Fix imports and stubs so that tests pass

Author: atorralba

java/change-notes/2021-04-26-xpath-injection-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "XPath injection" (`java/xml/xpath-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @SpaceWhite](https://github.com/github/codeql/pull/2800)

java/ql/src/semmle/code/java/security/XPath.qll

@@ -13,7 +13,7 @@ class XPath extends RefType {
   XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
 }
 
-/** A call to `XPath.Evaluate` or `XPath.compile` */
+/** A call to `XPath.evaluate` or `XPath.compile` */
 class XPathEvaluateOrCompile extends XPathSink {
   XPathEvaluateOrCompile() {
     exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof XPath |
@@ -24,9 +24,13 @@ class XPathEvaluateOrCompile extends XPathSink {
   override Expr getSink() { result = this.getArgument(0) }
 }
 
-/** The class `org.dom4j.Node` */
+/** Any class extending or implementing `org.dom4j.Node` */
 class Dom4JNode extends RefType {
-  Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
+  Dom4JNode() {
+    exists(Interface node | node.hasQualifiedName("org.dom4j", "Node") |
+      this.extendsOrImplements*(node)
+    )
+  }
 }
 
 /** A call to `Node.selectNodes` or `Node.selectSingleNode` */

java/ql/test/experimental/query-tests/security/CWE-643/A.java

@@ -1,22 +1,16 @@
-import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
+import java.io.ByteArrayInputStream;
+import java.io.StringReader;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpression;
-import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 
-import java.io.BufferedInputStream;
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.io.StringReader;
-
-import javax.servlet.http.HttpServletRequest;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
 
 public class A {
     public void handle(HttpServletRequest request) throws Exception {
@@ -34,17 +28,13 @@ public void handle(HttpServletRequest request) throws Exception {
         String user = request.getParameter("user");
         String pass = request.getParameter("pass");
         if (user != null && pass != null) {
-            boolean isExist = false;
-
             // Bad expression
             String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
-            isExist = (boolean) xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
-            System.out.println(isExist);
+            xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
 
             // Bad expression
             XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            isExist = (boolean) expression2.evaluate(doc, XPathConstants.BOOLEAN);
-            System.out.println(isExist);
+            expression2.evaluate(doc, XPathConstants.BOOLEAN);
 
             // Bad expression
             StringBuffer sb = new StringBuffer("/users/user[@name=");
@@ -54,8 +44,7 @@ public void handle(HttpServletRequest request) throws Exception {
             sb.append("']");
             String query = sb.toString();
             XPathExpression expression3 = xpath.compile(query); // $hasXPathInjection
-            isExist = (boolean) expression3.evaluate(doc, XPathConstants.BOOLEAN);
-            System.out.println(isExist);
+            expression3.evaluate(doc, XPathConstants.BOOLEAN);
 
             // Good expression
             String expression4 = "/users/user[@name=$user and @pass=$pass]";
@@ -69,13 +58,12 @@ public void handle(HttpServletRequest request) throws Exception {
                     throw new IllegalArgumentException();
                 }
             });
-            isExist = (boolean) xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);
-            System.out.println(isExist);
+            xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
 
             // Bad Dom4j
             org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
             org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
-            isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") // $hasXPathInjection
+            document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") // $hasXPathInjection
                     .hasContent();
             document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         }

java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Branch.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+ * Adapted from DOM4J version 2.1.1 as available at
+ *   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+ * Only relevant stubs of this file have been retained for test purposes.
+ */
+
+package org.dom4j;
+
+public interface Branch extends Node {
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact [email protected].
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */

java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java

@@ -15,7 +15,7 @@
 
 import java.util.List;
 
-public interface Document {
+public interface Document extends Branch {
 
     public Node selectSingleNode(String xpathExpression);