Use InlineExpectationsTest

Author: atorralba

java/ql/test/query-tests/security/CWE-094/MvelInjection.expected

@@ -19,73 +19,72 @@
 import org.mvel2.templates.TemplateCompiler;
 import org.mvel2.templates.TemplateRuntime;
 
-public class MvelInjection {
+public class MvelInjectionTest {
 
   public static void testWithMvelEval(Socket socket) throws IOException {
-    MVEL.eval(read(socket));
+    MVEL.eval(read(socket)); // $hasMvelInjection
   }
 
   public static void testWithMvelCompileAndExecute(Socket socket) throws IOException {
     Serializable expression = MVEL.compileExpression(read(socket));
-    MVEL.executeExpression(expression);
+    MVEL.executeExpression(expression); // $hasMvelInjection
   }
 
   public static void testWithExpressionCompiler(Socket socket) throws IOException {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     ExecutableStatement statement = compiler.compile();
-    statement.getValue(new Object(), new ImmutableDefaultFactory());
-    statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory());
+    statement.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
+    statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
   }
 
   public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     CompiledExpression expression = compiler.compile();
-    expression.getDirectValue(new Object(), new ImmutableDefaultFactory());
+    expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
   }
 
   public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException {
-    CompiledAccExpression expression = new CompiledAccExpression(
-      read(socket).toCharArray(), Object.class, new ParserContext());
-    expression.getValue(new Object(), new ImmutableDefaultFactory());
+    CompiledAccExpression expression =
+        new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext());
+    expression.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
   }
 
   public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception {
     String input = read(socket);
 
     MvelScriptEngine engine = new MvelScriptEngine();
     CompiledScript compiledScript = engine.compile(input);
-    compiledScript.eval();
+    compiledScript.eval(); // $hasMvelInjection
 
     Serializable script = engine.compiledScript(input);
-    engine.evaluate(script, new SimpleScriptContext());
+    engine.evaluate(script, new SimpleScriptContext()); // $hasMvelInjection
   }
 
   public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception {
     MvelScriptEngine engine = new MvelScriptEngine();
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     ExecutableStatement statement = compiler.compile();
     MvelCompiledScript script = new MvelCompiledScript(engine, statement);
-    script.eval(new SimpleScriptContext());
+    script.eval(new SimpleScriptContext()); // $hasMvelInjection
   }
 
   public static void testTemplateRuntimeEval(Socket socket) throws Exception {
-    TemplateRuntime.eval(read(socket), new HashMap());
+    TemplateRuntime.eval(read(socket), new HashMap()); // $hasMvelInjection
   }
 
   public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception {
-    TemplateRuntime.execute(
-      TemplateCompiler.compileTemplate(read(socket)), new HashMap());
+    TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $hasMvelInjection
   }
 
   public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception {
     TemplateCompiler compiler = new TemplateCompiler(read(socket));
-    TemplateRuntime.execute(compiler.compile(), new HashMap());
+    TemplateRuntime.execute(compiler.compile(), new HashMap()); // $hasMvelInjection
   }
 
   public static void testMvelRuntimeExecute(Socket socket) throws Exception {
     ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
     CompiledExpression expression = compiler.compile();
-    MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory());
+    MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
   }
 
   public static String read(Socket socket) throws IOException {

java/ql/test/query-tests/security/CWE-094/MvelInjection.qlref

@@ -0,0 +1,36 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.MvelInjection
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:cwe:mvel-injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof MvelInjectionSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(MvelInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+class HasMvelInjectionTest extends InlineExpectationsTest {
+  HasMvelInjectionTest() { this = "HasMvelInjectionTest" }
+
+  override string getARelevantTag() { result = "hasMvelInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasMvelInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}