Fix tests

atorralba · atorralba · commit 7ff4d368bea3 · 2021-06-16T13:01:39.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java
@@ -12,6 +12,7 @@ public class GroovyClassLoaderTest extends HttpServlet {
 
     protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+        // "groovy.lang;GroovyClassLoader;false;parseClass;;;Argument[0];groovy",
         try {
             String script = request.getParameter("script");
             final GroovyClassLoader classLoader = new GroovyClassLoader();
@@ -21,10 +22,6 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
         } catch (Exception e) {
             // Ignore
         }
-    }
-
-    protected void doPost(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
         try {
             String script = request.getParameter("script");
             final GroovyClassLoader classLoader = new GroovyClassLoader();
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java
@@ -0,0 +1,85 @@
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.net.URL;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.codehaus.groovy.control.CompilationUnit;
+import org.codehaus.groovy.control.SourceUnit;
+import org.codehaus.groovy.control.io.ReaderSource;
+import org.codehaus.groovy.control.io.StringReaderSource;
+
+public class GroovyCompilationUnitTest extends HttpServlet {
+    public void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        // "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[-1];groovy"
+        {
+            CompilationUnit cu = new CompilationUnit();
+            cu.addSource("test", request.getParameter("source"));
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            cu.addSource(request.getParameter("source"), "safe");
+            cu.compile(); // Safe
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            cu.addSource("test",
+                    new ByteArrayInputStream(request.getParameter("source").getBytes()));
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            cu.addSource(new URL(request.getParameter("source")));
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            SourceUnit su =
+                    new SourceUnit("test", request.getParameter("source"), null, null, null);
+            cu.addSource(su);
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            SourceUnit su =
+                    new SourceUnit(request.getParameter("source"), "safe", null, null, null);
+            cu.addSource(su);
+            cu.compile(); // Safe
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            ReaderSource rs = new StringReaderSource(request.getParameter("source"), null);
+            SourceUnit su = new SourceUnit("test", rs, null, null, null);
+            cu.addSource(su);
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            SourceUnit su =
+                    new SourceUnit(new URL(request.getParameter("source")), null, null, null);
+            cu.addSource(su);
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            SourceUnit su = SourceUnit.create("test", request.getParameter("source"));
+            cu.addSource(su);
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0);
+            cu.addSource(su);
+            cu.compile(); // $hasGroovyInjection
+        }
+        {
+            CompilationUnit cu = new CompilationUnit();
+            SourceUnit su = SourceUnit.create(request.getParameter("source"), "safe", 0);
+            cu.addSource(su);
+            cu.compile(); // Safe
+        }
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java
@@ -9,33 +9,32 @@ public class GroovyEvalTest extends HttpServlet {
 
     protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
-        String script = request.getParameter("script");
-        Eval.me(script); // $hasGroovyInjection
-    }
-
-    protected void doPost(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        String script = request.getParameter("script");
-        Eval.me("test", "result", script); // $hasGroovyInjection
-    }
-
-    protected void doPut(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        String script = request.getParameter("script");
-        Eval.x("result2", script); // $hasGroovyInjection
-
-    }
-
-    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        String script = request.getParameter("script");
-        Eval.xy("result3", "result4", script); // $hasGroovyInjection
-    }
-
-    protected void doPatch(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        String script = request.getParameter("script");
-        Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection
+        // "groovy.util;Eval;false;me;(String);;Argument[0];groovy",
+        {
+            String script = request.getParameter("script");
+            Eval.me(script); // $hasGroovyInjection
+        }
+        // "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy",
+        {
+            String script = request.getParameter("script");
+            Eval.me("test", "result", script); // $hasGroovyInjection
+        }
+        // "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy",
+        {
+            String script = request.getParameter("script");
+            Eval.x("result2", script); // $hasGroovyInjection
+
+        }
+        // "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy",
+        {
+            String script = request.getParameter("script");
+            Eval.xy("result3", "result4", script); // $hasGroovyInjection
+        }
+        // "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy",
+        {
+            String script = request.getParameter("script");
+            Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection
+        }
     }
 }
 
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyShellTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyShellTest.java
@@ -1,63 +1,154 @@
-import groovy.lang.GroovyCodeSource;
-import groovy.lang.GroovyShell;
-
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+import groovy.lang.GroovyCodeSource;
+import groovy.lang.GroovyShell;
 
 public class GroovyShellTest extends HttpServlet {
 
     protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        shell.evaluate(script); // $hasGroovyInjection
-    }
-
-    protected void doPost(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        shell.evaluate(script, "test"); // $hasGroovyInjection
-    }
-
-    protected void doPut(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        shell.evaluate(script, "test", "test2"); // $hasGroovyInjection
-    }
-
-    protected void doOptions(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        shell.run(script, "_", new String[] {}); // $hasGroovyInjection
-    }
-
-    protected void doHead(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-        shell.run(gcs, new String[] {}); // $hasGroovyInjection
-    }
-
-    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-        shell.evaluate(gcs); // $hasGroovyInjection
-    }
 
-    protected void doPatch(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        GroovyShell shell = new GroovyShell();
-        String script = request.getParameter("script");
-        shell.parse(script); // $hasGroovyInjection
+        // "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+            shell.evaluate(gcs); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            Reader reader = new StringReader(script);
+            shell.evaluate(reader); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            Reader reader = new StringReader(script);
+            shell.evaluate(reader, "_"); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.evaluate(script); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.evaluate(script, "test"); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.evaluate(script, "test", "test2"); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy",
+        try {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.parse(new URI(script)); // $hasGroovyInjection
+        } catch (URISyntaxException e) {
+        }
+        // "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            Reader reader = new StringReader(script);
+            shell.parse(reader); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            Reader reader = new StringReader(script);
+            shell.parse(reader, "_"); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.parse(script); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.parse(script, "_"); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy",
+        try {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.parse(new URI(script)); // $hasGroovyInjection
+        } catch (URISyntaxException e) {
+        }
+        // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+            shell.run(gcs, new String[] {}); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+            shell.run(gcs, new ArrayList<String>()); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            Reader reader = new StringReader(script);
+            shell.run(reader, "test", new String[] {}); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            Reader reader = new StringReader(script);
+            shell.run(reader, "test", new ArrayList<String>()); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.run(script, "_", new String[] {}); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy",
+        {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.run(script, "_", new ArrayList<String>()); // $hasGroovyInjection
+        }
+        // "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy",
+        try {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.run(new URI(script), new String[] {}); // $hasGroovyInjection
+        } catch (URISyntaxException e) {
+        }
+        // "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy",
+        try {
+            GroovyShell shell = new GroovyShell();
+            String script = request.getParameter("script");
+            shell.run(new URI(script), new ArrayList<String>()); // $hasGroovyInjection
+        } catch (URISyntaxException e) {
+        }
     }
 }
 
