Merge pull request github#6090 from atorralba/atorralba/move-httpsurls-tests

aschackmull · web-flow · commit 75d5fe67ea0c · 2021-06-16T12:00:55.000+02:00
Java: Move/tweak some tests
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected
@@ -0,0 +1,19 @@
+edges
+| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u |
+| HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u |
+| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u |
+| HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u |
+nodes
+| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | semmle.label | "http://" : String |
+| HttpsUrlsTest.java:28:50:28:50 | u | semmle.label | u |
+| HttpsUrlsTest.java:36:23:36:28 | "http" : String | semmle.label | "http" : String |
+| HttpsUrlsTest.java:41:50:41:50 | u | semmle.label | u |
+| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | semmle.label | "http://" : String |
+| HttpsUrlsTest.java:55:50:55:50 | u | semmle.label | u |
+| HttpsUrlsTest.java:87:23:87:28 | "http" : String | semmle.label | "http" : String |
+| HttpsUrlsTest.java:92:50:92:50 | u | semmle.label | u |
+#select
+| HttpsUrlsTest.java:28:50:28:67 | openConnection(...) | HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:23:23:23:31 | "http://" | this source |
+| HttpsUrlsTest.java:41:50:41:67 | openConnection(...) | HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:36:23:36:28 | "http" | this source |
+| HttpsUrlsTest.java:55:50:55:67 | openConnection(...) | HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:49:23:49:31 | "http://" | this source |
+| HttpsUrlsTest.java:92:50:92:67 | openConnection(...) | HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:87:23:87:28 | "http" | this source |
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-319/HttpsUrls.ql
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java
@@ -0,0 +1,119 @@
+// Semmle test case for CWE-319: Cleartext Transmission of Sensitive Data
+// http://cwe.mitre.org/data/definitions/319.html
+package test.cwe319.cwe.examples;
+
+import java.net.URL;
+import java.io.*;
+import java.rmi.*;
+import java.rmi.server.*;
+import java.rmi.registry.*;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.rmi.ssl.*;
+
+interface Hello extends java.rmi.Remote {
+	String sayHello() throws java.rmi.RemoteException;
+}
+
+class HelloImpl implements Hello {
+	public static void main(String[] args) {
+		try {	
+			// HttpsUrls
+			{
+				String protocol = "http://";
+				URL u = new URL(protocol + "www.secret.example.org/");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// BAD: this will give a ClassCastException at runtime, as the
+				// http URL cannot be used to make an HttpsURLConnection
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "http";
+				URL u = new URL(protocol, "www.secret.example.org", "foo");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// BAD: this will give a ClassCastException at runtime, as the
+				// http URL cannot be used to make an HttpsURLConnection
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "http://";
+				// the second URL overwrites the first, as it has a protocol
+				URL u = new URL(new URL("https://www.secret.example.org"), protocol + "www.secret.example.org");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// BAD: this will give a ClassCastException at runtime, as the
+				// http URL cannot be used to make an HttpsURLConnection
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "https://";
+				URL u = new URL(protocol + "www.secret.example.org/");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// GOOD: open connection to URL using HTTPS
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "https";
+				URL u = new URL(protocol, "www.secret.example.org", "foo");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// GOOD: open connection to URL using HTTPS
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "http";
+				URL u = new URL(protocol, "internal-url", "foo");
+				// FALSE POSITIVE: the query has no way of knowing whether the url will
+				// resolve to somewhere outside the internal network, where there
+				// are unlikely to be interception attempts
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String input = "URL is: http://www.secret-example.org";
+				String url = input.substring(8);
+				URL u = new URL(url);
+				// FALSE NEGATIVE: we cannot tell that the substring results in a url
+				// string
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+		} catch (Exception e) {
+			// fail
+		}
+	}
+
+	public String sayHello() {
+		return "Hello";
+	}
+}
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
@@ -1 +1 @@
-| Test.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
+| UseSSLTest.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java
@@ -2,7 +2,7 @@
 import javax.net.ssl.HttpsURLConnection;
 import java.io.*;
 
-class Test {
+class UseSSLTest {
   public void m1(HttpURLConnection connection) throws java.io.IOException {
     InputStream input;
     if (connection instanceof HttpsURLConnection) {

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-\| Test.java:11:15:11:41 \| getInputStream(...) \| Stream using vulnerable non-SSL connection. \|`
	`1`	`+\| UseSSLTest.java:11:15:11:41 \| getInputStream(...) \| Stream using vulnerable non-SSL connection. \|`