Convert XSS test to inline expectations

Author: smowton

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected

@@ -1,15 +0,0 @@
-edges
-| XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... |
-| XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... |
-| XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) |
-nodes
-| XSS.java:23:5:23:70 | ... + ... | semmle.label | ... + ... |
-| XSS.java:23:21:23:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| XSS.java:38:30:38:87 | ... + ... | semmle.label | ... + ... |
-| XSS.java:38:67:38:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| XSS.java:41:36:41:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| XSS.java:41:36:41:67 | getBytes(...) | semmle.label | getBytes(...) |
-#select
-| XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value |
-| XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value |
-| XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value |

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java

@@ -20,7 +20,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 	throws ServletException, IOException {
 		// BAD: a request parameter is written directly to the Servlet response stream
 		response.getWriter().print(
-				"The page \"" + request.getParameter("page") + "\" was not found.");
+				"The page \"" + request.getParameter("page") + "\" was not found."); // $xss
 
 		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -35,10 +35,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 				"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
 
 		// BAD: outputting the path of the resource
-		response.getWriter().print("The path section of the URL was " + request.getPathInfo());
+		response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $xss
 
 		// BAD: typical XSS, this time written to an OutputStream instead of a Writer 
-		response.getOutputStream().write(request.getPathInfo().getBytes());
+		response.getOutputStream().write(request.getPathInfo().getBytes()); // $xss
 	}
 
 

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql

@@ -0,0 +1,33 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.XSS
+import TestUtilities.InlineExpectationsTest
+
+class XSSConfig extends TaintTracking::Configuration {
+  XSSConfig() { this = "XSSConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(XssAdditionalTaintStep s).step(node1, node2)
+  }
+}
+
+class XssTest extends InlineExpectationsTest {
+  XssTest() { this = "XssTest" }
+
+  override string getARelevantTag() { result = ["xss"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "xss" and
+    exists(DataFlow::Node src, DataFlow::Node sink, XSSConfig conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}