Apply suggestions from code review

aschackmull · web-flow · commit c5193cf03f18 · 2021-04-19T13:14:56.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -78,6 +78,7 @@ public class MyServlet extends HttpServlet {
         public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
             BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
             String filename = br.readLine();
+            // BAD: construct a file path with user input
             BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
         }
     }
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
@@ -17,15 +17,15 @@ public void unsafeSource(Socket sock) throws Exception {
     SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
     JAXBContext jc = JAXBContext.newInstance(Object.class);
     Unmarshaller um = jc.createUnmarshaller();
-    um.unmarshal(source); //unsafe
+    um.unmarshal(source); // BAD
   }
 
   public void explicitlySafeSource1(Socket sock) throws Exception {
     XMLReader reader = XMLReaderFactory.createXMLReader();
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
-    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
   }
 
   public void createdSafeSource(Socket sock) throws Exception {
@@ -35,7 +35,7 @@ public void createdSafeSource(Socket sock) throws Exception {
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
     XMLReader reader = parser.getXMLReader();
-    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
-    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); // GOOD
+    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ public class MyServlet extends HttpServlet {`
`78`	`78`	`public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {`
`79`	`79`	`BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));`
`80`	`80`	`String filename = br.readLine();`
	`81`	`+ // BAD: construct a file path with user input`
`81`	`82`	`BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));`
`82`	`83`	`}`
`83`	`84`	`}`