Re-structure imports, add some new comments to tests

atorralba · atorralba · commit b37b15cea405 · 2021-05-07T12:33:51.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -11,9 +11,9 @@
  */
 
 import java
-import DataFlow::PathGraph
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.JexlInjection
+import DataFlow::PathGraph
 
 /**
  * A taint-tracking configuration for unsafe user input
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -80,6 +80,7 @@ private module Frameworks {
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
+  private import semmle.code.java.security.JexlInjection
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java
@@ -15,17 +15,17 @@ private static void runJexlExpressionWithSandbox(String jexlExpr) {
         JexlSandbox sandbox = new JexlSandbox(false);
         sandbox.white(SandboxedJexl3.class.getCanonicalName());
         JexlEngine jexl = new JexlBuilder().sandbox(sandbox).create();
-        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlExpression e = jexl.createExpression(jexlExpr); // Safe
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // Safe
     }
 
     private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
         JexlUberspect sandbox = new JexlUberspectSandbox();
         JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
-        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlExpression e = jexl.createExpression(jexlExpr); // Safe
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // Safe
     }
 
     private static JexlBuilder STATIC_JEXL_BUILDER;
@@ -39,7 +39,7 @@ private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
     private static void runJexlExpressionViaJxltEngineWithSandbox(String jexlExpr) {
         JexlEngine jexl = STATIC_JEXL_BUILDER.create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createExpression(jexlExpr).evaluate(new MapContext());
+        jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // Safe
     }
 
     private static class JexlUberspectSandbox implements JexlUberspect {

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ private module Frameworks {`
`80`	`80`	`private import semmle.code.java.security.ResponseSplitting`
`81`	`81`	`private import semmle.code.java.security.XSS`
`82`	`82`	`private import semmle.code.java.security.LdapInjection`
	`83`	`+ private import semmle.code.java.security.JexlInjection`
`83`	`84`	`}`
`84`	`85`
`85`	`86`	`private predicate sourceModelCsv(string row) {`