Added tests for SpringHttpInvokerUnsafeDeserialization.ql

Author: artem-smotrakov

java/ql/test/experimental/query-tests/security/CWE-502/SpringHttpInvokerUnsafeDeserialization.expected

@@ -0,0 +1 @@
+| SpringHttpInvokerUnsafeDeserialization.java:9:32:9:37 | unsafe | Unasafe deserialization in a remote service exporter in 'unsafe' method |

java/ql/test/experimental/query-tests/security/CWE-502/SpringHttpInvokerUnsafeDeserialization.java

@@ -0,0 +1,45 @@
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
+
+@Configuration
+public class SpringHttpInvokerUnsafeDeserialization {
+    
+    @Bean(name = "/unsafe")
+    HttpInvokerServiceExporter unsafe() {
+        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceInterface(AccountService.class);
+        return exporter;
+    }
+
+    HttpInvokerServiceExporter notABean() {
+        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceInterface(AccountService.class);
+        return exporter;
+    }
+}
+
+class NotAConfiguration {
+
+    @Bean(name = "/notAnEndpoint")
+    HttpInvokerServiceExporter notAnEndpoint() {
+        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceInterface(AccountService.class);
+        return exporter;
+    }
+}
+
+class AccountServiceImpl implements AccountService {
+
+    @Override
+    public String echo(String data) {
+        return data;
+    }
+}
+
+interface AccountService {
+    String echo(String data);
+}

java/ql/test/experimental/query-tests/security/CWE-502/SpringHttpInvokerUnsafeDeserialization.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-502/SpringHttpInvokerUnsafeDeserialization.ql

java/ql/test/experimental/query-tests/security/CWE-502/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3

java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java

@@ -0,0 +1,10 @@
+package org.springframework.context.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Target;
+
+@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE})
+public @interface Bean {
+
+	String[] name() default {};
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Configuration.java

@@ -0,0 +1,7 @@
+package org.springframework.context.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Target;
+
+@Target(ElementType.TYPE)
+public @interface Configuration {}

java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java

@@ -0,0 +1,8 @@
+package org.springframework.remoting.httpinvoker;
+
+public class HttpInvokerServiceExporter extends org.springframework.remoting.rmi.RemoteInvocationSerializingExporter {
+
+    public void setService(Object service) {}
+
+    public void setServiceInterface(Class clazz) {}
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java

@@ -0,0 +1,5 @@
+package org.springframework.remoting.rmi;
+
+public abstract class RemoteInvocationSerializingExporter {
+    
+}