Merge pull request github#5714 from aschackmull/java/add-misc-qltests

Java: Add a few qltests

Author: smowton

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected

@@ -2,12 +2,19 @@ edges
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
+| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
 | Test.java:27:21:27:24 | temp | semmle.label | temp |
 | Test.java:30:44:30:47 | temp | semmle.label | temp |
+| Test.java:34:21:34:24 | temp | semmle.label | temp |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
+| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
+| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |

java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java

@@ -3,10 +3,10 @@
 package test.cwe22.semmle.tests;
 
 
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
 
-
-import java.io.IOException;
-import java.io.File;
+import java.io.*;
 import java.net.InetAddress;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -28,6 +28,11 @@ void doGet1(InetAddress address)
 
 			// BAD: construct a path with user input
 			path = FileSystems.getDefault().getPath(temp);
+
+			// BAD: insufficient check
+			if (temp.startsWith("/some_safe_dir/")) {
+				file = new File(temp);
+			}
 	}
 
 	void doGet2(InetAddress address)
@@ -68,4 +73,13 @@ boolean isSortOfSafe(String pathSpec) {
 			return false;
 		return true;
 	}
+
+    public class MyServlet extends HttpServlet {
+        public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+            BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
+            String filename = br.readLine();
+            // BAD: construct a file path with user input
+            BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
+        }
+    }
 }

java/ql/test/query-tests/security/CWE-022/semmle/tests/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4

java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java

@@ -0,0 +1,41 @@
+import java.net.Socket;
+
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+
+import org.xml.sax.InputSource;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public class SAXSourceTests {
+
+  public void unsafeSource(Socket sock) throws Exception {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(source); // BAD
+  }
+
+  public void explicitlySafeSource1(Socket sock) throws Exception {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
+  }
+
+  public void createdSafeSource(Socket sock) throws Exception {
+    SAXParserFactory factory = SAXParserFactory.newInstance();
+    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    SAXParser parser = factory.newSAXParser();
+    XMLReader reader = parser.getXMLReader();
+    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); // GOOD
+    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
+  }
+}

java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java

@@ -0,0 +1,30 @@
+import java.net.Socket;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
+
+import org.xml.sax.InputSource;
+
+public class UnmarshallerTests {
+
+  public void safeUnmarshal(Socket sock) throws Exception {
+    SAXParserFactory spf = SAXParserFactory.newInstance();
+    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(xmlSource); //safe
+  }
+
+  public void unsafeUnmarshal(Socket sock) throws Exception {
+    SAXParserFactory spf = SAXParserFactory.newInstance();
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(sock.getInputStream()); //unsafe
+  }
+}

java/ql/test/query-tests/security/CWE-611/XXE.expected

@@ -2,6 +2,7 @@ edges
 | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
 | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
 | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
@@ -78,6 +79,8 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
@@ -163,6 +166,7 @@ nodes
 | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) |
 | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) |
 | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) |
@@ -220,6 +224,7 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input |
+| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | Unsafe parsing of XML file from $@. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user input |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input |
 | SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input |
 | SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input |
@@ -267,6 +272,7 @@ nodes
 | TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input |
 | TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input |
+| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user input |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input |
 | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input |

java/ql/test/query-tests/security/CWE-611/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1

java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/JAXBContext.java

@@ -0,0 +1,33 @@
+package javax.xml.bind;
+
+import java.util.Map;
+
+abstract public class JAXBContext {
+  protected JAXBContext() { }
+
+//  public static final String JAXB_CONTEXT_FACTORY;
+//
+//  public Binder<Node> createBinder() { return null; }
+//
+//  public Binder<T> createBinder(Class<T> p0) { return null; }
+//
+//  public JAXBIntrospector createJAXBIntrospector() { return null; }
+//
+//  abstract public Marshaller createMarshaller();
+
+  abstract public Unmarshaller createUnmarshaller();
+
+//  abstract public Validator createValidator();
+//
+//  public void generateSchema(SchemaOutputResolver p0) { }
+
+  public static JAXBContext newInstance(Class... p0) { return null; }
+
+  public static JAXBContext newInstance(Class<?>[] p0, Map<String,?> p1) { return null; }
+
+  public static JAXBContext newInstance(String p0) { return null; }
+
+  public static JAXBContext newInstance(String p0, ClassLoader p1) { return null; }
+
+  public static JAXBContext newInstance(String p0, ClassLoader p1, Map<String,?> p2) { return null; }
+}

java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/Unmarshaller.java

@@ -0,0 +1,76 @@
+package javax.xml.bind;
+
+import java.net.URL;
+import java.io.Reader;
+import java.io.InputStream;
+import java.io.File;
+import javax.xml.transform.Source;
+
+abstract public interface Unmarshaller {
+  abstract public static class Listener {
+    public Listener() { }
+  
+    public void afterUnmarshal(Object p0, Object p1) { }
+  
+    public void beforeUnmarshal(Object p0, Object p1) { }
+  }
+
+//  abstract public A getAdapter(Class<A> p0);
+//
+//  abstract public AttachmentUnmarshaller getAttachmentUnmarshaller();
+//
+//  abstract public ValidationEventHandler getEventHandler();
+//
+//  abstract public Listener getListener();
+
+  abstract public Object getProperty(String p0);
+
+//  abstract public Schema getSchema();
+//
+//  abstract public UnmarshallerHandler getUnmarshallerHandler();
+
+  abstract public boolean isValidating();
+
+//  abstract public void setAdapter(Class<A> p0, A p1);
+//
+//  abstract public void setAdapter(XmlAdapter p0);
+//
+//  abstract public void setAttachmentUnmarshaller(AttachmentUnmarshaller p0);
+//
+//  abstract public void setEventHandler(ValidationEventHandler p0);
+//
+//  abstract public void setListener(Listener p0);
+//
+//  abstract public void setProperty(String p0, Object p1);
+//
+//  abstract public void setSchema(Schema p0);
+
+  abstract public void setValidating(boolean p0);
+
+  abstract public Object unmarshal(File p0);
+
+  abstract public Object unmarshal(InputStream p0);
+
+  abstract public Object unmarshal(Reader p0);
+
+  abstract public Object unmarshal(URL p0);
+
+//  abstract public Object unmarshal(XMLEventReader p0);
+//
+//  abstract public JAXBElement<T> unmarshal(XMLEventReader p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(XMLStreamReader p0);
+//
+//  abstract public JAXBElement<T> unmarshal(XMLStreamReader p0, Class<T> p1);
+
+  abstract public Object unmarshal(Source p0);
+
+//  abstract public JAXBElement<T> unmarshal(Source p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(Node p0);
+//
+//  abstract public JAXBElement<T> unmarshal(Node p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(InputSource p0);
+}
+