Refactor tests to use InlineFlowTest

Author: atorralba

java/ql/test/query-tests/security/CWE-611/DigesterTests.java

@@ -13,7 +13,7 @@ public class DigesterTests {
     public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
         ServletInputStream servletInputStream = request.getInputStream();
         Digester digester = new Digester();
-        digester.parse(servletInputStream); // bad
+        digester.parse(servletInputStream); // $ hasTaintFlow
     }
 
     @PostMapping(value = "good")

java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java

@@ -11,95 +11,97 @@ class DocumentBuilderTests {
   public void unconfiguredParse(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void disableDTD(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //safe
+    builder.parse(sock.getInputStream()); // safe
   }
 
   public void enableSecurityFeature(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
+                                          // insufficient
   }
 
   public void enableSecurityFeature2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
+                                          // insufficient
   }
 
   public void enableDTD(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void disableSecurityFeature(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void disableExternalEntities(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //safe
+    builder.parse(sock.getInputStream()); // safe
   }
 
   public void partialDisableExternalEntities(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void partialDisableExternalEntities2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void misConfigureExternalEntities1(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void misConfigureExternalEntities2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //unsafe
+    builder.parse(sock.getInputStream()); // $ hasTaintFlow
   }
 
   public void taintedSAXInputSource1(Socket sock) throws Exception {
-	DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-	DocumentBuilder builder = factory.newDocumentBuilder();
-	SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
-	builder.parse(source.getInputSource()); //unsafe
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilder builder = factory.newDocumentBuilder();
+    SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
+    builder.parse(source.getInputSource()); // $ hasTaintFlow
   }
 
   public void taintedSAXInputSource2(Socket sock) throws Exception {
-	DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-	DocumentBuilder builder = factory.newDocumentBuilder();
-	StreamSource source = new StreamSource(sock.getInputStream());
-	builder.parse(SAXSource.sourceToInputSource(source)); //unsafe
-	builder.parse(source.getInputStream()); //unsafe
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilder builder = factory.newDocumentBuilder();
+    StreamSource source = new StreamSource(sock.getInputStream());
+    builder.parse(SAXSource.sourceToInputSource(source)); // $ hasTaintFlow
+    builder.parse(source.getInputStream()); // $ hasTaintFlow
   }
 
   private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {
@@ -112,21 +114,22 @@ private static DocumentBuilderFactory getDocumentBuilderFactory() throws Excepti
     return factory;
   }
 
-  private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER = new ThreadLocal<DocumentBuilder>() {
-    @Override
-    protected DocumentBuilder initialValue() {
-      try {
-        DocumentBuilderFactory factory = getDocumentBuilderFactory();
-        return factory.newDocumentBuilder();
-      } catch (Exception ex) {
-        throw new RuntimeException(ex);
-      }
-    }
-  };
+  private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER =
+      new ThreadLocal<DocumentBuilder>() {
+        @Override
+        protected DocumentBuilder initialValue() {
+          try {
+            DocumentBuilderFactory factory = getDocumentBuilderFactory();
+            return factory.newDocumentBuilder();
+          } catch (Exception ex) {
+            throw new RuntimeException(ex);
+          }
+        }
+      };
 
   public void disableExternalEntities2(Socket sock) throws Exception {
     DocumentBuilder builder = XML_DOCUMENT_BUILDER.get();
-    builder.parse(sock.getInputStream()); //safe
+    builder.parse(sock.getInputStream()); // safe
   }
 
 }

java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java

@@ -9,6 +9,6 @@ public class ParserHelperTests {
 
     @PostMapping(value = "bad4")
     public void bad4(HttpServletRequest request) throws Exception {
-        Document document = ParserHelper.loadDocument(request.getInputStream()); // bad
+        Document document = ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow
     }
 }

java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java

@@ -5,18 +5,18 @@ public class SAXBuilderTests {
 
   public void unconfiguredSAXBuilder(Socket sock) throws Exception {
     SAXBuilder builder = new SAXBuilder();
-    builder.build(sock.getInputStream()); //unsafe
+    builder.build(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void safeBuilder(Socket sock) throws Exception {
     SAXBuilder builder = new SAXBuilder();
-    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
-    builder.build(sock.getInputStream()); //safe
+    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    builder.build(sock.getInputStream()); // safe
   }
 
   public void misConfiguredBuilder(Socket sock) throws Exception {
     SAXBuilder builder = new SAXBuilder();
-    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",false);
-    builder.build(sock.getInputStream()); //unsafe
+    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+    builder.build(sock.getInputStream()); // $ hasTaintFlow
   }
 }

java/ql/test/query-tests/security/CWE-611/SAXParserTests.java

@@ -6,78 +6,78 @@
 import org.xml.sax.helpers.DefaultHandler;
 
 public class SAXParserTests {
-  
+
   public void unconfiguredParser(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
-  
+
   public void safeParser(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
   }
-  
+
   public void partialConfiguredParser1(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
-  
+
   public void partialConfiguredParser2(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
-  
+
   public void partialConfiguredParser3(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
-  
+
   public void misConfiguredParser1(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
-  
+
   public void misConfiguredParser2(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
-  
+
   public void misConfiguredParser3(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
   }
 
   public void safeParser2(Socket sock) throws Exception {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     SAXParser parser = factory.newSAXParser();
-    parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
+    parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
   }
 }

java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java

@@ -5,59 +5,59 @@ public class SAXReaderTests {
 
   public void unconfiguredReader(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
-    reader.read(sock.getInputStream()); //unsafe
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void safeReader(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);    
-    reader.read(sock.getInputStream()); //safe
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.read(sock.getInputStream()); // safe
   }
-  
+
   public void partialConfiguredReader1(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    reader.read(sock.getInputStream()); //unsafe
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void partialConfiguredReader2(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);    
-    reader.read(sock.getInputStream()); //unsafe
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void partialConfiguredReader3(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);    
-    reader.read(sock.getInputStream()); //unsafe
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void misConfiguredReader1(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
-    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);    
-    reader.read(sock.getInputStream()); //unsafe
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void misConfiguredReader2(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);    
-    reader.read(sock.getInputStream()); //unsafe
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
-  
+
   public void misConfiguredReader3(Socket sock) throws Exception {
     SAXReader reader = new SAXReader();
     reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);    
-    reader.read(sock.getInputStream()); //unsafe
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
+    reader.read(sock.getInputStream()); // $ hasTaintFlow
   }
 }

java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java

@@ -17,14 +17,14 @@ public void unsafeSource(Socket sock) throws Exception {
     SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
     JAXBContext jc = JAXBContext.newInstance(Object.class);
     Unmarshaller um = jc.createUnmarshaller();
-    um.unmarshal(source); // BAD
+    um.unmarshal(source); // $ hasTaintFlow
   }
 
   public void explicitlySafeSource1(Socket sock) throws Exception {
     XMLReader reader = XMLReaderFactory.createXMLReader();
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
   }