
Commit b76873f

Add more test cases
1 parent f0c4b19 commit b76873f


2 files changed

+53
-22
lines changed


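--- a/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeResourceGet.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeResourceGet.java
@@ -2,6 +2,7 @@
 
 import java.io.InputStream;
 import java.io.IOException;
+import java.io.PrintWriter;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.net.URL;
@@ -60,16 +61,49 @@ protected void doGetGood(HttpServletRequest request, HttpServletResponse respons
 }
 }
 
+// GOOD: getResource constructed from `ServletContext` with null check only
+protected void doGetGood2(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+String requestUrl = request.getParameter("requestURL");
+PrintWriter writer = response.getWriter();
+
+ServletConfig cfg = getServletConfig();
+ServletContext sc = cfg.getServletContext();
+
+// A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
+URL url = sc.getResource(requestUrl);
+if (url == null) {
+writer.println("Requested source not found");
+}
+}
+
+// GOOD: getResource constructed from `ServletContext` with `equals` check
+protected void doGetGood3(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+String requestUrl = request.getParameter("requestURL");
+ServletOutputStream out = response.getOutputStream();
+
+ServletContext sc = request.getServletContext();
+
+if (requestUrl.equals("/public/crossdomain.xml")) {
+URL url = sc.getResource(requestUrl);
+
+InputStream in = url.openStream();
+byte[] buf = new byte[4 * 1024]; // 4K buffer
+int bytesRead;
+while ((bytesRead = in.read(buf)) != -1) {
+out.write(buf, 0, bytesRead);
+}
+}
+}
+
 @Override
 // BAD: getResourceAsStream constructed from `ServletContext` without input validation
 protected void doPost(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException {
 String requestPath = request.getParameter("requestPath");
 ServletOutputStream out = response.getOutputStream();
 
-ServletConfig cfg = getServletConfig();
-ServletContext sc = cfg.getServletContext();
-
 // A sample request /fake.jsp/../WEB-INF/web.xml can load the web.xml file
 InputStream in = request.getServletContext().getResourceAsStream(requestPath);
 byte[] buf = new byte[4 * 1024]; // 4K buffer
@@ -85,9 +119,6 @@ protected void doPostGood(HttpServletRequest request, HttpServletResponse respon
 String requestPath = request.getParameter("requestPath");
 ServletOutputStream out = response.getOutputStream();
 
-ServletConfig cfg = getServletConfig();
-ServletContext sc = cfg.getServletContext();
-
 if (!requestPath.contains("..") && requestPath.startsWith("/trusted")) {
 InputStream in = request.getServletContext().getResourceAsStream(requestPath);
 byte[] buf = new byte[4 * 1024]; // 4K buffer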
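Review bot: The header comment on doGetGood2 in the second hunk ("GOOD: ... with null check only") suggests the `url == null` check is what makes the sample safe, but a null check is not input validation: a traversal value like the `/fake.jsp/../WEB-INF/web.xml` sample the comment itself mentions resolves to a non-null URL and passes it. The case is GOOD only because the resolved `url` is never opened or forwarded, which appears to be what the updated .expected results reflect by reporting the `url` use rather than `requestUrl` as the sink; rewording to `// GOOD: getResource constructed from ServletContext, but the resolved URL is never opened; a null check alone is not validation` would make the intent of the test case clear to whoever next adjusts the query. In doGetGood3 the stream from `InputStream in = url.openStream();` is never closed; `try (InputStream in = url.openStream()) {` keeps the sample well-formed, and `"/public/crossdomain.xml".equals(requestUrl)` avoids a NullPointerException when the parameter is absent. The enclosing servlet class starts and ends outside the hunk.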

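--- a/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected
@@ -1,9 +1,9 @@
 edges
 | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path |
-| UnsafeResourceGet.java:24:23:24:56 | getParameter(...) : String | UnsafeResourceGet.java:31:28:31:37 | requestUrl |
-| UnsafeResourceGet.java:67:24:67:58 | getParameter(...) : String | UnsafeResourceGet.java:74:68:74:78 | requestPath |
-| UnsafeResourceGet.java:105:23:105:56 | getParameter(...) : String | UnsafeResourceGet.java:110:36:110:45 | requestUrl |
-| UnsafeResourceGet.java:143:24:143:58 | getParameter(...) : String | UnsafeResourceGet.java:151:68:151:78 | requestPath |
+| UnsafeResourceGet.java:25:23:25:56 | getParameter(...) : String | UnsafeResourceGet.java:34:20:34:22 | url |
+| UnsafeResourceGet.java:104:24:104:58 | getParameter(...) : String | UnsafeResourceGet.java:108:68:108:78 | requestPath |
+| UnsafeResourceGet.java:136:23:136:56 | getParameter(...) : String | UnsafeResourceGet.java:143:20:143:22 | url |
+| UnsafeResourceGet.java:174:24:174:58 | getParameter(...) : String | UnsafeResourceGet.java:182:68:182:78 | requestPath |
 | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL |
 | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL |
 | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path |
@@ -23,14 +23,14 @@ edges
 nodes
 | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
 | UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
-| UnsafeResourceGet.java:24:23:24:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:31:28:31:37 | requestUrl | semmle.label | requestUrl |
-| UnsafeResourceGet.java:67:24:67:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:74:68:74:78 | requestPath | semmle.label | requestPath |
-| UnsafeResourceGet.java:105:23:105:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:110:36:110:45 | requestUrl | semmle.label | requestUrl |
-| UnsafeResourceGet.java:143:24:143:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeResourceGet.java:151:68:151:78 | requestPath | semmle.label | requestPath |
+| UnsafeResourceGet.java:25:23:25:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:34:20:34:22 | url | semmle.label | url |
+| UnsafeResourceGet.java:104:24:104:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:108:68:108:78 | requestPath | semmle.label | requestPath |
+| UnsafeResourceGet.java:136:23:136:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:143:20:143:22 | url | semmle.label | url |
+| UnsafeResourceGet.java:174:24:174:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:182:68:182:78 | requestPath | semmle.label | requestPath |
 | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | semmle.label | returnURL |
 | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -61,10 +61,10 @@ nodes
 subpaths
 #select
 | UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
-| UnsafeResourceGet.java:31:28:31:37 | requestUrl | UnsafeResourceGet.java:24:23:24:56 | getParameter(...) : String | UnsafeResourceGet.java:31:28:31:37 | requestUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:24:23:24:56 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:74:68:74:78 | requestPath | UnsafeResourceGet.java:67:24:67:58 | getParameter(...) : String | UnsafeResourceGet.java:74:68:74:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:67:24:67:58 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:110:36:110:45 | requestUrl | UnsafeResourceGet.java:105:23:105:56 | getParameter(...) : String | UnsafeResourceGet.java:110:36:110:45 | requestUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:105:23:105:56 | getParameter(...) | user-provided value |
-| UnsafeResourceGet.java:151:68:151:78 | requestPath | UnsafeResourceGet.java:143:24:143:58 | getParameter(...) : String | UnsafeResourceGet.java:151:68:151:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:143:24:143:58 | getParameter(...) | user-provided value |
+| UnsafeResourceGet.java:34:20:34:22 | url | UnsafeResourceGet.java:25:23:25:56 | getParameter(...) : String | UnsafeResourceGet.java:34:20:34:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:25:23:25:56 | getParameter(...) | user-provided value |
+| UnsafeResourceGet.java:108:68:108:78 | requestPath | UnsafeResourceGet.java:104:24:104:58 | getParameter(...) : String | UnsafeResourceGet.java:108:68:108:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:104:24:104:58 | getParameter(...) | user-provided value |
+| UnsafeResourceGet.java:143:20:143:22 | url | UnsafeResourceGet.java:136:23:136:56 | getParameter(...) : String | UnsafeResourceGet.java:143:20:143:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:136:23:136:56 | getParameter(...) | user-provided value |
+| UnsafeResourceGet.java:182:68:182:78 | requestPath | UnsafeResourceGet.java:174:24:174:58 | getParameter(...) : String | UnsafeResourceGet.java:182:68:182:78 | requestPath | Potentially untrusted URL forward due to $@. | UnsafeResourceGet.java:174:24:174:58 | getParameter(...) | user-provided value |
 | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) | user-provided value |
 | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) | user-provided value |
 | UnsafeServletRequestDispatch.java:76:53:76:56 | path | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) : String | UnsafeServletRequestDispatch.java:76:53:76:56 | path | Potentially untrusted URL forward due to $@. | UnsafeServletRequestDispatch.java:71:17:71:44 | getParameter(...) | user-provided value |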
