New sinks and test cases

atorralba · atorralba · commit 8af7f4a4843e · 2021-05-06T09:18:49.000+02:00
diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -31,6 +31,8 @@ private class DefaultXPathInjectionSinkModel extends SinkModelCsv {
         "org.dom4j;DocumentHelper;false;createPattern;;;Argument[0];xpath",
         "org.dom4j;DocumentHelper;false;createXPath;;;Argument[0];xpath",
         "org.dom4j;DocumentHelper;false;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;selectNodes;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;sort;;;Argument[1];xpath",
         "org.dom4j.tree;AbstractNode;true;createXPathFilter;;;Argument[0];xpath",
         "org.dom4j.tree;AbstractNode;true;createPattern;;;Argument[0];xpath",
         "org.dom4j.util;ProxyDocumentFactory;true;createPattern;;;Argument[0];xpath",
diff --git a/java/ql/test/query-tests/security/CWE-643/A.java b/java/ql/test/query-tests/security/CWE-643/A.java
@@ -1,5 +1,6 @@
 import java.io.ByteArrayInputStream;
 import java.io.StringReader;
+import java.util.ArrayList;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.namespace.QName;
@@ -11,9 +12,11 @@
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 
+import org.jaxen.pattern.Pattern;
 import org.dom4j.DocumentFactory;
 import org.dom4j.DocumentHelper;
 import org.dom4j.Namespace;
+import org.dom4j.Node;
 import org.dom4j.io.SAXReader;
 import org.dom4j.util.ProxyDocumentFactory;
 import org.dom4j.xpath.DefaultXPath;
@@ -58,6 +61,18 @@ public String evaluate(String expression, InputSource source) throws XPathExpres
     private static class ProxyDocumentFactoryStub extends ProxyDocumentFactory {
     }
 
+    private static class PatternStub extends Pattern {
+        private String text;
+
+        PatternStub(String text) {
+            this.text = text;
+        }
+
+        public String getText() {
+            return text;
+        }
+    }
+
     public void handle(HttpServletRequest request) throws Exception {
         String user = request.getParameter("user");
         String pass = request.getParameter("pass");
@@ -118,6 +133,7 @@ public void handle(HttpServletRequest request) throws Exception {
 
         new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        new XPathPattern(new PatternStub(user)); // Safe
 
         DocumentFactory docFactory = DocumentFactory.getInstance();
         docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
@@ -127,6 +143,8 @@ public void handle(HttpServletRequest request) throws Exception {
         DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']", new ArrayList<Node>()); // $hasXPathInjection
+        DocumentHelper.sort(new ArrayList<Node>(), "/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
 
         ProxyDocumentFactoryStub proxyDocFactory = new ProxyDocumentFactoryStub();
         proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
@@ -19,6 +19,9 @@ public class XPathPattern implements org.dom4j.rule.Pattern {
   public XPathPattern(String text) {
   }
 
+  public XPathPattern(org.jaxen.pattern.Pattern pattern) {
+  }
+
   public boolean matches(Node node) {
     return false;
   }
diff --git a/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/pattern/Pattern.java b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/pattern/Pattern.java
@@ -0,0 +1,73 @@
+/*
+ * $Header$
+ * $Revision$
+ * $Date$
+ *
+ * ====================================================================
+ *
+ * Copyright 2000-2002 bob mcwhirter & James Strachan.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 
+ *   * Neither the name of the Jaxen Project nor the names of its
+ *     contributors may be used to endorse or promote products derived 
+ *     from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by many 
+ * individuals on behalf of the Jaxen Project and was originally 
+ * created by bob mcwhirter <bob@werken.com> and 
+ * James Strachan <jstrachan@apache.org>.  For more information on the 
+ * Jaxen Project, please see <http://www.jaxen.org/>.
+ * 
+ * $Id$
+ */
+
+package org.jaxen.pattern;
+
+public abstract class Pattern {
+  public double getPriority() {
+    return 0;
+  }
+
+  public Pattern[] getUnionPatterns() {
+    return null;
+  }
+
+  public short getMatchType() {
+    return 0;
+  }
+
+  public String getMatchesNodeName() {
+    return null;
+  }
+
+  public Pattern simplify() {
+    return null;
+  }
+
+  public abstract String getText();
+
+}

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,9 @@ public class XPathPattern implements org.dom4j.rule.Pattern {`
`19`	`19`	`public XPathPattern(String text) {`
`20`	`20`	`}`
`21`	`21`
	`22`	`+ public XPathPattern(org.jaxen.pattern.Pattern pattern) {`
	`23`	`+ }`
	`24`	`+`
`22`	`25`	`public boolean matches(Node node) {`
`23`	`26`	`return false;`
`24`	`27`	`}`