Spring HTTP: Fix test mistakes

smowton · smowton · commit 82ea2592adef · 2021-07-19T18:21:13.000+01:00
Classes without RestController and methods without GetMapping or similar were never going to be detected.
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -99,46 +99,51 @@ public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(St
     }
   }
 
+  @RestController
   @RequestMapping(produces = {"application/json"})
   private static class ClassContentTypeSafe {
+    @GetMapping(value = "/abc")
     public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled);
+      return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
     }
 
     @GetMapping(value = "/abc")
     public String testDirectReturn(String userControlled) {
-      return userControlled;
+      return userControlled; // $SPURIOUS: xss
     }
 
     @GetMapping(value = "/xyz", produces = {"text/html"})
     public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $MISSING: xss
+      return ResponseEntity.ok(userControlled); // $xss
     }
 
     @GetMapping(value = "/abc")
     public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
-      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $MISSING: xss
+      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
     }
   }
 
+  @RestController
   @RequestMapping(produces = {"text/html"})
   private static class ClassContentTypeUnsafe {
+    @GetMapping(value = "/abc")
     public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $MISSING: xss
+      return ResponseEntity.ok(userControlled); // $xss
     }
 
     @GetMapping(value = "/abc")
     public String testDirectReturn(String userControlled) {
-      return userControlled; //$MISSING: xss
+      return userControlled; // $xss
     }
 
     @GetMapping(value = "/xyz", produces = {"application/json"})
     public ResponseEntity<String> overridesWithSafe(String userControlled) {
-      return ResponseEntity.ok(userControlled);
+      return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
     }
 
+    @GetMapping(value = "/abc")
     public ResponseEntity<String> overridesWithSafe2(String userControlled) {
-      return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled);
+      return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -99,46 +99,51 @@ public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(St`
`99`	`99`	`}`
`100`	`100`	`}`
`101`	`101`
	`102`	`+ @RestController`
`102`	`103`	`@RequestMapping(produces = {"application/json"})`
`103`	`104`	`private static class ClassContentTypeSafe {`
	`105`	`+ @GetMapping(value = "/abc")`
`104`	`106`	`public ResponseEntity<String> test(String userControlled) {`
`105`		`- return ResponseEntity.ok(userControlled);`
	`107`	`+ return ResponseEntity.ok(userControlled); // $SPURIOUS: xss`
`106`	`108`	`}`
`107`	`109`
`108`	`110`	`@GetMapping(value = "/abc")`
`109`	`111`	`public String testDirectReturn(String userControlled) {`
`110`		`- return userControlled;`
	`112`	`+ return userControlled; // $SPURIOUS: xss`
`111`	`113`	`}`
`112`	`114`
`113`	`115`	`@GetMapping(value = "/xyz", produces = {"text/html"})`
`114`	`116`	`public ResponseEntity<String> overridesWithUnsafe(String userControlled) {`
`115`		`- return ResponseEntity.ok(userControlled); // $MISSING: xss`
	`117`	`+ return ResponseEntity.ok(userControlled); // $xss`
`116`	`118`	`}`
`117`	`119`
`118`	`120`	`@GetMapping(value = "/abc")`
`119`	`121`	`public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {`
`120`		`- return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $MISSING: xss`
	`122`	`+ return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss`
`121`	`123`	`}`
`122`	`124`	`}`
`123`	`125`
	`126`	`+ @RestController`
`124`	`127`	`@RequestMapping(produces = {"text/html"})`
`125`	`128`	`private static class ClassContentTypeUnsafe {`
	`129`	`+ @GetMapping(value = "/abc")`
`126`	`130`	`public ResponseEntity<String> test(String userControlled) {`
`127`		`- return ResponseEntity.ok(userControlled); // $MISSING: xss`
	`131`	`+ return ResponseEntity.ok(userControlled); // $xss`
`128`	`132`	`}`
`129`	`133`
`130`	`134`	`@GetMapping(value = "/abc")`
`131`	`135`	`public String testDirectReturn(String userControlled) {`
`132`		`- return userControlled; //$MISSING: xss`
	`136`	`+ return userControlled; // $xss`
`133`	`137`	`}`
`134`	`138`
`135`	`139`	`@GetMapping(value = "/xyz", produces = {"application/json"})`
`136`	`140`	`public ResponseEntity<String> overridesWithSafe(String userControlled) {`
`137`		`- return ResponseEntity.ok(userControlled);`
	`141`	`+ return ResponseEntity.ok(userControlled); // $SPURIOUS: xss`
`138`	`142`	`}`
`139`	`143`
	`144`	`+ @GetMapping(value = "/abc")`
`140`	`145`	`public ResponseEntity<String> overridesWithSafe2(String userControlled) {`
`141`		`- return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled);`
	`146`	`+ return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss`
`142`	`147`	`}`
`143`	`148`	`}`
`144`	`149`