Skip to content

Commit

Permalink
Refactor query tests
Browse files Browse the repository at this point in the history
  • Loading branch information
egregius313 committed Apr 14, 2023
1 parent 98c5c15 commit 5103ef7
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 29 deletions.
17 changes: 9 additions & 8 deletions java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql
Original file line number Diff line number Diff line change
@@ -1,30 +1,31 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import TestUtilities.InlineExpectationsTest

class XssConfig extends TaintTracking::Configuration {
XssConfig() { this = "XSSConfig" }
module XssConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }

override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
predicate isBarrier(DataFlow::Node node) { node instanceof XssSanitizer }

override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }

override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(XssAdditionalTaintStep s).step(node1, node2)
}
}

module XssFlow = TaintTracking::Global<XssConfig>;

class XssTest extends InlineExpectationsTest {
XssTest() { this = "XssTest" }

override string getARelevantTag() { result = "xss" }

override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "xss" and
exists(DataFlow::Node sink, XssConfig conf | conf.hasFlowTo(sink) |
exists(DataFlow::Node sink | XssFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,34 +3,34 @@ import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.QueryInjection
import TestUtilities.InlineExpectationsTest

private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }

override predicate isSource(DataFlow::Node src) {
private module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
src.asExpr() = any(MethodAccess ma | ma.getMethod().hasName("source"))
}

override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }

override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or
node.getType() instanceof BoxedType or
node.getType() instanceof NumberType
}

override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
}
}

private module QueryInjectionFlow = TaintTracking::Global<QueryInjectionFlowConfig>;

class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }

override string getARelevantTag() { result = "sqlInjection" }

override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "sqlInjection" and
exists(DataFlow::Node sink, QueryInjectionFlowConfig conf | conf.hasFlowTo(sink) |
exists(DataFlow::Node sink | QueryInjectionFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
Expand Down
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
import semmle.code.java.dataflow.FlowSources

class Conf extends TaintTracking::Configuration {
Conf() { this = "qltest:cwe-089:taintedString" }
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UserInput }

override predicate isSource(DataFlow::Node source) { source instanceof UserInput }

override predicate isSink(DataFlow::Node sink) { any() }
predicate isSink(DataFlow::Node sink) { any() }
}

from Conf conf, Expr tainted, Method method
module Flow = TaintTracking::Global<Config>;

from Expr tainted, Method method
where
conf.hasFlowToExpr(tainted) and
Flow::flowToExpr(tainted) and
tainted.getEnclosingCallable() = method and
tainted.getFile().getStem() = ["Test", "Validation"]
select method, tainted.getLocation().getStartLine() - method.getLocation().getStartLine(), tainted
12 changes: 6 additions & 6 deletions java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql
Original file line number Diff line number Diff line change
Expand Up @@ -4,22 +4,22 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XPath
import TestUtilities.InlineExpectationsTest

class Conf extends TaintTracking::Configuration {
Conf() { this = "test:xml:xpathinjection" }
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
}

module Flow = TaintTracking::Global<Config>;

class HasXPathInjectionTest extends InlineExpectationsTest {
HasXPathInjectionTest() { this = "HasXPathInjectionTest" }

override string getARelevantTag() { result = "hasXPathInjection" }

override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasXPathInjection" and
exists(DataFlow::Node sink, Conf conf | conf.hasFlowTo(sink) |
exists(DataFlow::Node sink | Flow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
Expand Down

0 comments on commit 5103ef7

Please sign in to comment.