Fix tests to take trim into account

Benjamin Muskalla · Benjamin Muskalla · commit 93bc8aa7b27b · 2021-09-01T15:41:15.000+02:00
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -1,6 +1,8 @@
 edges
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] |
-| JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
+| JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] |
+| JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
+| JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:32:24:32:33 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:40:24:40:33 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:48:24:48:33 | expression : String |
@@ -20,6 +22,8 @@ edges
 nodes
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | semmle.label | new String(...) : String |
+| JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | semmle.label | bytes : byte[] |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:32:24:32:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:34:28:34:37 | expression | semmle.label | expression |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected
@@ -2,7 +2,8 @@ edges
 | JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code |
 | JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code |
 | JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code |
-| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:75 | getBytes(...) |
+| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:64 | code : String |
+| JythonInjection.java:106:61:106:64 | code : String | JythonInjection.java:106:61:106:75 | getBytes(...) |
 nodes
 | JythonInjection.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JythonInjection.java:36:30:36:33 | code | semmle.label | code |
@@ -11,6 +12,7 @@ nodes
 | JythonInjection.java:73:23:73:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JythonInjection.java:81:35:81:38 | code | semmle.label | code |
 | JythonInjection.java:97:23:97:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JythonInjection.java:106:61:106:64 | code : String | semmle.label | code : String |
 | JythonInjection.java:106:61:106:75 | getBytes(...) | semmle.label | getBytes(...) |
 | JythonInjection.java:131:40:131:63 | getInputStream(...) | semmle.label | getInputStream(...) |
 #select
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
@@ -1,7 +1,8 @@
 edges
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code |
 | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code |
-| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:77 | code : String |
+| RhinoServlet.java:89:74:89:77 | code : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
 | ScriptEngineTest.java:20:44:20:55 | input : String | ScriptEngineTest.java:24:37:24:41 | input |
 | ScriptEngineTest.java:27:51:27:62 | input : String | ScriptEngineTest.java:31:31:31:35 | input |
 | ScriptEngineTest.java:35:58:35:69 | input : String | ScriptEngineTest.java:39:31:39:35 | input |
@@ -26,6 +27,7 @@ nodes
 | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RhinoServlet.java:83:54:83:57 | code | semmle.label | code |
 | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:89:74:89:77 | code : String | semmle.label | code : String |
 | RhinoServlet.java:89:74:89:88 | getBytes(...) | semmle.label | getBytes(...) |
 | ScriptEngineTest.java:20:44:20:55 | input : String | semmle.label | input : String |
 | ScriptEngineTest.java:24:37:24:41 | input | semmle.label | input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected
@@ -1,46 +1,70 @@
 edges
 | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:18:13:18:14 | in : InputStream |
 | SpelInjection.java:18:13:18:14 | in : InputStream | SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] |
-| SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] | SpelInjection.java:23:5:23:14 | expression |
+| SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] | SpelInjection.java:19:31:19:35 | bytes : byte[] |
+| SpelInjection.java:19:20:19:42 | new String(...) : String | SpelInjection.java:23:5:23:14 | expression |
+| SpelInjection.java:19:31:19:35 | bytes : byte[] | SpelInjection.java:19:20:19:42 | new String(...) : String |
 | SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:30:13:30:14 | in : InputStream |
 | SpelInjection.java:30:13:30:14 | in : InputStream | SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] |
-| SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] | SpelInjection.java:34:5:34:14 | expression |
+| SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] | SpelInjection.java:31:31:31:35 | bytes : byte[] |
+| SpelInjection.java:31:20:31:42 | new String(...) : String | SpelInjection.java:34:5:34:14 | expression |
+| SpelInjection.java:31:31:31:35 | bytes : byte[] | SpelInjection.java:31:20:31:42 | new String(...) : String |
 | SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:41:13:41:14 | in : InputStream |
 | SpelInjection.java:41:13:41:14 | in : InputStream | SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] |
-| SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] | SpelInjection.java:48:5:48:14 | expression |
+| SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] | SpelInjection.java:42:31:42:35 | bytes : byte[] |
+| SpelInjection.java:42:20:42:42 | new String(...) : String | SpelInjection.java:48:5:48:14 | expression |
+| SpelInjection.java:42:31:42:35 | bytes : byte[] | SpelInjection.java:42:20:42:42 | new String(...) : String |
 | SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:55:13:55:14 | in : InputStream |
 | SpelInjection.java:55:13:55:14 | in : InputStream | SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] |
-| SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] | SpelInjection.java:59:5:59:14 | expression |
+| SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] | SpelInjection.java:56:31:56:35 | bytes : byte[] |
+| SpelInjection.java:56:20:56:42 | new String(...) : String | SpelInjection.java:59:5:59:14 | expression |
+| SpelInjection.java:56:31:56:35 | bytes : byte[] | SpelInjection.java:56:20:56:42 | new String(...) : String |
 | SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:66:13:66:14 | in : InputStream |
 | SpelInjection.java:66:13:66:14 | in : InputStream | SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] |
-| SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] | SpelInjection.java:70:5:70:14 | expression |
+| SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] | SpelInjection.java:67:31:67:35 | bytes : byte[] |
+| SpelInjection.java:67:20:67:42 | new String(...) : String | SpelInjection.java:70:5:70:14 | expression |
+| SpelInjection.java:67:31:67:35 | bytes : byte[] | SpelInjection.java:67:20:67:42 | new String(...) : String |
 | SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:77:13:77:14 | in : InputStream |
 | SpelInjection.java:77:13:77:14 | in : InputStream | SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] |
-| SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] | SpelInjection.java:83:5:83:14 | expression |
+| SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] | SpelInjection.java:78:31:78:35 | bytes : byte[] |
+| SpelInjection.java:78:20:78:42 | new String(...) : String | SpelInjection.java:83:5:83:14 | expression |
+| SpelInjection.java:78:31:78:35 | bytes : byte[] | SpelInjection.java:78:20:78:42 | new String(...) : String |
 nodes
 | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SpelInjection.java:18:13:18:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjection.java:19:20:19:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjection.java:19:31:19:35 | bytes : byte[] | semmle.label | bytes : byte[] |
 | SpelInjection.java:23:5:23:14 | expression | semmle.label | expression |
 | SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SpelInjection.java:30:13:30:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjection.java:31:20:31:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjection.java:31:31:31:35 | bytes : byte[] | semmle.label | bytes : byte[] |
 | SpelInjection.java:34:5:34:14 | expression | semmle.label | expression |
 | SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SpelInjection.java:41:13:41:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjection.java:42:20:42:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjection.java:42:31:42:35 | bytes : byte[] | semmle.label | bytes : byte[] |
 | SpelInjection.java:48:5:48:14 | expression | semmle.label | expression |
 | SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SpelInjection.java:55:13:55:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjection.java:56:20:56:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjection.java:56:31:56:35 | bytes : byte[] | semmle.label | bytes : byte[] |
 | SpelInjection.java:59:5:59:14 | expression | semmle.label | expression |
 | SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SpelInjection.java:66:13:66:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjection.java:67:20:67:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjection.java:67:31:67:35 | bytes : byte[] | semmle.label | bytes : byte[] |
 | SpelInjection.java:70:5:70:14 | expression | semmle.label | expression |
 | SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SpelInjection.java:77:13:77:14 | in : InputStream | semmle.label | in : InputStream |
 | SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| SpelInjection.java:78:20:78:42 | new String(...) : String | semmle.label | new String(...) : String |
+| SpelInjection.java:78:31:78:35 | bytes : byte[] | semmle.label | bytes : byte[] |
 | SpelInjection.java:83:5:83:14 | expression | semmle.label | expression |
 #select
 | SpelInjection.java:23:5:23:14 | expression | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression | SpEL injection from $@. | SpelInjection.java:15:22:15:44 | getInputStream(...) | this user input |
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
@@ -4,9 +4,14 @@ edges
 | Test.java:29:30:29:42 | args : String[] | Test.java:36:47:36:52 | query1 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:42:57:42:62 | query2 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:50:62:50:67 | query3 |
+| Test.java:29:30:29:42 | args : String[] | Test.java:58:19:58:26 | category : String |
 | Test.java:29:30:29:42 | args : String[] | Test.java:62:47:62:61 | querySbToString |
 | Test.java:29:30:29:42 | args : String[] | Test.java:70:40:70:44 | query |
 | Test.java:29:30:29:42 | args : String[] | Test.java:78:46:78:50 | query |
+| Test.java:58:4:58:10 | querySb [post update] : StringBuilder | Test.java:60:29:60:35 | querySb : StringBuilder |
+| Test.java:58:19:58:26 | category : String | Test.java:58:4:58:10 | querySb [post update] : StringBuilder |
+| Test.java:60:29:60:35 | querySb : StringBuilder | Test.java:60:29:60:46 | toString(...) : String |
+| Test.java:60:29:60:46 | toString(...) : String | Test.java:62:47:62:61 | querySbToString |
 | Test.java:183:33:183:45 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName |
 | Test.java:213:26:213:38 | args : String[] | Test.java:214:11:214:14 | args : String[] |
 | Test.java:213:26:213:38 | args : String[] | Test.java:218:14:218:17 | args : String[] |
@@ -20,6 +25,10 @@ nodes
 | Test.java:36:47:36:52 | query1 | semmle.label | query1 |
 | Test.java:42:57:42:62 | query2 | semmle.label | query2 |
 | Test.java:50:62:50:67 | query3 | semmle.label | query3 |
+| Test.java:58:4:58:10 | querySb [post update] : StringBuilder | semmle.label | querySb [post update] : StringBuilder |
+| Test.java:58:19:58:26 | category : String | semmle.label | category : String |
+| Test.java:60:29:60:35 | querySb : StringBuilder | semmle.label | querySb : StringBuilder |
+| Test.java:60:29:60:46 | toString(...) : String | semmle.label | toString(...) : String |
 | Test.java:62:47:62:61 | querySbToString | semmle.label | querySbToString |
 | Test.java:70:40:70:44 | query | semmle.label | query |
 | Test.java:78:46:78:50 | query | semmle.label | query |
diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected
@@ -1,8 +1,12 @@
 edges
-| Test.java:76:27:76:60 | getProperty(...) : String | Test.java:80:31:80:34 | size |
-| Test.java:76:27:76:60 | getProperty(...) : String | Test.java:86:34:86:37 | size |
+| Test.java:76:27:76:60 | getProperty(...) : String | Test.java:78:37:78:48 | userProperty : String |
+| Test.java:78:37:78:48 | userProperty : String | Test.java:78:37:78:55 | trim(...) : String |
+| Test.java:78:37:78:55 | trim(...) : String | Test.java:80:31:80:34 | size |
+| Test.java:78:37:78:55 | trim(...) : String | Test.java:86:34:86:37 | size |
 nodes
 | Test.java:76:27:76:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:78:37:78:48 | userProperty : String | semmle.label | userProperty : String |
+| Test.java:78:37:78:55 | trim(...) : String | semmle.label | trim(...) : String |
 | Test.java:80:31:80:34 | size | semmle.label | size |
 | Test.java:86:34:86:37 | size | semmle.label | size |
 #select
diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected
@@ -1,7 +1,11 @@
 edges
-| Test.java:14:27:14:60 | getProperty(...) : String | Test.java:19:34:19:38 | index |
+| Test.java:14:27:14:60 | getProperty(...) : String | Test.java:16:38:16:49 | userProperty : String |
+| Test.java:16:38:16:49 | userProperty : String | Test.java:16:38:16:56 | trim(...) : String |
+| Test.java:16:38:16:56 | trim(...) : String | Test.java:19:34:19:38 | index |
 nodes
 | Test.java:14:27:14:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:16:38:16:49 | userProperty : String | semmle.label | userProperty : String |
+| Test.java:16:38:16:56 | trim(...) : String | semmle.label | trim(...) : String |
 | Test.java:19:34:19:38 | index | semmle.label | index |
 #select
 | Test.java:19:34:19:38 | index | Test.java:14:27:14:60 | getProperty(...) : String | Test.java:19:34:19:38 | index | $@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException. | Test.java:14:27:14:60 | getProperty(...) | User-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected
diff --git a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
