	 * Test the endpoint identification of SSL engine is set to null
 	 */
-	public void testSSLEngineEndpointIdSetNull() {
+	public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorithmException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
@@ -98,15 +98,15 @@ public void testSSLEngineEndpointIdSetNull() {
 	/**
 	 * Test the endpoint identification of SSL engine is not set
 	 */
-	public void testSSLEngineEndpointIdNotSet() {
+	public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
 	}
 
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketEndpointIdNotSet() {
+	public void testSSLSocketEndpointIdNotSet() throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
@@ -115,7 +115,7 @@ public void testSSLSocketEndpointIdNotSet() {
 	/**
 	 * Test the endpoint identification of regular socket is not set
 	 */
-	public void testSocketEndpointIdNotSet() {
+	public void testSocketEndpointIdNotSet() throws java.io.IOException {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80);
 	}
@@ -127,4 +127,4 @@ public void testSocketEndpointIdNotSet() {
 	// ConnectionFactory connectionFactory = new ConnectionFactory();
 	// connectionFactory.useSslProtocol();
 	// }
-}
+}

java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java

@@ -29,7 +29,7 @@ protected PasswordAuthentication getPasswordAuthentication() {
 		final Session session = Session.getInstance(properties, authenticator);
 	}
 
-	public void testSimpleMail() {
+	public void testSimpleMail() throws Exception {
 		Email email = new SimpleEmail();
 		email.setHostName("config.hostName");
 		email.setSmtpPort(25);
@@ -42,4 +42,4 @@ public void testSimpleMail() {
 		email.addTo("toAddress");
 		email.send();
 	}
-}
+}

java/ql/test/experimental/query-tests/security/CWE-312/CleartextStorageSharedPrefs.java

@@ -20,15 +20,15 @@ public void testSetSharedPrefs1(Context context, String name, String password) {
 	}
 
 	// GOOD - save sensitive information in encrypted format
-	public void testSetSharedPrefs2(Context context, String name, String password) {
+	public void testSetSharedPrefs2(Context context, String name, String password) throws Exception {
 		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
 		Editor editor = sharedPrefs.edit();
 		editor.putString("name", encrypt(name));
 		editor.putString("password", encrypt(password));
 		editor.commit();
 	}
 
-	private static String encrypt(String cleartext) {
+	private static String encrypt(String cleartext) throws Exception {
 		// Use an encryption or hashing algorithm in real world. The demo below just returns its hash.
 		MessageDigest digest = MessageDigest.getInstance("SHA-256");
 		byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
@@ -37,7 +37,7 @@ private static String encrypt(String cleartext) {
 	}
 
 	// GOOD - save sensitive information in encrypted format using separate variables
-	public void testSetSharedPrefs3(Context context, String name, String password) {
+	public void testSetSharedPrefs3(Context context, String name, String password) throws Exception {
 		String encUsername = encrypt(name);
 		String encPassword = encrypt(password);
 		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
@@ -49,7 +49,7 @@ public void testSetSharedPrefs3(Context context, String name, String password) {
 
 
 	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
-	public void testSetSharedPrefs4(Context context, String name, String password) {
+	public void testSetSharedPrefs4(Context context, String name, String password) throws Exception {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();
@@ -69,7 +69,7 @@ public void testSetSharedPrefs4(Context context, String name, String password) {
 	}
 
 	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
-	public void testSetSharedPrefs5(Context context, String name, String password) {
+	public void testSetSharedPrefs5(Context context, String name, String password) throws Exception {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();
@@ -89,7 +89,7 @@ public void testSetSharedPrefs5(Context context, String name, String password) {
 	}
 
 	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
-	public void testSetSharedPrefs6(Context context, String name, String password) {
+	public void testSetSharedPrefs6(Context context, String name, String password) throws Exception {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();

java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java

@@ -3,7 +3,7 @@
 import javax.crypto.KeyGenerator;
 
 public class InsufficientKeySize {
-    public void CryptoMethod() {
+    public void CryptoMethod() throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
         KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
         // BAD: Key size is less than 128
         keyGen1.init(64);

java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java

@@ -57,7 +57,7 @@ public void testApacheHttpRequest3(String username, String password) {
 	/**
 	 * Test basic authentication with Apache HTTP POST request using the URI constructor with one argument.
 	 */
-	public void testApacheHttpRequest4(String username, String password) {
+	public void testApacheHttpRequest4(String username, String password) throws Exception {
 		String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
 		URI uri = new URI(uriStr);
 		HttpRequestBase post = new HttpPost(uri);
@@ -74,7 +74,7 @@ public void testApacheHttpRequest4(String username, String password) {
 	/**
 	 * Test basic authentication with Apache HTTP POST request using a URI constructor with multiple arguments.
 	 */
-	public void testApacheHttpRequest5(String username, String password) {
+	public void testApacheHttpRequest5(String username, String password) throws Exception {
 		HttpRequestBase post = new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null));
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
@@ -122,7 +122,7 @@ public void testApacheHttpRequest7(String username, String password) {
 	/**
 	 * Test basic authentication with Java HTTP URL connection using the `URL(String spec)` constructor.
 	 */
-	public void testHttpUrlConnection(String username, String password) {
+	public void testHttpUrlConnection(String username, String password) throws Exception {
 		String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
 		String authString = username + ":" + password;
 		String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
@@ -136,7 +136,7 @@ public void testHttpUrlConnection(String username, String password) {
 	/**
 	 * Test basic authentication with Java HTTP URL connection using the `URL(String protocol, String host, String file)` constructor.
 	 */
-	public void testHttpUrlConnection2(String username, String password) {
+	public void testHttpUrlConnection2(String username, String password) throws Exception {
 		String host = "www.example.com";
 		String path = "/rest/getuser.do?uid=abcdx";
 		String protocol = "http";
@@ -152,7 +152,7 @@ public void testHttpUrlConnection2(String username, String password) {
 	/**
 	 * Test basic authentication with Java HTTP URL connection using a constructor with private URL.
 	 */
-	public void testHttpUrlConnection3(String username, String password) {
+	public void testHttpUrlConnection3(String username, String password) throws Exception {
 		String host = "LOCALHOST";
 		String authString = username + ":" + password;
 		String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
@@ -161,4 +161,4 @@ public void testHttpUrlConnection3(String username, String password) {
 		conn.setDoOutput(true);
 		conn.setRequestProperty("Authorization", "Basic " + encoding);
 	}
-}
+}

java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java

@@ -7,7 +7,7 @@
 
 public class InsecureLdapAuth {
 	// BAD - Test LDAP authentication in cleartext using `DirContext`.
-	public void testCleartextLdapAuth(String ldapUserName, String password) {
+	public void testCleartextLdapAuth(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -21,7 +21,7 @@ public void testCleartextLdapAuth(String ldapUserName, String password) {
 	}
 
 	// BAD - Test LDAP authentication in cleartext using `DirContext`.
-	public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) {
+	public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) throws Exception {
 		String ldapUrl = "ldap://"+serverName+":389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -35,7 +35,7 @@ public void testCleartextLdapAuth(String ldapUserName, String password, String s
 	}
 
 	// GOOD - Test LDAP authentication over SSL.
-	public void testSslLdapAuth(String ldapUserName, String password) {
+	public void testSslLdapAuth(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldaps://ad.your-server.com:636";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -49,7 +49,7 @@ public void testSslLdapAuth(String ldapUserName, String password) {
 	}
 
 	// GOOD - Test LDAP authentication over SSL.
-	public void testSslLdapAuth2(String ldapUserName, String password) {
+	public void testSslLdapAuth2(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:636";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -64,7 +64,7 @@ public void testSslLdapAuth2(String ldapUserName, String password) {
 	}
 
 	// GOOD - Test LDAP authentication with SASL authentication.
-	public void testSaslLdapAuth(String ldapUserName, String password) {
+	public void testSaslLdapAuth(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -78,7 +78,7 @@ public void testSaslLdapAuth(String ldapUserName, String password) {
 	}
 
 	// GOOD - Test LDAP authentication in cleartext connecting to local LDAP server.
-	public void testCleartextLdapAuth2(String ldapUserName, String password) {
+	public void testCleartextLdapAuth2(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://localhost:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -92,7 +92,7 @@ public void testCleartextLdapAuth2(String ldapUserName, String password) {
 	}
 
 	// BAD - Test LDAP authentication in cleartext using `InitialLdapContext`.
-	public void testCleartextLdapAuth3(String ldapUserName, String password) {
+	public void testCleartextLdapAuth3(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,
@@ -107,7 +107,7 @@ public void testCleartextLdapAuth3(String ldapUserName, String password) {
 
 
 	// BAD - Test LDAP authentication in cleartext using `DirContext` and string literals.
-	public void testCleartextLdapAuth4(String ldapUserName, String password) {
+	public void testCleartextLdapAuth4(String ldapUserName, String password) throws Exception {
 		String ldapUrl = "ldap://ad.your-server.com:389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put("java.naming.factory.initial",
@@ -131,7 +131,7 @@ private void setBasicAuth(Hashtable env, String ldapUserName, String password) {
 	}
 
 	// GOOD - Test LDAP authentication with `ssl` configuration and basic authentication.
-	public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) {
+	public void testCleartextLdapAuth5(String ldapUserName, String password, String serverName) throws Exception {
 		String ldapUrl = "ldap://"+serverName+":389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		setSSL(environment);
@@ -143,7 +143,7 @@ public void testCleartextLdapAuth5(String ldapUserName, String password, String
 	}
 
 	// BAD - Test LDAP authentication with basic authentication.
-	public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) {
+	public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) throws Exception {
 		String ldapUrl = "ldap://"+serverName+":389";
 		Hashtable<String, String> environment = new Hashtable<String, String>();
 		environment.put(Context.INITIAL_CONTEXT_FACTORY,

java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java

@@ -26,7 +26,7 @@ protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
         String fooResourceUrl = request2.getParameter("uri");;
         RestTemplate restTemplate = new RestTemplate();
         HttpEntity<String> request = new HttpEntity<>(new String("bar"));
-
+        try {
         {
             ResponseEntity<String> response =
                     restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
@@ -68,5 +68,6 @@ protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
         {
             restTemplate.put(fooResourceUrl, new String("object"));
         }
+        } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
     }
 }

java/ql/test/library-tests/ExternalProcess/Test.java

@@ -43,28 +43,28 @@ void exec(String command) {
 		new Bogus().exec("Irrelevant version of exec");
 	}
 
-	void apacheExecute1() {
+	void apacheExecute1() throws IOException {
 		String line = "AcroRd32.exe /p /h some.file";
 		CommandLine cmdLine = CommandLine.parse(line);
 		DefaultExecutor executor = new DefaultExecutor();
 		int exitValue = executor.execute(cmdLine);
 	}
 
-	void apacheExecute2() {
+	void apacheExecute2() throws IOException {
 		String line = "AcroRd32.exe /p /h some.file";
 		CommandLine cmdLine = CommandLine.parse(line, null);
 		DefaultExecutor executor = new DefaultExecutor();
 		int exitValue = executor.execute(cmdLine);
 	}
 
-	void apacheExecute3() {
+	void apacheExecute3() throws IOException {
 		CommandLine cmdLine = new CommandLine("AcroRd32.exe");
 		cmdLine.addArguments("/p /h some.file");
 		DefaultExecutor executor = new DefaultExecutor();
 		int exitValue = executor.execute(cmdLine);
 	}
 
-	void apacheExecute4() {
+	void apacheExecute4() throws IOException {
 		CommandLine cmdLine = new CommandLine("AcroRd32.exe");
 		cmdLine.addArguments("/p /h some.file", false);
 		DefaultExecutor executor = new DefaultExecutor();

java/ql/test/library-tests/RelativePaths/Test.java

@@ -1,5 +1,5 @@
 class Test {
-	public static void main(String[] args) {
+	public static void main(String[] args) throws java.io.IOException {
 		// Relative paths
 		Runtime.getRuntime().exec("make");
 		Runtime.getRuntime().exec("m");

java/ql/test/library-tests/commentedcode/CommentedCode.java

@@ -88,8 +88,8 @@ public static int method(){
 		 * &nbsp ;
 		 * &nbsp ;
 		 */
+		return -1;
 	}
-	
 //	public static int commentedOutMethod(){
 //		
 //		return 123;