diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index b16770c222b8..e10c6cebaf63 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -323,6 +323,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) } predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation() + } } module UnsafeDeserializationFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll index 767ebc97437b..ba65e13dd611 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll @@ -47,18 +47,6 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig { node instanceof SimpleTypeSanitizer or node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod } - - predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp | - regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp() - | - result = sink.getLocation() - or - result = regexp.getLocation() - ) - } } module PolynomialRedosFlow = TaintTracking::Global; diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected index e69de29bb2d1..aee29733bca4 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected @@ -0,0 +1,474 @@ +#select +| TaintedPath.java:16:71:16:78 | filename | TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | TaintedPath.java:16:71:16:78 | filename | This path depends on a $@. | TaintedPath.java:13:58:13:78 | getInputStream(...) | user-provided value | +| Test.java:37:52:37:68 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:37:52:37:68 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:39:32:39:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:39:32:39:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:41:47:41:63 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:41:47:41:63 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:43:10:43:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:43:10:43:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:45:10:45:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:45:10:45:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:47:10:47:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:47:10:47:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:49:10:49:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:49:10:49:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:51:39:51:53 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:51:39:51:53 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:53:10:53:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:53:10:53:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:55:10:55:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:55:10:55:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:57:10:57:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:57:10:57:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:59:10:59:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:59:10:59:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:61:10:61:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:61:10:61:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:63:10:63:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:63:10:63:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:65:10:65:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:65:10:65:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:67:10:67:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:67:10:67:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:69:31:69:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:69:31:69:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:71:10:71:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:71:10:71:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:73:10:73:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:73:10:73:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:75:10:75:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:75:10:75:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:77:10:77:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:77:10:77:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:79:10:79:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:79:10:79:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:81:10:81:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:81:10:81:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:83:31:83:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:83:31:83:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:85:29:85:43 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:85:29:85:43 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:87:29:87:53 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:87:29:87:53 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:89:29:89:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:89:29:89:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:91:24:91:38 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:91:24:91:38 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:93:24:93:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:93:24:93:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:95:24:95:38 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:95:24:95:38 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:97:24:97:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:97:24:97:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:99:24:99:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:99:24:99:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:101:20:101:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:101:20:101:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:102:20:102:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:102:20:102:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:104:33:104:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:104:33:104:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:105:40:105:54 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:105:40:105:54 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:107:33:107:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:107:33:107:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:109:31:109:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:109:31:109:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:111:26:111:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:111:26:111:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:113:26:113:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:113:26:113:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:115:34:115:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:115:34:115:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:117:35:117:49 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:117:35:117:49 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:119:30:119:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:119:30:119:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:121:22:121:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:121:22:121:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:123:30:123:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:123:30:123:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:125:21:125:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:125:21:125:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:127:26:127:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:127:26:127:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:129:33:129:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:129:33:129:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:131:33:131:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:131:33:131:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:132:33:132:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:132:33:132:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:134:31:134:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:134:31:134:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:136:21:136:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:136:21:136:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:137:21:137:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:137:21:137:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:138:21:138:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:138:21:138:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:140:27:140:41 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:140:27:140:41 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:141:27:141:41 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:141:27:141:41 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:143:26:143:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:143:26:143:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:145:35:145:49 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:145:35:145:49 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:147:41:147:57 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:147:41:147:57 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:149:45:149:61 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:149:45:149:61 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:151:43:151:57 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:151:43:151:57 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:153:28:153:42 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:153:28:153:42 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:155:41:155:55 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:155:41:155:55 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:160:30:160:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:160:30:160:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:162:40:162:81 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:162:40:162:81 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:164:34:164:75 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:164:34:164:75 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:166:34:166:75 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:166:34:166:75 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:168:23:168:37 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:168:23:168:37 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:181:23:181:37 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:181:23:181:37 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:186:23:186:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:186:23:186:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:188:20:188:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:188:20:188:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:190:21:190:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:190:21:190:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:192:22:192:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:192:22:192:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:197:20:197:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:197:20:197:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:199:19:199:33 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:199:19:199:33 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +| Test.java:204:20:204:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:204:20:204:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value | +edges +| TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | provenance | | +| TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | provenance | MaD:74 | +| TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:72 MaD:76 | +| TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | TaintedPath.java:14:27:14:51 | readLine(...) : String | provenance | MaD:75 | +| TaintedPath.java:14:27:14:51 | readLine(...) : String | TaintedPath.java:16:71:16:78 | filename | provenance | Sink:MaD:27 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:37:61:37:68 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:39:41:39:48 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:41:56:41:63 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:43:17:43:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:45:17:45:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:47:17:47:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:49:17:49:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:51:46:51:53 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:53:17:53:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:55:17:55:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:57:17:57:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:59:17:59:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:61:17:61:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:63:17:63:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:65:17:65:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:67:17:67:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:69:38:69:45 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:71:17:71:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:73:17:73:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:75:17:75:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:77:17:77:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:79:17:79:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:81:17:81:24 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:83:38:83:45 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:85:36:85:43 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:87:46:87:53 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:89:38:89:45 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:91:31:91:38 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:93:41:93:48 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:95:31:95:38 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:97:33:97:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:99:33:99:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:101:27:101:34 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:102:27:102:34 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:104:40:104:47 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:105:47:105:54 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:107:40:107:47 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:109:38:109:45 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:111:33:111:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:113:33:113:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:115:41:115:48 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:117:42:117:49 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:119:37:119:44 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:121:29:121:36 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:123:37:123:44 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:125:28:125:35 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:127:33:127:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:129:40:129:47 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:131:40:131:47 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:132:40:132:47 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:134:38:134:45 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:136:28:136:35 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:137:28:137:35 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:138:28:138:35 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:140:34:140:41 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:141:34:141:41 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:143:33:143:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:145:42:145:49 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:147:50:147:57 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:149:54:149:61 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:151:50:151:57 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:153:35:153:42 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:155:48:155:55 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:160:37:160:44 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:162:74:162:81 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:164:68:164:75 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:166:68:166:75 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:168:30:168:37 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:181:30:181:37 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:186:33:186:40 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:188:27:188:34 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:190:28:190:35 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:192:29:192:36 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:197:27:197:34 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:199:26:199:33 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:204:29:204:36 | source(...) : String | provenance | Src:MaD:73 | +| Test.java:37:61:37:68 | source(...) : String | Test.java:37:52:37:68 | (...)... | provenance | Sink:MaD:31 | +| Test.java:39:41:39:48 | source(...) : String | Test.java:39:32:39:48 | (...)... | provenance | Sink:MaD:29 | +| Test.java:41:56:41:63 | source(...) : String | Test.java:41:47:41:63 | (...)... | provenance | Sink:MaD:30 | +| Test.java:43:17:43:24 | source(...) : String | Test.java:43:10:43:24 | (...)... | provenance | Sink:MaD:1 | +| Test.java:45:17:45:24 | source(...) : String | Test.java:45:10:45:24 | (...)... | provenance | Sink:MaD:2 | +| Test.java:47:17:47:24 | source(...) : String | Test.java:47:10:47:24 | (...)... | provenance | Sink:MaD:3 | +| Test.java:49:17:49:24 | source(...) : String | Test.java:49:10:49:24 | (...)... | provenance | Sink:MaD:4 | +| Test.java:51:46:51:53 | source(...) : String | Test.java:51:39:51:53 | (...)... | provenance | Sink:MaD:5 | +| Test.java:53:17:53:24 | source(...) : String | Test.java:53:10:53:24 | (...)... | provenance | Sink:MaD:6 | +| Test.java:55:17:55:24 | source(...) : String | Test.java:55:10:55:24 | (...)... | provenance | Sink:MaD:7 | +| Test.java:57:17:57:24 | source(...) : String | Test.java:57:10:57:24 | (...)... | provenance | Sink:MaD:8 | +| Test.java:59:17:59:24 | source(...) : String | Test.java:59:10:59:24 | (...)... | provenance | Sink:MaD:9 | +| Test.java:61:17:61:24 | source(...) : String | Test.java:61:10:61:24 | (...)... | provenance | Sink:MaD:10 | +| Test.java:63:17:63:24 | source(...) : String | Test.java:63:10:63:24 | (...)... | provenance | Sink:MaD:11 | +| Test.java:65:17:65:24 | source(...) : String | Test.java:65:10:65:24 | (...)... | provenance | Sink:MaD:12 | +| Test.java:67:17:67:24 | source(...) : String | Test.java:67:10:67:24 | (...)... | provenance | Sink:MaD:13 | +| Test.java:69:38:69:45 | source(...) : String | Test.java:69:31:69:45 | (...)... | provenance | Sink:MaD:14 | +| Test.java:71:17:71:24 | source(...) : String | Test.java:71:10:71:24 | (...)... | provenance | Sink:MaD:15 | +| Test.java:73:17:73:24 | source(...) : String | Test.java:73:10:73:24 | (...)... | provenance | Sink:MaD:16 | +| Test.java:75:17:75:24 | source(...) : String | Test.java:75:10:75:24 | (...)... | provenance | Sink:MaD:17 | +| Test.java:77:17:77:24 | source(...) : String | Test.java:77:10:77:24 | (...)... | provenance | Sink:MaD:19 | +| Test.java:79:17:79:24 | source(...) : String | Test.java:79:10:79:24 | (...)... | provenance | Sink:MaD:18 | +| Test.java:81:17:81:24 | source(...) : String | Test.java:81:10:81:24 | (...)... | provenance | Sink:MaD:20 | +| Test.java:83:38:83:45 | source(...) : String | Test.java:83:31:83:45 | (...)... | provenance | Sink:MaD:14 | +| Test.java:85:36:85:43 | source(...) : String | Test.java:85:29:85:43 | (...)... | provenance | Sink:MaD:21 | +| Test.java:87:46:87:53 | source(...) : String | Test.java:87:29:87:53 | (...)... | provenance | Sink:MaD:22 | +| Test.java:89:38:89:45 | source(...) : String | Test.java:89:29:89:45 | (...)... | provenance | Sink:MaD:23 | +| Test.java:91:31:91:38 | source(...) : String | Test.java:91:24:91:38 | (...)... | provenance | Sink:MaD:24 | +| Test.java:93:41:93:48 | source(...) : String | Test.java:93:24:93:48 | (...)... | provenance | Sink:MaD:26 | +| Test.java:95:31:95:38 | source(...) : String | Test.java:95:24:95:38 | (...)... | provenance | Sink:MaD:25 | +| Test.java:97:33:97:40 | source(...) : String | Test.java:97:24:97:40 | (...)... | provenance | Sink:MaD:27 | +| Test.java:99:33:99:40 | source(...) : String | Test.java:99:24:99:40 | (...)... | provenance | Sink:MaD:28 | +| Test.java:101:27:101:34 | source(...) : String | Test.java:101:20:101:34 | (...)... | provenance | Sink:MaD:34 | +| Test.java:102:27:102:34 | source(...) : String | Test.java:102:20:102:34 | (...)... | provenance | Sink:MaD:33 | +| Test.java:104:40:104:47 | source(...) : String | Test.java:104:33:104:47 | (...)... | provenance | Sink:MaD:35 | +| Test.java:105:47:105:54 | source(...) : String | Test.java:105:40:105:54 | (...)... | provenance | Sink:MaD:32 | +| Test.java:107:40:107:47 | source(...) : String | Test.java:107:33:107:47 | (...)... | provenance | Sink:MaD:36 | +| Test.java:109:38:109:45 | source(...) : String | Test.java:109:31:109:45 | (...)... | provenance | Sink:MaD:37 | +| Test.java:111:33:111:40 | source(...) : String | Test.java:111:26:111:40 | (...)... | provenance | Sink:MaD:38 | +| Test.java:113:33:113:40 | source(...) : String | Test.java:113:26:113:40 | (...)... | provenance | Sink:MaD:39 | +| Test.java:115:41:115:48 | source(...) : String | Test.java:115:34:115:48 | (...)... | provenance | Sink:MaD:40 | +| Test.java:117:42:117:49 | source(...) : String | Test.java:117:35:117:49 | (...)... | provenance | Sink:MaD:41 | +| Test.java:119:37:119:44 | source(...) : String | Test.java:119:30:119:44 | (...)... | provenance | Sink:MaD:42 | +| Test.java:121:29:121:36 | source(...) : String | Test.java:121:22:121:36 | (...)... | provenance | Sink:MaD:43 | +| Test.java:123:37:123:44 | source(...) : String | Test.java:123:30:123:44 | (...)... | provenance | Sink:MaD:44 | +| Test.java:125:28:125:35 | source(...) : String | Test.java:125:21:125:35 | (...)... | provenance | Sink:MaD:45 | +| Test.java:127:33:127:40 | source(...) : String | Test.java:127:26:127:40 | (...)... | provenance | Sink:MaD:46 | +| Test.java:129:40:129:47 | source(...) : String | Test.java:129:33:129:47 | (...)... | provenance | Sink:MaD:47 | +| Test.java:131:40:131:47 | source(...) : String | Test.java:131:33:131:47 | (...)... | provenance | Sink:MaD:48 | +| Test.java:132:40:132:47 | source(...) : String | Test.java:132:33:132:47 | (...)... | provenance | Sink:MaD:48 | +| Test.java:134:38:134:45 | source(...) : String | Test.java:134:31:134:45 | (...)... | provenance | Sink:MaD:49 | +| Test.java:136:28:136:35 | source(...) : String | Test.java:136:21:136:35 | (...)... | provenance | Sink:MaD:50 | +| Test.java:137:28:137:35 | source(...) : String | Test.java:137:21:137:35 | (...)... | provenance | Sink:MaD:50 | +| Test.java:138:28:138:35 | source(...) : String | Test.java:138:21:138:35 | (...)... | provenance | Sink:MaD:50 | +| Test.java:140:34:140:41 | source(...) : String | Test.java:140:27:140:41 | (...)... | provenance | Sink:MaD:51 | +| Test.java:141:34:141:41 | source(...) : String | Test.java:141:27:141:41 | (...)... | provenance | Sink:MaD:51 | +| Test.java:143:33:143:40 | source(...) : String | Test.java:143:26:143:40 | (...)... | provenance | Sink:MaD:52 | +| Test.java:145:42:145:49 | source(...) : String | Test.java:145:35:145:49 | (...)... | provenance | Sink:MaD:53 | +| Test.java:147:50:147:57 | source(...) : String | Test.java:147:41:147:57 | (...)... | provenance | Sink:MaD:65 | +| Test.java:149:54:149:61 | source(...) : String | Test.java:149:45:149:61 | (...)... | provenance | Sink:MaD:66 | +| Test.java:151:50:151:57 | source(...) : String | Test.java:151:43:151:57 | (...)... | provenance | Sink:MaD:71 | +| Test.java:153:35:153:42 | source(...) : String | Test.java:153:28:153:42 | (...)... | provenance | Sink:MaD:69 | +| Test.java:155:48:155:55 | source(...) : String | Test.java:155:41:155:55 | (...)... | provenance | Sink:MaD:70 | +| Test.java:160:37:160:44 | source(...) : String | Test.java:160:30:160:44 | (...)... | provenance | Sink:MaD:63 | +| Test.java:162:74:162:81 | source(...) : String | Test.java:162:40:162:81 | (...)... | provenance | Sink:MaD:60 | +| Test.java:164:68:164:75 | source(...) : String | Test.java:164:34:164:75 | (...)... | provenance | Sink:MaD:62 | +| Test.java:166:68:166:75 | source(...) : String | Test.java:166:34:166:75 | (...)... | provenance | Sink:MaD:61 | +| Test.java:168:30:168:37 | source(...) : String | Test.java:168:23:168:37 | (...)... | provenance | Sink:MaD:67 | +| Test.java:181:30:181:37 | source(...) : String | Test.java:181:23:181:37 | (...)... | provenance | Sink:MaD:64 | +| Test.java:186:33:186:40 | source(...) : String | Test.java:186:23:186:40 | (...)... | provenance | Sink:MaD:54 | +| Test.java:188:27:188:34 | source(...) : String | Test.java:188:20:188:34 | (...)... | provenance | Sink:MaD:55 | +| Test.java:190:28:190:35 | source(...) : String | Test.java:190:21:190:35 | (...)... | provenance | Sink:MaD:56 | +| Test.java:192:29:192:36 | source(...) : String | Test.java:192:22:192:36 | (...)... | provenance | Sink:MaD:57 | +| Test.java:197:27:197:34 | source(...) : String | Test.java:197:20:197:34 | (...)... | provenance | Sink:MaD:58 | +| Test.java:199:26:199:33 | source(...) : String | Test.java:199:19:199:33 | (...)... | provenance | Sink:MaD:59 | +| Test.java:204:29:204:36 | source(...) : String | Test.java:204:20:204:36 | (...)... | provenance | Sink:MaD:68 | +models +| 1 | Sink: java.io; File; true; canExecute; (); ; Argument[this]; path-injection; manual | +| 2 | Sink: java.io; File; true; canRead; (); ; Argument[this]; path-injection; manual | +| 3 | Sink: java.io; File; true; canWrite; (); ; Argument[this]; path-injection; manual | +| 4 | Sink: java.io; File; true; createNewFile; (); ; Argument[this]; path-injection; ai-manual | +| 5 | Sink: java.io; File; true; createTempFile; (String,String,File); ; Argument[2]; path-injection; ai-manual | +| 6 | Sink: java.io; File; true; delete; (); ; Argument[this]; path-injection; manual | +| 7 | Sink: java.io; File; true; deleteOnExit; (); ; Argument[this]; path-injection; manual | +| 8 | Sink: java.io; File; true; exists; (); ; Argument[this]; path-injection; manual | +| 9 | Sink: java.io; File; true; isDirectory; (); ; Argument[this]; path-injection; manual | +| 10 | Sink: java.io; File; true; isFile; (); ; Argument[this]; path-injection; manual | +| 11 | Sink: java.io; File; true; isHidden; (); ; Argument[this]; path-injection; manual | +| 12 | Sink: java.io; File; true; mkdir; (); ; Argument[this]; path-injection; manual | +| 13 | Sink: java.io; File; true; mkdirs; (); ; Argument[this]; path-injection; manual | +| 14 | Sink: java.io; File; true; renameTo; (File); ; Argument[0]; path-injection; ai-manual | +| 15 | Sink: java.io; File; true; renameTo; (File); ; Argument[this]; path-injection; ai-manual | +| 16 | Sink: java.io; File; true; setExecutable; ; ; Argument[this]; path-injection; manual | +| 17 | Sink: java.io; File; true; setLastModified; ; ; Argument[this]; path-injection; manual | +| 18 | Sink: java.io; File; true; setReadOnly; ; ; Argument[this]; path-injection; manual | +| 19 | Sink: java.io; File; true; setReadable; ; ; Argument[this]; path-injection; manual | +| 20 | Sink: java.io; File; true; setWritable; ; ; Argument[this]; path-injection; manual | +| 21 | Sink: java.io; FileInputStream; true; FileInputStream; (File); ; Argument[0]; path-injection; ai-manual | +| 22 | Sink: java.io; FileInputStream; true; FileInputStream; (FileDescriptor); ; Argument[0]; path-injection; manual | +| 23 | Sink: java.io; FileInputStream; true; FileInputStream; (String); ; Argument[0]; path-injection; ai-manual | +| 24 | Sink: java.io; FileReader; true; FileReader; (File); ; Argument[0]; path-injection; ai-manual | +| 25 | Sink: java.io; FileReader; true; FileReader; (File,Charset); ; Argument[0]; path-injection; manual | +| 26 | Sink: java.io; FileReader; true; FileReader; (FileDescriptor); ; Argument[0]; path-injection; manual | +| 27 | Sink: java.io; FileReader; true; FileReader; (String); ; Argument[0]; path-injection; ai-manual | +| 28 | Sink: java.io; FileReader; true; FileReader; (String,Charset); ; Argument[0]; path-injection; manual | +| 29 | Sink: java.lang; Class; false; getResource; (String); ; Argument[0]; path-injection; ai-manual | +| 30 | Sink: java.lang; ClassLoader; true; getSystemResourceAsStream; (String); ; Argument[0]; path-injection; ai-manual | +| 31 | Sink: java.lang; Module; true; getResourceAsStream; (String); ; Argument[0]; path-injection; ai-manual | +| 32 | Sink: java.nio.file; Files; false; copy; (InputStream,Path,CopyOption[]); ; Argument[1]; path-injection; manual | +| 33 | Sink: java.nio.file; Files; false; copy; (Path,OutputStream); ; Argument[0]; path-injection; manual | +| 34 | Sink: java.nio.file; Files; false; copy; (Path,Path,CopyOption[]); ; Argument[0]; path-injection; manual | +| 35 | Sink: java.nio.file; Files; false; copy; (Path,Path,CopyOption[]); ; Argument[1]; path-injection; manual | +| 36 | Sink: java.nio.file; Files; false; createDirectories; ; ; Argument[0]; path-injection; manual | +| 37 | Sink: java.nio.file; Files; false; createDirectory; ; ; Argument[0]; path-injection; manual | +| 38 | Sink: java.nio.file; Files; false; createFile; ; ; Argument[0]; path-injection; manual | +| 39 | Sink: java.nio.file; Files; false; createLink; ; ; Argument[0]; path-injection; manual | +| 40 | Sink: java.nio.file; Files; false; createSymbolicLink; ; ; Argument[0]; path-injection; manual | +| 41 | Sink: java.nio.file; Files; false; createTempDirectory; (Path,String,FileAttribute[]); ; Argument[0]; path-injection; manual | +| 42 | Sink: java.nio.file; Files; false; createTempFile; (Path,String,String,FileAttribute[]); ; Argument[0]; path-injection; manual | +| 43 | Sink: java.nio.file; Files; false; delete; (Path); ; Argument[0]; path-injection; ai-manual | +| 44 | Sink: java.nio.file; Files; false; deleteIfExists; (Path); ; Argument[0]; path-injection; ai-manual | +| 45 | Sink: java.nio.file; Files; false; lines; (Path,Charset); ; Argument[0]; path-injection; ai-manual | +| 46 | Sink: java.nio.file; Files; false; move; ; ; Argument[1]; path-injection; manual | +| 47 | Sink: java.nio.file; Files; false; newBufferedReader; (Path,Charset); ; Argument[0]; path-injection; ai-manual | +| 48 | Sink: java.nio.file; Files; false; newBufferedWriter; ; ; Argument[0]; path-injection; manual | +| 49 | Sink: java.nio.file; Files; false; newOutputStream; ; ; Argument[0]; path-injection; manual | +| 50 | Sink: java.nio.file; Files; false; write; ; ; Argument[0]; path-injection; manual | +| 51 | Sink: java.nio.file; Files; false; writeString; ; ; Argument[0]; path-injection; manual | +| 52 | Sink: javax.xml.transform.stream; StreamResult; true; StreamResult; (File); ; Argument[0]; path-injection; ai-manual | +| 53 | Sink: org.apache.commons.io; FileUtils; true; openInputStream; (File); ; Argument[0]; path-injection; ai-manual | +| 54 | Sink: org.apache.tools.ant.taskdefs; Copy; true; addFileset; (FileSet); ; Argument[0]; path-injection; ai-manual | +| 55 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setFile; (File); ; Argument[0]; path-injection; ai-manual | +| 56 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setTodir; (File); ; Argument[0]; path-injection; ai-manual | +| 57 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setTofile; (File); ; Argument[0]; path-injection; ai-manual | +| 58 | Sink: org.apache.tools.ant.taskdefs; Expand; true; setDest; (File); ; Argument[0]; path-injection; ai-manual | +| 59 | Sink: org.apache.tools.ant.taskdefs; Expand; true; setSrc; (File); ; Argument[0]; path-injection; ai-manual | +| 60 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (ClassLoader,Project,Path,boolean); ; Argument[2]; path-injection; ai-manual | +| 61 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (Project,Path); ; Argument[1]; path-injection; ai-manual | +| 62 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (Project,Path,boolean); ; Argument[1]; path-injection; ai-manual | +| 63 | Sink: org.apache.tools.ant; AntClassLoader; true; addPathComponent; (File); ; Argument[0]; path-injection; ai-manual | +| 64 | Sink: org.apache.tools.ant; DirectoryScanner; true; setBasedir; (File); ; Argument[0]; path-injection; ai-manual | +| 65 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[1]; path-injection; ai-manual | +| 66 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[2]; path-injection; ai-manual | +| 67 | Sink: org.kohsuke.stapler.framework.io; LargeText; true; LargeText; (File,Charset,boolean,boolean); ; Argument[0]; path-injection; ai-manual | +| 68 | Sink: org.openjdk.jmh.runner.options; ChainedOptionsBuilder; true; result; (String); ; Argument[0]; path-injection; ai-manual | +| 69 | Sink: org.springframework.util; FileCopyUtils; false; copy; (File,File); ; Argument[0]; path-injection; manual | +| 70 | Sink: org.springframework.util; FileCopyUtils; false; copy; (File,File); ; Argument[1]; path-injection; manual | +| 71 | Sink: org.springframework.util; FileCopyUtils; false; copy; (byte[],File); ; Argument[1]; path-injection; manual | +| 72 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 73 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 74 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 75 | Summary: java.io; BufferedReader; true; readLine; ; ; Argument[this]; ReturnValue; taint; manual | +| 76 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader | +| TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader | +| TaintedPath.java:14:27:14:51 | readLine(...) : String | semmle.label | readLine(...) : String | +| TaintedPath.java:16:71:16:78 | filename | semmle.label | filename | +| Test.java:32:16:32:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| Test.java:37:52:37:68 | (...)... | semmle.label | (...)... | +| Test.java:37:61:37:68 | source(...) : String | semmle.label | source(...) : String | +| Test.java:39:32:39:48 | (...)... | semmle.label | (...)... | +| Test.java:39:41:39:48 | source(...) : String | semmle.label | source(...) : String | +| Test.java:41:47:41:63 | (...)... | semmle.label | (...)... | +| Test.java:41:56:41:63 | source(...) : String | semmle.label | source(...) : String | +| Test.java:43:10:43:24 | (...)... | semmle.label | (...)... | +| Test.java:43:17:43:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:45:10:45:24 | (...)... | semmle.label | (...)... | +| Test.java:45:17:45:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:47:10:47:24 | (...)... | semmle.label | (...)... | +| Test.java:47:17:47:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:49:10:49:24 | (...)... | semmle.label | (...)... | +| Test.java:49:17:49:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:51:39:51:53 | (...)... | semmle.label | (...)... | +| Test.java:51:46:51:53 | source(...) : String | semmle.label | source(...) : String | +| Test.java:53:10:53:24 | (...)... | semmle.label | (...)... | +| Test.java:53:17:53:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:55:10:55:24 | (...)... | semmle.label | (...)... | +| Test.java:55:17:55:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:57:10:57:24 | (...)... | semmle.label | (...)... | +| Test.java:57:17:57:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:59:10:59:24 | (...)... | semmle.label | (...)... | +| Test.java:59:17:59:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:61:10:61:24 | (...)... | semmle.label | (...)... | +| Test.java:61:17:61:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:63:10:63:24 | (...)... | semmle.label | (...)... | +| Test.java:63:17:63:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:65:10:65:24 | (...)... | semmle.label | (...)... | +| Test.java:65:17:65:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:67:10:67:24 | (...)... | semmle.label | (...)... | +| Test.java:67:17:67:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:69:31:69:45 | (...)... | semmle.label | (...)... | +| Test.java:69:38:69:45 | source(...) : String | semmle.label | source(...) : String | +| Test.java:71:10:71:24 | (...)... | semmle.label | (...)... | +| Test.java:71:17:71:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:73:10:73:24 | (...)... | semmle.label | (...)... | +| Test.java:73:17:73:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:75:10:75:24 | (...)... | semmle.label | (...)... | +| Test.java:75:17:75:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:77:10:77:24 | (...)... | semmle.label | (...)... | +| Test.java:77:17:77:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:79:10:79:24 | (...)... | semmle.label | (...)... | +| Test.java:79:17:79:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:81:10:81:24 | (...)... | semmle.label | (...)... | +| Test.java:81:17:81:24 | source(...) : String | semmle.label | source(...) : String | +| Test.java:83:31:83:45 | (...)... | semmle.label | (...)... | +| Test.java:83:38:83:45 | source(...) : String | semmle.label | source(...) : String | +| Test.java:85:29:85:43 | (...)... | semmle.label | (...)... | +| Test.java:85:36:85:43 | source(...) : String | semmle.label | source(...) : String | +| Test.java:87:29:87:53 | (...)... | semmle.label | (...)... | +| Test.java:87:46:87:53 | source(...) : String | semmle.label | source(...) : String | +| Test.java:89:29:89:45 | (...)... | semmle.label | (...)... | +| Test.java:89:38:89:45 | source(...) : String | semmle.label | source(...) : String | +| Test.java:91:24:91:38 | (...)... | semmle.label | (...)... | +| Test.java:91:31:91:38 | source(...) : String | semmle.label | source(...) : String | +| Test.java:93:24:93:48 | (...)... | semmle.label | (...)... | +| Test.java:93:41:93:48 | source(...) : String | semmle.label | source(...) : String | +| Test.java:95:24:95:38 | (...)... | semmle.label | (...)... | +| Test.java:95:31:95:38 | source(...) : String | semmle.label | source(...) : String | +| Test.java:97:24:97:40 | (...)... | semmle.label | (...)... | +| Test.java:97:33:97:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:99:24:99:40 | (...)... | semmle.label | (...)... | +| Test.java:99:33:99:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:101:20:101:34 | (...)... | semmle.label | (...)... | +| Test.java:101:27:101:34 | source(...) : String | semmle.label | source(...) : String | +| Test.java:102:20:102:34 | (...)... | semmle.label | (...)... | +| Test.java:102:27:102:34 | source(...) : String | semmle.label | source(...) : String | +| Test.java:104:33:104:47 | (...)... | semmle.label | (...)... | +| Test.java:104:40:104:47 | source(...) : String | semmle.label | source(...) : String | +| Test.java:105:40:105:54 | (...)... | semmle.label | (...)... | +| Test.java:105:47:105:54 | source(...) : String | semmle.label | source(...) : String | +| Test.java:107:33:107:47 | (...)... | semmle.label | (...)... | +| Test.java:107:40:107:47 | source(...) : String | semmle.label | source(...) : String | +| Test.java:109:31:109:45 | (...)... | semmle.label | (...)... | +| Test.java:109:38:109:45 | source(...) : String | semmle.label | source(...) : String | +| Test.java:111:26:111:40 | (...)... | semmle.label | (...)... | +| Test.java:111:33:111:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:113:26:113:40 | (...)... | semmle.label | (...)... | +| Test.java:113:33:113:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:115:34:115:48 | (...)... | semmle.label | (...)... | +| Test.java:115:41:115:48 | source(...) : String | semmle.label | source(...) : String | +| Test.java:117:35:117:49 | (...)... | semmle.label | (...)... | +| Test.java:117:42:117:49 | source(...) : String | semmle.label | source(...) : String | +| Test.java:119:30:119:44 | (...)... | semmle.label | (...)... | +| Test.java:119:37:119:44 | source(...) : String | semmle.label | source(...) : String | +| Test.java:121:22:121:36 | (...)... | semmle.label | (...)... | +| Test.java:121:29:121:36 | source(...) : String | semmle.label | source(...) : String | +| Test.java:123:30:123:44 | (...)... | semmle.label | (...)... | +| Test.java:123:37:123:44 | source(...) : String | semmle.label | source(...) : String | +| Test.java:125:21:125:35 | (...)... | semmle.label | (...)... | +| Test.java:125:28:125:35 | source(...) : String | semmle.label | source(...) : String | +| Test.java:127:26:127:40 | (...)... | semmle.label | (...)... | +| Test.java:127:33:127:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:129:33:129:47 | (...)... | semmle.label | (...)... | +| Test.java:129:40:129:47 | source(...) : String | semmle.label | source(...) : String | +| Test.java:131:33:131:47 | (...)... | semmle.label | (...)... | +| Test.java:131:40:131:47 | source(...) : String | semmle.label | source(...) : String | +| Test.java:132:33:132:47 | (...)... | semmle.label | (...)... | +| Test.java:132:40:132:47 | source(...) : String | semmle.label | source(...) : String | +| Test.java:134:31:134:45 | (...)... | semmle.label | (...)... | +| Test.java:134:38:134:45 | source(...) : String | semmle.label | source(...) : String | +| Test.java:136:21:136:35 | (...)... | semmle.label | (...)... | +| Test.java:136:28:136:35 | source(...) : String | semmle.label | source(...) : String | +| Test.java:137:21:137:35 | (...)... | semmle.label | (...)... | +| Test.java:137:28:137:35 | source(...) : String | semmle.label | source(...) : String | +| Test.java:138:21:138:35 | (...)... | semmle.label | (...)... | +| Test.java:138:28:138:35 | source(...) : String | semmle.label | source(...) : String | +| Test.java:140:27:140:41 | (...)... | semmle.label | (...)... | +| Test.java:140:34:140:41 | source(...) : String | semmle.label | source(...) : String | +| Test.java:141:27:141:41 | (...)... | semmle.label | (...)... | +| Test.java:141:34:141:41 | source(...) : String | semmle.label | source(...) : String | +| Test.java:143:26:143:40 | (...)... | semmle.label | (...)... | +| Test.java:143:33:143:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:145:35:145:49 | (...)... | semmle.label | (...)... | +| Test.java:145:42:145:49 | source(...) : String | semmle.label | source(...) : String | +| Test.java:147:41:147:57 | (...)... | semmle.label | (...)... | +| Test.java:147:50:147:57 | source(...) : String | semmle.label | source(...) : String | +| Test.java:149:45:149:61 | (...)... | semmle.label | (...)... | +| Test.java:149:54:149:61 | source(...) : String | semmle.label | source(...) : String | +| Test.java:151:43:151:57 | (...)... | semmle.label | (...)... | +| Test.java:151:50:151:57 | source(...) : String | semmle.label | source(...) : String | +| Test.java:153:28:153:42 | (...)... | semmle.label | (...)... | +| Test.java:153:35:153:42 | source(...) : String | semmle.label | source(...) : String | +| Test.java:155:41:155:55 | (...)... | semmle.label | (...)... | +| Test.java:155:48:155:55 | source(...) : String | semmle.label | source(...) : String | +| Test.java:160:30:160:44 | (...)... | semmle.label | (...)... | +| Test.java:160:37:160:44 | source(...) : String | semmle.label | source(...) : String | +| Test.java:162:40:162:81 | (...)... | semmle.label | (...)... | +| Test.java:162:74:162:81 | source(...) : String | semmle.label | source(...) : String | +| Test.java:164:34:164:75 | (...)... | semmle.label | (...)... | +| Test.java:164:68:164:75 | source(...) : String | semmle.label | source(...) : String | +| Test.java:166:34:166:75 | (...)... | semmle.label | (...)... | +| Test.java:166:68:166:75 | source(...) : String | semmle.label | source(...) : String | +| Test.java:168:23:168:37 | (...)... | semmle.label | (...)... | +| Test.java:168:30:168:37 | source(...) : String | semmle.label | source(...) : String | +| Test.java:181:23:181:37 | (...)... | semmle.label | (...)... | +| Test.java:181:30:181:37 | source(...) : String | semmle.label | source(...) : String | +| Test.java:186:23:186:40 | (...)... | semmle.label | (...)... | +| Test.java:186:33:186:40 | source(...) : String | semmle.label | source(...) : String | +| Test.java:188:20:188:34 | (...)... | semmle.label | (...)... | +| Test.java:188:27:188:34 | source(...) : String | semmle.label | source(...) : String | +| Test.java:190:21:190:35 | (...)... | semmle.label | (...)... | +| Test.java:190:28:190:35 | source(...) : String | semmle.label | source(...) : String | +| Test.java:192:22:192:36 | (...)... | semmle.label | (...)... | +| Test.java:192:29:192:36 | source(...) : String | semmle.label | source(...) : String | +| Test.java:197:20:197:34 | (...)... | semmle.label | (...)... | +| Test.java:197:27:197:34 | source(...) : String | semmle.label | source(...) : String | +| Test.java:199:19:199:33 | (...)... | semmle.label | (...)... | +| Test.java:199:26:199:33 | source(...) : String | semmle.label | source(...) : String | +| Test.java:204:20:204:36 | (...)... | semmle.label | (...)... | +| Test.java:204:29:204:36 | source(...) : String | semmle.label | source(...) : String | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java index 00447364bb38..442873b54a44 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java @@ -10,10 +10,10 @@ public class TaintedPath { public void sendUserFile(Socket sock, String user) throws IOException { BufferedReader filenameReader = - new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); + new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source String filename = filenameReader.readLine(); // BAD: read from a file without checking its path - BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ hasTaintFlow + BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert String fileLine = fileReader.readLine(); while (fileLine != null) { sock.getOutputStream().write(fileLine.getBytes()); diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.ql b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.ql deleted file mode 100644 index 3e7fbdb31312..000000000000 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.TaintedPathQuery -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.qlref b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.qlref new file mode 100644 index 000000000000..574c839511c0 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-022/TaintedPath.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java index d8cd210b70cf..362c84f4b167 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java @@ -29,143 +29,143 @@ public class Test { private HttpServletRequest request; public Object source() { - return request.getParameter("source"); + return request.getParameter("source"); // $ Source } void test() throws IOException { // "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated" - getClass().getModule().getResourceAsStream((String) source()); // $ hasTaintFlow + getClass().getModule().getResourceAsStream((String) source()); // $ Alert // "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated" - getClass().getResource((String) source()); // $ hasTaintFlow + getClass().getResource((String) source()); // $ Alert // "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated" - ClassLoader.getSystemResourceAsStream((String) source()); // $ hasTaintFlow + ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert // "java.io;File;True;canExecute;();;Argument[this];path-injection;manual" - ((File) source()).canExecute(); // $ hasTaintFlow + ((File) source()).canExecute(); // $ Alert // "java.io;File;True;canRead;();;Argument[this];path-injection;manual" - ((File) source()).canRead(); // $ hasTaintFlow + ((File) source()).canRead(); // $ Alert // "java.io;File;True;canWrite;();;Argument[this];path-injection;manual" - ((File) source()).canWrite(); // $ hasTaintFlow + ((File) source()).canWrite(); // $ Alert // "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual" - ((File) source()).createNewFile(); // $ hasTaintFlow + ((File) source()).createNewFile(); // $ Alert // "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated" - File.createTempFile(";", ";", (File) source()); // $ hasTaintFlow + File.createTempFile(";", ";", (File) source()); // $ Alert // "java.io;File;True;delete;();;Argument[this];path-injection;manual" - ((File) source()).delete(); // $ hasTaintFlow + ((File) source()).delete(); // $ Alert // "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual" - ((File) source()).deleteOnExit(); // $ hasTaintFlow + ((File) source()).deleteOnExit(); // $ Alert // "java.io;File;True;exists;();;Argument[this];path-injection;manual" - ((File) source()).exists(); // $ hasTaintFlow + ((File) source()).exists(); // $ Alert // "java.io:File;True;isDirectory;();;Argument[this];path-injection;manual" - ((File) source()).isDirectory(); // $ hasTaintFlow + ((File) source()).isDirectory(); // $ Alert // "java.io:File;True;isFile;();;Argument[this];path-injection;manual" - ((File) source()).isFile(); // $ hasTaintFlow + ((File) source()).isFile(); // $ Alert // "java.io:File;True;isHidden;();;Argument[this];path-injection;manual" - ((File) source()).isHidden(); // $ hasTaintFlow + ((File) source()).isHidden(); // $ Alert // "java.io;File;True;mkdir;();;Argument[this];path-injection;manual" - ((File) source()).mkdir(); // $ hasTaintFlow + ((File) source()).mkdir(); // $ Alert // "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual" - ((File) source()).mkdirs(); // $ hasTaintFlow + ((File) source()).mkdirs(); // $ Alert // "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual" - new File("").renameTo((File) source()); // $ hasTaintFlow + new File("").renameTo((File) source()); // $ Alert // "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual" - ((File) source()).renameTo(null); // $ hasTaintFlow + ((File) source()).renameTo(null); // $ Alert // "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual" - ((File) source()).setExecutable(true); // $ hasTaintFlow + ((File) source()).setExecutable(true); // $ Alert // "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual" - ((File) source()).setLastModified(0); // $ hasTaintFlow + ((File) source()).setLastModified(0); // $ Alert // "java.io;File;True;setReadable;;;Argument[this];path-injection;manual" - ((File) source()).setReadable(true); // $ hasTaintFlow + ((File) source()).setReadable(true); // $ Alert // "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual" - ((File) source()).setReadOnly(); // $ hasTaintFlow + ((File) source()).setReadOnly(); // $ Alert // "java.io;File;True;setWritable;;;Argument[this];path-injection;manual" - ((File) source()).setWritable(true); // $ hasTaintFlow + ((File) source()).setWritable(true); // $ Alert // "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated" - new File("").renameTo((File) source()); // $ hasTaintFlow + new File("").renameTo((File) source()); // $ Alert // "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated" - new FileInputStream((File) source()); // $ hasTaintFlow + new FileInputStream((File) source()); // $ Alert // "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual" - new FileInputStream((FileDescriptor) source()); // $ hasTaintFlow - // "java.io;FileInputStream;true;FileInputStream;(Strrirng);;Argument[0];read-file;manual" - new FileInputStream((String) source()); // $ hasTaintFlow + new FileInputStream((FileDescriptor) source()); // $ Alert + // "java.io;FileInputStream;true;FileInputStream;(String);;Argument[0];read-file;manual" + new FileInputStream((String) source()); // $ Alert // "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated" - new FileReader((File) source()); // $ hasTaintFlow + new FileReader((File) source()); // $ Alert // "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual" - new FileReader((FileDescriptor) source()); // $ hasTaintFlow + new FileReader((FileDescriptor) source()); // $ Alert // "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual" - new FileReader((File) source(), null); // $ hasTaintFlow + new FileReader((File) source(), null); // $ Alert // "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated" - new FileReader((String) source()); // $ hasTaintFlow + new FileReader((String) source()); // $ Alert // "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual" - new FileReader((String) source(), null); // $ hasTaintFlow + new FileReader((String) source(), null); // $ Alert // "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual" - Files.copy((Path) source(), (Path) null); // $ hasTaintFlow - Files.copy((Path) source(), (OutputStream) null); // $ hasTaintFlow + Files.copy((Path) source(), (Path) null); // $ Alert + Files.copy((Path) source(), (OutputStream) null); // $ Alert // "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual" - Files.copy((Path) null, (Path) source()); // $ hasTaintFlow - Files.copy((InputStream) null, (Path) source()); // $ hasTaintFlow + Files.copy((Path) null, (Path) source()); // $ Alert + Files.copy((InputStream) null, (Path) source()); // $ Alert // "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual" - Files.createDirectories((Path) source()); // $ hasTaintFlow + Files.createDirectories((Path) source()); // $ Alert // "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual" - Files.createDirectory((Path) source()); // $ hasTaintFlow + Files.createDirectory((Path) source()); // $ Alert // "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual" - Files.createFile((Path) source()); // $ hasTaintFlow + Files.createFile((Path) source()); // $ Alert // "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual" - Files.createLink((Path) source(), null); // $ hasTaintFlow + Files.createLink((Path) source(), null); // $ Alert // "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual" - Files.createSymbolicLink((Path) source(), null); // $ hasTaintFlow + Files.createSymbolicLink((Path) source(), null); // $ Alert // "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual" - Files.createTempDirectory((Path) source(), null); // $ hasTaintFlow + Files.createTempDirectory((Path) source(), null); // $ Alert // "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual" - Files.createTempFile((Path) source(), null, null); // $ hasTaintFlow + Files.createTempFile((Path) source(), null, null); // $ Alert // "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated" - Files.delete((Path) source()); // $ hasTaintFlow + Files.delete((Path) source()); // $ Alert // "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated" - Files.deleteIfExists((Path) source()); // $ hasTaintFlow + Files.deleteIfExists((Path) source()); // $ Alert // "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated" - Files.lines((Path) source(), null); // $ hasTaintFlow + Files.lines((Path) source(), null); // $ Alert // "java.nio.file;Files;false;move;;;Argument[1];create-file;manual" - Files.move(null, (Path) source()); // $ hasTaintFlow + Files.move(null, (Path) source()); // $ Alert // "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated" - Files.newBufferedReader((Path) source(), null); // $ hasTaintFlow + Files.newBufferedReader((Path) source(), null); // $ Alert // "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual" - Files.newBufferedWriter((Path) source()); // $ hasTaintFlow - Files.newBufferedWriter((Path) source(), (Charset) null); // $ hasTaintFlow + Files.newBufferedWriter((Path) source()); // $ Alert + Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert // "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual" - Files.newOutputStream((Path) source()); // $ hasTaintFlow + Files.newOutputStream((Path) source()); // $ Alert // "java.nio.file;Files;false;write;;;Argument[0];create-file;manual" - Files.write((Path) source(), (byte[]) null); // $ hasTaintFlow - Files.write((Path) source(), (Iterable) null); // $ hasTaintFlow - Files.write((Path) source(), (Iterable) null, (Charset) null); // $ hasTaintFlow + Files.write((Path) source(), (byte[]) null); // $ Alert + Files.write((Path) source(), (Iterable) null); // $ Alert + Files.write((Path) source(), (Iterable) null, (Charset) null); // $ Alert // "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual" - Files.writeString((Path) source(), (CharSequence) null); // $ hasTaintFlow - Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ hasTaintFlow + Files.writeString((Path) source(), (CharSequence) null); // $ Alert + Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert // "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated" - new StreamResult((File) source()); // $ hasTaintFlow + new StreamResult((File) source()); // $ Alert // "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated" - FileUtils.openInputStream((File) source()); // $ hasTaintFlow + FileUtils.openInputStream((File) source()); // $ Alert // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated" - new ZipURLInstaller((URL) null, (String) source(), ""); // $ hasTaintFlow + new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated" - new ZipURLInstaller((URL) null, "", (String) source()); // $ hasTaintFlow + new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert // "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual" - FileCopyUtils.copy((byte[]) null, (File) source()); // $ hasTaintFlow + FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual" - FileCopyUtils.copy((File) source(), null); // $ hasTaintFlow + FileCopyUtils.copy((File) source(), null); // $ Alert // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual" - FileCopyUtils.copy((File) null, (File) source()); // $ hasTaintFlow + FileCopyUtils.copy((File) null, (File) source()); // $ Alert } void test(AntClassLoader acl) { // "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated" - acl.addPathComponent((File) source()); // $ hasTaintFlow + acl.addPathComponent((File) source()); // $ Alert // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated" - new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow + new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated" - new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow + new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated" - new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ hasTaintFlow + new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert // "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated" - new LargeText((File) source(), null, false, false); // $ hasTaintFlow + new LargeText((File) source(), null, false, false); // $ Alert } void doGet6(String root, HttpServletRequest request) throws IOException { @@ -178,29 +178,29 @@ void doGet6(String root, HttpServletRequest request) throws IOException { void test(DirectoryScanner ds) { // "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated" - ds.setBasedir((File) source()); // $ hasTaintFlow + ds.setBasedir((File) source()); // $ Alert } void test(Copy cp) { // "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated" - cp.addFileset((FileSet) source()); // $ hasTaintFlow + cp.addFileset((FileSet) source()); // $ Alert // "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated" - cp.setFile((File) source()); // $ hasTaintFlow + cp.setFile((File) source()); // $ Alert // "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated" - cp.setTodir((File) source()); // $ hasTaintFlow + cp.setTodir((File) source()); // $ Alert // "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated" - cp.setTofile((File) source()); // $ hasTaintFlow + cp.setTofile((File) source()); // $ Alert } void test(Expand ex) { // "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated" - ex.setDest((File) source()); // $ hasTaintFlow + ex.setDest((File) source()); // $ Alert // "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated" - ex.setSrc((File) source()); // $ hasTaintFlow + ex.setSrc((File) source()); // $ Alert } void test(ChainedOptionsBuilder cob) { // "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated" - cob.result((String) source()); // $ hasTaintFlow + cob.result((String) source()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected index b876fd2367da..5379de2403b4 100644 --- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected +++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected @@ -1,16 +1,16 @@ -| PartialPathTraversalTest.java:10:14:10:73 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:17:9:17:72 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:29:14:29:58 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:35:14:35:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:42:14:42:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:49:14:49:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:53:14:53:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:61:14:61:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:64:14:64:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:75:14:75:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:94:14:94:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:102:14:102:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:105:14:105:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:173:14:173:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:191:18:191:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | -| PartialPathTraversalTest.java:209:14:209:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:13:14:13:75 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:20:9:20:74 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:32:14:32:60 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:38:14:38:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:45:14:45:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:52:14:52:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:56:14:56:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:64:14:64:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:67:14:67:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:78:14:78:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:97:14:97:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:105:14:105:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:108:14:108:66 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:176:14:176:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:194:18:194:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | +| PartialPathTraversalTest.java:212:14:212:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. | diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected index e69de29bb2d1..f2af01542ee9 100644 --- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected +++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected @@ -0,0 +1,135 @@ +#select +| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data | +edges +| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | provenance | MaD:6 | +| PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | provenance | | +| PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | provenance | MaD:6 | +| PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | provenance | | +| PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | provenance | MaD:6 | +| PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | provenance | | +| PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | provenance | MaD:6 | +| PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | provenance | | +| PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | provenance | MaD:6 | +| PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | provenance | | +| PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | PartialPathTraversalTest.java:188:23:188:23 | p : String | provenance | | +| PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | provenance | | +| PartialPathTraversalTest.java:188:23:188:23 | p : String | PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | provenance | MaD:8 | +| PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | provenance | MaD:9 | +| PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | PartialPathTraversalTest.java:192:37:192:44 | filePath : String | provenance | | +| PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | provenance | | +| PartialPathTraversalTest.java:192:37:192:44 | filePath : String | PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | provenance | MaD:4 | +| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | provenance | MaD:6 | +| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | provenance | MaD:6 | +| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | provenance | | +| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | provenance | | +| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 | +| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 | +| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | provenance | MaD:3 | +| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | PartialPathTraversalTest.java:254:29:254:36 | filename : String | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | provenance | | +| PartialPathTraversalTest.java:254:29:254:36 | filename : String | PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | provenance | MaD:4 | +| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | provenance | MaD:5 | +| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | provenance | MaD:10 | +| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance | | +models +| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 2 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 3 | Summary: java.io; BufferedReader; true; readLine; ; ; Argument[this]; ReturnValue; taint; manual | +| 4 | Summary: java.io; File; false; File; ; ; Argument[0]; Argument[this]; taint; manual | +| 5 | Summary: java.io; File; true; getAbsolutePath; ; ; Argument[this]; ReturnValue; taint; manual | +| 6 | Summary: java.io; File; true; getCanonicalPath; ; ; Argument[this]; ReturnValue; taint; manual | +| 7 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 8 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual | +| 9 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual | +| 10 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual | +nodes +| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String | +| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | semmle.label | canonicalPath | +| PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String | +| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | semmle.label | canonicalPath | +| PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String | +| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | semmle.label | canonicalPath2 | +| PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String | +| PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String | +| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | semmle.label | canonicalPath | +| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | semmle.label | canonicalPath2 | +| PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | semmle.label | path(...) : String[] | +| PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | semmle.label | sb [post update] : StringBuilder | +| PartialPathTraversalTest.java:188:23:188:23 | p : String | semmle.label | p : String | +| PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | semmle.label | sb : StringBuilder | +| PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | semmle.label | toString(...) : String | +| PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | semmle.label | new File(...) : File | +| PartialPathTraversalTest.java:192:37:192:44 | filePath : String | semmle.label | filePath : String | +| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | semmle.label | encodedFile : File | +| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) | +| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String | +| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | semmle.label | canonicalPath | +| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader | +| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader | +| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | semmle.label | readLine(...) : String | +| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | semmle.label | new File(...) : File | +| PartialPathTraversalTest.java:254:29:254:36 | filename : String | semmle.label | filename : String | +| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | semmle.label | dir(...) : File | +| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String | +| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | semmle.label | split(...) : String[] | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql deleted file mode 100644 index 45dab6606fa1..000000000000 --- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql +++ /dev/null @@ -1,24 +0,0 @@ -import java -import utils.test.InlineExpectationsTest -import semmle.code.java.security.PartialPathTraversalQuery - -class TestRemoteSource extends RemoteFlowSource { - TestRemoteSource() { this.asParameter().hasName(["dir", "path"]) } - - override string getSourceType() { result = "TestSource" } -} - -module Test implements TestSig { - string getARelevantTag() { result = "hasTaintFlow" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasTaintFlow" and - exists(DataFlow::Node sink | PartialPathTraversalFromRemoteFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.qlref b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.qlref new file mode 100644 index 000000000000..0c2ceb8cd731 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java index af0fd776de15..b1986c1b6694 100644 --- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java +++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java @@ -1,68 +1,71 @@ import java.io.IOException; import java.io.File; import java.io.InputStream; +import java.io.BufferedReader; +import java.io.InputStreamReader; import static java.io.File.separatorChar; import java.nio.file.Files; +import java.net.Socket; public class PartialPathTraversalTest { - public void esapiExample(File dir, File parent) throws IOException { - if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + public void esapiExample(File parent) throws IOException { + if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } @SuppressWarnings("ResultOfMethodCallIgnored") - void foo1(File dir, File parent) throws IOException { - (dir.getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $hasTaintFlow + void foo1(File parent) throws IOException { + (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert } - void foo2(File dir, File parent) throws IOException { - dir.getCanonicalPath(); + void foo2(File parent) throws IOException { + dir().getCanonicalPath(); if ("potato".startsWith(parent.getCanonicalPath())) { System.out.println("Hello!"); } } - void foo3(File dir, File parent) throws IOException { + void foo3(File parent) throws IOException { String parentPath = parent.getCanonicalPath(); - if (!dir.getCanonicalPath().startsWith(parentPath)) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo4(File dir) throws IOException { - if (!dir.getCanonicalPath().startsWith("/usr" + "/dir")) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + void foo4() throws IOException { + if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo5(File dir, File parent) throws IOException { - String canonicalPath = dir.getCanonicalPath(); - if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + void foo5(File parent) throws IOException { + String canonicalPath = dir().getCanonicalPath(); + if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo6(File dir, File parent) throws IOException { - String canonicalPath = dir.getCanonicalPath(); - if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + void foo6(File parent) throws IOException { + String canonicalPath = dir().getCanonicalPath(); + if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } - String canonicalPath2 = dir.getCanonicalPath(); - if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + String canonicalPath2 = dir().getCanonicalPath(); + if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } void foo7(File dir, File parent) throws IOException { - String canonicalPath = dir.getCanonicalPath(); - String canonicalPath2 = dir.getCanonicalPath(); - if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + String canonicalPath = dir().getCanonicalPath(); + String canonicalPath2 = dir().getCanonicalPath(); + if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } - if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } @@ -72,70 +75,70 @@ File getChild() { void foo8(File parent) throws IOException { String canonicalPath = getChild().getCanonicalPath(); - if (!canonicalPath.startsWith(parent.getCanonicalPath())) { + if (!canonicalPath.startsWith(parent.getCanonicalPath())) { throw new IOException("Invalid directory: " + getChild().getCanonicalPath()); } } - void foo9(File dir, File parent) throws IOException { - if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + void foo9(File parent) throws IOException { + if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo10(File dir, File parent) throws IOException { - if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + void foo10(File parent) throws IOException { + if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo11(File dir, File parent) throws IOException { + void foo11(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath(); - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo12(File dir, File parent) throws IOException { + void foo12(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath(); String parentCanonical2 = parent.getCanonicalPath(); - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } - if (!dir.getCanonicalPath().startsWith(parentCanonical2)) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo13(File dir, File parent) throws IOException { + void foo13(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath() + File.separatorChar; - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo14(File dir, File parent) throws IOException { + void foo14(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath() + separatorChar; - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } void foo15(File dir, File parent) throws IOException { String parentCanonical = parent.getCanonicalPath() + File.separatorChar; String parentCanonical2 = parent.getCanonicalPath() + File.separatorChar; - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } - if (!dir.getCanonicalPath().startsWith(parentCanonical2)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo16(File dir, File parent) throws IOException { + void foo16(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath() + File.separator; - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } @@ -145,7 +148,7 @@ void foo16(File dir, File parent) throws IOException { "UnusedAssignment", "ResultOfMethodCallIgnored" }) - void foo17(File dir, File parent, boolean branch) throws IOException { + void foo17(File parent, boolean branch) throws IOException { String parentCanonical = null; "test ".startsWith("somethingElse"); if (branch) { @@ -153,8 +156,8 @@ void foo17(File dir, File parent, boolean branch) throws IOException { } else { parentCanonical = parent.getCanonicalPath() + File.separatorChar; } - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } @@ -163,24 +166,24 @@ void foo18(File dir, File parent, boolean branch) throws IOException { if (branch) { parentCanonical = parent.getCanonicalPath() + File.separatorChar; } - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo19(File dir, File parent) throws IOException { + void foo19(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath() + "/potato"; - if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } private File cacheDir; - InputStream foo20(String... path) { + InputStream foo20() { StringBuilder sb = new StringBuilder(); sb.append(cacheDir.getAbsolutePath()); - for (String p : path) { + for (String p : path()) { sb.append(File.separatorChar); sb.append(p); } @@ -188,7 +191,7 @@ InputStream foo20(String... path) { String filePath = sb.toString(); File encodedFile = new File(filePath); try { - if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $hasTaintFlow + if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert return null; } return Files.newInputStream(encodedFile.toPath()); @@ -197,37 +200,37 @@ InputStream foo20(String... path) { } } - void foo21(File dir, File parent) throws IOException { + void foo21(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath(); - if (!dir.getCanonicalPath().startsWith(parentCanonical + File.separator)) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical + File.separator)) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo22(File dir, File dir2, File parent, boolean conditional) throws IOException { - String canonicalPath = conditional ? dir.getCanonicalPath() : dir2.getCanonicalPath(); - if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + void foo22(File dir2, File parent, boolean conditional) throws IOException { + String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath(); + if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo23(File dir, File parent) throws IOException { + void foo23(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath(); - if (!dir.getCanonicalPath().startsWith(parentCanonical + "/")) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical + "/")) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - void foo24(File dir, File parent) throws IOException { + void foo24(File parent) throws IOException { String parentCanonical = parent.getCanonicalPath(); - if (!dir.getCanonicalPath().startsWith(parentCanonical + '/')) { - throw new IOException("Invalid directory: " + dir.getCanonicalPath()); + if (!dir().getCanonicalPath().startsWith(parentCanonical + '/')) { + throw new IOException("Invalid directory: " + dir().getCanonicalPath()); } } - public void doesNotFlagOptimalSafeVersion(File dir, File parent) throws IOException { - if (!dir.toPath().normalize().startsWith(parent.toPath())) { // Safe - throw new IOException("Path traversal attempt: " + dir.getCanonicalPath()); + public void doesNotFlagOptimalSafeVersion(File parent) throws IOException { + if (!dir().toPath().normalize().startsWith(parent.toPath())) { // Safe + throw new IOException("Path traversal attempt: " + dir().getCanonicalPath()); } } @@ -242,4 +245,19 @@ public void doesNotFlagBackslash(File file) throws IOException { } } -} \ No newline at end of file + Socket sock; + + File dir() { + try { + BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source + String filename = filenameReader.readLine(); + return new File(filename); + } catch (IOException e) { + throw new RuntimeException("Failed to read from socket", e); + } + } + + String[] path() { + return dir().getAbsolutePath().split(File.separator); + } +} diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.expected b/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.expected new file mode 100644 index 000000000000..6855ccb21040 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.expected @@ -0,0 +1,308 @@ +#select +| JndiInjectionTest.java:36:16:36:22 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:36:16:36:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:37:20:37:26 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:37:20:37:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:38:29:38:35 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:38:29:38:35 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:39:16:39:22 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:39:16:39:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:40:14:40:20 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:40:14:40:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:41:22:41:28 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:41:22:41:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:43:16:43:19 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:43:16:43:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:44:20:44:23 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:44:20:44:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:45:29:45:32 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:45:29:45:32 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:46:16:46:19 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:46:16:46:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:47:14:47:17 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:47:14:47:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:48:22:48:25 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:48:22:48:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input | +| JndiInjectionTest.java:56:16:56:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:56:16:56:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:57:20:57:26 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:57:20:57:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:58:16:58:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:58:16:58:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:59:14:59:20 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:59:14:59:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:60:22:60:28 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:60:22:60:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:62:16:62:19 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:62:16:62:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:63:20:63:23 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:63:20:63:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:64:16:64:19 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:64:16:64:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:65:14:65:17 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:65:14:65:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:66:22:66:25 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:66:22:66:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:70:16:70:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:70:16:70:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:71:16:71:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:71:16:71:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:74:16:74:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:74:16:74:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:75:16:75:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:75:16:75:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input | +| JndiInjectionTest.java:87:16:87:22 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:87:16:87:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:88:20:88:26 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:88:20:88:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:89:16:89:22 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:89:16:89:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:90:14:90:20 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:90:14:90:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:91:22:91:28 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:91:22:91:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:93:16:93:19 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:93:16:93:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:94:20:94:23 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:94:20:94:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:95:16:95:19 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:95:16:95:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:96:14:96:17 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:96:14:96:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:97:22:97:25 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:97:22:97:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input | +| JndiInjectionTest.java:104:16:104:22 | nameStr | JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:104:16:104:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:101:42:101:69 | nameStr | this user input | +| JndiInjectionTest.java:105:16:105:22 | nameStr | JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:105:16:105:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:101:42:101:69 | nameStr | this user input | +| JndiInjectionTest.java:113:16:113:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:113:16:113:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:115:16:115:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:115:16:115:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:117:16:117:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:117:16:117:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:118:16:118:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:118:16:118:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:120:16:120:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:120:16:120:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:122:16:122:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:122:16:122:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:123:23:123:26 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:123:23:123:26 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:124:23:124:29 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:124:23:124:29 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:125:18:125:21 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:125:18:125:21 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:126:16:126:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:126:16:126:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:127:14:127:17 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:127:14:127:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:128:22:128:25 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:128:22:128:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:129:16:129:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:129:16:129:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:131:16:131:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:131:16:131:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:132:16:132:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:133:16:133:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:134:16:134:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:138:16:138:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:138:16:138:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:139:16:139:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:139:16:139:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:141:16:141:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:141:16:141:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:142:16:142:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:142:16:142:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:144:16:144:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:144:16:144:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:145:16:145:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:145:16:145:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:149:16:149:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:149:16:149:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:150:16:150:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:150:16:150:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:152:16:152:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:152:16:152:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:153:16:153:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:153:16:153:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:155:16:155:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:155:16:155:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:156:16:156:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:156:16:156:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:170:25:170:31 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input | +| JndiInjectionTest.java:177:16:177:22 | nameStr | JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:177:16:177:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:174:41:174:68 | nameStr | this user input | +| JndiInjectionTest.java:178:16:178:22 | nameStr | JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:178:16:178:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:174:41:174:68 | nameStr | this user input | +| JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | JNDI lookup might include name from $@. | JndiInjectionTest.java:182:37:182:63 | urlStr | this user input | +| JndiInjectionTest.java:187:5:187:13 | connector | JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:187:5:187:13 | connector | JNDI lookup might include name from $@. | JndiInjectionTest.java:182:37:182:63 | urlStr | this user input | +| JndiInjectionTest.java:194:35:194:40 | urlStr | JndiInjectionTest.java:191:27:191:53 | urlStr : String | JndiInjectionTest.java:194:35:194:40 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:191:27:191:53 | urlStr | this user input | +| JndiInjectionTest.java:202:41:202:46 | urlStr | JndiInjectionTest.java:199:27:199:53 | urlStr : String | JndiInjectionTest.java:202:41:202:46 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:199:27:199:53 | urlStr | this user input | +| JndiInjectionTest.java:211:37:211:42 | urlStr | JndiInjectionTest.java:207:52:207:78 | urlStr : String | JndiInjectionTest.java:211:37:211:42 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:207:52:207:78 | urlStr | this user input | +| JndiInjectionTest.java:221:51:221:56 | urlStr | JndiInjectionTest.java:216:52:216:78 | urlStr : String | JndiInjectionTest.java:221:51:221:56 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:216:52:216:78 | urlStr | this user input | +| JndiInjectionTest.java:231:51:231:56 | urlStr | JndiInjectionTest.java:226:52:226:78 | urlStr : String | JndiInjectionTest.java:231:51:231:56 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:226:52:226:78 | urlStr | this user input | +edges +| JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:33:35:33:41 | nameStr : String | provenance | | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:43:16:43:19 | name | provenance | Sink:MaD:6 | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:44:20:44:23 | name | provenance | Sink:MaD:7 | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:45:29:45:32 | name | provenance | Sink:MaD:9 | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:46:16:46:19 | name | provenance | Sink:MaD:8 | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:47:14:47:17 | name | provenance | Sink:MaD:4 | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:48:22:48:25 | name | provenance | Sink:MaD:5 | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | provenance | Config | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:36:16:36:22 | nameStr | provenance | Sink:MaD:6 | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:37:20:37:26 | nameStr | provenance | Sink:MaD:7 | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:38:29:38:35 | nameStr | provenance | Sink:MaD:9 | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:39:16:39:22 | nameStr | provenance | Sink:MaD:8 | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:40:14:40:20 | nameStr | provenance | Sink:MaD:4 | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:41:22:41:28 | nameStr | provenance | Sink:MaD:5 | +| JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:53:34:53:40 | nameStr : String | provenance | | +| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:62:16:62:19 | name | provenance | Sink:MaD:6 | +| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:63:20:63:23 | name | provenance | Sink:MaD:7 | +| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:64:16:64:19 | name | provenance | Sink:MaD:8 | +| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:65:14:65:17 | name | provenance | Sink:MaD:4 | +| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:66:22:66:25 | name | provenance | Sink:MaD:5 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | provenance | Config | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:56:16:56:22 | nameStr | provenance | Sink:MaD:6 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:57:20:57:26 | nameStr | provenance | Sink:MaD:7 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:58:16:58:22 | nameStr | provenance | Sink:MaD:8 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:59:14:59:20 | nameStr | provenance | Sink:MaD:4 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:60:22:60:28 | nameStr | provenance | Sink:MaD:5 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:70:16:70:22 | nameStr | provenance | Sink:MaD:3 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:71:16:71:22 | nameStr | provenance | Sink:MaD:3 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:74:16:74:22 | nameStr | provenance | Sink:MaD:3 | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:75:16:75:22 | nameStr | provenance | Sink:MaD:3 | +| JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:84:35:84:41 | nameStr : String | provenance | | +| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:93:16:93:19 | name | provenance | Sink:MaD:6 | +| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:94:20:94:23 | name | provenance | Sink:MaD:7 | +| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:95:16:95:19 | name | provenance | Sink:MaD:8 | +| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:96:14:96:17 | name | provenance | Sink:MaD:4 | +| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:97:22:97:25 | name | provenance | Sink:MaD:5 | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | provenance | Config | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:87:16:87:22 | nameStr | provenance | Sink:MaD:6 | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:88:20:88:26 | nameStr | provenance | Sink:MaD:7 | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:89:16:89:22 | nameStr | provenance | Sink:MaD:8 | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:90:14:90:20 | nameStr | provenance | Sink:MaD:4 | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:91:22:91:28 | nameStr | provenance | Sink:MaD:5 | +| JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:104:16:104:22 | nameStr | provenance | Sink:MaD:11 | +| JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:105:16:105:22 | nameStr | provenance | Sink:MaD:11 | +| JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:111:41:111:47 | nameStr : String | provenance | | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:113:16:113:19 | name | provenance | Sink:MaD:15 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:115:16:115:19 | name | provenance | Sink:MaD:16 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:117:16:117:19 | name | provenance | Sink:MaD:17 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:123:23:123:26 | name | provenance | Sink:MaD:21 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:125:18:125:21 | name | provenance | Sink:MaD:12 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:126:16:126:19 | name | provenance | Sink:MaD:22 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:127:14:127:17 | name | provenance | Sink:MaD:13 | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:128:22:128:25 | name | provenance | Sink:MaD:14 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:111:17:111:48 | add(...) : Name | provenance | Config | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:118:16:118:22 | nameStr | provenance | Sink:MaD:18 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:120:16:120:22 | nameStr | provenance | Sink:MaD:19 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:122:16:122:22 | nameStr | provenance | Sink:MaD:20 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:124:23:124:29 | nameStr | provenance | Sink:MaD:21 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:129:16:129:22 | nameStr | provenance | | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:131:16:131:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | provenance | Sink:MaD:25 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | provenance | Sink:MaD:24 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | provenance | Sink:MaD:23 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:138:16:138:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:139:16:139:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:141:16:141:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:142:16:142:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:144:16:144:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:145:16:145:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:149:16:149:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:150:16:150:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:152:16:152:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:153:16:153:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:155:16:155:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:156:16:156:22 | nameStr | provenance | Sink:MaD:27 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | provenance | Sink:MaD:26 | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | provenance | Sink:MaD:28 | +| JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:177:16:177:22 | nameStr | provenance | Sink:MaD:10 | +| JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:178:16:178:22 | nameStr | provenance | Sink:MaD:10 | +| JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:183:51:183:56 | urlStr : String | provenance | | +| JndiInjectionTest.java:183:51:183:56 | urlStr : String | JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | provenance | Config Sink:MaD:2 | +| JndiInjectionTest.java:183:51:183:56 | urlStr : String | JndiInjectionTest.java:185:43:185:48 | urlStr : String | provenance | | +| JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | provenance | | +| JndiInjectionTest.java:185:43:185:48 | urlStr : String | JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | provenance | Config | +| JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | JndiInjectionTest.java:187:5:187:13 | connector | provenance | Sink:MaD:1 | +| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | provenance | Config | +| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | provenance | MaD:29 | +| JndiInjectionTest.java:191:27:191:53 | urlStr : String | JndiInjectionTest.java:194:35:194:40 | urlStr | provenance | | +| JndiInjectionTest.java:199:27:199:53 | urlStr : String | JndiInjectionTest.java:202:41:202:46 | urlStr | provenance | | +| JndiInjectionTest.java:207:52:207:78 | urlStr : String | JndiInjectionTest.java:211:37:211:42 | urlStr | provenance | | +| JndiInjectionTest.java:216:52:216:78 | urlStr : String | JndiInjectionTest.java:221:51:221:56 | urlStr | provenance | | +| JndiInjectionTest.java:226:52:226:78 | urlStr : String | JndiInjectionTest.java:231:51:231:56 | urlStr | provenance | | +models +| 1 | Sink: javax.management.remote; JMXConnector; true; connect; ; ; Argument[this]; jndi-injection; manual | +| 2 | Sink: javax.management.remote; JMXConnectorFactory; false; connect; ; ; Argument[0]; jndi-injection; manual | +| 3 | Sink: javax.naming.directory; DirContext; true; search; ; ; Argument[0..1]; ldap-injection; manual | +| 4 | Sink: javax.naming; Context; true; list; ; ; Argument[0]; jndi-injection; manual | +| 5 | Sink: javax.naming; Context; true; listBindings; ; ; Argument[0]; jndi-injection; manual | +| 6 | Sink: javax.naming; Context; true; lookup; ; ; Argument[0]; jndi-injection; manual | +| 7 | Sink: javax.naming; Context; true; lookupLink; ; ; Argument[0]; jndi-injection; manual | +| 8 | Sink: javax.naming; Context; true; rename; ; ; Argument[0]; jndi-injection; manual | +| 9 | Sink: javax.naming; InitialContext; true; doLookup; ; ; Argument[0]; jndi-injection; manual | +| 10 | Sink: org.apache.shiro.jndi; JndiTemplate; false; lookup; ; ; Argument[0]; jndi-injection; manual | +| 11 | Sink: org.springframework.jndi; JndiTemplate; false; lookup; ; ; Argument[0]; jndi-injection; manual | +| 12 | Sink: org.springframework.ldap.core; LdapOperations; true; findByDn; ; ; Argument[0]; jndi-injection; manual | +| 13 | Sink: org.springframework.ldap.core; LdapOperations; true; list; ; ; Argument[0]; jndi-injection; manual | +| 14 | Sink: org.springframework.ldap.core; LdapOperations; true; listBindings; ; ; Argument[0]; jndi-injection; manual | +| 15 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name); ; Argument[0]; jndi-injection; manual | +| 16 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name,ContextMapper); ; Argument[0]; jndi-injection; manual | +| 17 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name,String[],ContextMapper); ; Argument[0]; jndi-injection; manual | +| 18 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String); ; Argument[0]; jndi-injection; manual | +| 19 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String,ContextMapper); ; Argument[0]; jndi-injection; manual | +| 20 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String,String[],ContextMapper); ; Argument[0]; jndi-injection; manual | +| 21 | Sink: org.springframework.ldap.core; LdapOperations; true; lookupContext; ; ; Argument[0]; jndi-injection; manual | +| 22 | Sink: org.springframework.ldap.core; LdapOperations; true; rename; ; ; Argument[0]; jndi-injection; manual | +| 23 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,ContextMapper); ; Argument[0]; jndi-injection; manual | +| 24 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,int,ContextMapper); ; Argument[0]; jndi-injection; manual | +| 25 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,int,String[],ContextMapper); ; Argument[0]; jndi-injection; manual | +| 26 | Sink: org.springframework.ldap.core; LdapOperations; true; searchForObject; (String,String,ContextMapper); ; Argument[0]; jndi-injection; manual | +| 27 | Sink: org.springframework.ldap.core; LdapTemplate; false; search; ; ; Argument[0..1]; ldap-injection; manual | +| 28 | Sink: org.springframework.ldap.core; LdapTemplate; false; searchForObject; ; ; Argument[0..1]; ldap-injection; manual | +| 29 | Summary: javax.management.remote; JMXConnectorFactory; true; newJMXConnector; (JMXServiceURL,Map); ; Argument[0]; ReturnValue; taint; df-generated | +nodes +| JndiInjectionTest.java:32:38:32:65 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | semmle.label | new CompositeName(...) : CompositeName | +| JndiInjectionTest.java:33:35:33:41 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:36:16:36:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:37:20:37:26 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:38:29:38:35 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:39:16:39:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:40:14:40:20 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:41:22:41:28 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:43:16:43:19 | name | semmle.label | name | +| JndiInjectionTest.java:44:20:44:23 | name | semmle.label | name | +| JndiInjectionTest.java:45:29:45:32 | name | semmle.label | name | +| JndiInjectionTest.java:46:16:46:19 | name | semmle.label | name | +| JndiInjectionTest.java:47:14:47:17 | name | semmle.label | name | +| JndiInjectionTest.java:48:22:48:25 | name | semmle.label | name | +| JndiInjectionTest.java:52:34:52:61 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | semmle.label | new CompoundName(...) : CompoundName | +| JndiInjectionTest.java:53:34:53:40 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:56:16:56:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:57:20:57:26 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:58:16:58:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:59:14:59:20 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:60:22:60:28 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:62:16:62:19 | name | semmle.label | name | +| JndiInjectionTest.java:63:20:63:23 | name | semmle.label | name | +| JndiInjectionTest.java:64:16:64:19 | name | semmle.label | name | +| JndiInjectionTest.java:65:14:65:17 | name | semmle.label | name | +| JndiInjectionTest.java:66:22:66:25 | name | semmle.label | name | +| JndiInjectionTest.java:70:16:70:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:71:16:71:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:74:16:74:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:75:16:75:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:83:42:83:69 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | semmle.label | new CompositeName(...) : CompositeName | +| JndiInjectionTest.java:84:35:84:41 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:87:16:87:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:88:20:88:26 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:89:16:89:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:90:14:90:20 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:91:22:91:28 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:93:16:93:19 | name | semmle.label | name | +| JndiInjectionTest.java:94:20:94:23 | name | semmle.label | name | +| JndiInjectionTest.java:95:16:95:19 | name | semmle.label | name | +| JndiInjectionTest.java:96:14:96:17 | name | semmle.label | name | +| JndiInjectionTest.java:97:22:97:25 | name | semmle.label | name | +| JndiInjectionTest.java:101:42:101:69 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:104:16:104:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:105:16:105:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:109:42:109:69 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | semmle.label | add(...) : Name | +| JndiInjectionTest.java:111:41:111:47 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:113:16:113:19 | name | semmle.label | name | +| JndiInjectionTest.java:115:16:115:19 | name | semmle.label | name | +| JndiInjectionTest.java:117:16:117:19 | name | semmle.label | name | +| JndiInjectionTest.java:118:16:118:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:120:16:120:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:122:16:122:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:123:23:123:26 | name | semmle.label | name | +| JndiInjectionTest.java:124:23:124:29 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:125:18:125:21 | name | semmle.label | name | +| JndiInjectionTest.java:126:16:126:19 | name | semmle.label | name | +| JndiInjectionTest.java:127:14:127:17 | name | semmle.label | name | +| JndiInjectionTest.java:128:22:128:25 | name | semmle.label | name | +| JndiInjectionTest.java:129:16:129:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:131:16:131:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:132:16:132:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:133:16:133:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:134:16:134:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:138:16:138:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:139:16:139:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:141:16:141:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:142:16:142:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:144:16:144:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:145:16:145:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:149:16:149:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:150:16:150:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:152:16:152:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:153:16:153:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:155:16:155:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:156:16:156:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:170:25:170:31 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:174:41:174:68 | nameStr : String | semmle.label | nameStr : String | +| JndiInjectionTest.java:177:16:177:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:178:16:178:22 | nameStr | semmle.label | nameStr | +| JndiInjectionTest.java:182:37:182:63 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | semmle.label | new JMXServiceURL(...) | +| JndiInjectionTest.java:183:51:183:56 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | semmle.label | new JMXServiceURL(...) : JMXServiceURL | +| JndiInjectionTest.java:185:43:185:48 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | semmle.label | newJMXConnector(...) : JMXConnector | +| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | semmle.label | url : JMXServiceURL | +| JndiInjectionTest.java:187:5:187:13 | connector | semmle.label | connector | +| JndiInjectionTest.java:191:27:191:53 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:194:35:194:40 | urlStr | semmle.label | urlStr | +| JndiInjectionTest.java:199:27:199:53 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:202:41:202:46 | urlStr | semmle.label | urlStr | +| JndiInjectionTest.java:207:52:207:78 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:211:37:211:42 | urlStr | semmle.label | urlStr | +| JndiInjectionTest.java:216:52:216:78 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:221:51:221:56 | urlStr | semmle.label | urlStr | +| JndiInjectionTest.java:226:52:226:78 | urlStr : String | semmle.label | urlStr : String | +| JndiInjectionTest.java:231:51:231:56 | urlStr | semmle.label | urlStr | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java b/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.java similarity index 70% rename from java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java rename to java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.java index 549ae554097b..961023db60de 100644 --- a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.java @@ -29,50 +29,50 @@ @Controller public class JndiInjectionTest { @RequestMapping - public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException { + public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source Name name = new CompositeName(nameStr); InitialContext ctx = new InitialContext(); - ctx.lookup(nameStr); // $hasJndiInjection - ctx.lookupLink(nameStr); // $hasJndiInjection - InitialContext.doLookup(nameStr); // $hasJndiInjection - ctx.rename(nameStr, ""); // $hasJndiInjection - ctx.list(nameStr); // $hasJndiInjection - ctx.listBindings(nameStr); // $hasJndiInjection - - ctx.lookup(name); // $hasJndiInjection - ctx.lookupLink(name); // $hasJndiInjection - InitialContext.doLookup(name); // $hasJndiInjection - ctx.rename(name, null); // $hasJndiInjection - ctx.list(name); // $hasJndiInjection - ctx.listBindings(name); // $hasJndiInjection + ctx.lookup(nameStr); // $ Alert + ctx.lookupLink(nameStr); // $ Alert + InitialContext.doLookup(nameStr); // $ Alert + ctx.rename(nameStr, ""); // $ Alert + ctx.list(nameStr); // $ Alert + ctx.listBindings(nameStr); // $ Alert + + ctx.lookup(name); // $ Alert + ctx.lookupLink(name); // $ Alert + InitialContext.doLookup(name); // $ Alert + ctx.rename(name, null); // $ Alert + ctx.list(name); // $ Alert + ctx.listBindings(name); // $ Alert } @RequestMapping - public void testDirContextBad1(@RequestParam String nameStr) throws NamingException { + public void testDirContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source Name name = new CompoundName(nameStr, new Properties()); DirContext ctx = new InitialDirContext(); - ctx.lookup(nameStr); // $hasJndiInjection - ctx.lookupLink(nameStr); // $hasJndiInjection - ctx.rename(nameStr, ""); // $hasJndiInjection - ctx.list(nameStr); // $hasJndiInjection - ctx.listBindings(nameStr); // $hasJndiInjection + ctx.lookup(nameStr); // $ Alert + ctx.lookupLink(nameStr); // $ Alert + ctx.rename(nameStr, ""); // $ Alert + ctx.list(nameStr); // $ Alert + ctx.listBindings(nameStr); // $ Alert - ctx.lookup(name); // $hasJndiInjection - ctx.lookupLink(name); // $hasJndiInjection - ctx.rename(name, null); // $hasJndiInjection - ctx.list(name); // $hasJndiInjection - ctx.listBindings(name); // $hasJndiInjection + ctx.lookup(name); // $ Alert + ctx.lookupLink(name); // $ Alert + ctx.rename(name, null); // $ Alert + ctx.list(name); // $ Alert + ctx.listBindings(name); // $ Alert SearchControls searchControls = new SearchControls(); searchControls.setReturningObjFlag(true); - ctx.search(nameStr, "", searchControls); // $hasJndiInjection - ctx.search(nameStr, "", new Object[] {}, searchControls); // $hasJndiInjection + ctx.search(nameStr, "", searchControls); // $ Alert + ctx.search(nameStr, "", new Object[] {}, searchControls); // $ Alert SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false); - ctx.search(nameStr, "", searchControls2); // $hasJndiInjection - ctx.search(nameStr, "", new Object[] {}, searchControls2); // $hasJndiInjection + ctx.search(nameStr, "", searchControls2); // $ Alert + ctx.search(nameStr, "", new Object[] {}, searchControls2); // $ Alert SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false); ctx.search(nameStr, "", searchControls3); // Safe @@ -80,80 +80,80 @@ public void testDirContextBad1(@RequestParam String nameStr) throws NamingExcept } @RequestMapping - public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException { + public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source Name name = new CompositeName(nameStr); InitialLdapContext ctx = new InitialLdapContext(); - ctx.lookup(nameStr); // $hasJndiInjection - ctx.lookupLink(nameStr); // $hasJndiInjection - ctx.rename(nameStr, ""); // $hasJndiInjection - ctx.list(nameStr); // $hasJndiInjection - ctx.listBindings(nameStr); // $hasJndiInjection - - ctx.lookup(name); // $hasJndiInjection - ctx.lookupLink(name); // $hasJndiInjection - ctx.rename(name, null); // $hasJndiInjection - ctx.list(name); // $hasJndiInjection - ctx.listBindings(name); // $hasJndiInjection + ctx.lookup(nameStr); // $ Alert + ctx.lookupLink(nameStr); // $ Alert + ctx.rename(nameStr, ""); // $ Alert + ctx.list(nameStr); // $ Alert + ctx.listBindings(nameStr); // $ Alert + + ctx.lookup(name); // $ Alert + ctx.lookupLink(name); // $ Alert + ctx.rename(name, null); // $ Alert + ctx.list(name); // $ Alert + ctx.listBindings(name); // $ Alert } @RequestMapping - public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { + public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source JndiTemplate ctx = new JndiTemplate(); - ctx.lookup(nameStr); // $hasJndiInjection - ctx.lookup(nameStr, null); // $hasJndiInjection + ctx.lookup(nameStr); // $ Alert + ctx.lookup(nameStr, null); // $ Alert } @RequestMapping - public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException { + public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source LdapTemplate ctx = new LdapTemplate(); Name name = new CompositeName().add(nameStr); - ctx.lookup(name); // $hasJndiInjection + ctx.lookup(name); // $ Alert ctx.lookup(name, (AttributesMapper) null); // Safe - ctx.lookup(name, (ContextMapper) null); // $hasJndiInjection + ctx.lookup(name, (ContextMapper) null); // $ Alert ctx.lookup(name, new String[] {}, (AttributesMapper) null); // Safe - ctx.lookup(name, new String[] {}, (ContextMapper) null); // $hasJndiInjection - ctx.lookup(nameStr); // $hasJndiInjection + ctx.lookup(name, new String[] {}, (ContextMapper) null); // $ Alert + ctx.lookup(nameStr); // $ Alert ctx.lookup(nameStr, (AttributesMapper) null); // Safe - ctx.lookup(nameStr, (ContextMapper) null); // $hasJndiInjection + ctx.lookup(nameStr, (ContextMapper) null); // $ Alert ctx.lookup(nameStr, new String[] {}, (AttributesMapper) null); // Safe - ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $hasJndiInjection - ctx.lookupContext(name); // $hasJndiInjection - ctx.lookupContext(nameStr); // $hasJndiInjection - ctx.findByDn(name, null); // $hasJndiInjection - ctx.rename(name, null); // $hasJndiInjection - ctx.list(name); // $hasJndiInjection - ctx.listBindings(name); // $hasJndiInjection - ctx.unbind(nameStr, true); // $hasJndiInjection - - ctx.search(nameStr, "", 0, true, null); // $hasJndiInjection - ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper) null); // $hasJndiInjection - ctx.search(nameStr, "", 0, (ContextMapper) null); // $hasJndiInjection - ctx.search(nameStr, "", (ContextMapper) null); // $hasJndiInjection + ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $ Alert + ctx.lookupContext(name); // $ Alert + ctx.lookupContext(nameStr); // $ Alert + ctx.findByDn(name, null); // $ Alert + ctx.rename(name, null); // $ Alert + ctx.list(name); // $ Alert + ctx.listBindings(name); // $ Alert + ctx.unbind(nameStr, true); // $ Alert + + ctx.search(nameStr, "", 0, true, null); // $ Alert + ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper) null); // $ Alert + ctx.search(nameStr, "", 0, (ContextMapper) null); // $ Alert + ctx.search(nameStr, "", (ContextMapper) null); // $ Alert SearchControls searchControls = new SearchControls(); searchControls.setReturningObjFlag(true); - ctx.search(nameStr, "", searchControls, (AttributesMapper) null); // $hasJndiInjection - ctx.search(nameStr, "", searchControls, (AttributesMapper) null, // $hasJndiInjection + ctx.search(nameStr, "", searchControls, (AttributesMapper) null); // $ Alert + ctx.search(nameStr, "", searchControls, (AttributesMapper) null, // $ Alert (DirContextProcessor) null); - ctx.search(nameStr, "", searchControls, (ContextMapper) null); // $hasJndiInjection - ctx.search(nameStr, "", searchControls, (ContextMapper) null, // $hasJndiInjection + ctx.search(nameStr, "", searchControls, (ContextMapper) null); // $ Alert + ctx.search(nameStr, "", searchControls, (ContextMapper) null, // $ Alert (DirContextProcessor) null); - ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $hasJndiInjection - ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $hasJndiInjection + ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $ Alert + ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $ Alert (DirContextProcessor) null); SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false); - ctx.search(nameStr, "", searchControls2, (AttributesMapper) null); // $hasJndiInjection - ctx.search(nameStr, "", searchControls2, (AttributesMapper) null, // $hasJndiInjection + ctx.search(nameStr, "", searchControls2, (AttributesMapper) null); // $ Alert + ctx.search(nameStr, "", searchControls2, (AttributesMapper) null, // $ Alert (DirContextProcessor) null); - ctx.search(nameStr, "", searchControls2, (ContextMapper) null); // $hasJndiInjection - ctx.search(nameStr, "", searchControls2, (ContextMapper) null, // $hasJndiInjection + ctx.search(nameStr, "", searchControls2, (ContextMapper) null); // $ Alert + ctx.search(nameStr, "", searchControls2, (ContextMapper) null, // $ Alert (DirContextProcessor) null); - ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $hasJndiInjection - ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $hasJndiInjection + ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $ Alert + ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $ Alert (DirContextProcessor) null); SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false); @@ -167,68 +167,68 @@ public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws Nami ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null, // Safe (DirContextProcessor) null); - ctx.searchForObject(nameStr, "", (ContextMapper) null); // $hasJndiInjection + ctx.searchForObject(nameStr, "", (ContextMapper) null); // $ Alert } @RequestMapping - public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { + public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source org.apache.shiro.jndi.JndiTemplate ctx = new org.apache.shiro.jndi.JndiTemplate(); - ctx.lookup(nameStr); // $hasJndiInjection - ctx.lookup(nameStr, null); // $hasJndiInjection + ctx.lookup(nameStr); // $ Alert + ctx.lookup(nameStr, null); // $ Alert } @RequestMapping - public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException { - JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $hasJndiInjection + public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException { // $ Source + JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $ Alert JMXServiceURL url = new JMXServiceURL(urlStr); JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null); - connector.connect(); // $hasJndiInjection + connector.connect(); // $ Alert } @RequestMapping - public void testEnvBad1(@RequestParam String urlStr) throws NamingException { + public void testEnvBad1(@RequestParam String urlStr) throws NamingException { // $ Source Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory"); - env.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection + env.put(Context.PROVIDER_URL, urlStr); // $ Alert new InitialContext(env); } @RequestMapping - public void testEnvBad2(@RequestParam String urlStr) throws NamingException { + public void testEnvBad2(@RequestParam String urlStr) throws NamingException { // $ Source Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory"); - env.put("java.naming.provider.url", urlStr); // $hasJndiInjection + env.put("java.naming.provider.url", urlStr); // $ Alert new InitialDirContext(env); } @RequestMapping - public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr) + public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr) // $ Source throws NamingException { Properties props = new Properties(); props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory"); - props.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection + props.put(Context.PROVIDER_URL, urlStr); // $ Alert new JndiTemplate(props); } @RequestMapping - public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr) + public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr) // $ Source throws NamingException { Properties props = new Properties(); props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory"); - props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection + props.setProperty("java.naming.provider.url", urlStr); // $ Alert new JndiTemplate(props); } @RequestMapping - public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr) + public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr) // $ Source throws NamingException { Properties props = new Properties(); props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory"); - props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection + props.setProperty("java.naming.provider.url", urlStr); // $ Alert JndiTemplate template = new JndiTemplate(); template.setEnvironment(props); } diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.qlref new file mode 100644 index 000000000000..90b6394597b8 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-074/JndiInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjection/options b/java/ql/test/query-tests/security/CWE-074/JndiInjection/options new file mode 100644 index 000000000000..099749ee58bf --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-074/JndiInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2:${testdir}/../../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../../stubs/apache-commons-logging-1.2 diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.expected b/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql b/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql deleted file mode 100644 index 03b588555b56..000000000000 --- a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.JndiInjectionQuery -import utils.test.InlineExpectationsTest - -module HasJndiInjectionTest implements TestSig { - string getARelevantTag() { result = "hasJndiInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasJndiInjection" and - exists(DataFlow::Node sink | JndiInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.expected b/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.expected new file mode 100644 index 000000000000..87167aa84bf0 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.expected @@ -0,0 +1,245 @@ +#select +| XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:30:44:30:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:35:66:35:88 | getInputStream(...) | this user input | +| XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | XsltInjectionTest.java:40:45:40:70 | param : String | XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:40:45:40:70 | param | this user input | +| XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:47:54:47:76 | getInputStream(...) | this user input | +| XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:53:67:53:89 | getInputStream(...) | this user input | +| XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:59:75:59:97 | getInputStream(...) | this user input | +| XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:65:31:65:53 | getInputStream(...) | this user input | +| XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:71:73:71:95 | getInputStream(...) | this user input | +| XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:76:44:76:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:84:44:84:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:94:5:94:35 | load(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:94:5:94:35 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:95:5:95:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:95:5:95:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:96:5:96:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:96:5:96:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:97:5:97:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:97:5:97:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:98:5:98:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:98:5:98:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:99:5:99:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:99:5:99:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:100:5:100:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:100:5:100:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:101:5:101:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:101:5:101:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:102:5:102:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:102:5:102:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:103:5:103:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:103:5:103:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:112:5:112:46 | load(...) | XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:112:5:112:46 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:36:107:61 | param | this user input | +| XsltInjectionTest.java:113:5:113:49 | load(...) | XsltInjectionTest.java:107:64:107:76 | socket : Socket | XsltInjectionTest.java:113:5:113:49 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:64:107:76 | socket | this user input | +| XsltInjectionTest.java:113:5:113:49 | load(...) | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:113:5:113:49 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) | this user input | +| XsltInjectionTest.java:114:5:114:50 | load(...) | XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:114:5:114:50 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:36:107:61 | param | this user input | +edges +| XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:31:53:31:58 | source : StreamSource | provenance | | +| XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 | +| XsltInjectionTest.java:31:53:31:58 | source : StreamSource | XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:36:51:36:56 | source : StreamSource | provenance | | +| XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | provenance | MaD:14 | +| XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 | +| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 | +| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | provenance | Config | +| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | provenance | MaD:16 | +| XsltInjectionTest.java:40:45:40:70 | param : String | XsltInjectionTest.java:42:61:42:64 | xslt : String | provenance | | +| XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:43:53:43:58 | source : StreamSource | provenance | | +| XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | provenance | MaD:14 | +| XsltInjectionTest.java:42:61:42:64 | xslt : String | XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | provenance | MaD:9 | +| XsltInjectionTest.java:43:53:43:58 | source : StreamSource | XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | XsltInjectionTest.java:48:51:48:56 | source : SAXSource | provenance | | +| XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | provenance | MaD:12 | +| XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | provenance | Src:MaD:7 MaD:17 | +| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 | +| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | provenance | Config | +| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | provenance | MaD:16 | +| XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | XsltInjectionTest.java:54:53:54:58 | source : SAXSource | provenance | | +| XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | provenance | MaD:13 | +| XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | provenance | MaD:17 | +| XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 | +| XsltInjectionTest.java:54:53:54:58 | source : SAXSource | XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | XsltInjectionTest.java:60:53:60:58 | source : StAXSource | provenance | | +| XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | provenance | Config | +| XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | provenance | Src:MaD:7 Config | +| XsltInjectionTest.java:60:53:60:58 | source : StAXSource | XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | XsltInjectionTest.java:66:51:66:56 | source : StAXSource | provenance | | +| XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | provenance | Config | +| XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | provenance | Config | +| XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 | +| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 | +| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | provenance | Config | +| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | provenance | MaD:16 | +| XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | XsltInjectionTest.java:72:53:72:58 | source : DOMSource | provenance | | +| XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | provenance | Config | +| XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | provenance | Src:MaD:7 Config | +| XsltInjectionTest.java:72:53:72:58 | source : DOMSource | XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:80:28:80:33 | source : StreamSource | provenance | | +| XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 | +| XsltInjectionTest.java:80:28:80:33 | source : StreamSource | XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:87:28:87:33 | source : StreamSource | provenance | | +| XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 | +| XsltInjectionTest.java:87:28:87:33 | source : StreamSource | XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | provenance | Config Sink:MaD:1 | +| XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:94:22:94:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 | +| XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:94:5:94:35 | load(...) | provenance | Config Sink:MaD:6 | +| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | XsltInjectionTest.java:95:22:95:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:95:5:95:37 | load30(...) | provenance | Config Sink:MaD:5 | +| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | XsltInjectionTest.java:96:22:96:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:96:5:96:37 | load30(...) | provenance | Config Sink:MaD:2 | +| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | XsltInjectionTest.java:97:22:97:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:97:5:97:37 | load30(...) | provenance | Config Sink:MaD:2 | +| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | XsltInjectionTest.java:98:22:98:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:98:5:98:37 | load30(...) | provenance | Config Sink:MaD:2 | +| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | XsltInjectionTest.java:99:22:99:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:99:5:99:37 | load30(...) | provenance | Config Sink:MaD:2 | +| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | XsltInjectionTest.java:100:22:100:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:100:5:100:37 | load30(...) | provenance | Config Sink:MaD:3 | +| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | XsltInjectionTest.java:101:22:101:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:101:5:101:37 | load30(...) | provenance | Config Sink:MaD:3 | +| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | XsltInjectionTest.java:102:22:102:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:102:5:102:37 | load30(...) | provenance | Config Sink:MaD:4 | +| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | XsltInjectionTest.java:103:22:103:27 | source : StreamSource | provenance | | +| XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:103:5:103:37 | load30(...) | provenance | Config Sink:MaD:4 | +| XsltInjectionTest.java:103:22:103:27 | source : StreamSource | XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:108:23:108:27 | param : String | provenance | | +| XsltInjectionTest.java:107:64:107:76 | socket : Socket | XsltInjectionTest.java:109:44:109:49 | socket : Socket | provenance | | +| XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | XsltInjectionTest.java:112:36:112:38 | uri : URI | provenance | | +| XsltInjectionTest.java:108:23:108:27 | param : String | XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | provenance | MaD:11 | +| XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:113:29:113:34 | source : StreamSource | provenance | | +| XsltInjectionTest.java:109:44:109:49 | socket : Socket | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | provenance | MaD:10 | +| XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 | +| XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | XsltInjectionTest.java:112:5:112:46 | load(...) | provenance | Config Sink:MaD:6 | +| XsltInjectionTest.java:112:36:112:38 | uri : URI | XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:112:36:112:38 | uri : URI | XsltInjectionTest.java:114:33:114:35 | uri : URI | provenance | | +| XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | XsltInjectionTest.java:113:5:113:49 | load(...) | provenance | Config Sink:MaD:6 | +| XsltInjectionTest.java:113:29:113:34 | source : StreamSource | XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | provenance | Config | +| XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | provenance | Config | +| XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | XsltInjectionTest.java:114:5:114:50 | load(...) | provenance | Config Sink:MaD:6 | +| XsltInjectionTest.java:114:33:114:35 | uri : URI | XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | provenance | Config | +models +| 1 | Sink: javax.xml.transform; Transformer; false; transform; ; ; Argument[this]; xslt-injection; manual | +| 2 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; applyTemplates; ; ; Argument[this]; xslt-injection; manual | +| 3 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; callFunction; ; ; Argument[this]; xslt-injection; manual | +| 4 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; callTemplate; ; ; Argument[this]; xslt-injection; manual | +| 5 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; transform; ; ; Argument[this]; xslt-injection; manual | +| 6 | Sink: net.sf.saxon.s9api; XsltTransformer; false; transform; ; ; Argument[this]; xslt-injection; manual | +| 7 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 8 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 9 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 10 | Summary: java.net; Socket; true; getInputStream; (); ; Argument[this]; ReturnValue; taint; df-generated | +| 11 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual | +| 12 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (InputSource); ; Argument[0]; Argument[this]; taint; manual | +| 13 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (XMLReader,InputSource); ; Argument[1]; Argument[this]; taint; manual | +| 14 | Summary: javax.xml.transform.stream; StreamSource; false; StreamSource; ; ; Argument[0]; Argument[this]; taint; manual | +| 15 | Summary: javax.xml.transform; Templates; true; newTransformer; (); ; Argument[this]; ReturnValue; taint; df-generated | +| 16 | Summary: javax.xml.transform; TransformerFactory; true; newTemplates; (Source); ; Argument[0]; ReturnValue; taint; df-generated | +| 17 | Summary: org.xml.sax; InputSource; false; InputSource; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:31:53:31:58 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates | +| XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:40:45:40:70 | param : String | semmle.label | param : String | +| XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| XsltInjectionTest.java:42:61:42:64 | xslt : String | semmle.label | xslt : String | +| XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:43:53:43:58 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource | +| XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | +| XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates | +| XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | semmle.label | source : SAXSource | +| XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource | +| XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | +| XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:54:53:54:58 | source : SAXSource | semmle.label | source : SAXSource | +| XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | semmle.label | new StAXSource(...) : StAXSource | +| XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | semmle.label | createXMLEventReader(...) : XMLEventReader | +| XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:60:53:60:58 | source : StAXSource | semmle.label | source : StAXSource | +| XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | semmle.label | new StAXSource(...) : StAXSource | +| XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | semmle.label | createXMLStreamReader(...) : XMLStreamReader | +| XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates | +| XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | semmle.label | source : StAXSource | +| XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | semmle.label | new DOMSource(...) : DOMSource | +| XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | semmle.label | parse(...) : Document | +| XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:72:53:72:58 | source : DOMSource | semmle.label | source : DOMSource | +| XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:80:28:80:33 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | semmle.label | newTransformer(...) | +| XsltInjectionTest.java:87:28:87:33 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:94:5:94:35 | load(...) | semmle.label | load(...) | +| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:95:5:95:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:96:5:96:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:97:5:97:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:98:5:98:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:99:5:99:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:100:5:100:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:101:5:101:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:102:5:102:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable | +| XsltInjectionTest.java:103:5:103:37 | load30(...) | semmle.label | load30(...) | +| XsltInjectionTest.java:103:22:103:27 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:107:36:107:61 | param : String | semmle.label | param : String | +| XsltInjectionTest.java:107:64:107:76 | socket : Socket | semmle.label | socket : Socket | +| XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| XsltInjectionTest.java:108:23:108:27 | param : String | semmle.label | param : String | +| XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| XsltInjectionTest.java:109:44:109:49 | socket : Socket | semmle.label | socket : Socket | +| XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | semmle.label | loadExecutablePackage(...) : XsltExecutable | +| XsltInjectionTest.java:112:5:112:46 | load(...) | semmle.label | load(...) | +| XsltInjectionTest.java:112:36:112:38 | uri : URI | semmle.label | uri : URI | +| XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | semmle.label | compilePackage(...) : XsltPackage | +| XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | semmle.label | link(...) : XsltExecutable | +| XsltInjectionTest.java:113:5:113:49 | load(...) | semmle.label | load(...) | +| XsltInjectionTest.java:113:29:113:34 | source : StreamSource | semmle.label | source : StreamSource | +| XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | semmle.label | loadLibraryPackage(...) : XsltPackage | +| XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | semmle.label | link(...) : XsltExecutable | +| XsltInjectionTest.java:114:5:114:50 | load(...) | semmle.label | load(...) | +| XsltInjectionTest.java:114:33:114:35 | uri : URI | semmle.label | uri : URI | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.java b/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.java similarity index 81% rename from java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.java rename to java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.java index 2bfd02a865c6..d6804d801b79 100644 --- a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.java @@ -27,91 +27,91 @@ @Controller public class XsltInjectionTest { public void testStreamSourceInputStream(Socket socket) throws Exception { - StreamSource source = new StreamSource(socket.getInputStream()); - TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection + StreamSource source = new StreamSource(socket.getInputStream()); // $ Source + TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert } public void testStreamSourceReader(Socket socket) throws Exception { - StreamSource source = new StreamSource(new InputStreamReader(socket.getInputStream())); - TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection + StreamSource source = new StreamSource(new InputStreamReader(socket.getInputStream())); // $ Source + TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert } @RequestMapping - public void testStreamSourceInjectedParam(@RequestParam String param) throws Exception { + public void testStreamSourceInjectedParam(@RequestParam String param) throws Exception { // $ Source String xslt = ""; StreamSource source = new StreamSource(new StringReader(xslt)); - TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection + TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert } public void testSAXSourceInputStream(Socket socket) throws Exception { - SAXSource source = new SAXSource(new InputSource(socket.getInputStream())); - TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection + SAXSource source = new SAXSource(new InputSource(socket.getInputStream())); // $ Source + TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert } public void testSAXSourceReader(Socket socket) throws Exception { SAXSource source = - new SAXSource(null, new InputSource(new InputStreamReader(socket.getInputStream()))); - TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection + new SAXSource(null, new InputSource(new InputStreamReader(socket.getInputStream()))); // $ Source + TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert } public void testStAXSourceEventReader(Socket socket) throws Exception { StAXSource source = - new StAXSource(XMLInputFactory.newInstance().createXMLEventReader(socket.getInputStream())); - TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection + new StAXSource(XMLInputFactory.newInstance().createXMLEventReader(socket.getInputStream())); // $ Source + TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert } public void testStAXSourceEventStream(Socket socket) throws Exception { StAXSource source = new StAXSource(XMLInputFactory.newInstance().createXMLStreamReader(null, - new InputStreamReader(socket.getInputStream()))); - TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection + new InputStreamReader(socket.getInputStream()))); // $ Source + TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert } public void testDOMSource(Socket socket) throws Exception { DOMSource source = new DOMSource( - DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(socket.getInputStream())); - TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection + DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(socket.getInputStream())); // $ Source + TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert } public void testDisabledXXE(Socket socket) throws Exception { - StreamSource source = new StreamSource(socket.getInputStream()); + StreamSource source = new StreamSource(socket.getInputStream()); // $ Source TransformerFactory factory = TransformerFactory.newInstance(); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - factory.newTransformer(source).transform(null, null); // $hasXsltInjection + factory.newTransformer(source).transform(null, null); // $ Alert } public void testFeatureSecureProcessingDisabled(Socket socket) throws Exception { - StreamSource source = new StreamSource(socket.getInputStream()); + StreamSource source = new StreamSource(socket.getInputStream()); // $ Source TransformerFactory factory = TransformerFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); - factory.newTransformer(source).transform(null, null); // $hasXsltInjection + factory.newTransformer(source).transform(null, null); // $ Alert } public void testSaxon(Socket socket) throws Exception { - StreamSource source = new StreamSource(socket.getInputStream()); + StreamSource source = new StreamSource(socket.getInputStream()); // $ Source XsltCompiler compiler = new Processor(true).newXsltCompiler(); - compiler.compile(source).load().transform(); // $hasXsltInjection - compiler.compile(source).load30().transform(null, null); // $hasXsltInjection - compiler.compile(source).load30().applyTemplates((Source) null); // $hasXsltInjection - compiler.compile(source).load30().applyTemplates((Source) null, null); // $hasXsltInjection - compiler.compile(source).load30().applyTemplates((XdmValue) null); // $hasXsltInjection - compiler.compile(source).load30().applyTemplates((XdmValue) null, null); // $hasXsltInjection - compiler.compile(source).load30().callFunction(null, null); // $hasXsltInjection - compiler.compile(source).load30().callFunction(null, null, null); // $hasXsltInjection - compiler.compile(source).load30().callTemplate(null); // $hasXsltInjection - compiler.compile(source).load30().callTemplate(null, null); // $hasXsltInjection + compiler.compile(source).load().transform(); // $ Alert + compiler.compile(source).load30().transform(null, null); // $ Alert + compiler.compile(source).load30().applyTemplates((Source) null); // $ Alert + compiler.compile(source).load30().applyTemplates((Source) null, null); // $ Alert + compiler.compile(source).load30().applyTemplates((XdmValue) null); // $ Alert + compiler.compile(source).load30().applyTemplates((XdmValue) null, null); // $ Alert + compiler.compile(source).load30().callFunction(null, null); // $ Alert + compiler.compile(source).load30().callFunction(null, null, null); // $ Alert + compiler.compile(source).load30().callTemplate(null); // $ Alert + compiler.compile(source).load30().callTemplate(null, null); // $ Alert } @RequestMapping - public void testSaxonXsltPackage(@RequestParam String param, Socket socket) throws Exception { + public void testSaxonXsltPackage(@RequestParam String param, Socket socket) throws Exception { // $ Source URI uri = new URI(param); - StreamSource source = new StreamSource(socket.getInputStream()); + StreamSource source = new StreamSource(socket.getInputStream()); // $ Source XsltCompiler compiler = new Processor(true).newXsltCompiler(); - compiler.loadExecutablePackage(uri).load().transform(); // $hasXsltInjection - compiler.compilePackage(source).link().load().transform(); // $hasXsltInjection - compiler.loadLibraryPackage(uri).link().load().transform(); // $hasXsltInjection + compiler.loadExecutablePackage(uri).load().transform(); // $ Alert + compiler.compilePackage(source).link().load().transform(); // $ Alert + compiler.loadLibraryPackage(uri).link().load().transform(); // $ Alert } public void testOkFeatureSecureProcessing(Socket socket) throws Exception { diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.qlref new file mode 100644 index 000000000000..e32e035cedb4 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-074/XsltInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjection/options b/java/ql/test/query-tests/security/CWE-074/XsltInjection/options new file mode 100644 index 000000000000..099749ee58bf --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-074/XsltInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2:${testdir}/../../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../../stubs/apache-commons-logging-1.2 diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.expected b/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql b/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql deleted file mode 100644 index 72c003246bc2..000000000000 --- a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql +++ /dev/null @@ -1,20 +0,0 @@ -import java -import semmle.code.java.dataflow.TaintTracking -import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.XsltInjectionQuery -import utils.test.InlineExpectationsTest - -module HasXsltInjectionTest implements TestSig { - string getARelevantTag() { result = "hasXsltInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasXsltInjection" and - exists(DataFlow::Node sink | XsltInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-074/options b/java/ql/test/query-tests/security/CWE-074/options deleted file mode 100644 index becd1ca3f587..000000000000 --- a/java/ql/test/query-tests/security/CWE-074/options +++ /dev/null @@ -1 +0,0 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../stubs/apache-commons-logging-1.2 diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java index a0719526d979..0e096ab94e02 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java @@ -12,25 +12,25 @@ public class JaxXSS { @GET - public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { + public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source Response.ResponseBuilder builder = Response.ok(); if(!safeContentType) { if(chainDirectly) { if(contentTypeFirst) - return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss + return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert else - return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss + return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert } else { if(contentTypeFirst) { Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML); - return builder2.entity(userControlled).build(); // $ xss + return builder2.entity(userControlled).build(); // $ Alert } else { Response.ResponseBuilder builder2 = builder.entity(userControlled); - return builder2.type(MediaType.TEXT_HTML).build(); // $ xss + return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert } } } @@ -56,7 +56,7 @@ public static Response specificContentType(boolean safeContentType, boolean chai } @GET - public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { + public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source // Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above: @@ -105,39 +105,39 @@ else if(route == 8) { else { if(route == 0) { // via ok, as a string literal: - return Response.ok("text/html").entity(userControlled).build(); // $ xss + return Response.ok("text/html").entity(userControlled).build(); // $ Alert } else if(route == 1) { // via ok, as a string constant: - return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss + return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert } else if(route == 2) { // via ok, as a MediaType constant: - return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss + return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert } else if(route == 3) { // via ok, as a Variant, via constructor: - return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss + return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert } else if(route == 4) { // via ok, as a Variant, via static method: - return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss + return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert } else if(route == 5) { // via ok, as a Variant, via instance method: - return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss + return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert } else if(route == 6) { // via builder variant, before entity: - return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss + return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert } else if(route == 7) { // via builder variant, after entity: - return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss + return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert } else if(route == 8) { // provide entity via ok, then content-type via builder: - return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss + return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert } } @@ -161,28 +161,28 @@ public static Response methodContentTypeSafeStringLiteral(String userControlled) } @GET @Produces(MediaType.TEXT_HTML) - public static Response methodContentTypeUnsafe(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public static Response methodContentTypeUnsafe(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @POST @Produces(MediaType.TEXT_HTML) - public static Response methodContentTypeUnsafePost(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @GET @Produces("text/html") - public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON}) - public static Response methodContentTypeMaybeSafe(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @GET @Produces(MediaType.APPLICATION_JSON) - public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { - return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss + public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source + return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert } @GET @Produces(MediaType.TEXT_HTML) @@ -204,13 +204,13 @@ public String testDirectReturn(String userControlled) { } @GET @Produces({"text/html"}) - public Response overridesWithUnsafe(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public Response overridesWithUnsafe(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @GET - public Response overridesWithUnsafe2(String userControlled) { - return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss + public Response overridesWithUnsafe2(String userControlled) { // $ Source + return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert } } @@ -218,13 +218,13 @@ public Response overridesWithUnsafe2(String userControlled) { @Produces({"text/html"}) public static class ClassContentTypeUnsafe { @GET - public Response test(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public Response test(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @GET - public String testDirectReturn(String userControlled) { - return userControlled; // $ xss + public String testDirectReturn(String userControlled) { // $ Source + return userControlled; // $ Alert } @GET @Produces({"application/json"}) @@ -239,13 +239,13 @@ public Response overridesWithSafe2(String userControlled) { } @GET - public static Response entityWithNoMediaType(String userControlled) { - return Response.ok(userControlled).build(); // $ xss + public static Response entityWithNoMediaType(String userControlled) { // $ Source + return Response.ok(userControlled).build(); // $ Alert } @GET - public static String stringWithNoMediaType(String userControlled) { - return userControlled; // $ xss + public static String stringWithNoMediaType(String userControlled) { // $ Source + return userControlled; // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java index 38df344dff26..f3efab3ddfe3 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java @@ -18,7 +18,7 @@ public void encodeBegin(FacesContext facesContext, UIComponent component) throws { super.encodeBegin(facesContext, component); - Map requestParameters = facesContext.getExternalContext().getRequestParameterMap(); + Map requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source String windowId = requestParameters.get("window_id"); ResponseWriter writer = facesContext.getResponseWriter(); @@ -26,7 +26,7 @@ public void encodeBegin(FacesContext facesContext, UIComponent component) throws writer.write("(function(){"); writer.write("dswh.init('" + windowId + "','" + "......" + "'," - + -1 + ",{"); // $ xss + + -1 + ",{"); // $ Alert writer.write("});"); writer.write("})();"); writer.write(""); @@ -57,13 +57,13 @@ public void testAllSources(FacesContext facesContext) throws IOException { ExternalContext ec = facesContext.getExternalContext(); ResponseWriter writer = facesContext.getResponseWriter(); - writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ xss - writer.write(ec.getRequestParameterNames().next()); // $ xss - writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ xss - writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ xss - writer.write(ec.getRequestPathInfo()); // $ xss - writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ xss - writer.write(ec.getRequestHeaderMap().get("someKey")); // $ xss - writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ xss + writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert + writer.write(ec.getRequestParameterNames().next()); // $ Alert + writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert + writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert + writer.write(ec.getRequestPathInfo()); // $ Alert + writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert + writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert + writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java index ff4957f3788a..fd3a26bcf105 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java @@ -13,17 +13,17 @@ public class SpringXSS { @GetMapping - public static ResponseEntity specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { + public static ResponseEntity specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source ResponseEntity.BodyBuilder builder = ResponseEntity.ok(); if(!safeContentType) { if(chainDirectly) { - return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss + return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert } else { ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML); - return builder2.body(userControlled); // $ xss + return builder2.body(userControlled); // $ Alert } } else { @@ -59,23 +59,23 @@ public static ResponseEntity methodContentTypeSafeStringLiteral(String u } @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE) - public static ResponseEntity methodContentTypeUnsafe(String userControlled) { - return ResponseEntity.ok(userControlled); // $ xss + public static ResponseEntity methodContentTypeUnsafe(String userControlled) { // $ Source + return ResponseEntity.ok(userControlled); // $ Alert } @GetMapping(value = "/xyz", produces = "text/html") - public static ResponseEntity methodContentTypeUnsafeStringLiteral(String userControlled) { - return ResponseEntity.ok(userControlled); // $ xss + public static ResponseEntity methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source + return ResponseEntity.ok(userControlled); // $ Alert } @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE}) - public static ResponseEntity methodContentTypeMaybeSafe(String userControlled) { - return ResponseEntity.ok(userControlled); // $ xss + public static ResponseEntity methodContentTypeMaybeSafe(String userControlled) { // $ Source + return ResponseEntity.ok(userControlled); // $ Alert } @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE) - public static ResponseEntity methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { - return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss + public static ResponseEntity methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source + return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert } @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE) @@ -84,17 +84,17 @@ public static ResponseEntity methodContentTypeUnsafeOverriddenWithSafe(S } @GetMapping(value = "/xyz", produces = {"text/html", "application/json"}) - public static ResponseEntity methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { + public static ResponseEntity methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source // Also try out some alternative constructors for the ResponseEntity: switch(constructionMethod) { case 0: - return ResponseEntity.ok(userControlled); // $ xss + return ResponseEntity.ok(userControlled); // $ Alert case 1: - return ResponseEntity.of(Optional.of(userControlled)); // $ xss + return ResponseEntity.of(Optional.of(userControlled)); // $ Alert case 2: - return ResponseEntity.ok().body(userControlled); // $ xss + return ResponseEntity.ok().body(userControlled); // $ Alert case 3: - return new ResponseEntity(userControlled, HttpStatus.OK); // $ xss + return new ResponseEntity(userControlled, HttpStatus.OK); // $ Alert default: return null; } @@ -114,13 +114,13 @@ public String testDirectReturn(String userControlled) { } @GetMapping(value = "/xyz", produces = {"text/html"}) - public ResponseEntity overridesWithUnsafe(String userControlled) { - return ResponseEntity.ok(userControlled); // $ xss + public ResponseEntity overridesWithUnsafe(String userControlled) { // $ Source + return ResponseEntity.ok(userControlled); // $ Alert } @GetMapping(value = "/abc") - public ResponseEntity overridesWithUnsafe2(String userControlled) { - return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss + public ResponseEntity overridesWithUnsafe2(String userControlled) { // $ Source + return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert } } @@ -128,13 +128,13 @@ public ResponseEntity overridesWithUnsafe2(String userControlled) { @RequestMapping(produces = {"text/html"}) private static class ClassContentTypeUnsafe { @GetMapping(value = "/abc") - public ResponseEntity test(String userControlled) { - return ResponseEntity.ok(userControlled); // $ xss + public ResponseEntity test(String userControlled) { // $ Source + return ResponseEntity.ok(userControlled); // $ Alert } @GetMapping(value = "/abc") - public String testDirectReturn(String userControlled) { - return userControlled; // $ xss + public String testDirectReturn(String userControlled) { // $ Source + return userControlled; // $ Alert } @GetMapping(value = "/xyz", produces = {"application/json"}) @@ -149,13 +149,13 @@ public ResponseEntity overridesWithSafe2(String userControlled) { } @GetMapping(value = "/abc") - public static ResponseEntity entityWithNoMediaType(String userControlled) { - return ResponseEntity.ok(userControlled); // $ xss + public static ResponseEntity entityWithNoMediaType(String userControlled) { // $ Source + return ResponseEntity.ok(userControlled); // $ Alert } @GetMapping(value = "/abc") - public static String stringWithNoMediaType(String userControlled) { - return userControlled; // $ xss + public static String stringWithNoMediaType(String userControlled) { // $ Source + return userControlled; // $ Alert } @GetMapping(value = "/abc") diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected index e69de29bb2d1..fcd7fd0ff18c 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected @@ -0,0 +1,336 @@ +#select +| JaxXSS.java:22:59:22:72 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:22:59:22:72 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value | +| JaxXSS.java:24:33:24:46 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:24:33:24:46 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value | +| JaxXSS.java:29:34:29:47 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:29:34:29:47 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value | +| JaxXSS.java:33:18:33:59 | build(...) | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:33:18:33:59 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value | +| JaxXSS.java:108:16:108:70 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:108:16:108:70 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:112:16:112:78 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:112:16:112:78 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:116:16:116:83 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:116:16:116:83 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:120:98:120:111 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:120:98:120:111 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:124:89:124:102 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:124:89:124:102 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:128:110:128:123 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:128:110:128:123 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:132:108:132:121 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:132:108:132:121 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:136:37:136:50 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:136:37:136:50 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:140:16:140:81 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:140:16:140:81 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value | +| JaxXSS.java:165:12:165:46 | build(...) | JaxXSS.java:164:50:164:70 | userControlled : String | JaxXSS.java:165:12:165:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:164:50:164:70 | userControlled | user-provided value | +| JaxXSS.java:170:12:170:46 | build(...) | JaxXSS.java:169:54:169:74 | userControlled : String | JaxXSS.java:170:12:170:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:169:54:169:74 | userControlled | user-provided value | +| JaxXSS.java:175:12:175:46 | build(...) | JaxXSS.java:174:63:174:83 | userControlled : String | JaxXSS.java:175:12:175:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:174:63:174:83 | userControlled | user-provided value | +| JaxXSS.java:180:12:180:46 | build(...) | JaxXSS.java:179:53:179:73 | userControlled : String | JaxXSS.java:180:12:180:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:179:53:179:73 | userControlled | user-provided value | +| JaxXSS.java:185:59:185:72 | userControlled | JaxXSS.java:184:68:184:88 | userControlled : String | JaxXSS.java:185:59:185:72 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:184:68:184:88 | userControlled | user-provided value | +| JaxXSS.java:208:14:208:48 | build(...) | JaxXSS.java:207:41:207:61 | userControlled : String | JaxXSS.java:208:14:208:48 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:207:41:207:61 | userControlled | user-provided value | +| JaxXSS.java:213:61:213:74 | userControlled | JaxXSS.java:212:42:212:62 | userControlled : String | JaxXSS.java:213:61:213:74 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:212:42:212:62 | userControlled | user-provided value | +| JaxXSS.java:222:14:222:48 | build(...) | JaxXSS.java:221:26:221:46 | userControlled : String | JaxXSS.java:222:14:222:48 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:221:26:221:46 | userControlled | user-provided value | +| JaxXSS.java:227:14:227:27 | userControlled | JaxXSS.java:226:36:226:56 | userControlled : String | JaxXSS.java:227:14:227:27 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:226:36:226:56 | userControlled | user-provided value | +| JaxXSS.java:243:12:243:46 | build(...) | JaxXSS.java:242:48:242:68 | userControlled : String | JaxXSS.java:243:12:243:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:242:48:242:68 | userControlled | user-provided value | +| JaxXSS.java:248:12:248:25 | userControlled | JaxXSS.java:247:46:247:66 | userControlled : String | JaxXSS.java:248:12:248:25 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:247:46:247:66 | userControlled | user-provided value | +| JsfXSS.java:27:22:29:27 | ... + ... | JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | JsfXSS.java:27:22:29:27 | ... + ... | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) | user-provided value | +| JsfXSS.java:60:22:60:75 | next(...) | JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | JsfXSS.java:60:22:60:75 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) | user-provided value | +| JsfXSS.java:61:22:61:57 | next(...) | JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | JsfXSS.java:61:22:61:57 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) | user-provided value | +| JsfXSS.java:62:22:62:72 | ...[...] | JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:62:22:62:72 | ...[...] | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) | user-provided value | +| JsfXSS.java:63:22:63:81 | next(...) | JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:63:22:63:81 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) | user-provided value | +| JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | user-provided value | +| JsfXSS.java:65:22:65:80 | getName(...) | JsfXSS.java:65:22:65:80 | getName(...) | JsfXSS.java:65:22:65:80 | getName(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:65:22:65:80 | getName(...) | user-provided value | +| JsfXSS.java:66:22:66:60 | get(...) | JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | JsfXSS.java:66:22:66:60 | get(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) | user-provided value | +| JsfXSS.java:67:22:67:69 | ...[...] | JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | JsfXSS.java:67:22:67:69 | ...[...] | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) | user-provided value | +| SpringXSS.java:22:62:22:75 | userControlled | SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:22:62:22:75 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:16:108:16:128 | userControlled | user-provided value | +| SpringXSS.java:26:30:26:43 | userControlled | SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:26:30:26:43 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:16:108:16:128 | userControlled | user-provided value | +| SpringXSS.java:63:12:63:44 | ok(...) | SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:62:64:62:84 | userControlled | user-provided value | +| SpringXSS.java:68:12:68:44 | ok(...) | SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:67:77:67:97 | userControlled | user-provided value | +| SpringXSS.java:73:12:73:44 | ok(...) | SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:72:67:72:87 | userControlled | user-provided value | +| SpringXSS.java:78:70:78:83 | userControlled | SpringXSS.java:77:82:77:102 | userControlled : String | SpringXSS.java:78:70:78:83 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:77:82:77:102 | userControlled | user-provided value | +| SpringXSS.java:91:14:91:46 | ok(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value | +| SpringXSS.java:93:14:93:59 | of(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:93:14:93:59 | of(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value | +| SpringXSS.java:95:14:95:53 | body(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value | +| SpringXSS.java:97:14:97:70 | new ResponseEntity(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:97:14:97:70 | new ResponseEntity(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value | +| SpringXSS.java:118:14:118:46 | ok(...) | SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:117:55:117:75 | userControlled | user-provided value | +| SpringXSS.java:123:72:123:85 | userControlled | SpringXSS.java:122:56:122:76 | userControlled : String | SpringXSS.java:123:72:123:85 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:122:56:122:76 | userControlled | user-provided value | +| SpringXSS.java:132:14:132:46 | ok(...) | SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:131:40:131:60 | userControlled | user-provided value | +| SpringXSS.java:137:14:137:27 | userControlled | SpringXSS.java:136:36:136:56 | userControlled : String | SpringXSS.java:137:14:137:27 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:136:36:136:56 | userControlled | user-provided value | +| SpringXSS.java:153:12:153:44 | ok(...) | SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:152:62:152:82 | userControlled | user-provided value | +| SpringXSS.java:158:12:158:25 | userControlled | SpringXSS.java:157:46:157:66 | userControlled : String | SpringXSS.java:158:12:158:25 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:157:46:157:66 | userControlled | user-provided value | +| XSS.java:19:12:19:77 | ... + ... | XSS.java:19:28:19:55 | getParameter(...) : String | XSS.java:19:12:19:77 | ... + ... | Cross-site scripting vulnerability due to a $@. | XSS.java:19:28:19:55 | getParameter(...) | user-provided value | +| XSS.java:34:30:34:87 | ... + ... | XSS.java:34:67:34:87 | getPathInfo(...) : String | XSS.java:34:30:34:87 | ... + ... | Cross-site scripting vulnerability due to a $@. | XSS.java:34:67:34:87 | getPathInfo(...) | user-provided value | +| XSS.java:37:36:37:67 | getBytes(...) | XSS.java:37:36:37:56 | getPathInfo(...) : String | XSS.java:37:36:37:67 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:37:36:37:56 | getPathInfo(...) | user-provided value | +| XSS.java:83:33:83:53 | getPathInfo(...) | XSS.java:83:33:83:53 | getPathInfo(...) | XSS.java:83:33:83:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:83:33:83:53 | getPathInfo(...) | user-provided value | +| XSS.java:88:33:88:53 | getPathInfo(...) | XSS.java:88:33:88:53 | getPathInfo(...) | XSS.java:88:33:88:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:88:33:88:53 | getPathInfo(...) | user-provided value | +| XSS.java:93:33:93:53 | getPathInfo(...) | XSS.java:93:33:93:53 | getPathInfo(...) | XSS.java:93:33:93:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:93:33:93:53 | getPathInfo(...) | user-provided value | +| XSS.java:100:39:100:70 | getBytes(...) | XSS.java:100:39:100:59 | getPathInfo(...) : String | XSS.java:100:39:100:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:100:39:100:59 | getPathInfo(...) | user-provided value | +| XSS.java:105:39:105:70 | getBytes(...) | XSS.java:105:39:105:59 | getPathInfo(...) : String | XSS.java:105:39:105:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:105:39:105:59 | getPathInfo(...) | user-provided value | +| XSS.java:110:39:110:70 | getBytes(...) | XSS.java:110:39:110:59 | getPathInfo(...) : String | XSS.java:110:39:110:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:110:39:110:59 | getPathInfo(...) | user-provided value | +edges +| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:22:59:22:72 | userControlled | provenance | | +| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:24:33:24:46 | userControlled | provenance | | +| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:29:34:29:47 | userControlled | provenance | | +| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:32:62:32:75 | userControlled : String | provenance | | +| JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | provenance | | +| JaxXSS.java:32:62:32:75 | userControlled : String | JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 | +| JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | provenance | MaD:19 | +| JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | JaxXSS.java:33:18:33:59 | build(...) | provenance | MaD:16 | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:108:48:108:61 | userControlled : String | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:112:56:112:69 | userControlled : String | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:116:61:116:74 | userControlled : String | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:120:98:120:111 | userControlled | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:124:89:124:102 | userControlled | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:128:110:128:123 | userControlled | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:132:108:132:121 | userControlled | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:136:37:136:50 | userControlled | provenance | | +| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:140:28:140:41 | userControlled : String | provenance | | +| JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | JaxXSS.java:108:16:108:70 | build(...) | provenance | MaD:16 | +| JaxXSS.java:108:48:108:61 | userControlled : String | JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 | +| JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | JaxXSS.java:112:16:112:78 | build(...) | provenance | MaD:16 | +| JaxXSS.java:112:56:112:69 | userControlled : String | JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 | +| JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | JaxXSS.java:116:16:116:83 | build(...) | provenance | MaD:16 | +| JaxXSS.java:116:61:116:74 | userControlled : String | JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 | +| JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | provenance | MaD:19 | +| JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | JaxXSS.java:140:16:140:81 | build(...) | provenance | MaD:16 | +| JaxXSS.java:140:28:140:41 | userControlled : String | JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:164:50:164:70 | userControlled : String | JaxXSS.java:165:24:165:37 | userControlled : String | provenance | | +| JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | JaxXSS.java:165:12:165:46 | build(...) | provenance | MaD:16 | +| JaxXSS.java:165:24:165:37 | userControlled : String | JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:169:54:169:74 | userControlled : String | JaxXSS.java:170:24:170:37 | userControlled : String | provenance | | +| JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | JaxXSS.java:170:12:170:46 | build(...) | provenance | MaD:16 | +| JaxXSS.java:170:24:170:37 | userControlled : String | JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:174:63:174:83 | userControlled : String | JaxXSS.java:175:24:175:37 | userControlled : String | provenance | | +| JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | JaxXSS.java:175:12:175:46 | build(...) | provenance | MaD:16 | +| JaxXSS.java:175:24:175:37 | userControlled : String | JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:179:53:179:73 | userControlled : String | JaxXSS.java:180:24:180:37 | userControlled : String | provenance | | +| JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | JaxXSS.java:180:12:180:46 | build(...) | provenance | MaD:16 | +| JaxXSS.java:180:24:180:37 | userControlled : String | JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:184:68:184:88 | userControlled : String | JaxXSS.java:185:59:185:72 | userControlled | provenance | | +| JaxXSS.java:207:41:207:61 | userControlled : String | JaxXSS.java:208:26:208:39 | userControlled : String | provenance | | +| JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | JaxXSS.java:208:14:208:48 | build(...) | provenance | MaD:16 | +| JaxXSS.java:208:26:208:39 | userControlled : String | JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:212:42:212:62 | userControlled : String | JaxXSS.java:213:61:213:74 | userControlled | provenance | | +| JaxXSS.java:221:26:221:46 | userControlled : String | JaxXSS.java:222:26:222:39 | userControlled : String | provenance | | +| JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | JaxXSS.java:222:14:222:48 | build(...) | provenance | MaD:16 | +| JaxXSS.java:222:26:222:39 | userControlled : String | JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:226:36:226:56 | userControlled : String | JaxXSS.java:227:14:227:27 | userControlled | provenance | | +| JaxXSS.java:242:48:242:68 | userControlled : String | JaxXSS.java:243:24:243:37 | userControlled : String | provenance | | +| JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | JaxXSS.java:243:12:243:46 | build(...) | provenance | MaD:16 | +| JaxXSS.java:243:24:243:37 | userControlled : String | JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | provenance | MaD:20 | +| JaxXSS.java:247:46:247:66 | userControlled : String | JaxXSS.java:248:12:248:25 | userControlled | provenance | | +| JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | JsfXSS.java:22:27:22:43 | requestParameters : Map | provenance | Src:MaD:5 | +| JsfXSS.java:22:27:22:43 | requestParameters : Map | JsfXSS.java:22:27:22:60 | get(...) : String | provenance | MaD:13 | +| JsfXSS.java:22:27:22:60 | get(...) : String | JsfXSS.java:27:22:29:27 | ... + ... | provenance | Sink:MaD:2 | +| JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | JsfXSS.java:60:22:60:57 | keySet(...) : Set [] : Object | provenance | Src:MaD:5 MaD:14 | +| JsfXSS.java:60:22:60:57 | keySet(...) : Set [] : Object | JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [] : Object | provenance | MaD:10 | +| JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [] : Object | JsfXSS.java:60:22:60:75 | next(...) | provenance | MaD:12 Sink:MaD:2 | +| JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | JsfXSS.java:61:22:61:57 | next(...) | provenance | Src:MaD:6 MaD:12 Sink:MaD:2 | +| JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:62:22:62:69 | get(...) : String[] | provenance | Src:MaD:7 MaD:13 | +| JsfXSS.java:62:22:62:69 | get(...) : String[] | JsfXSS.java:62:22:62:72 | ...[...] | provenance | Sink:MaD:2 | +| JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:63:22:63:63 | keySet(...) : Set [] : Object | provenance | Src:MaD:7 MaD:14 | +| JsfXSS.java:63:22:63:63 | keySet(...) : Set [] : Object | JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [] : Object | provenance | MaD:10 | +| JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [] : Object | JsfXSS.java:63:22:63:81 | next(...) | provenance | MaD:12 Sink:MaD:2 | +| JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | JsfXSS.java:66:22:66:60 | get(...) | provenance | Src:MaD:3 MaD:13 Sink:MaD:2 | +| JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | JsfXSS.java:67:22:67:66 | get(...) : String[] | provenance | Src:MaD:4 MaD:13 | +| JsfXSS.java:67:22:67:66 | get(...) : String[] | JsfXSS.java:67:22:67:69 | ...[...] | provenance | Sink:MaD:2 | +| SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:22:62:22:75 | userControlled | provenance | | +| SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:26:30:26:43 | userControlled | provenance | | +| SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:30:63:43 | userControlled : String | provenance | | +| SpringXSS.java:63:30:63:43 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:30:68:43 | userControlled : String | provenance | | +| SpringXSS.java:68:30:68:43 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:30:73:43 | userControlled : String | provenance | | +| SpringXSS.java:73:30:73:43 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:77:82:77:102 | userControlled : String | SpringXSS.java:78:70:78:83 | userControlled | provenance | | +| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:32:91:45 | userControlled : String | provenance | | +| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:93:44:93:57 | userControlled : String | provenance | | +| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | provenance | SpringResponseEntityBodyBuilder | +| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:39:95:52 | userControlled : String | provenance | | +| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:97:41:97:54 | userControlled : String | provenance | | +| SpringXSS.java:91:32:91:45 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:93:32:93:58 | of(...) : Optional [] : String | SpringXSS.java:93:14:93:59 | of(...) | provenance | MaD:23 | +| SpringXSS.java:93:44:93:57 | userControlled : String | SpringXSS.java:93:32:93:58 | of(...) : Optional [] : String | provenance | MaD:15 | +| SpringXSS.java:95:39:95:52 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | provenance | MaD:21 | +| SpringXSS.java:97:41:97:54 | userControlled : String | SpringXSS.java:97:14:97:70 | new ResponseEntity(...) | provenance | MaD:22 | +| SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:32:118:45 | userControlled : String | provenance | | +| SpringXSS.java:118:32:118:45 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:122:56:122:76 | userControlled : String | SpringXSS.java:123:72:123:85 | userControlled | provenance | | +| SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:32:132:45 | userControlled : String | provenance | | +| SpringXSS.java:132:32:132:45 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:136:36:136:56 | userControlled : String | SpringXSS.java:137:14:137:27 | userControlled | provenance | | +| SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | provenance | SpringResponseEntity | +| SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:30:153:43 | userControlled : String | provenance | | +| SpringXSS.java:153:30:153:43 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | provenance | MaD:24 | +| SpringXSS.java:157:46:157:66 | userControlled : String | SpringXSS.java:158:12:158:25 | userControlled | provenance | | +| XSS.java:19:28:19:55 | getParameter(...) : String | XSS.java:19:12:19:77 | ... + ... | provenance | Src:MaD:9 Sink:MaD:1 | +| XSS.java:34:67:34:87 | getPathInfo(...) : String | XSS.java:34:30:34:87 | ... + ... | provenance | Src:MaD:8 Sink:MaD:1 | +| XSS.java:37:36:37:56 | getPathInfo(...) : String | XSS.java:37:36:37:67 | getBytes(...) | provenance | Src:MaD:8 MaD:11 | +| XSS.java:100:39:100:59 | getPathInfo(...) : String | XSS.java:100:39:100:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 | +| XSS.java:105:39:105:59 | getPathInfo(...) : String | XSS.java:105:39:105:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 | +| XSS.java:110:39:110:59 | getPathInfo(...) : String | XSS.java:110:39:110:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 | +models +| 1 | Sink: java.io; PrintWriter; false; print; ; ; Argument[0]; file-content-store; manual | +| 2 | Sink: java.io; Writer; true; write; ; ; Argument[0]; file-content-store; manual | +| 3 | Source: javax.faces.context; ExternalContext; true; getRequestHeaderMap; (); ; ReturnValue; remote; manual | +| 4 | Source: javax.faces.context; ExternalContext; true; getRequestHeaderValuesMap; (); ; ReturnValue; remote; manual | +| 5 | Source: javax.faces.context; ExternalContext; true; getRequestParameterMap; (); ; ReturnValue; remote; manual | +| 6 | Source: javax.faces.context; ExternalContext; true; getRequestParameterNames; (); ; ReturnValue; remote; manual | +| 7 | Source: javax.faces.context; ExternalContext; true; getRequestParameterValuesMap; (); ; ReturnValue; remote; manual | +| 8 | Source: javax.servlet.http; HttpServletRequest; false; getPathInfo; (); ; ReturnValue; remote; manual | +| 9 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 10 | Summary: java.lang; Iterable; true; iterator; (); ; Argument[this].Element; ReturnValue.Element; value; manual | +| 11 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual | +| 12 | Summary: java.util; Iterator; true; next; ; ; Argument[this].Element; ReturnValue; value; manual | +| 13 | Summary: java.util; Map; true; get; ; ; Argument[this].MapValue; ReturnValue; value; manual | +| 14 | Summary: java.util; Map; true; keySet; (); ; Argument[this].MapKey; ReturnValue.Element; value; manual | +| 15 | Summary: java.util; Optional; false; of; ; ; Argument[0]; ReturnValue.Element; value; manual | +| 16 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; build; ; ; Argument[this]; ReturnValue; taint; manual | +| 17 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; entity; ; ; Argument[0]; Argument[this]; taint; manual | +| 18 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; entity; ; ; Argument[this]; ReturnValue; value; manual | +| 19 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; type; ; ; Argument[this]; ReturnValue; value; manual | +| 20 | Summary: javax.ws.rs.core; Response; false; ok; ; ; Argument[0]; ReturnValue; taint; manual | +| 21 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[0]; ReturnValue; taint; manual | +| 22 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,HttpStatus); ; Argument[0]; Argument[this]; taint; manual | +| 23 | Summary: org.springframework.http; ResponseEntity; true; of; (Optional); ; Argument[0].Element; ReturnValue; taint; manual | +| 24 | Summary: org.springframework.http; ResponseEntity; true; ok; (Object); ; Argument[0]; ReturnValue; taint; manual | +nodes +| JaxXSS.java:15:120:15:140 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:22:59:22:72 | userControlled | semmle.label | userControlled | +| JaxXSS.java:24:33:24:46 | userControlled | semmle.label | userControlled | +| JaxXSS.java:29:34:29:47 | userControlled | semmle.label | userControlled | +| JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder | +| JaxXSS.java:32:62:32:75 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | semmle.label | builder2 : ResponseBuilder | +| JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | semmle.label | type(...) : ResponseBuilder | +| JaxXSS.java:33:18:33:59 | build(...) | semmle.label | build(...) | +| JaxXSS.java:59:95:59:115 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder | +| JaxXSS.java:108:16:108:70 | build(...) | semmle.label | build(...) | +| JaxXSS.java:108:48:108:61 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder | +| JaxXSS.java:112:16:112:78 | build(...) | semmle.label | build(...) | +| JaxXSS.java:112:56:112:69 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder | +| JaxXSS.java:116:16:116:83 | build(...) | semmle.label | build(...) | +| JaxXSS.java:116:61:116:74 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:120:98:120:111 | userControlled | semmle.label | userControlled | +| JaxXSS.java:124:89:124:102 | userControlled | semmle.label | userControlled | +| JaxXSS.java:128:110:128:123 | userControlled | semmle.label | userControlled | +| JaxXSS.java:132:108:132:121 | userControlled | semmle.label | userControlled | +| JaxXSS.java:136:37:136:50 | userControlled | semmle.label | userControlled | +| JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | semmle.label | type(...) : ResponseBuilder | +| JaxXSS.java:140:16:140:81 | build(...) | semmle.label | build(...) | +| JaxXSS.java:140:28:140:41 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:164:50:164:70 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:165:12:165:46 | build(...) | semmle.label | build(...) | +| JaxXSS.java:165:24:165:37 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:169:54:169:74 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:170:12:170:46 | build(...) | semmle.label | build(...) | +| JaxXSS.java:170:24:170:37 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:174:63:174:83 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:175:12:175:46 | build(...) | semmle.label | build(...) | +| JaxXSS.java:175:24:175:37 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:179:53:179:73 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:180:12:180:46 | build(...) | semmle.label | build(...) | +| JaxXSS.java:180:24:180:37 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:184:68:184:88 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:185:59:185:72 | userControlled | semmle.label | userControlled | +| JaxXSS.java:207:41:207:61 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:208:14:208:48 | build(...) | semmle.label | build(...) | +| JaxXSS.java:208:26:208:39 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:212:42:212:62 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:213:61:213:74 | userControlled | semmle.label | userControlled | +| JaxXSS.java:221:26:221:46 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:222:14:222:48 | build(...) | semmle.label | build(...) | +| JaxXSS.java:222:26:222:39 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:226:36:226:56 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:227:14:227:27 | userControlled | semmle.label | userControlled | +| JaxXSS.java:242:48:242:68 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder | +| JaxXSS.java:243:12:243:46 | build(...) | semmle.label | build(...) | +| JaxXSS.java:243:24:243:37 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:247:46:247:66 | userControlled : String | semmle.label | userControlled : String | +| JaxXSS.java:248:12:248:25 | userControlled | semmle.label | userControlled | +| JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map | +| JsfXSS.java:22:27:22:43 | requestParameters : Map | semmle.label | requestParameters : Map | +| JsfXSS.java:22:27:22:60 | get(...) : String | semmle.label | get(...) : String | +| JsfXSS.java:27:22:29:27 | ... + ... | semmle.label | ... + ... | +| JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map | +| JsfXSS.java:60:22:60:57 | keySet(...) : Set [] : Object | semmle.label | keySet(...) : Set [] : Object | +| JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [] : Object | semmle.label | iterator(...) : Iterator [] : Object | +| JsfXSS.java:60:22:60:75 | next(...) | semmle.label | next(...) | +| JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | semmle.label | getRequestParameterNames(...) : Iterator | +| JsfXSS.java:61:22:61:57 | next(...) | semmle.label | next(...) | +| JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | semmle.label | getRequestParameterValuesMap(...) : Map | +| JsfXSS.java:62:22:62:69 | get(...) : String[] | semmle.label | get(...) : String[] | +| JsfXSS.java:62:22:62:72 | ...[...] | semmle.label | ...[...] | +| JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | semmle.label | getRequestParameterValuesMap(...) : Map | +| JsfXSS.java:63:22:63:63 | keySet(...) : Set [] : Object | semmle.label | keySet(...) : Set [] : Object | +| JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [] : Object | semmle.label | iterator(...) : Iterator [] : Object | +| JsfXSS.java:63:22:63:81 | next(...) | semmle.label | next(...) | +| JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | semmle.label | getRequestPathInfo(...) | +| JsfXSS.java:65:22:65:80 | getName(...) | semmle.label | getName(...) | +| JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | semmle.label | getRequestHeaderMap(...) : Map | +| JsfXSS.java:66:22:66:60 | get(...) | semmle.label | get(...) | +| JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | semmle.label | getRequestHeaderValuesMap(...) : Map | +| JsfXSS.java:67:22:67:66 | get(...) : String[] | semmle.label | get(...) : String[] | +| JsfXSS.java:67:22:67:69 | ...[...] | semmle.label | ...[...] | +| SpringXSS.java:16:108:16:128 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:22:62:22:75 | userControlled | semmle.label | userControlled | +| SpringXSS.java:26:30:26:43 | userControlled | semmle.label | userControlled | +| SpringXSS.java:62:64:62:84 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:63:12:63:44 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:63:30:63:43 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:67:77:67:97 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:68:12:68:44 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:68:30:68:43 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:72:67:72:87 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:73:12:73:44 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:73:30:73:43 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:77:82:77:102 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:78:70:78:83 | userControlled | semmle.label | userControlled | +| SpringXSS.java:87:81:87:101 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:91:14:91:46 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:91:32:91:45 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:93:14:93:59 | of(...) | semmle.label | of(...) | +| SpringXSS.java:93:32:93:58 | of(...) : Optional [] : String | semmle.label | of(...) : Optional [] : String | +| SpringXSS.java:93:44:93:57 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:95:14:95:53 | body(...) | semmle.label | body(...) | +| SpringXSS.java:95:39:95:52 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:97:14:97:70 | new ResponseEntity(...) | semmle.label | new ResponseEntity(...) | +| SpringXSS.java:97:41:97:54 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:117:55:117:75 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:118:14:118:46 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:118:32:118:45 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:122:56:122:76 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:123:72:123:85 | userControlled | semmle.label | userControlled | +| SpringXSS.java:131:40:131:60 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:132:14:132:46 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:132:32:132:45 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:136:36:136:56 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:137:14:137:27 | userControlled | semmle.label | userControlled | +| SpringXSS.java:152:62:152:82 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:153:12:153:44 | ok(...) | semmle.label | ok(...) | +| SpringXSS.java:153:30:153:43 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:157:46:157:66 | userControlled : String | semmle.label | userControlled : String | +| SpringXSS.java:158:12:158:25 | userControlled | semmle.label | userControlled | +| XSS.java:19:12:19:77 | ... + ... | semmle.label | ... + ... | +| XSS.java:19:28:19:55 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| XSS.java:34:30:34:87 | ... + ... | semmle.label | ... + ... | +| XSS.java:34:67:34:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String | +| XSS.java:37:36:37:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String | +| XSS.java:37:36:37:67 | getBytes(...) | semmle.label | getBytes(...) | +| XSS.java:83:33:83:53 | getPathInfo(...) | semmle.label | getPathInfo(...) | +| XSS.java:88:33:88:53 | getPathInfo(...) | semmle.label | getPathInfo(...) | +| XSS.java:93:33:93:53 | getPathInfo(...) | semmle.label | getPathInfo(...) | +| XSS.java:100:39:100:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String | +| XSS.java:100:39:100:70 | getBytes(...) | semmle.label | getBytes(...) | +| XSS.java:105:39:105:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String | +| XSS.java:105:39:105:70 | getBytes(...) | semmle.label | getBytes(...) | +| XSS.java:110:39:110:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String | +| XSS.java:110:39:110:70 | getBytes(...) | semmle.label | getBytes(...) | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java index 3584c45d8b2b..13ae6b62e10c 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java @@ -16,7 +16,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response, b throws ServletException, IOException { // BAD: a request parameter is written directly to the Servlet response stream response.getWriter() - .print("The page \"" + request.getParameter("page") + "\" was not found."); // $ xss + .print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert // GOOD: servlet API encodes the error message HTML for the HTML context response.sendError(HttpServletResponse.SC_NOT_FOUND, @@ -31,10 +31,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response, b "The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found."); // BAD: outputting the path of the resource - response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ xss + response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert // BAD: typical XSS, this time written to an OutputStream instead of a Writer - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert // GOOD: sanitizer response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe @@ -80,34 +80,34 @@ else if(setContentMethod == 1) { if(setContentMethod == 0) { // BAD: set content-type to something that is not safe response.setContentType("text/html"); - response.getWriter().print(request.getPathInfo()); // $ xss + response.getWriter().print(request.getPathInfo()); // $ Alert } else if(setContentMethod == 1) { // BAD: set content-type to something that is not safe response.setHeader("Content-Type", "text/html"); - response.getWriter().print(request.getPathInfo()); // $ xss + response.getWriter().print(request.getPathInfo()); // $ Alert } else { // BAD: set content-type to something that is not safe response.addHeader("Content-Type", "text/html"); - response.getWriter().print(request.getPathInfo()); // $ xss + response.getWriter().print(request.getPathInfo()); // $ Alert } } else { if(setContentMethod == 0) { // BAD: set content-type to something that is not safe response.setContentType("text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert } else if(setContentMethod == 1) { // BAD: set content-type to something that is not safe response.setHeader("Content-Type", "text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert } else { // BAD: set content-type to something that is not safe response.addHeader("Content-Type", "text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert } } } diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql deleted file mode 100644 index 271488ffb1f0..000000000000 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.XssQuery -import utils.test.InlineExpectationsTest - -module XssTest implements TestSig { - string getARelevantTag() { result = "xss" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "xss" and - exists(DataFlow::Node sink | XssFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.qlref b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.qlref new file mode 100644 index 000000000000..bff2f2538a29 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-079/XSS.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java similarity index 74% rename from java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java rename to java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java index 2ded64caaf63..ff7d73f16bd9 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java @@ -14,42 +14,41 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source final GroovyClassLoader classLoader = new GroovyClassLoader(); GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - classLoader.parseClass(gcs); // $hasGroovyInjection + classLoader.parseClass(gcs); // $ Alert } // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source final GroovyClassLoader classLoader = new GroovyClassLoader(); GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - classLoader.parseClass(gcs, true); // $hasGroovyInjection + classLoader.parseClass(gcs, true); // $ Alert } // "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection + classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert } // "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection + classLoader.parseClass(new StringReader(script), "test"); // $ Alert } // "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(script); // $hasGroovyInjection + classLoader.parseClass(script); // $ Alert } // "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(script, "test"); // $hasGroovyInjection + classLoader.parseClass(script, "test"); // $ Alert } } } - diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java similarity index 84% rename from java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java rename to java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java index f25e27e6893d..a906d9fdc968 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java @@ -18,8 +18,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) // "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual" { CompilationUnit cu = new CompilationUnit(); - cu.addSource("test", request.getParameter("source")); - cu.compile(); // $hasGroovyInjection + cu.addSource("test", request.getParameter("source")); // $ Source + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); @@ -29,20 +29,20 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) { CompilationUnit cu = new CompilationUnit(); cu.addSource("test", - new ByteArrayInputStream(request.getParameter("source").getBytes())); - cu.compile(); // $hasGroovyInjection + new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); - cu.addSource(new URL(request.getParameter("source"))); - cu.compile(); // $hasGroovyInjection + cu.addSource(new URL(request.getParameter("source"))); // $ Source + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); SourceUnit su = - new SourceUnit("test", request.getParameter("source"), null, null, null); + new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source cu.addSource(su); - cu.compile(); // $hasGroovyInjection + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); @@ -53,29 +53,29 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) } { CompilationUnit cu = new CompilationUnit(); - StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); + StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source SourceUnit su = new SourceUnit("test", rs, null, null, null); cu.addSource(su); - cu.compile(); // $hasGroovyInjection + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); SourceUnit su = - new SourceUnit(new URL(request.getParameter("source")), null, null, null); + new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source cu.addSource(su); - cu.compile(); // $hasGroovyInjection + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); - SourceUnit su = SourceUnit.create("test", request.getParameter("source")); + SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source cu.addSource(su); - cu.compile(); // $hasGroovyInjection + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); - SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); + SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source cu.addSource(su); - cu.compile(); // $hasGroovyInjection + cu.compile(); // $ Alert } { CompilationUnit cu = new CompilationUnit(); @@ -85,8 +85,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) } { JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit(); - cu.addSource("test", request.getParameter("source")); - cu.compile(); // $hasGroovyInjection + cu.addSource("test", request.getParameter("source")); // $ Source + cu.compile(); // $ Alert } { JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null); diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java similarity index 59% rename from java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java rename to java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java index 3647a3346fa8..3756cd10bfa2 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java @@ -11,30 +11,29 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); - Eval.me(script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + Eval.me(script); // $ Alert } // "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual", { - String script = request.getParameter("script"); - Eval.me("test", "result", script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + Eval.me("test", "result", script); // $ Alert } // "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual", { - String script = request.getParameter("script"); - Eval.x("result2", script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + Eval.x("result2", script); // $ Alert } // "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual", { - String script = request.getParameter("script"); - Eval.xy("result3", "result4", script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + Eval.xy("result3", "result4", script); // $ Alert } // "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual", { - String script = request.getParameter("script"); - Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + Eval.xyz("result3", "result4", "aaa", script); // $ Alert } } } - diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.expected new file mode 100644 index 000000000000..3a00c80a7043 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.expected @@ -0,0 +1,327 @@ +#select +| GroovyClassLoaderTest.java:20:36:20:38 | gcs | GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) : String | GroovyClassLoaderTest.java:20:36:20:38 | gcs | Groovy script depends on a $@. | GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) | user-provided value | +| GroovyClassLoaderTest.java:27:36:27:38 | gcs | GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) : String | GroovyClassLoaderTest.java:27:36:27:38 | gcs | Groovy script depends on a $@. | GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) | user-provided value | +| GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) : String | GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | Groovy script depends on a $@. | GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) | user-provided value | +| GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) : String | GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | Groovy script depends on a $@. | GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) | user-provided value | +| GroovyClassLoaderTest.java:45:36:45:41 | script | GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) : String | GroovyClassLoaderTest.java:45:36:45:41 | script | Groovy script depends on a $@. | GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) | user-provided value | +| GroovyClassLoaderTest.java:51:36:51:41 | script | GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) : String | GroovyClassLoaderTest.java:51:36:51:41 | script | Groovy script depends on a $@. | GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:22:13:22:14 | cu | GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:22:13:22:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:33:13:33:14 | cu | GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) : String | GroovyCompilationUnitTest.java:33:13:33:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:38:13:38:14 | cu | GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:38:13:38:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:45:13:45:14 | cu | GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:45:13:45:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:59:13:59:14 | cu | GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) : String | GroovyCompilationUnitTest.java:59:13:59:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:66:13:66:14 | cu | GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:66:13:66:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:72:13:72:14 | cu | GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:72:13:72:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:78:13:78:14 | cu | GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:78:13:78:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) | user-provided value | +| GroovyCompilationUnitTest.java:89:13:89:14 | cu | GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:89:13:89:14 | cu | Groovy script depends on a $@. | GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) | user-provided value | +| GroovyEvalTest.java:15:21:15:26 | script | GroovyEvalTest.java:14:29:14:58 | getParameter(...) : String | GroovyEvalTest.java:15:21:15:26 | script | Groovy script depends on a $@. | GroovyEvalTest.java:14:29:14:58 | getParameter(...) | user-provided value | +| GroovyEvalTest.java:20:39:20:44 | script | GroovyEvalTest.java:19:29:19:58 | getParameter(...) : String | GroovyEvalTest.java:20:39:20:44 | script | Groovy script depends on a $@. | GroovyEvalTest.java:19:29:19:58 | getParameter(...) | user-provided value | +| GroovyEvalTest.java:25:31:25:36 | script | GroovyEvalTest.java:24:29:24:58 | getParameter(...) : String | GroovyEvalTest.java:25:31:25:36 | script | Groovy script depends on a $@. | GroovyEvalTest.java:24:29:24:58 | getParameter(...) | user-provided value | +| GroovyEvalTest.java:31:43:31:48 | script | GroovyEvalTest.java:30:29:30:58 | getParameter(...) : String | GroovyEvalTest.java:31:43:31:48 | script | Groovy script depends on a $@. | GroovyEvalTest.java:30:29:30:58 | getParameter(...) | user-provided value | +| GroovyEvalTest.java:36:51:36:56 | script | GroovyEvalTest.java:35:29:35:58 | getParameter(...) : String | GroovyEvalTest.java:36:51:36:56 | script | Groovy script depends on a $@. | GroovyEvalTest.java:35:29:35:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:24:28:24:30 | gcs | GroovyShellTest.java:22:29:22:58 | getParameter(...) : String | GroovyShellTest.java:24:28:24:30 | gcs | Groovy script depends on a $@. | GroovyShellTest.java:22:29:22:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:31:28:31:33 | reader | GroovyShellTest.java:29:29:29:58 | getParameter(...) : String | GroovyShellTest.java:31:28:31:33 | reader | Groovy script depends on a $@. | GroovyShellTest.java:29:29:29:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:38:28:38:33 | reader | GroovyShellTest.java:36:29:36:58 | getParameter(...) : String | GroovyShellTest.java:38:28:38:33 | reader | Groovy script depends on a $@. | GroovyShellTest.java:36:29:36:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:44:28:44:33 | script | GroovyShellTest.java:43:29:43:58 | getParameter(...) : String | GroovyShellTest.java:44:28:44:33 | script | Groovy script depends on a $@. | GroovyShellTest.java:43:29:43:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:50:28:50:33 | script | GroovyShellTest.java:49:29:49:58 | getParameter(...) : String | GroovyShellTest.java:50:28:50:33 | script | Groovy script depends on a $@. | GroovyShellTest.java:49:29:49:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:56:28:56:33 | script | GroovyShellTest.java:55:29:55:58 | getParameter(...) : String | GroovyShellTest.java:56:28:56:33 | script | Groovy script depends on a $@. | GroovyShellTest.java:55:29:55:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:62:25:62:39 | new URI(...) | GroovyShellTest.java:61:29:61:58 | getParameter(...) : String | GroovyShellTest.java:62:25:62:39 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:61:29:61:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:70:25:70:30 | reader | GroovyShellTest.java:68:29:68:58 | getParameter(...) : String | GroovyShellTest.java:70:25:70:30 | reader | Groovy script depends on a $@. | GroovyShellTest.java:68:29:68:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:77:25:77:30 | reader | GroovyShellTest.java:75:29:75:58 | getParameter(...) : String | GroovyShellTest.java:77:25:77:30 | reader | Groovy script depends on a $@. | GroovyShellTest.java:75:29:75:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:83:25:83:30 | script | GroovyShellTest.java:82:29:82:58 | getParameter(...) : String | GroovyShellTest.java:83:25:83:30 | script | Groovy script depends on a $@. | GroovyShellTest.java:82:29:82:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:89:25:89:30 | script | GroovyShellTest.java:88:29:88:58 | getParameter(...) : String | GroovyShellTest.java:89:25:89:30 | script | Groovy script depends on a $@. | GroovyShellTest.java:88:29:88:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:95:25:95:39 | new URI(...) | GroovyShellTest.java:94:29:94:58 | getParameter(...) : String | GroovyShellTest.java:95:25:95:39 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:94:29:94:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:103:23:103:25 | gcs | GroovyShellTest.java:101:29:101:58 | getParameter(...) : String | GroovyShellTest.java:103:23:103:25 | gcs | Groovy script depends on a $@. | GroovyShellTest.java:101:29:101:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:110:23:110:25 | gcs | GroovyShellTest.java:108:29:108:58 | getParameter(...) : String | GroovyShellTest.java:110:23:110:25 | gcs | Groovy script depends on a $@. | GroovyShellTest.java:108:29:108:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:117:23:117:28 | reader | GroovyShellTest.java:115:29:115:58 | getParameter(...) : String | GroovyShellTest.java:117:23:117:28 | reader | Groovy script depends on a $@. | GroovyShellTest.java:115:29:115:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:124:23:124:28 | reader | GroovyShellTest.java:122:29:122:58 | getParameter(...) : String | GroovyShellTest.java:124:23:124:28 | reader | Groovy script depends on a $@. | GroovyShellTest.java:122:29:122:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:130:23:130:28 | script | GroovyShellTest.java:129:29:129:58 | getParameter(...) : String | GroovyShellTest.java:130:23:130:28 | script | Groovy script depends on a $@. | GroovyShellTest.java:129:29:129:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:136:23:136:28 | script | GroovyShellTest.java:135:29:135:58 | getParameter(...) : String | GroovyShellTest.java:136:23:136:28 | script | Groovy script depends on a $@. | GroovyShellTest.java:135:29:135:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:142:23:142:37 | new URI(...) | GroovyShellTest.java:141:29:141:58 | getParameter(...) : String | GroovyShellTest.java:142:23:142:37 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:141:29:141:58 | getParameter(...) | user-provided value | +| GroovyShellTest.java:149:23:149:37 | new URI(...) | GroovyShellTest.java:148:29:148:58 | getParameter(...) : String | GroovyShellTest.java:149:23:149:37 | new URI(...) | Groovy script depends on a $@. | GroovyShellTest.java:148:29:148:58 | getParameter(...) | user-provided value | +| TemplateEngineTest.java:22:35:22:64 | getParameter(...) | TemplateEngineTest.java:22:35:22:64 | getParameter(...) | TemplateEngineTest.java:22:35:22:64 | getParameter(...) | Groovy script depends on a $@. | TemplateEngineTest.java:22:35:22:64 | getParameter(...) | user-provided value | +| TemplateEngineTest.java:23:35:23:47 | (...)... | TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:23:35:23:47 | (...)... | Groovy script depends on a $@. | TemplateEngineTest.java:14:16:14:45 | getParameter(...) | user-provided value | +| TemplateEngineTest.java:24:35:24:49 | (...)... | TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:24:35:24:49 | (...)... | Groovy script depends on a $@. | TemplateEngineTest.java:14:16:14:45 | getParameter(...) | user-provided value | +| TemplateEngineTest.java:25:35:25:46 | (...)... | TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:25:35:25:46 | (...)... | Groovy script depends on a $@. | TemplateEngineTest.java:14:16:14:45 | getParameter(...) | user-provided value | +edges +| GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) : String | GroovyClassLoaderTest.java:19:57:19:62 | script : String | provenance | Src:MaD:33 | +| GroovyClassLoaderTest.java:19:36:19:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyClassLoaderTest.java:20:36:20:38 | gcs | provenance | Sink:MaD:1 | +| GroovyClassLoaderTest.java:19:57:19:62 | script : String | GroovyClassLoaderTest.java:19:36:19:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config | +| GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) : String | GroovyClassLoaderTest.java:26:57:26:62 | script : String | provenance | Src:MaD:33 | +| GroovyClassLoaderTest.java:26:36:26:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyClassLoaderTest.java:27:36:27:38 | gcs | provenance | Sink:MaD:2 | +| GroovyClassLoaderTest.java:26:57:26:62 | script : String | GroovyClassLoaderTest.java:26:36:26:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config | +| GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) : String | GroovyClassLoaderTest.java:33:61:33:66 | script : String | provenance | Src:MaD:33 | +| GroovyClassLoaderTest.java:33:61:33:66 | script : String | GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | provenance | MaD:36 | +| GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | provenance | MaD:34 Sink:MaD:3 | +| GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | provenance | inputStreamWrapper Sink:MaD:3 | +| GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) : String | GroovyClassLoaderTest.java:39:53:39:58 | script : String | provenance | Src:MaD:33 | +| GroovyClassLoaderTest.java:39:53:39:58 | script : String | GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | provenance | MaD:35 Sink:MaD:4 | +| GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) : String | GroovyClassLoaderTest.java:45:36:45:41 | script | provenance | Src:MaD:33 Sink:MaD:5 | +| GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) : String | GroovyClassLoaderTest.java:51:36:51:41 | script | provenance | Src:MaD:33 Sink:MaD:6 | +| GroovyCompilationUnitTest.java:21:13:21:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:22:13:22:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:21:13:21:14 | cu [post update] : CompilationUnit | provenance | Src:MaD:33 Config | +| GroovyCompilationUnitTest.java:31:13:31:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:33:13:33:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | GroovyCompilationUnitTest.java:31:13:31:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) : String | GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | provenance | Src:MaD:33 MaD:36 | +| GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:34 | +| GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | inputStreamWrapper | +| GroovyCompilationUnitTest.java:37:13:37:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:38:13:38:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:37:26:37:64 | new URL(...) : URL | GroovyCompilationUnitTest.java:37:13:37:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:37:26:37:64 | new URL(...) : URL | provenance | Src:MaD:33 MaD:38 | +| GroovyCompilationUnitTest.java:43:21:43:92 | new SourceUnit(...) : SourceUnit | GroovyCompilationUnitTest.java:44:26:44:27 | su : SourceUnit | provenance | | +| GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:43:21:43:92 | new SourceUnit(...) : SourceUnit | provenance | Src:MaD:33 Config | +| GroovyCompilationUnitTest.java:44:13:44:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:45:13:45:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:44:26:44:27 | su : SourceUnit | GroovyCompilationUnitTest.java:44:13:44:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:56:37:56:96 | new StringReaderSource(...) : StringReaderSource | GroovyCompilationUnitTest.java:57:52:57:53 | rs : StringReaderSource | provenance | | +| GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) : String | GroovyCompilationUnitTest.java:56:37:56:96 | new StringReaderSource(...) : StringReaderSource | provenance | Src:MaD:33 Config | +| GroovyCompilationUnitTest.java:57:29:57:72 | new SourceUnit(...) : SourceUnit | GroovyCompilationUnitTest.java:58:26:58:27 | su : SourceUnit | provenance | | +| GroovyCompilationUnitTest.java:57:52:57:53 | rs : StringReaderSource | GroovyCompilationUnitTest.java:57:29:57:72 | new SourceUnit(...) : SourceUnit | provenance | Config | +| GroovyCompilationUnitTest.java:58:13:58:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:59:13:59:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:58:26:58:27 | su : SourceUnit | GroovyCompilationUnitTest.java:58:13:58:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:64:21:64:93 | new SourceUnit(...) : SourceUnit | GroovyCompilationUnitTest.java:65:26:65:27 | su : SourceUnit | provenance | | +| GroovyCompilationUnitTest.java:64:36:64:74 | new URL(...) : URL | GroovyCompilationUnitTest.java:64:21:64:93 | new SourceUnit(...) : SourceUnit | provenance | Config | +| GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) : String | GroovyCompilationUnitTest.java:64:36:64:74 | new URL(...) : URL | provenance | Src:MaD:33 MaD:38 | +| GroovyCompilationUnitTest.java:65:13:65:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:66:13:66:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:65:26:65:27 | su : SourceUnit | GroovyCompilationUnitTest.java:65:13:65:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:70:29:70:85 | create(...) : SourceUnit | GroovyCompilationUnitTest.java:71:26:71:27 | su : SourceUnit | provenance | | +| GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:70:29:70:85 | create(...) : SourceUnit | provenance | Src:MaD:33 Config | +| GroovyCompilationUnitTest.java:71:13:71:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:72:13:72:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:71:26:71:27 | su : SourceUnit | GroovyCompilationUnitTest.java:71:13:71:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:76:29:76:88 | create(...) : SourceUnit | GroovyCompilationUnitTest.java:77:26:77:27 | su : SourceUnit | provenance | | +| GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) : String | GroovyCompilationUnitTest.java:76:29:76:88 | create(...) : SourceUnit | provenance | Src:MaD:33 Config | +| GroovyCompilationUnitTest.java:77:13:77:14 | cu [post update] : CompilationUnit | GroovyCompilationUnitTest.java:78:13:78:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:77:26:77:27 | su : SourceUnit | GroovyCompilationUnitTest.java:77:13:77:14 | cu [post update] : CompilationUnit | provenance | Config | +| GroovyCompilationUnitTest.java:88:13:88:14 | cu [post update] : JavaAwareCompilationUnit | GroovyCompilationUnitTest.java:89:13:89:14 | cu | provenance | Sink:MaD:32 | +| GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) : String | GroovyCompilationUnitTest.java:88:13:88:14 | cu [post update] : JavaAwareCompilationUnit | provenance | Src:MaD:33 Config | +| GroovyEvalTest.java:14:29:14:58 | getParameter(...) : String | GroovyEvalTest.java:15:21:15:26 | script | provenance | Src:MaD:33 Sink:MaD:27 | +| GroovyEvalTest.java:19:29:19:58 | getParameter(...) : String | GroovyEvalTest.java:20:39:20:44 | script | provenance | Src:MaD:33 Sink:MaD:28 | +| GroovyEvalTest.java:24:29:24:58 | getParameter(...) : String | GroovyEvalTest.java:25:31:25:36 | script | provenance | Src:MaD:33 Sink:MaD:29 | +| GroovyEvalTest.java:30:29:30:58 | getParameter(...) : String | GroovyEvalTest.java:31:43:31:48 | script | provenance | Src:MaD:33 Sink:MaD:30 | +| GroovyEvalTest.java:35:29:35:58 | getParameter(...) : String | GroovyEvalTest.java:36:51:36:56 | script | provenance | Src:MaD:33 Sink:MaD:31 | +| GroovyShellTest.java:22:29:22:58 | getParameter(...) : String | GroovyShellTest.java:23:57:23:62 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:23:36:23:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyShellTest.java:24:28:24:30 | gcs | provenance | Sink:MaD:7 | +| GroovyShellTest.java:23:57:23:62 | script : String | GroovyShellTest.java:23:36:23:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config | +| GroovyShellTest.java:29:29:29:58 | getParameter(...) : String | GroovyShellTest.java:30:46:30:51 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:30:29:30:52 | new StringReader(...) : StringReader | GroovyShellTest.java:31:28:31:33 | reader | provenance | Sink:MaD:8 | +| GroovyShellTest.java:30:46:30:51 | script : String | GroovyShellTest.java:30:29:30:52 | new StringReader(...) : StringReader | provenance | MaD:35 | +| GroovyShellTest.java:36:29:36:58 | getParameter(...) : String | GroovyShellTest.java:37:46:37:51 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:37:29:37:52 | new StringReader(...) : StringReader | GroovyShellTest.java:38:28:38:33 | reader | provenance | Sink:MaD:9 | +| GroovyShellTest.java:37:46:37:51 | script : String | GroovyShellTest.java:37:29:37:52 | new StringReader(...) : StringReader | provenance | MaD:35 | +| GroovyShellTest.java:43:29:43:58 | getParameter(...) : String | GroovyShellTest.java:44:28:44:33 | script | provenance | Src:MaD:33 Sink:MaD:10 | +| GroovyShellTest.java:49:29:49:58 | getParameter(...) : String | GroovyShellTest.java:50:28:50:33 | script | provenance | Src:MaD:33 Sink:MaD:11 | +| GroovyShellTest.java:55:29:55:58 | getParameter(...) : String | GroovyShellTest.java:56:28:56:33 | script | provenance | Src:MaD:33 Sink:MaD:12 | +| GroovyShellTest.java:61:29:61:58 | getParameter(...) : String | GroovyShellTest.java:62:33:62:38 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:62:33:62:38 | script : String | GroovyShellTest.java:62:25:62:39 | new URI(...) | provenance | MaD:37 Sink:MaD:17 | +| GroovyShellTest.java:68:29:68:58 | getParameter(...) : String | GroovyShellTest.java:69:46:69:51 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:69:29:69:52 | new StringReader(...) : StringReader | GroovyShellTest.java:70:25:70:30 | reader | provenance | Sink:MaD:13 | +| GroovyShellTest.java:69:46:69:51 | script : String | GroovyShellTest.java:69:29:69:52 | new StringReader(...) : StringReader | provenance | MaD:35 | +| GroovyShellTest.java:75:29:75:58 | getParameter(...) : String | GroovyShellTest.java:76:46:76:51 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:76:29:76:52 | new StringReader(...) : StringReader | GroovyShellTest.java:77:25:77:30 | reader | provenance | Sink:MaD:14 | +| GroovyShellTest.java:76:46:76:51 | script : String | GroovyShellTest.java:76:29:76:52 | new StringReader(...) : StringReader | provenance | MaD:35 | +| GroovyShellTest.java:82:29:82:58 | getParameter(...) : String | GroovyShellTest.java:83:25:83:30 | script | provenance | Src:MaD:33 Sink:MaD:15 | +| GroovyShellTest.java:88:29:88:58 | getParameter(...) : String | GroovyShellTest.java:89:25:89:30 | script | provenance | Src:MaD:33 Sink:MaD:16 | +| GroovyShellTest.java:94:29:94:58 | getParameter(...) : String | GroovyShellTest.java:95:33:95:38 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:95:33:95:38 | script : String | GroovyShellTest.java:95:25:95:39 | new URI(...) | provenance | MaD:37 Sink:MaD:17 | +| GroovyShellTest.java:101:29:101:58 | getParameter(...) : String | GroovyShellTest.java:102:57:102:62 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:102:36:102:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyShellTest.java:103:23:103:25 | gcs | provenance | Sink:MaD:19 | +| GroovyShellTest.java:102:57:102:62 | script : String | GroovyShellTest.java:102:36:102:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config | +| GroovyShellTest.java:108:29:108:58 | getParameter(...) : String | GroovyShellTest.java:109:57:109:62 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:109:36:109:79 | new GroovyCodeSource(...) : GroovyCodeSource | GroovyShellTest.java:110:23:110:25 | gcs | provenance | Sink:MaD:18 | +| GroovyShellTest.java:109:57:109:62 | script : String | GroovyShellTest.java:109:36:109:79 | new GroovyCodeSource(...) : GroovyCodeSource | provenance | Config | +| GroovyShellTest.java:115:29:115:58 | getParameter(...) : String | GroovyShellTest.java:116:46:116:51 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:116:29:116:52 | new StringReader(...) : StringReader | GroovyShellTest.java:117:23:117:28 | reader | provenance | Sink:MaD:21 | +| GroovyShellTest.java:116:46:116:51 | script : String | GroovyShellTest.java:116:29:116:52 | new StringReader(...) : StringReader | provenance | MaD:35 | +| GroovyShellTest.java:122:29:122:58 | getParameter(...) : String | GroovyShellTest.java:123:46:123:51 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:123:29:123:52 | new StringReader(...) : StringReader | GroovyShellTest.java:124:23:124:28 | reader | provenance | Sink:MaD:20 | +| GroovyShellTest.java:123:46:123:51 | script : String | GroovyShellTest.java:123:29:123:52 | new StringReader(...) : StringReader | provenance | MaD:35 | +| GroovyShellTest.java:129:29:129:58 | getParameter(...) : String | GroovyShellTest.java:130:23:130:28 | script | provenance | Src:MaD:33 Sink:MaD:23 | +| GroovyShellTest.java:135:29:135:58 | getParameter(...) : String | GroovyShellTest.java:136:23:136:28 | script | provenance | Src:MaD:33 Sink:MaD:22 | +| GroovyShellTest.java:141:29:141:58 | getParameter(...) : String | GroovyShellTest.java:142:31:142:36 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:142:31:142:36 | script : String | GroovyShellTest.java:142:23:142:37 | new URI(...) | provenance | MaD:37 Sink:MaD:25 | +| GroovyShellTest.java:148:29:148:58 | getParameter(...) : String | GroovyShellTest.java:149:31:149:36 | script : String | provenance | Src:MaD:33 | +| GroovyShellTest.java:149:31:149:36 | script : String | GroovyShellTest.java:149:23:149:37 | new URI(...) | provenance | MaD:37 Sink:MaD:24 | +| TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | TemplateEngineTest.java:20:29:20:43 | source(...) : String | provenance | Src:MaD:33 | +| TemplateEngineTest.java:20:29:20:43 | source(...) : String | TemplateEngineTest.java:23:35:23:47 | (...)... | provenance | Sink:MaD:26 | +| TemplateEngineTest.java:20:29:20:43 | source(...) : String | TemplateEngineTest.java:24:35:24:49 | (...)... | provenance | Sink:MaD:26 | +| TemplateEngineTest.java:20:29:20:43 | source(...) : String | TemplateEngineTest.java:25:35:25:46 | (...)... | provenance | Sink:MaD:26 | +models +| 1 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (GroovyCodeSource); ; Argument[0]; groovy-injection; manual | +| 2 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (GroovyCodeSource,boolean); ; Argument[0]; groovy-injection; manual | +| 3 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (InputStream,String); ; Argument[0]; groovy-injection; manual | +| 4 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (Reader,String); ; Argument[0]; groovy-injection; manual | +| 5 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (String); ; Argument[0]; groovy-injection; manual | +| 6 | Sink: groovy.lang; GroovyClassLoader; false; parseClass; (String,String); ; Argument[0]; groovy-injection; manual | +| 7 | Sink: groovy.lang; GroovyShell; false; evaluate; (GroovyCodeSource); ; Argument[0]; groovy-injection; manual | +| 8 | Sink: groovy.lang; GroovyShell; false; evaluate; (Reader); ; Argument[0]; groovy-injection; manual | +| 9 | Sink: groovy.lang; GroovyShell; false; evaluate; (Reader,String); ; Argument[0]; groovy-injection; manual | +| 10 | Sink: groovy.lang; GroovyShell; false; evaluate; (String); ; Argument[0]; groovy-injection; manual | +| 11 | Sink: groovy.lang; GroovyShell; false; evaluate; (String,String); ; Argument[0]; groovy-injection; manual | +| 12 | Sink: groovy.lang; GroovyShell; false; evaluate; (String,String,String); ; Argument[0]; groovy-injection; manual | +| 13 | Sink: groovy.lang; GroovyShell; false; parse; (Reader); ; Argument[0]; groovy-injection; manual | +| 14 | Sink: groovy.lang; GroovyShell; false; parse; (Reader,String); ; Argument[0]; groovy-injection; manual | +| 15 | Sink: groovy.lang; GroovyShell; false; parse; (String); ; Argument[0]; groovy-injection; manual | +| 16 | Sink: groovy.lang; GroovyShell; false; parse; (String,String); ; Argument[0]; groovy-injection; manual | +| 17 | Sink: groovy.lang; GroovyShell; false; parse; (URI); ; Argument[0]; groovy-injection; manual | +| 18 | Sink: groovy.lang; GroovyShell; false; run; (GroovyCodeSource,List); ; Argument[0]; groovy-injection; manual | +| 19 | Sink: groovy.lang; GroovyShell; false; run; (GroovyCodeSource,String[]); ; Argument[0]; groovy-injection; manual | +| 20 | Sink: groovy.lang; GroovyShell; false; run; (Reader,String,List); ; Argument[0]; groovy-injection; manual | +| 21 | Sink: groovy.lang; GroovyShell; false; run; (Reader,String,String[]); ; Argument[0]; groovy-injection; manual | +| 22 | Sink: groovy.lang; GroovyShell; false; run; (String,String,List); ; Argument[0]; groovy-injection; manual | +| 23 | Sink: groovy.lang; GroovyShell; false; run; (String,String,String[]); ; Argument[0]; groovy-injection; manual | +| 24 | Sink: groovy.lang; GroovyShell; false; run; (URI,List); ; Argument[0]; groovy-injection; manual | +| 25 | Sink: groovy.lang; GroovyShell; false; run; (URI,String[]); ; Argument[0]; groovy-injection; manual | +| 26 | Sink: groovy.text; TemplateEngine; true; createTemplate; ; ; Argument[0]; groovy-injection; manual | +| 27 | Sink: groovy.util; Eval; false; me; (String); ; Argument[0]; groovy-injection; manual | +| 28 | Sink: groovy.util; Eval; false; me; (String,Object,String); ; Argument[2]; groovy-injection; manual | +| 29 | Sink: groovy.util; Eval; false; x; (Object,String); ; Argument[1]; groovy-injection; manual | +| 30 | Sink: groovy.util; Eval; false; xy; (Object,Object,String); ; Argument[2]; groovy-injection; manual | +| 31 | Sink: groovy.util; Eval; false; xyz; (Object,Object,Object,String); ; Argument[3]; groovy-injection; manual | +| 32 | Sink: org.codehaus.groovy.control; CompilationUnit; false; compile; ; ; Argument[this]; groovy-injection; manual | +| 33 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 34 | Summary: java.io; ByteArrayInputStream; false; ByteArrayInputStream; ; ; Argument[0]; Argument[this]; taint; manual | +| 35 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 36 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual | +| 37 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual | +| 38 | Summary: java.net; URL; false; URL; (String); ; Argument[0]; Argument[this]; taint; manual | +nodes +| GroovyClassLoaderTest.java:17:29:17:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyClassLoaderTest.java:19:36:19:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource | +| GroovyClassLoaderTest.java:19:57:19:62 | script : String | semmle.label | script : String | +| GroovyClassLoaderTest.java:20:36:20:38 | gcs | semmle.label | gcs | +| GroovyClassLoaderTest.java:24:29:24:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyClassLoaderTest.java:26:36:26:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource | +| GroovyClassLoaderTest.java:26:57:26:62 | script : String | semmle.label | script : String | +| GroovyClassLoaderTest.java:27:36:27:38 | gcs | semmle.label | gcs | +| GroovyClassLoaderTest.java:31:29:31:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyClassLoaderTest.java:33:36:33:78 | new ByteArrayInputStream(...) | semmle.label | new ByteArrayInputStream(...) | +| GroovyClassLoaderTest.java:33:61:33:66 | script : String | semmle.label | script : String | +| GroovyClassLoaderTest.java:33:61:33:77 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] | +| GroovyClassLoaderTest.java:37:29:37:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyClassLoaderTest.java:39:36:39:59 | new StringReader(...) | semmle.label | new StringReader(...) | +| GroovyClassLoaderTest.java:39:53:39:58 | script : String | semmle.label | script : String | +| GroovyClassLoaderTest.java:43:29:43:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyClassLoaderTest.java:45:36:45:41 | script | semmle.label | script | +| GroovyClassLoaderTest.java:49:29:49:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyClassLoaderTest.java:51:36:51:41 | script | semmle.label | script | +| GroovyCompilationUnitTest.java:21:13:21:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:21:34:21:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:22:13:22:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:31:13:31:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:32:21:32:87 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream | +| GroovyCompilationUnitTest.java:32:46:32:75 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:32:46:32:86 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] | +| GroovyCompilationUnitTest.java:33:13:33:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:37:13:37:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:37:26:37:64 | new URL(...) : URL | semmle.label | new URL(...) : URL | +| GroovyCompilationUnitTest.java:37:34:37:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:38:13:38:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:43:21:43:92 | new SourceUnit(...) : SourceUnit | semmle.label | new SourceUnit(...) : SourceUnit | +| GroovyCompilationUnitTest.java:43:44:43:73 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:44:13:44:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:44:26:44:27 | su : SourceUnit | semmle.label | su : SourceUnit | +| GroovyCompilationUnitTest.java:45:13:45:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:56:37:56:96 | new StringReaderSource(...) : StringReaderSource | semmle.label | new StringReaderSource(...) : StringReaderSource | +| GroovyCompilationUnitTest.java:56:60:56:89 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:57:29:57:72 | new SourceUnit(...) : SourceUnit | semmle.label | new SourceUnit(...) : SourceUnit | +| GroovyCompilationUnitTest.java:57:52:57:53 | rs : StringReaderSource | semmle.label | rs : StringReaderSource | +| GroovyCompilationUnitTest.java:58:13:58:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:58:26:58:27 | su : SourceUnit | semmle.label | su : SourceUnit | +| GroovyCompilationUnitTest.java:59:13:59:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:64:21:64:93 | new SourceUnit(...) : SourceUnit | semmle.label | new SourceUnit(...) : SourceUnit | +| GroovyCompilationUnitTest.java:64:36:64:74 | new URL(...) : URL | semmle.label | new URL(...) : URL | +| GroovyCompilationUnitTest.java:64:44:64:73 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:65:13:65:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:65:26:65:27 | su : SourceUnit | semmle.label | su : SourceUnit | +| GroovyCompilationUnitTest.java:66:13:66:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:70:29:70:85 | create(...) : SourceUnit | semmle.label | create(...) : SourceUnit | +| GroovyCompilationUnitTest.java:70:55:70:84 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:71:13:71:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:71:26:71:27 | su : SourceUnit | semmle.label | su : SourceUnit | +| GroovyCompilationUnitTest.java:72:13:72:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:76:29:76:88 | create(...) : SourceUnit | semmle.label | create(...) : SourceUnit | +| GroovyCompilationUnitTest.java:76:55:76:84 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:77:13:77:14 | cu [post update] : CompilationUnit | semmle.label | cu [post update] : CompilationUnit | +| GroovyCompilationUnitTest.java:77:26:77:27 | su : SourceUnit | semmle.label | su : SourceUnit | +| GroovyCompilationUnitTest.java:78:13:78:14 | cu | semmle.label | cu | +| GroovyCompilationUnitTest.java:88:13:88:14 | cu [post update] : JavaAwareCompilationUnit | semmle.label | cu [post update] : JavaAwareCompilationUnit | +| GroovyCompilationUnitTest.java:88:34:88:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyCompilationUnitTest.java:89:13:89:14 | cu | semmle.label | cu | +| GroovyEvalTest.java:14:29:14:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyEvalTest.java:15:21:15:26 | script | semmle.label | script | +| GroovyEvalTest.java:19:29:19:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyEvalTest.java:20:39:20:44 | script | semmle.label | script | +| GroovyEvalTest.java:24:29:24:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyEvalTest.java:25:31:25:36 | script | semmle.label | script | +| GroovyEvalTest.java:30:29:30:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyEvalTest.java:31:43:31:48 | script | semmle.label | script | +| GroovyEvalTest.java:35:29:35:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyEvalTest.java:36:51:36:56 | script | semmle.label | script | +| GroovyShellTest.java:22:29:22:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:23:36:23:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource | +| GroovyShellTest.java:23:57:23:62 | script : String | semmle.label | script : String | +| GroovyShellTest.java:24:28:24:30 | gcs | semmle.label | gcs | +| GroovyShellTest.java:29:29:29:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:30:29:30:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| GroovyShellTest.java:30:46:30:51 | script : String | semmle.label | script : String | +| GroovyShellTest.java:31:28:31:33 | reader | semmle.label | reader | +| GroovyShellTest.java:36:29:36:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:37:29:37:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| GroovyShellTest.java:37:46:37:51 | script : String | semmle.label | script : String | +| GroovyShellTest.java:38:28:38:33 | reader | semmle.label | reader | +| GroovyShellTest.java:43:29:43:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:44:28:44:33 | script | semmle.label | script | +| GroovyShellTest.java:49:29:49:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:50:28:50:33 | script | semmle.label | script | +| GroovyShellTest.java:55:29:55:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:56:28:56:33 | script | semmle.label | script | +| GroovyShellTest.java:61:29:61:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:62:25:62:39 | new URI(...) | semmle.label | new URI(...) | +| GroovyShellTest.java:62:33:62:38 | script : String | semmle.label | script : String | +| GroovyShellTest.java:68:29:68:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:69:29:69:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| GroovyShellTest.java:69:46:69:51 | script : String | semmle.label | script : String | +| GroovyShellTest.java:70:25:70:30 | reader | semmle.label | reader | +| GroovyShellTest.java:75:29:75:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:76:29:76:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| GroovyShellTest.java:76:46:76:51 | script : String | semmle.label | script : String | +| GroovyShellTest.java:77:25:77:30 | reader | semmle.label | reader | +| GroovyShellTest.java:82:29:82:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:83:25:83:30 | script | semmle.label | script | +| GroovyShellTest.java:88:29:88:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:89:25:89:30 | script | semmle.label | script | +| GroovyShellTest.java:94:29:94:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:95:25:95:39 | new URI(...) | semmle.label | new URI(...) | +| GroovyShellTest.java:95:33:95:38 | script : String | semmle.label | script : String | +| GroovyShellTest.java:101:29:101:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:102:36:102:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource | +| GroovyShellTest.java:102:57:102:62 | script : String | semmle.label | script : String | +| GroovyShellTest.java:103:23:103:25 | gcs | semmle.label | gcs | +| GroovyShellTest.java:108:29:108:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:109:36:109:79 | new GroovyCodeSource(...) : GroovyCodeSource | semmle.label | new GroovyCodeSource(...) : GroovyCodeSource | +| GroovyShellTest.java:109:57:109:62 | script : String | semmle.label | script : String | +| GroovyShellTest.java:110:23:110:25 | gcs | semmle.label | gcs | +| GroovyShellTest.java:115:29:115:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:116:29:116:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| GroovyShellTest.java:116:46:116:51 | script : String | semmle.label | script : String | +| GroovyShellTest.java:117:23:117:28 | reader | semmle.label | reader | +| GroovyShellTest.java:122:29:122:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:123:29:123:52 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| GroovyShellTest.java:123:46:123:51 | script : String | semmle.label | script : String | +| GroovyShellTest.java:124:23:124:28 | reader | semmle.label | reader | +| GroovyShellTest.java:129:29:129:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:130:23:130:28 | script | semmle.label | script | +| GroovyShellTest.java:135:29:135:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:136:23:136:28 | script | semmle.label | script | +| GroovyShellTest.java:141:29:141:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:142:23:142:37 | new URI(...) | semmle.label | new URI(...) | +| GroovyShellTest.java:142:31:142:36 | script : String | semmle.label | script : String | +| GroovyShellTest.java:148:29:148:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GroovyShellTest.java:149:23:149:37 | new URI(...) | semmle.label | new URI(...) | +| GroovyShellTest.java:149:31:149:36 | script : String | semmle.label | script : String | +| TemplateEngineTest.java:14:16:14:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| TemplateEngineTest.java:20:29:20:43 | source(...) : String | semmle.label | source(...) : String | +| TemplateEngineTest.java:22:35:22:64 | getParameter(...) | semmle.label | getParameter(...) | +| TemplateEngineTest.java:23:35:23:47 | (...)... | semmle.label | (...)... | +| TemplateEngineTest.java:24:35:24:49 | (...)... | semmle.label | (...)... | +| TemplateEngineTest.java:25:35:25:46 | (...)... | semmle.label | (...)... | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.qlref new file mode 100644 index 000000000000..b19d5fce5227 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-094/GroovyInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyShellTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java similarity index 66% rename from java/ql/test/query-tests/security/CWE-094/GroovyShellTest.java rename to java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java index 1e5b806f18e3..6e2e773b03c1 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyShellTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java @@ -19,136 +19,135 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.evaluate(gcs); // $hasGroovyInjection + shell.evaluate(gcs); // $ Alert } // "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source Reader reader = new StringReader(script); - shell.evaluate(reader); // $hasGroovyInjection + shell.evaluate(reader); // $ Alert } // "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source Reader reader = new StringReader(script); - shell.evaluate(reader, "_"); // $hasGroovyInjection + shell.evaluate(reader, "_"); // $ Alert } // "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.evaluate(script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.evaluate(script); // $ Alert } // "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.evaluate(script, "test"); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.evaluate(script, "test"); // $ Alert } // "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.evaluate(script, "test", "test2"); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.evaluate(script, "test", "test2"); // $ Alert } // "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.parse(new URI(script)); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.parse(new URI(script)); // $ Alert } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source Reader reader = new StringReader(script); - shell.parse(reader); // $hasGroovyInjection + shell.parse(reader); // $ Alert } // "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source Reader reader = new StringReader(script); - shell.parse(reader, "_"); // $hasGroovyInjection + shell.parse(reader, "_"); // $ Alert } // "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.parse(script); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.parse(script); // $ Alert } // "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.parse(script, "_"); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.parse(script, "_"); // $ Alert } // "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.parse(new URI(script)); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.parse(new URI(script)); // $ Alert } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.run(gcs, new String[] {}); // $hasGroovyInjection + shell.run(gcs, new String[] {}); // $ Alert } // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.run(gcs, new ArrayList()); // $hasGroovyInjection + shell.run(gcs, new ArrayList()); // $ Alert } // "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source Reader reader = new StringReader(script); - shell.run(reader, "test", new String[] {}); // $hasGroovyInjection + shell.run(reader, "test", new String[] {}); // $ Alert } // "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); + String script = request.getParameter("script"); // $ Source Reader reader = new StringReader(script); - shell.run(reader, "test", new ArrayList()); // $hasGroovyInjection + shell.run(reader, "test", new ArrayList()); // $ Alert } // "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.run(script, "_", new String[] {}); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.run(script, "_", new String[] {}); // $ Alert } // "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.run(script, "_", new ArrayList()); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.run(script, "_", new ArrayList()); // $ Alert } // "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.run(new URI(script), new String[] {}); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.run(new URI(script), new String[] {}); // $ Alert } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); - shell.run(new URI(script), new ArrayList()); // $hasGroovyInjection + String script = request.getParameter("script"); // $ Source + shell.run(new URI(script), new ArrayList()); // $ Alert } catch (URISyntaxException e) { } } } - diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateEngineTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java similarity index 72% rename from java/ql/test/query-tests/security/CWE-094/TemplateEngineTest.java rename to java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java index dbf32494e10e..a046b9cd332a 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateEngineTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java @@ -11,7 +11,7 @@ public class TemplateEngineTest extends HttpServlet { private Object source(HttpServletRequest request) { - return request.getParameter("script"); + return request.getParameter("script"); // $ Source } protected void doGet(HttpServletRequest request, HttpServletResponse response) @@ -19,10 +19,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) try { Object script = source(request); TemplateEngine engine = null; - engine.createTemplate(request.getParameter("script")); // $ hasGroovyInjection - engine.createTemplate((File) script); // $ hasGroovyInjection - engine.createTemplate((Reader) script); // $ hasGroovyInjection - engine.createTemplate((URL) script); // $ hasGroovyInjection + engine.createTemplate(request.getParameter("script")); // $ Alert + engine.createTemplate((File) script); // $ Alert + engine.createTemplate((Reader) script); // $ Alert + engine.createTemplate((URL) script); // $ Alert } catch (Exception e) { } diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/options b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/options new file mode 100644 index 000000000000..d7c8332682ba --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0 diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql deleted file mode 100644 index 26f32638d918..000000000000 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql +++ /dev/null @@ -1,20 +0,0 @@ -import java -import semmle.code.java.dataflow.TaintTracking -import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.GroovyInjectionQuery -import utils.test.InlineExpectationsTest - -module HasGroovyInjectionTest implements TestSig { - string getARelevantTag() { result = "hasGroovyInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasGroovyInjection" and - exists(DataFlow::Node sink | GroovyInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java similarity index 90% rename from java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java rename to java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java index d7ee659a4c85..b306cf4e535a 100644 --- a/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java @@ -11,21 +11,21 @@ private static void runJexlExpression(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Expression e = jexl.createExpression(jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $hasJexlInjection + e.evaluate(jc); // $ Alert } private static void runJexlExpressionWithJexlInfo(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0)); JexlContext jc = new MapContext(); - e.evaluate(jc); // $hasJexlInjection + e.evaluate(jc); // $ Alert } private static void runJexlScript(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Script script = jexl.createScript(jexlExpr); JexlContext jc = new MapContext(); - script.execute(jc); // $hasJexlInjection + script.execute(jc); // $ Alert } private static void runJexlScriptViaCallable(String jexlExpr) { @@ -34,7 +34,7 @@ private static void runJexlScriptViaCallable(String jexlExpr) { JexlContext jc = new MapContext(); try { - script.callable(jc).call(); // $hasJexlInjection + script.callable(jc).call(); // $ Alert } catch (Exception e) { throw new RuntimeException(e); } @@ -42,37 +42,37 @@ private static void runJexlScriptViaCallable(String jexlExpr) { private static void runJexlExpressionViaGetProperty(String jexlExpr) { JexlEngine jexl = new JexlEngine(); - jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection + jexl.getProperty(new Object(), jexlExpr); // $ Alert } private static void runJexlExpressionViaSetProperty(String jexlExpr) { JexlEngine jexl = new JexlEngine(); - jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection + jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert } private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection + unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert } private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $hasJexlInjection + unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert } private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection + unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert } private static void testWithSocket(Consumer action) throws Exception { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); + int n = socket.getInputStream().read(bytes); // $ Source String jexlExpr = new String(bytes, 0, n); action.accept(jexlExpr); } diff --git a/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java similarity index 90% rename from java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java rename to java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java index 0300b8ffe3f6..c047bb5b3158 100644 --- a/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java @@ -18,21 +18,21 @@ private static void runJexlExpression(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlExpression e = jexl.createExpression(jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $hasJexlInjection + e.evaluate(jc); // $ Alert } private static void runJexlExpressionWithJexlInfo(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $hasJexlInjection + e.evaluate(jc); // $ Alert } private static void runJexlScript(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlScript script = jexl.createScript(jexlExpr); JexlContext jc = new MapContext(); - script.execute(jc); // $hasJexlInjection + script.execute(jc); // $ Alert } private static void runJexlScriptViaCallable(String jexlExpr) { @@ -41,7 +41,7 @@ private static void runJexlScriptViaCallable(String jexlExpr) { JexlContext jc = new MapContext(); try { - script.callable(jc).call(); // $hasJexlInjection + script.callable(jc).call(); // $ Alert } catch (Exception e) { throw new RuntimeException(e); } @@ -49,30 +49,30 @@ private static void runJexlScriptViaCallable(String jexlExpr) { private static void runJexlExpressionViaGetProperty(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); - jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection + jexl.getProperty(new Object(), jexlExpr); // $ Alert } private static void runJexlExpressionViaSetProperty(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); - jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection + jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert } private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection + jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert } private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $hasJexlInjection + jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert } private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection + jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert } private static void runJexlExpressionViaCallable(String jexlExpr) { @@ -81,7 +81,7 @@ private static void runJexlExpressionViaCallable(String jexlExpr) { JexlContext jc = new MapContext(); try { - e.callable(jc).call(); // $hasJexlInjection + e.callable(jc).call(); // $ Alert } catch (Exception ex) { throw new RuntimeException(ex); } @@ -91,7 +91,7 @@ private static void testWithSocket(Consumer action) throws Exception { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); + int n = socket.getInputStream().read(bytes); // $ Source String jexlExpr = new String(bytes, 0, n); action.accept(jexlExpr); } @@ -141,14 +141,14 @@ public static void testWithJexlExpressionCallable() throws Exception { } @PostMapping("/request") - public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { + public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source runJexlExpression(expr); return ResponseEntity.ok(HttpStatus.OK); } @PostMapping("/request") - public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { + public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source String expr = data.getExpr(); runJexlExpression(expr); @@ -158,7 +158,7 @@ public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@ @PostMapping("/request") public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects( - @RequestBody CustomRequest customRequest) { + @RequestBody CustomRequest customRequest) { // $ Source String expr = customRequest.getData().getExpr(); runJexlExpression(expr); diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.expected new file mode 100644 index 000000000000..24e02a7ac019 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.expected @@ -0,0 +1,303 @@ +#select +| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:21:9:21:9 | e | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:28:9:28:14 | script | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:28:9:28:14 | script | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:37:13:37:18 | script | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:37:13:37:18 | script | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:45:40:45:47 | jexlExpr | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:45:40:45:47 | jexlExpr | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:50:40:50:47 | jexlExpr | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:50:40:50:47 | jexlExpr | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:56:9:56:35 | parse(...) | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:56:9:56:35 | parse(...) | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:62:9:62:35 | parse(...) | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:62:9:62:35 | parse(...) | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl2Injection.java:68:9:68:44 | createTemplate(...) | Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:68:9:68:44 | createTemplate(...) | JEXL expression depends on a $@. | Jexl2Injection.java:75:25:75:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:144:85:144:109 | expr : String | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:144:85:144:109 | expr | user-provided value | +| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:151:84:151:105 | data : Data | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:151:84:151:105 | data | user-provided value | +| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:21:9:21:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:161:13:161:52 | customRequest | user-provided value | +| Jexl3Injection.java:28:9:28:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:9 | e | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:35:9:35:14 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:35:9:35:14 | script | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:44:13:44:18 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:44:13:44:18 | script | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:52:40:52:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:52:40:52:47 | jexlExpr | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:57:40:57:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:57:40:57:47 | jexlExpr | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:63:9:63:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:63:9:63:39 | createExpression(...) | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:69:9:69:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:69:9:69:39 | createExpression(...) | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +| Jexl3Injection.java:84:13:84:13 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:84:13:84:13 | e | JEXL expression depends on a $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | user-provided value | +edges +| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:12:46:12:53 | jexlExpr : String | provenance | | +| Jexl2Injection.java:12:24:12:54 | createExpression(...) : Expression | Jexl2Injection.java:14:9:14:9 | e | provenance | Sink:MaD:1 | +| Jexl2Injection.java:12:46:12:53 | jexlExpr : String | Jexl2Injection.java:12:24:12:54 | createExpression(...) : Expression | provenance | Config | +| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:19:46:19:53 | jexlExpr : String | provenance | | +| Jexl2Injection.java:19:24:19:86 | createExpression(...) : Expression | Jexl2Injection.java:21:9:21:9 | e | provenance | Sink:MaD:1 | +| Jexl2Injection.java:19:46:19:53 | jexlExpr : String | Jexl2Injection.java:19:24:19:86 | createExpression(...) : Expression | provenance | Config | +| Jexl2Injection.java:24:39:24:53 | jexlExpr : String | Jexl2Injection.java:26:43:26:50 | jexlExpr : String | provenance | | +| Jexl2Injection.java:26:25:26:51 | createScript(...) : Script | Jexl2Injection.java:28:9:28:14 | script | provenance | Sink:MaD:5 | +| Jexl2Injection.java:26:43:26:50 | jexlExpr : String | Jexl2Injection.java:26:25:26:51 | createScript(...) : Script | provenance | Config | +| Jexl2Injection.java:31:50:31:64 | jexlExpr : String | Jexl2Injection.java:33:43:33:50 | jexlExpr : String | provenance | | +| Jexl2Injection.java:33:25:33:51 | createScript(...) : Script | Jexl2Injection.java:37:13:37:18 | script | provenance | Sink:MaD:4 | +| Jexl2Injection.java:33:43:33:50 | jexlExpr : String | Jexl2Injection.java:33:25:33:51 | createScript(...) : Script | provenance | Config | +| Jexl2Injection.java:43:57:43:71 | jexlExpr : String | Jexl2Injection.java:45:40:45:47 | jexlExpr | provenance | Sink:MaD:2 | +| Jexl2Injection.java:48:57:48:71 | jexlExpr : String | Jexl2Injection.java:50:40:50:47 | jexlExpr | provenance | Sink:MaD:3 | +| Jexl2Injection.java:53:73:53:87 | jexlExpr : String | Jexl2Injection.java:56:27:56:34 | jexlExpr : String | provenance | | +| Jexl2Injection.java:56:27:56:34 | jexlExpr : String | Jexl2Injection.java:56:9:56:35 | parse(...) | provenance | Config Sink:MaD:6 | +| Jexl2Injection.java:59:72:59:86 | jexlExpr : String | Jexl2Injection.java:62:27:62:34 | jexlExpr : String | provenance | | +| Jexl2Injection.java:62:27:62:34 | jexlExpr : String | Jexl2Injection.java:62:9:62:35 | parse(...) | provenance | Config Sink:MaD:7 | +| Jexl2Injection.java:65:73:65:87 | jexlExpr : String | Jexl2Injection.java:68:36:68:43 | jexlExpr : String | provenance | | +| Jexl2Injection.java:68:36:68:43 | jexlExpr : String | Jexl2Injection.java:68:9:68:44 | createTemplate(...) | provenance | Config Sink:MaD:8 | +| Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | Jexl2Injection.java:75:54:75:58 | bytes [post update] : byte[] | provenance | Src:MaD:18 MaD:19 | +| Jexl2Injection.java:75:54:75:58 | bytes [post update] : byte[] | Jexl2Injection.java:76:46:76:50 | bytes : byte[] | provenance | | +| Jexl2Injection.java:76:35:76:57 | new String(...) : String | Jexl2Injection.java:77:31:77:38 | jexlExpr : String | provenance | | +| Jexl2Injection.java:76:46:76:50 | bytes : byte[] | Jexl2Injection.java:76:35:76:57 | new String(...) : String | provenance | MaD:20 | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:85:24:85:56 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:89:24:89:68 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:93:24:93:52 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:97:24:97:63 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:101:24:101:70 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:105:24:105:70 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:109:24:109:86 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:113:24:113:85 | jexlExpr : String | provenance | | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | Jexl2Injection.java:117:24:117:86 | jexlExpr : String | provenance | | +| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String | provenance | | +| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | Jexl2Injection.java:85:24:85:56 | jexlExpr : String | provenance | | +| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String | provenance | | +| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | Jexl2Injection.java:89:24:89:68 | jexlExpr : String | provenance | | +| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | Jexl2Injection.java:24:39:24:53 | jexlExpr : String | provenance | | +| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | Jexl2Injection.java:93:24:93:52 | jexlExpr : String | provenance | | +| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | Jexl2Injection.java:31:50:31:64 | jexlExpr : String | provenance | | +| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | Jexl2Injection.java:97:24:97:63 | jexlExpr : String | provenance | | +| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | Jexl2Injection.java:43:57:43:71 | jexlExpr : String | provenance | | +| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | Jexl2Injection.java:101:24:101:70 | jexlExpr : String | provenance | | +| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | Jexl2Injection.java:48:57:48:71 | jexlExpr : String | provenance | | +| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | Jexl2Injection.java:105:24:105:70 | jexlExpr : String | provenance | | +| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | Jexl2Injection.java:53:73:53:87 | jexlExpr : String | provenance | | +| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | Jexl2Injection.java:109:24:109:86 | jexlExpr : String | provenance | | +| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | Jexl2Injection.java:59:72:59:86 | jexlExpr : String | provenance | | +| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | Jexl2Injection.java:113:24:113:85 | jexlExpr : String | provenance | | +| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | Jexl2Injection.java:65:73:65:87 | jexlExpr : String | provenance | | +| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | Jexl2Injection.java:117:24:117:86 | jexlExpr : String | provenance | | +| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | Jexl3Injection.java:19:50:19:57 | jexlExpr : String | provenance | | +| Jexl3Injection.java:19:28:19:58 | createExpression(...) : JexlExpression | Jexl3Injection.java:21:9:21:9 | e | provenance | Sink:MaD:12 | +| Jexl3Injection.java:19:50:19:57 | jexlExpr : String | Jexl3Injection.java:19:28:19:58 | createExpression(...) : JexlExpression | provenance | Config | +| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | Jexl3Injection.java:26:81:26:88 | jexlExpr : String | provenance | | +| Jexl3Injection.java:26:28:26:89 | createExpression(...) : JexlExpression | Jexl3Injection.java:28:9:28:9 | e | provenance | Sink:MaD:12 | +| Jexl3Injection.java:26:81:26:88 | jexlExpr : String | Jexl3Injection.java:26:28:26:89 | createExpression(...) : JexlExpression | provenance | Config | +| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | Jexl3Injection.java:33:47:33:54 | jexlExpr : String | provenance | | +| Jexl3Injection.java:33:29:33:55 | createScript(...) : JexlScript | Jexl3Injection.java:35:9:35:14 | script | provenance | Sink:MaD:14 | +| Jexl3Injection.java:33:47:33:54 | jexlExpr : String | Jexl3Injection.java:33:29:33:55 | createScript(...) : JexlScript | provenance | Config | +| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | Jexl3Injection.java:40:47:40:54 | jexlExpr : String | provenance | | +| Jexl3Injection.java:40:29:40:55 | createScript(...) : JexlScript | Jexl3Injection.java:44:13:44:18 | script | provenance | Sink:MaD:13 | +| Jexl3Injection.java:40:47:40:54 | jexlExpr : String | Jexl3Injection.java:40:29:40:55 | createScript(...) : JexlScript | provenance | Config | +| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | Jexl3Injection.java:52:40:52:47 | jexlExpr | provenance | Sink:MaD:9 | +| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | Jexl3Injection.java:57:40:57:47 | jexlExpr | provenance | Sink:MaD:10 | +| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | Jexl3Injection.java:63:31:63:38 | jexlExpr : String | provenance | | +| Jexl3Injection.java:63:31:63:38 | jexlExpr : String | Jexl3Injection.java:63:9:63:39 | createExpression(...) | provenance | Config Sink:MaD:15 | +| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | Jexl3Injection.java:69:31:69:38 | jexlExpr : String | provenance | | +| Jexl3Injection.java:69:31:69:38 | jexlExpr : String | Jexl3Injection.java:69:9:69:39 | createExpression(...) | provenance | Config Sink:MaD:16 | +| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | Jexl3Injection.java:75:29:75:36 | jexlExpr : String | provenance | | +| Jexl3Injection.java:75:29:75:36 | jexlExpr : String | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | provenance | Config Sink:MaD:17 | +| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | Jexl3Injection.java:80:50:80:57 | jexlExpr : String | provenance | | +| Jexl3Injection.java:80:28:80:58 | createExpression(...) : JexlExpression | Jexl3Injection.java:84:13:84:13 | e | provenance | Sink:MaD:11 | +| Jexl3Injection.java:80:50:80:57 | jexlExpr : String | Jexl3Injection.java:80:28:80:58 | createExpression(...) : JexlExpression | provenance | Config | +| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | provenance | Src:MaD:18 MaD:19 | +| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | Jexl3Injection.java:95:46:95:50 | bytes : byte[] | provenance | | +| Jexl3Injection.java:95:35:95:57 | new String(...) : String | Jexl3Injection.java:96:31:96:38 | jexlExpr : String | provenance | | +| Jexl3Injection.java:95:46:95:50 | bytes : byte[] | Jexl3Injection.java:95:35:95:57 | new String(...) : String | provenance | MaD:20 | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String | provenance | | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String | provenance | | +| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance | | +| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String | provenance | | +| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:24:55:24:69 | jexlExpr : String | provenance | | +| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String | provenance | | +| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:31:39:31:53 | jexlExpr : String | provenance | | +| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String | provenance | | +| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:38:50:38:64 | jexlExpr : String | provenance | | +| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String | provenance | | +| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:50:57:50:71 | jexlExpr : String | provenance | | +| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String | provenance | | +| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:55:57:55:71 | jexlExpr : String | provenance | | +| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String | provenance | | +| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:60:74:60:88 | jexlExpr : String | provenance | | +| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String | provenance | | +| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:66:73:66:87 | jexlExpr : String | provenance | | +| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String | provenance | | +| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:72:72:72:86 | jexlExpr : String | provenance | | +| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String | provenance | | +| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:78:54:78:68 | jexlExpr : String | provenance | | +| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String | provenance | | +| Jexl3Injection.java:144:85:144:109 | expr : String | Jexl3Injection.java:146:27:146:30 | expr : String | provenance | | +| Jexl3Injection.java:146:27:146:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance | | +| Jexl3Injection.java:151:84:151:105 | data : Data | Jexl3Injection.java:153:23:153:26 | data : Data | provenance | | +| Jexl3Injection.java:151:84:151:105 | data : Data | Jexl3Injection.java:154:27:154:30 | expr : String | provenance | SpringUntrustedDataType.getter | +| Jexl3Injection.java:153:23:153:26 | data : Data | Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | provenance | entrypointFieldStep | +| Jexl3Injection.java:153:23:153:26 | data : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | provenance | | +| Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | Jexl3Injection.java:154:27:154:30 | expr : String | provenance | | +| Jexl3Injection.java:154:27:154:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance | | +| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | provenance | | +| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:163:23:163:45 | getData(...) : Data | provenance | SpringUntrustedDataType.getter | +| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:164:27:164:30 | expr : String | provenance | SpringUntrustedDataType.getter | +| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | Jexl3Injection.java:163:23:163:45 | getData(...) : Data | provenance | entrypointFieldStep | +| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | provenance | | +| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | provenance | entrypointFieldStep | +| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:164:27:164:30 | expr : String | provenance | SpringUntrustedDataType.getter | +| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | provenance | | +| Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | Jexl3Injection.java:164:27:164:30 | expr : String | provenance | | +| Jexl3Injection.java:164:27:164:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String | provenance | | +| Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | Jexl3Injection.java:178:20:178:23 | data : Data | provenance | entrypointFieldStep | +| Jexl3Injection.java:190:23:190:29 | parameter this : Data | Jexl3Injection.java:191:20:191:23 | expr : String | provenance | entrypointFieldStep | +models +| 1 | Sink: org.apache.commons.jexl2; Expression; false; evaluate; ; ; Argument[this]; jexl-injection; manual | +| 2 | Sink: org.apache.commons.jexl2; JexlEngine; false; getProperty; (Object,String); ; Argument[1]; jexl-injection; manual | +| 3 | Sink: org.apache.commons.jexl2; JexlEngine; false; setProperty; (Object,String,Object); ; Argument[1]; jexl-injection; manual | +| 4 | Sink: org.apache.commons.jexl2; Script; false; callable; ; ; Argument[this]; jexl-injection; manual | +| 5 | Sink: org.apache.commons.jexl2; Script; false; execute; ; ; Argument[this]; jexl-injection; manual | +| 6 | Sink: org.apache.commons.jexl2; UnifiedJEXL$Expression; false; evaluate; ; ; Argument[this]; jexl-injection; manual | +| 7 | Sink: org.apache.commons.jexl2; UnifiedJEXL$Expression; false; prepare; ; ; Argument[this]; jexl-injection; manual | +| 8 | Sink: org.apache.commons.jexl2; UnifiedJEXL$Template; false; evaluate; ; ; Argument[this]; jexl-injection; manual | +| 9 | Sink: org.apache.commons.jexl3; JexlEngine; false; getProperty; (Object,String); ; Argument[1]; jexl-injection; manual | +| 10 | Sink: org.apache.commons.jexl3; JexlEngine; false; setProperty; (Object,String,Object); ; Argument[1]; jexl-injection; manual | +| 11 | Sink: org.apache.commons.jexl3; JexlExpression; false; callable; ; ; Argument[this]; jexl-injection; manual | +| 12 | Sink: org.apache.commons.jexl3; JexlExpression; false; evaluate; ; ; Argument[this]; jexl-injection; manual | +| 13 | Sink: org.apache.commons.jexl3; JexlScript; false; callable; ; ; Argument[this]; jexl-injection; manual | +| 14 | Sink: org.apache.commons.jexl3; JexlScript; false; execute; ; ; Argument[this]; jexl-injection; manual | +| 15 | Sink: org.apache.commons.jexl3; JxltEngine$Expression; false; evaluate; ; ; Argument[this]; jexl-injection; manual | +| 16 | Sink: org.apache.commons.jexl3; JxltEngine$Expression; false; prepare; ; ; Argument[this]; jexl-injection; manual | +| 17 | Sink: org.apache.commons.jexl3; JxltEngine$Template; false; evaluate; ; ; Argument[this]; jexl-injection; manual | +| 18 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 19 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual | +| 20 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:12:24:12:54 | createExpression(...) : Expression | semmle.label | createExpression(...) : Expression | +| Jexl2Injection.java:12:46:12:53 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e | +| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:19:24:19:86 | createExpression(...) : Expression | semmle.label | createExpression(...) : Expression | +| Jexl2Injection.java:19:46:19:53 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:21:9:21:9 | e | semmle.label | e | +| Jexl2Injection.java:24:39:24:53 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:26:25:26:51 | createScript(...) : Script | semmle.label | createScript(...) : Script | +| Jexl2Injection.java:26:43:26:50 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:28:9:28:14 | script | semmle.label | script | +| Jexl2Injection.java:31:50:31:64 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:33:25:33:51 | createScript(...) : Script | semmle.label | createScript(...) : Script | +| Jexl2Injection.java:33:43:33:50 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:37:13:37:18 | script | semmle.label | script | +| Jexl2Injection.java:43:57:43:71 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:45:40:45:47 | jexlExpr | semmle.label | jexlExpr | +| Jexl2Injection.java:48:57:48:71 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:50:40:50:47 | jexlExpr | semmle.label | jexlExpr | +| Jexl2Injection.java:53:73:53:87 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:56:9:56:35 | parse(...) | semmle.label | parse(...) | +| Jexl2Injection.java:56:27:56:34 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:59:72:59:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:62:9:62:35 | parse(...) | semmle.label | parse(...) | +| Jexl2Injection.java:62:27:62:34 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:65:73:65:87 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:68:9:68:44 | createTemplate(...) | semmle.label | createTemplate(...) | +| Jexl2Injection.java:68:36:68:43 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:75:25:75:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Jexl2Injection.java:75:54:75:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| Jexl2Injection.java:76:35:76:57 | new String(...) : String | semmle.label | new String(...) : String | +| Jexl2Injection.java:76:46:76:50 | bytes : byte[] | semmle.label | bytes : byte[] | +| Jexl2Injection.java:77:31:77:38 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:85:24:85:56 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:89:24:89:68 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:93:24:93:52 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:97:24:97:63 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:101:24:101:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:105:24:105:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:109:24:109:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:113:24:113:85 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl2Injection.java:117:24:117:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:19:28:19:58 | createExpression(...) : JexlExpression | semmle.label | createExpression(...) : JexlExpression | +| Jexl3Injection.java:19:50:19:57 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e | +| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:26:28:26:89 | createExpression(...) : JexlExpression | semmle.label | createExpression(...) : JexlExpression | +| Jexl3Injection.java:26:81:26:88 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:28:9:28:9 | e | semmle.label | e | +| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:33:29:33:55 | createScript(...) : JexlScript | semmle.label | createScript(...) : JexlScript | +| Jexl3Injection.java:33:47:33:54 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:35:9:35:14 | script | semmle.label | script | +| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:40:29:40:55 | createScript(...) : JexlScript | semmle.label | createScript(...) : JexlScript | +| Jexl3Injection.java:40:47:40:54 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:44:13:44:18 | script | semmle.label | script | +| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:52:40:52:47 | jexlExpr | semmle.label | jexlExpr | +| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:57:40:57:47 | jexlExpr | semmle.label | jexlExpr | +| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:63:9:63:39 | createExpression(...) | semmle.label | createExpression(...) | +| Jexl3Injection.java:63:31:63:38 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:69:9:69:39 | createExpression(...) | semmle.label | createExpression(...) | +| Jexl3Injection.java:69:31:69:38 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | semmle.label | createTemplate(...) | +| Jexl3Injection.java:75:29:75:36 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:80:28:80:58 | createExpression(...) : JexlExpression | semmle.label | createExpression(...) : JexlExpression | +| Jexl3Injection.java:80:50:80:57 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:84:13:84:13 | e | semmle.label | e | +| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| Jexl3Injection.java:95:35:95:57 | new String(...) : String | semmle.label | new String(...) : String | +| Jexl3Injection.java:95:46:95:50 | bytes : byte[] | semmle.label | bytes : byte[] | +| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String | +| Jexl3Injection.java:144:85:144:109 | expr : String | semmle.label | expr : String | +| Jexl3Injection.java:146:27:146:30 | expr : String | semmle.label | expr : String | +| Jexl3Injection.java:151:84:151:105 | data : Data | semmle.label | data : Data | +| Jexl3Injection.java:153:23:153:26 | data : Data | semmle.label | data : Data | +| Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | semmle.label | getExpr(...) : String | +| Jexl3Injection.java:154:27:154:30 | expr : String | semmle.label | expr : String | +| Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest | +| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest | +| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | semmle.label | getData(...) : Data | +| Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | semmle.label | getExpr(...) : String | +| Jexl3Injection.java:164:27:164:30 | expr : String | semmle.label | expr : String | +| Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | semmle.label | parameter this : CustomRequest | +| Jexl3Injection.java:178:20:178:23 | data : Data | semmle.label | data : Data | +| Jexl3Injection.java:190:23:190:29 | parameter this : Data | semmle.label | parameter this : Data | +| Jexl3Injection.java:191:20:191:23 | expr : String | semmle.label | expr : String | +subpaths +| Jexl3Injection.java:153:23:153:26 | data : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | Jexl3Injection.java:191:20:191:23 | expr : String | Jexl3Injection.java:153:23:153:36 | getExpr(...) : String | +| Jexl3Injection.java:163:23:163:35 | customRequest : CustomRequest | Jexl3Injection.java:177:21:177:27 | parameter this : CustomRequest | Jexl3Injection.java:178:20:178:23 | data : Data | Jexl3Injection.java:163:23:163:45 | getData(...) : Data | +| Jexl3Injection.java:163:23:163:45 | getData(...) : Data | Jexl3Injection.java:190:23:190:29 | parameter this : Data | Jexl3Injection.java:191:20:191:23 | expr : String | Jexl3Injection.java:163:23:163:55 | getExpr(...) : String | diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.qlref new file mode 100644 index 000000000000..a33d55722f6d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/JexlInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-094/JexlInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/SandboxedJexl2.java similarity index 100% rename from java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java rename to java/ql/test/query-tests/security/CWE-094/JexlInjection/SandboxedJexl2.java diff --git a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/SandboxedJexl3.java similarity index 100% rename from java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java rename to java/ql/test/query-tests/security/CWE-094/JexlInjection/SandboxedJexl3.java diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/options b/java/ql/test/query-tests/security/CWE-094/JexlInjection/options new file mode 100644 index 000000000000..d7c8332682ba --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0 diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql deleted file mode 100644 index 0515c0fc75da..000000000000 --- a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.JexlInjectionQuery -import utils.test.InlineExpectationsTest - -module JexlInjectionTest implements TestSig { - string getARelevantTag() { result = "hasJexlInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasJexlInjection" and - exists(DataFlow::Node sink | JexlInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.expected new file mode 100644 index 000000000000..eb2034ab06de --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.expected @@ -0,0 +1,133 @@ +#select +| MvelInjectionTest.java:24:15:24:26 | read(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:24:15:24:26 | read(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:29:28:29:37 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:29:28:29:37 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:35:5:35:13 | statement | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:35:5:35:13 | statement | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:36:5:36:13 | statement | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:36:5:36:13 | statement | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:42:5:42:14 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:42:5:42:14 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:48:5:48:14 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:48:5:48:14 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:56:5:56:18 | compiledScript | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:56:5:56:18 | compiledScript | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:59:21:59:26 | script | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:59:21:59:26 | script | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:67:5:67:10 | script | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:67:5:67:10 | script | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:71:26:71:37 | read(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:71:26:71:37 | read(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:80:29:80:46 | compile(...) | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:80:29:80:46 | compile(...) | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +| MvelInjectionTest.java:86:32:86:41 | expression | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:86:32:86:41 | expression | MVEL expression depends on a $@. | MvelInjectionTest.java:90:27:90:49 | getInputStream(...) | user-provided value | +edges +| MvelInjectionTest.java:28:31:28:66 | compileExpression(...) : Serializable | MvelInjectionTest.java:29:28:29:37 | expression | provenance | Sink:MaD:11 | +| MvelInjectionTest.java:28:54:28:65 | read(...) : String | MvelInjectionTest.java:28:31:28:66 | compileExpression(...) : Serializable | provenance | Config | +| MvelInjectionTest.java:33:35:33:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:34:37:34:44 | compiler : ExpressionCompiler | provenance | | +| MvelInjectionTest.java:33:58:33:69 | read(...) : String | MvelInjectionTest.java:33:35:33:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config | +| MvelInjectionTest.java:34:37:34:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | provenance | Config | +| MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:35:5:35:13 | statement | provenance | Sink:MaD:5 | +| MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:36:5:36:13 | statement | provenance | Sink:MaD:2 | +| MvelInjectionTest.java:40:35:40:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:41:37:41:44 | compiler : ExpressionCompiler | provenance | | +| MvelInjectionTest.java:40:58:40:69 | read(...) : String | MvelInjectionTest.java:40:35:40:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config | +| MvelInjectionTest.java:41:37:41:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:41:37:41:54 | compile(...) : CompiledExpression | provenance | Config | +| MvelInjectionTest.java:41:37:41:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:42:5:42:14 | expression | provenance | Sink:MaD:4 | +| MvelInjectionTest.java:47:9:47:96 | new CompiledAccExpression(...) : CompiledAccExpression | MvelInjectionTest.java:48:5:48:14 | expression | provenance | Sink:MaD:3 | +| MvelInjectionTest.java:47:35:47:46 | read(...) : String | MvelInjectionTest.java:47:35:47:60 | toCharArray(...) : char[] | provenance | MaD:16 | +| MvelInjectionTest.java:47:35:47:60 | toCharArray(...) : char[] | MvelInjectionTest.java:47:9:47:96 | new CompiledAccExpression(...) : CompiledAccExpression | provenance | Config | +| MvelInjectionTest.java:52:20:52:31 | read(...) : String | MvelInjectionTest.java:55:52:55:56 | input : String | provenance | | +| MvelInjectionTest.java:55:37:55:57 | compile(...) : CompiledScript | MvelInjectionTest.java:56:5:56:18 | compiledScript | provenance | Sink:MaD:1 | +| MvelInjectionTest.java:55:52:55:56 | input : String | MvelInjectionTest.java:55:37:55:57 | compile(...) : CompiledScript | provenance | Config | +| MvelInjectionTest.java:55:52:55:56 | input : String | MvelInjectionTest.java:58:49:58:53 | input : String | provenance | | +| MvelInjectionTest.java:58:27:58:54 | compiledScript(...) : Serializable | MvelInjectionTest.java:59:21:59:26 | script | provenance | Sink:MaD:7 | +| MvelInjectionTest.java:58:49:58:53 | input : String | MvelInjectionTest.java:58:27:58:54 | compiledScript(...) : Serializable | provenance | Config | +| MvelInjectionTest.java:64:35:64:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:65:37:65:44 | compiler : ExpressionCompiler | provenance | | +| MvelInjectionTest.java:64:58:64:69 | read(...) : String | MvelInjectionTest.java:64:35:64:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config | +| MvelInjectionTest.java:65:37:65:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:65:37:65:54 | compile(...) : CompiledExpression | provenance | Config | +| MvelInjectionTest.java:65:37:65:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:66:64:66:72 | statement : CompiledExpression | provenance | | +| MvelInjectionTest.java:66:33:66:73 | new MvelCompiledScript(...) : MvelCompiledScript | MvelInjectionTest.java:67:5:67:10 | script | provenance | Sink:MaD:6 | +| MvelInjectionTest.java:66:64:66:72 | statement : CompiledExpression | MvelInjectionTest.java:66:33:66:73 | new MvelCompiledScript(...) : MvelCompiledScript | provenance | Config | +| MvelInjectionTest.java:75:62:75:73 | read(...) : String | MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | provenance | Config Sink:MaD:9 | +| MvelInjectionTest.java:79:33:79:66 | new TemplateCompiler(...) : TemplateCompiler | MvelInjectionTest.java:80:29:80:36 | compiler : TemplateCompiler | provenance | | +| MvelInjectionTest.java:79:54:79:65 | read(...) : String | MvelInjectionTest.java:79:33:79:66 | new TemplateCompiler(...) : TemplateCompiler | provenance | Config | +| MvelInjectionTest.java:80:29:80:36 | compiler : TemplateCompiler | MvelInjectionTest.java:80:29:80:46 | compile(...) | provenance | Config Sink:MaD:9 | +| MvelInjectionTest.java:84:35:84:70 | new ExpressionCompiler(...) : ExpressionCompiler | MvelInjectionTest.java:85:37:85:44 | compiler : ExpressionCompiler | provenance | | +| MvelInjectionTest.java:84:58:84:69 | read(...) : String | MvelInjectionTest.java:84:35:84:70 | new ExpressionCompiler(...) : ExpressionCompiler | provenance | Config | +| MvelInjectionTest.java:85:37:85:44 | compiler : ExpressionCompiler | MvelInjectionTest.java:85:37:85:54 | compile(...) : CompiledExpression | provenance | Config | +| MvelInjectionTest.java:85:37:85:54 | compile(...) : CompiledExpression | MvelInjectionTest.java:86:32:86:41 | expression | provenance | Sink:MaD:12 | +| MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | MvelInjectionTest.java:92:15:92:16 | is : InputStream | provenance | Src:MaD:13 | +| MvelInjectionTest.java:92:15:92:16 | is : InputStream | MvelInjectionTest.java:92:23:92:27 | bytes [post update] : byte[] | provenance | MaD:14 | +| MvelInjectionTest.java:92:23:92:27 | bytes [post update] : byte[] | MvelInjectionTest.java:93:25:93:29 | bytes : byte[] | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:24:15:24:26 | read(...) | provenance | Sink:MaD:10 | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:28:54:28:65 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:33:58:33:69 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:40:58:40:69 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:47:35:47:46 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:52:20:52:31 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:64:58:64:69 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:71:26:71:37 | read(...) | provenance | Sink:MaD:8 | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:75:62:75:73 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:79:54:79:65 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | MvelInjectionTest.java:84:58:84:69 | read(...) : String | provenance | | +| MvelInjectionTest.java:93:25:93:29 | bytes : byte[] | MvelInjectionTest.java:93:14:93:36 | new String(...) : String | provenance | MaD:15 | +models +| 1 | Sink: javax.script; CompiledScript; false; eval; ; ; Argument[this]; mvel-injection; manual | +| 2 | Sink: org.mvel2.compiler; Accessor; false; getValue; ; ; Argument[this]; mvel-injection; manual | +| 3 | Sink: org.mvel2.compiler; CompiledAccExpression; false; getValue; ; ; Argument[this]; mvel-injection; manual | +| 4 | Sink: org.mvel2.compiler; CompiledExpression; false; getDirectValue; ; ; Argument[this]; mvel-injection; manual | +| 5 | Sink: org.mvel2.compiler; ExecutableStatement; false; getValue; ; ; Argument[this]; mvel-injection; manual | +| 6 | Sink: org.mvel2.jsr223; MvelCompiledScript; false; eval; ; ; Argument[this]; mvel-injection; manual | +| 7 | Sink: org.mvel2.jsr223; MvelScriptEngine; false; evaluate; ; ; Argument[0]; mvel-injection; manual | +| 8 | Sink: org.mvel2.templates; TemplateRuntime; false; eval; ; ; Argument[0]; mvel-injection; manual | +| 9 | Sink: org.mvel2.templates; TemplateRuntime; false; execute; ; ; Argument[0]; mvel-injection; manual | +| 10 | Sink: org.mvel2; MVEL; false; eval; ; ; Argument[0]; mvel-injection; manual | +| 11 | Sink: org.mvel2; MVEL; false; executeExpression; ; ; Argument[0]; mvel-injection; manual | +| 12 | Sink: org.mvel2; MVELRuntime; false; execute; ; ; Argument[1]; mvel-injection; manual | +| 13 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 14 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual | +| 15 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual | +| 16 | Summary: java.lang; String; false; toCharArray; ; ; Argument[this]; ReturnValue; taint; manual | +nodes +| MvelInjectionTest.java:24:15:24:26 | read(...) | semmle.label | read(...) | +| MvelInjectionTest.java:28:31:28:66 | compileExpression(...) : Serializable | semmle.label | compileExpression(...) : Serializable | +| MvelInjectionTest.java:28:54:28:65 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:29:28:29:37 | expression | semmle.label | expression | +| MvelInjectionTest.java:33:35:33:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler | +| MvelInjectionTest.java:33:58:33:69 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:34:37:34:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler | +| MvelInjectionTest.java:34:37:34:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression | +| MvelInjectionTest.java:35:5:35:13 | statement | semmle.label | statement | +| MvelInjectionTest.java:36:5:36:13 | statement | semmle.label | statement | +| MvelInjectionTest.java:40:35:40:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler | +| MvelInjectionTest.java:40:58:40:69 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:41:37:41:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler | +| MvelInjectionTest.java:41:37:41:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression | +| MvelInjectionTest.java:42:5:42:14 | expression | semmle.label | expression | +| MvelInjectionTest.java:47:9:47:96 | new CompiledAccExpression(...) : CompiledAccExpression | semmle.label | new CompiledAccExpression(...) : CompiledAccExpression | +| MvelInjectionTest.java:47:35:47:46 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:47:35:47:60 | toCharArray(...) : char[] | semmle.label | toCharArray(...) : char[] | +| MvelInjectionTest.java:48:5:48:14 | expression | semmle.label | expression | +| MvelInjectionTest.java:52:20:52:31 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:55:37:55:57 | compile(...) : CompiledScript | semmle.label | compile(...) : CompiledScript | +| MvelInjectionTest.java:55:52:55:56 | input : String | semmle.label | input : String | +| MvelInjectionTest.java:56:5:56:18 | compiledScript | semmle.label | compiledScript | +| MvelInjectionTest.java:58:27:58:54 | compiledScript(...) : Serializable | semmle.label | compiledScript(...) : Serializable | +| MvelInjectionTest.java:58:49:58:53 | input : String | semmle.label | input : String | +| MvelInjectionTest.java:59:21:59:26 | script | semmle.label | script | +| MvelInjectionTest.java:64:35:64:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler | +| MvelInjectionTest.java:64:58:64:69 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:65:37:65:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler | +| MvelInjectionTest.java:65:37:65:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression | +| MvelInjectionTest.java:66:33:66:73 | new MvelCompiledScript(...) : MvelCompiledScript | semmle.label | new MvelCompiledScript(...) : MvelCompiledScript | +| MvelInjectionTest.java:66:64:66:72 | statement : CompiledExpression | semmle.label | statement : CompiledExpression | +| MvelInjectionTest.java:67:5:67:10 | script | semmle.label | script | +| MvelInjectionTest.java:71:26:71:37 | read(...) | semmle.label | read(...) | +| MvelInjectionTest.java:75:29:75:74 | compileTemplate(...) | semmle.label | compileTemplate(...) | +| MvelInjectionTest.java:75:62:75:73 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:79:33:79:66 | new TemplateCompiler(...) : TemplateCompiler | semmle.label | new TemplateCompiler(...) : TemplateCompiler | +| MvelInjectionTest.java:79:54:79:65 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:80:29:80:36 | compiler : TemplateCompiler | semmle.label | compiler : TemplateCompiler | +| MvelInjectionTest.java:80:29:80:46 | compile(...) | semmle.label | compile(...) | +| MvelInjectionTest.java:84:35:84:70 | new ExpressionCompiler(...) : ExpressionCompiler | semmle.label | new ExpressionCompiler(...) : ExpressionCompiler | +| MvelInjectionTest.java:84:58:84:69 | read(...) : String | semmle.label | read(...) : String | +| MvelInjectionTest.java:85:37:85:44 | compiler : ExpressionCompiler | semmle.label | compiler : ExpressionCompiler | +| MvelInjectionTest.java:85:37:85:54 | compile(...) : CompiledExpression | semmle.label | compile(...) : CompiledExpression | +| MvelInjectionTest.java:86:32:86:41 | expression | semmle.label | expression | +| MvelInjectionTest.java:90:27:90:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| MvelInjectionTest.java:92:15:92:16 | is : InputStream | semmle.label | is : InputStream | +| MvelInjectionTest.java:92:23:92:27 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| MvelInjectionTest.java:93:14:93:36 | new String(...) : String | semmle.label | new String(...) : String | +| MvelInjectionTest.java:93:25:93:29 | bytes : byte[] | semmle.label | bytes : byte[] | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.java b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java similarity index 84% rename from java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.java rename to java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java index 4013246eecda..4e6738dbfd9a 100644 --- a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java @@ -21,31 +21,31 @@ public class MvelInjectionTest { public static void testWithMvelEval(Socket socket) throws IOException { - MVEL.eval(read(socket)); // $hasMvelInjection + MVEL.eval(read(socket)); // $ Alert } public static void testWithMvelCompileAndExecute(Socket socket) throws IOException { Serializable expression = MVEL.compileExpression(read(socket)); - MVEL.executeExpression(expression); // $hasMvelInjection + MVEL.executeExpression(expression); // $ Alert } public static void testWithExpressionCompiler(Socket socket) throws IOException { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); ExecutableStatement statement = compiler.compile(); - statement.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection - statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection + statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert + statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert } public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); CompiledExpression expression = compiler.compile(); - expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection + expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert } public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException { CompiledAccExpression expression = new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext()); - expression.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection + expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert } public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception { @@ -53,10 +53,10 @@ public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws MvelScriptEngine engine = new MvelScriptEngine(); CompiledScript compiledScript = engine.compile(input); - compiledScript.eval(); // $hasMvelInjection + compiledScript.eval(); // $ Alert Serializable script = engine.compiledScript(input); - engine.evaluate(script, new SimpleScriptContext()); // $hasMvelInjection + engine.evaluate(script, new SimpleScriptContext()); // $ Alert } public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception { @@ -64,30 +64,30 @@ public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throw ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); ExecutableStatement statement = compiler.compile(); MvelCompiledScript script = new MvelCompiledScript(engine, statement); - script.eval(new SimpleScriptContext()); // $hasMvelInjection + script.eval(new SimpleScriptContext()); // $ Alert } public static void testTemplateRuntimeEval(Socket socket) throws Exception { - TemplateRuntime.eval(read(socket), new HashMap()); // $hasMvelInjection + TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert } public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception { - TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $hasMvelInjection + TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert } public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception { TemplateCompiler compiler = new TemplateCompiler(read(socket)); - TemplateRuntime.execute(compiler.compile(), new HashMap()); // $hasMvelInjection + TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert } public static void testMvelRuntimeExecute(Socket socket) throws Exception { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); CompiledExpression expression = compiler.compile(); - MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection + MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert } public static String read(Socket socket) throws IOException { - try (InputStream is = socket.getInputStream()) { + try (InputStream is = socket.getInputStream()) { // $ Source byte[] bytes = new byte[1024]; int n = is.read(bytes); return new String(bytes, 0, n); diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.qlref new file mode 100644 index 000000000000..9236766fe8c6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-094/MvelInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjection/options b/java/ql/test/query-tests/security/CWE-094/MvelInjection/options new file mode 100644 index 000000000000..d7c8332682ba --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/MvelInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0 diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql deleted file mode 100644 index 08dc091898c8..000000000000 --- a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql +++ /dev/null @@ -1,20 +0,0 @@ -import java -import semmle.code.java.dataflow.TaintTracking -import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.MvelInjectionQuery -import utils.test.InlineExpectationsTest - -module HasMvelInjectionTest implements TestSig { - string getARelevantTag() { result = "hasMvelInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasMvelInjection" and - exists(DataFlow::Node sink | MvelInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.expected new file mode 100644 index 000000000000..37df514bac5f --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.expected @@ -0,0 +1,120 @@ +#select +| SpelInjectionTest.java:24:5:24:14 | expression | SpelInjectionTest.java:16:22:16:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:24:5:24:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:16:22:16:44 | getInputStream(...) | user-provided value | +| SpelInjectionTest.java:35:5:35:14 | expression | SpelInjectionTest.java:28:22:28:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:35:5:35:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:28:22:28:44 | getInputStream(...) | user-provided value | +| SpelInjectionTest.java:46:5:46:14 | expression | SpelInjectionTest.java:39:22:39:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:46:5:46:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:39:22:39:44 | getInputStream(...) | user-provided value | +| SpelInjectionTest.java:60:5:60:14 | expression | SpelInjectionTest.java:50:22:50:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:60:5:60:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:50:22:50:44 | getInputStream(...) | user-provided value | +| SpelInjectionTest.java:71:5:71:14 | expression | SpelInjectionTest.java:64:22:64:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:71:5:71:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:64:22:64:44 | getInputStream(...) | user-provided value | +| SpelInjectionTest.java:82:5:82:14 | expression | SpelInjectionTest.java:75:22:75:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:82:5:82:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:75:22:75:44 | getInputStream(...) | user-provided value | +| SpelInjectionTest.java:95:5:95:14 | expression | SpelInjectionTest.java:86:22:86:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:95:5:95:14 | expression | SpEL expression depends on a $@. | SpelInjectionTest.java:86:22:86:44 | getInputStream(...) | user-provided value | +edges +| SpelInjectionTest.java:16:22:16:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:19:13:19:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:19:13:19:14 | in : InputStream | SpelInjectionTest.java:19:21:19:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:19:21:19:25 | bytes [post update] : byte[] | SpelInjectionTest.java:20:31:20:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:20:20:20:42 | new String(...) : String | SpelInjectionTest.java:23:52:23:56 | input : String | provenance | | +| SpelInjectionTest.java:20:31:20:35 | bytes : byte[] | SpelInjectionTest.java:20:20:20:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:23:29:23:57 | parseExpression(...) : Expression | SpelInjectionTest.java:24:5:24:14 | expression | provenance | | +| SpelInjectionTest.java:23:52:23:56 | input : String | SpelInjectionTest.java:23:29:23:57 | parseExpression(...) : Expression | provenance | Config | +| SpelInjectionTest.java:28:22:28:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:31:13:31:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:31:13:31:14 | in : InputStream | SpelInjectionTest.java:31:21:31:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:31:21:31:25 | bytes [post update] : byte[] | SpelInjectionTest.java:32:31:32:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:32:20:32:42 | new String(...) : String | SpelInjectionTest.java:34:49:34:53 | input : String | provenance | | +| SpelInjectionTest.java:32:31:32:35 | bytes : byte[] | SpelInjectionTest.java:32:20:32:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:34:33:34:54 | parseRaw(...) : SpelExpression | SpelInjectionTest.java:35:5:35:14 | expression | provenance | | +| SpelInjectionTest.java:34:49:34:53 | input : String | SpelInjectionTest.java:34:33:34:54 | parseRaw(...) : SpelExpression | provenance | Config | +| SpelInjectionTest.java:39:22:39:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:42:13:42:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:42:13:42:14 | in : InputStream | SpelInjectionTest.java:42:21:42:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:42:21:42:25 | bytes [post update] : byte[] | SpelInjectionTest.java:43:31:43:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:43:20:43:42 | new String(...) : String | SpelInjectionTest.java:45:72:45:76 | input : String | provenance | | +| SpelInjectionTest.java:43:31:43:35 | bytes : byte[] | SpelInjectionTest.java:43:20:43:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:45:29:45:77 | parseExpression(...) : Expression | SpelInjectionTest.java:46:5:46:14 | expression | provenance | | +| SpelInjectionTest.java:45:72:45:76 | input : String | SpelInjectionTest.java:45:29:45:77 | parseExpression(...) : Expression | provenance | Config | +| SpelInjectionTest.java:50:22:50:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:53:13:53:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:53:13:53:14 | in : InputStream | SpelInjectionTest.java:53:21:53:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:53:21:53:25 | bytes [post update] : byte[] | SpelInjectionTest.java:54:31:54:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:54:20:54:42 | new String(...) : String | SpelInjectionTest.java:56:72:56:76 | input : String | provenance | | +| SpelInjectionTest.java:54:31:54:35 | bytes : byte[] | SpelInjectionTest.java:54:20:54:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:56:29:56:77 | parseExpression(...) : Expression | SpelInjectionTest.java:60:5:60:14 | expression | provenance | | +| SpelInjectionTest.java:56:72:56:76 | input : String | SpelInjectionTest.java:56:29:56:77 | parseExpression(...) : Expression | provenance | Config | +| SpelInjectionTest.java:64:22:64:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:67:13:67:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:67:13:67:14 | in : InputStream | SpelInjectionTest.java:67:21:67:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:67:21:67:25 | bytes [post update] : byte[] | SpelInjectionTest.java:68:31:68:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:68:20:68:42 | new String(...) : String | SpelInjectionTest.java:70:52:70:56 | input : String | provenance | | +| SpelInjectionTest.java:68:31:68:35 | bytes : byte[] | SpelInjectionTest.java:68:20:68:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:70:29:70:57 | parseExpression(...) : Expression | SpelInjectionTest.java:71:5:71:14 | expression | provenance | | +| SpelInjectionTest.java:70:52:70:56 | input : String | SpelInjectionTest.java:70:29:70:57 | parseExpression(...) : Expression | provenance | Config | +| SpelInjectionTest.java:75:22:75:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:78:13:78:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:78:13:78:14 | in : InputStream | SpelInjectionTest.java:78:21:78:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:78:21:78:25 | bytes [post update] : byte[] | SpelInjectionTest.java:79:31:79:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:79:20:79:42 | new String(...) : String | SpelInjectionTest.java:81:52:81:56 | input : String | provenance | | +| SpelInjectionTest.java:79:31:79:35 | bytes : byte[] | SpelInjectionTest.java:79:20:79:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:81:29:81:57 | parseExpression(...) : Expression | SpelInjectionTest.java:82:5:82:14 | expression | provenance | | +| SpelInjectionTest.java:81:52:81:56 | input : String | SpelInjectionTest.java:81:29:81:57 | parseExpression(...) : Expression | provenance | Config | +| SpelInjectionTest.java:86:22:86:44 | getInputStream(...) : InputStream | SpelInjectionTest.java:89:13:89:14 | in : InputStream | provenance | Src:MaD:1 | +| SpelInjectionTest.java:89:13:89:14 | in : InputStream | SpelInjectionTest.java:89:21:89:25 | bytes [post update] : byte[] | provenance | MaD:2 | +| SpelInjectionTest.java:89:21:89:25 | bytes [post update] : byte[] | SpelInjectionTest.java:90:31:90:35 | bytes : byte[] | provenance | | +| SpelInjectionTest.java:90:20:90:42 | new String(...) : String | SpelInjectionTest.java:92:52:92:56 | input : String | provenance | | +| SpelInjectionTest.java:90:31:90:35 | bytes : byte[] | SpelInjectionTest.java:90:20:90:42 | new String(...) : String | provenance | MaD:3 | +| SpelInjectionTest.java:92:29:92:57 | parseExpression(...) : Expression | SpelInjectionTest.java:95:5:95:14 | expression | provenance | | +| SpelInjectionTest.java:92:52:92:56 | input : String | SpelInjectionTest.java:92:29:92:57 | parseExpression(...) : Expression | provenance | Config | +models +| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 2 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual | +| 3 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| SpelInjectionTest.java:16:22:16:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:19:13:19:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:19:21:19:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:20:20:20:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:20:31:20:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:23:29:23:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression | +| SpelInjectionTest.java:23:52:23:56 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:24:5:24:14 | expression | semmle.label | expression | +| SpelInjectionTest.java:28:22:28:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:31:13:31:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:31:21:31:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:32:20:32:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:32:31:32:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:34:33:34:54 | parseRaw(...) : SpelExpression | semmle.label | parseRaw(...) : SpelExpression | +| SpelInjectionTest.java:34:49:34:53 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:35:5:35:14 | expression | semmle.label | expression | +| SpelInjectionTest.java:39:22:39:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:42:13:42:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:42:21:42:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:43:20:43:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:43:31:43:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:45:29:45:77 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression | +| SpelInjectionTest.java:45:72:45:76 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:46:5:46:14 | expression | semmle.label | expression | +| SpelInjectionTest.java:50:22:50:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:53:13:53:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:53:21:53:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:54:20:54:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:54:31:54:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:56:29:56:77 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression | +| SpelInjectionTest.java:56:72:56:76 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:60:5:60:14 | expression | semmle.label | expression | +| SpelInjectionTest.java:64:22:64:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:67:13:67:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:67:21:67:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:68:20:68:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:68:31:68:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:70:29:70:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression | +| SpelInjectionTest.java:70:52:70:56 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:71:5:71:14 | expression | semmle.label | expression | +| SpelInjectionTest.java:75:22:75:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:78:13:78:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:78:21:78:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:79:20:79:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:79:31:79:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:81:29:81:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression | +| SpelInjectionTest.java:81:52:81:56 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:82:5:82:14 | expression | semmle.label | expression | +| SpelInjectionTest.java:86:22:86:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SpelInjectionTest.java:89:13:89:14 | in : InputStream | semmle.label | in : InputStream | +| SpelInjectionTest.java:89:21:89:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| SpelInjectionTest.java:90:20:90:42 | new String(...) : String | semmle.label | new String(...) : String | +| SpelInjectionTest.java:90:31:90:35 | bytes : byte[] | semmle.label | bytes : byte[] | +| SpelInjectionTest.java:92:29:92:57 | parseExpression(...) : Expression | semmle.label | parseExpression(...) : Expression | +| SpelInjectionTest.java:92:52:92:56 | input : String | semmle.label | input : String | +| SpelInjectionTest.java:95:5:95:14 | expression | semmle.label | expression | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java similarity index 81% rename from java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java rename to java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java index d10bcfa66864..88c4e913d493 100644 --- a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java @@ -13,7 +13,7 @@ public class SpelInjectionTest { private static final ExpressionParser PARSER = new SpelExpressionParser(); public void testGetValue(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); @@ -21,33 +21,33 @@ public void testGetValue(Socket socket) throws IOException { ExpressionParser parser = new SpelExpressionParser(); Expression expression = parser.parseExpression(input); - expression.getValue(); // $hasSpelInjection + expression.getValue(); // $ Alert } public void testGetValueWithParseRaw(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); SpelExpressionParser parser = new SpelExpressionParser(); SpelExpression expression = parser.parseRaw(input); - expression.getValue(); // $hasSpelInjection + expression.getValue(); // $ Alert } public void testGetValueWithChainedCalls(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = new SpelExpressionParser().parseExpression(input); - expression.getValue(); // $hasSpelInjection + expression.getValue(); // $ Alert } public void testSetValueWithRootObject(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); @@ -57,33 +57,33 @@ public void testSetValueWithRootObject(Socket socket) throws IOException { Object root = new Object(); Object value = new Object(); - expression.setValue(root, value); // $hasSpelInjection + expression.setValue(root, value); // $ Alert } public void testGetValueWithStaticParser(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = PARSER.parseExpression(input); - expression.getValue(); // $hasSpelInjection + expression.getValue(); // $ Alert } public void testGetValueType(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = PARSER.parseExpression(input); - expression.getValueType(); // $hasSpelInjection + expression.getValueType(); // $ Alert } public void testWithStandardEvaluationContext(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); + InputStream in = socket.getInputStream(); // $ Source byte[] bytes = new byte[1024]; int n = in.read(bytes); @@ -92,7 +92,7 @@ public void testWithStandardEvaluationContext(Socket socket) throws IOException Expression expression = PARSER.parseExpression(input); StandardEvaluationContext context = new StandardEvaluationContext(); - expression.getValue(context); // $hasSpelInjection + expression.getValue(context); // $ Alert } public void testWithSimpleEvaluationContext(Socket socket) throws IOException { diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.qlref new file mode 100644 index 000000000000..5effbcb98298 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-094/SpelInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjection/options b/java/ql/test/query-tests/security/CWE-094/SpelInjection/options new file mode 100644 index 000000000000..d7c8332682ba --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0 diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql deleted file mode 100644 index 727229e989d3..000000000000 --- a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql +++ /dev/null @@ -1,20 +0,0 @@ -import java -import semmle.code.java.dataflow.TaintTracking -import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.SpelInjectionQuery -import utils.test.InlineExpectationsTest - -module HasSpelInjectionTest implements TestSig { - string getARelevantTag() { result = "hasSpelInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasSpelInjection" and - exists(DataFlow::Node sink | SpelInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java similarity index 74% rename from java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java rename to java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java index 31eb634a5fe4..a39ed8c5a4e5 100644 --- a/java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java @@ -20,88 +20,88 @@ public class FreemarkerSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source Reader reader = new StringReader(code); - Template t = new Template(name, reader); // $hasTemplateInjection + Template t = new Template(name, reader); // $ Alert } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source Reader reader = new StringReader(code); Configuration cfg = new Configuration(); - Template t = new Template(name, reader, cfg); // $hasTemplateInjection + Template t = new Template(name, reader, cfg); // $ Alert } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source Reader reader = new StringReader(code); Configuration cfg = new Configuration(); - Template t = new Template(name, reader, cfg, "UTF-8"); // $hasTemplateInjection + Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert } @GetMapping(value = "bad4") public void bad4(HttpServletRequest request) { String name = "ttemplate"; - String sourceCode = request.getParameter("sourceCode"); + String sourceCode = request.getParameter("sourceCode"); // $ Source Configuration cfg = new Configuration(); - Template t = new Template(name, sourceCode, cfg); // $hasTemplateInjection + Template t = new Template(name, sourceCode, cfg); // $ Alert } @GetMapping(value = "bad5") public void bad5(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source Configuration cfg = new Configuration(); Reader reader = new StringReader(code); - Template t = new Template(name, sourceName, reader, cfg); // $hasTemplateInjection + Template t = new Template(name, sourceName, reader, cfg); // $ Alert } @GetMapping(value = "bad6") public void bad6(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source Configuration cfg = new Configuration(); ParserConfiguration customParserConfiguration = new Configuration(); Reader reader = new StringReader(code); Template t = - new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $hasTemplateInjection + new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert } @GetMapping(value = "bad7") public void bad7(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source Configuration cfg = new Configuration(); ParserConfiguration customParserConfiguration = new Configuration(); Reader reader = new StringReader(code); - Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $hasTemplateInjection + Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert } @GetMapping(value = "bad8") public void bad8(HttpServletRequest request) { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source StringTemplateLoader stringLoader = new StringTemplateLoader(); - stringLoader.putTemplate("myTemplate", code); // $hasTemplateInjection + stringLoader.putTemplate("myTemplate", code); // $ Alert } @GetMapping(value = "bad9") public void bad9(HttpServletRequest request) { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source StringTemplateLoader stringLoader = new StringTemplateLoader(); - stringLoader.putTemplate("myTemplate", code, 0); // $hasTemplateInjection + stringLoader.putTemplate("myTemplate", code, 0); // $ Alert } @GetMapping(value = "good1") diff --git a/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java similarity index 81% rename from java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java rename to java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java index 4341a44f192c..9bd9bad4ca8f 100644 --- a/java/ql/test/query-tests/security/CWE-094/JinJavaSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java @@ -18,27 +18,27 @@ public class JinJavaSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String template = request.getParameter("template"); + String template = request.getParameter("template"); // $ Source Jinjava jinjava = new Jinjava(); Map context = new HashMap<>(); - String renderedTemplate = jinjava.render(template, context); // $hasTemplateInjection + String renderedTemplate = jinjava.render(template, context); // $ Alert } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { - String template = request.getParameter("template"); + String template = request.getParameter("template"); // $ Source Jinjava jinjava = new Jinjava(); Map bindings = new HashMap<>(); - RenderResult renderResult = jinjava.renderForResult(template, bindings); // $hasTemplateInjection + RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { - String template = request.getParameter("template"); + String template = request.getParameter("template"); // $ Source Jinjava jinjava = new Jinjava(); Map bindings = new HashMap<>(); JinjavaConfig renderConfig = new JinjavaConfig(); - RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $hasTemplateInjection + RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java similarity index 80% rename from java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java rename to java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java index c026f98645bb..45beaf46fa19 100644 --- a/java/ql/test/query-tests/security/CWE-094/PebbleSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java @@ -15,15 +15,15 @@ public class PebbleSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String templateName = request.getParameter("templateName"); + String templateName = request.getParameter("templateName"); // $ Source PebbleEngine engine = new PebbleEngine.Builder().build(); - PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $hasTemplateInjection + PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { - String templateName = request.getParameter("templateName"); + String templateName = request.getParameter("templateName"); // $ Source PebbleEngine engine = new PebbleEngine.Builder().build(); - PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $hasTemplateInjection + PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.expected new file mode 100644 index 000000000000..6727f69b5388 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.expected @@ -0,0 +1,171 @@ +#select +| FreemarkerSSTI.java:26:35:26:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:26:35:26:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:36:35:36:40 | reader | FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | FreemarkerSSTI.java:36:35:36:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:32:17:32:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:46:35:46:40 | reader | FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | FreemarkerSSTI.java:46:35:46:40 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:42:17:42:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:55:35:55:44 | sourceCode | FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | FreemarkerSSTI.java:55:35:55:44 | sourceCode | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:52:23:52:56 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:65:47:65:52 | reader | FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | FreemarkerSSTI.java:65:47:65:52 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:61:17:61:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:77:36:77:41 | reader | FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | FreemarkerSSTI.java:77:36:77:41 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:71:17:71:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:88:47:88:52 | reader | FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | FreemarkerSSTI.java:88:47:88:52 | reader | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:83:17:83:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:96:42:96:45 | code | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:42:96:45 | code | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:93:17:93:44 | getParameter(...) | user-provided value | +| FreemarkerSSTI.java:104:42:104:45 | code | FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | FreemarkerSSTI.java:104:42:104:45 | code | Template, which may contain code, depends on a $@. | FreemarkerSSTI.java:101:17:101:44 | getParameter(...) | user-provided value | +| JinJavaSSTI.java:24:44:24:51 | template | JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:24:44:24:51 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:21:21:21:52 | getParameter(...) | user-provided value | +| JinJavaSSTI.java:32:55:32:62 | template | JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | JinJavaSSTI.java:32:55:32:62 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:29:21:29:52 | getParameter(...) | user-provided value | +| JinJavaSSTI.java:42:55:42:62 | template | JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | JinJavaSSTI.java:42:55:42:62 | template | Template, which may contain code, depends on a $@. | JinJavaSSTI.java:37:21:37:52 | getParameter(...) | user-provided value | +| PebbleSSTI.java:20:56:20:67 | templateName | PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | PebbleSSTI.java:20:56:20:67 | templateName | Template, which may contain code, depends on a $@. | PebbleSSTI.java:18:25:18:60 | getParameter(...) | user-provided value | +| PebbleSSTI.java:27:63:27:74 | templateName | PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | PebbleSSTI.java:27:63:27:74 | templateName | Template, which may contain code, depends on a $@. | PebbleSSTI.java:25:25:25:60 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:24:27:24:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:24:27:24:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:25:27:25:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:25:27:25:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:26:27:26:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:26:27:26:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:27:27:27:30 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:28:36:28:39 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:28:36:28:39 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:29:36:29:39 | code | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:29:36:29:39 | code | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:32:27:32:30 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:32:27:32:30 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:33:27:33:30 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:33:27:33:30 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| ThymeleafSSTI.java:34:36:34:39 | spec | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:34:36:34:39 | spec | Template, which may contain code, depends on a $@. | ThymeleafSSTI.java:21:17:21:44 | getParameter(...) | user-provided value | +| VelocitySSTI.java:37:45:37:48 | code | VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:37:45:37:48 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:31:17:31:44 | getParameter(...) | user-provided value | +| VelocitySSTI.java:51:45:51:50 | reader | VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | VelocitySSTI.java:51:45:51:50 | reader | Template, which may contain code, depends on a $@. | VelocitySSTI.java:43:17:43:44 | getParameter(...) | user-provided value | +| VelocitySSTI.java:61:25:61:30 | reader | VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | VelocitySSTI.java:61:25:61:30 | reader | Template, which may contain code, depends on a $@. | VelocitySSTI.java:57:17:57:44 | getParameter(...) | user-provided value | +| VelocitySSTI.java:93:37:93:40 | code | VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:93:37:93:40 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:81:17:81:44 | getParameter(...) | user-provided value | +| VelocitySSTI.java:94:37:94:58 | new StringReader(...) | VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:94:37:94:58 | new StringReader(...) | Template, which may contain code, depends on a $@. | VelocitySSTI.java:81:17:81:44 | getParameter(...) | user-provided value | +| VelocitySSTI.java:117:37:117:40 | code | VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | VelocitySSTI.java:117:37:117:40 | code | Template, which may contain code, depends on a $@. | VelocitySSTI.java:114:17:114:44 | getParameter(...) | user-provided value | +edges +| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:24:36:24:39 | code : String | provenance | Src:MaD:19 | +| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:26:35:26:40 | reader | provenance | Sink:MaD:6 | +| FreemarkerSSTI.java:24:36:24:39 | code : String | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | provenance | MaD:20 | +| FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | FreemarkerSSTI.java:33:36:33:39 | code : String | provenance | Src:MaD:19 | +| FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:36:35:36:40 | reader | provenance | Sink:MaD:7 | +| FreemarkerSSTI.java:33:36:33:39 | code : String | FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | provenance | MaD:20 | +| FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | FreemarkerSSTI.java:43:36:43:39 | code : String | provenance | Src:MaD:19 | +| FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:46:35:46:40 | reader | provenance | Sink:MaD:8 | +| FreemarkerSSTI.java:43:36:43:39 | code : String | FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | provenance | MaD:20 | +| FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | FreemarkerSSTI.java:55:35:55:44 | sourceCode | provenance | Src:MaD:19 Sink:MaD:9 | +| FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | FreemarkerSSTI.java:63:36:63:39 | code : String | provenance | Src:MaD:19 | +| FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:65:47:65:52 | reader | provenance | Sink:MaD:10 | +| FreemarkerSSTI.java:63:36:63:39 | code : String | FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | provenance | MaD:20 | +| FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | FreemarkerSSTI.java:74:36:74:39 | code : String | provenance | Src:MaD:19 | +| FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:77:36:77:41 | reader | provenance | Sink:MaD:11 | +| FreemarkerSSTI.java:74:36:74:39 | code : String | FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | provenance | MaD:20 | +| FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | FreemarkerSSTI.java:86:36:86:39 | code : String | provenance | Src:MaD:19 | +| FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | FreemarkerSSTI.java:88:47:88:52 | reader | provenance | Sink:MaD:12 | +| FreemarkerSSTI.java:86:36:86:39 | code : String | FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | provenance | MaD:20 | +| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | FreemarkerSSTI.java:96:42:96:45 | code | provenance | Src:MaD:19 Sink:MaD:5 | +| FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | FreemarkerSSTI.java:104:42:104:45 | code | provenance | Src:MaD:19 Sink:MaD:5 | +| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | JinJavaSSTI.java:24:44:24:51 | template | provenance | Src:MaD:19 Sink:MaD:1 | +| JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | JinJavaSSTI.java:32:55:32:62 | template | provenance | Src:MaD:19 Sink:MaD:2 | +| JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | JinJavaSSTI.java:42:55:42:62 | template | provenance | Src:MaD:19 Sink:MaD:2 | +| PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | PebbleSSTI.java:20:56:20:67 | templateName | provenance | Src:MaD:19 Sink:MaD:4 | +| PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | PebbleSSTI.java:27:63:27:74 | templateName | provenance | Src:MaD:19 Sink:MaD:3 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:24:27:24:30 | code | provenance | Src:MaD:19 Sink:MaD:17 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:25:27:25:30 | code | provenance | Src:MaD:19 Sink:MaD:17 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:26:27:26:30 | code | provenance | Src:MaD:19 Sink:MaD:17 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:27:27:27:30 | code | provenance | Src:MaD:19 Sink:MaD:17 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:28:36:28:39 | code | provenance | Src:MaD:19 Sink:MaD:18 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:29:36:29:39 | code | provenance | Src:MaD:19 Sink:MaD:18 | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | ThymeleafSSTI.java:31:41:31:44 | code : String | provenance | Src:MaD:19 | +| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:32:27:32:30 | spec | provenance | Sink:MaD:17 | +| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:33:27:33:30 | spec | provenance | Sink:MaD:17 | +| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | ThymeleafSSTI.java:34:36:34:39 | spec | provenance | Sink:MaD:18 | +| ThymeleafSSTI.java:31:41:31:44 | code : String | ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | provenance | MaD:21 | +| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | VelocitySSTI.java:37:45:37:48 | code | provenance | Src:MaD:19 Sink:MaD:13 | +| VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | VelocitySSTI.java:49:42:49:45 | code : String | provenance | Src:MaD:19 | +| VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | VelocitySSTI.java:51:45:51:50 | reader | provenance | Sink:MaD:13 | +| VelocitySSTI.java:49:42:49:45 | code : String | VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | provenance | MaD:20 | +| VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | VelocitySSTI.java:60:42:60:45 | code : String | provenance | Src:MaD:19 | +| VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | VelocitySSTI.java:61:25:61:30 | reader | provenance | Sink:MaD:16 | +| VelocitySSTI.java:60:42:60:45 | code : String | VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | provenance | MaD:20 | +| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:93:37:93:40 | code | provenance | Src:MaD:19 Sink:MaD:14 | +| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | VelocitySSTI.java:94:54:94:57 | code : String | provenance | Src:MaD:19 | +| VelocitySSTI.java:94:54:94:57 | code : String | VelocitySSTI.java:94:37:94:58 | new StringReader(...) | provenance | MaD:20 Sink:MaD:14 | +| VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | VelocitySSTI.java:117:37:117:40 | code | provenance | Src:MaD:19 Sink:MaD:15 | +models +| 1 | Sink: com.hubspot.jinjava; Jinjava; true; render; ; ; Argument[0]; template-injection; manual | +| 2 | Sink: com.hubspot.jinjava; Jinjava; true; renderForResult; ; ; Argument[0]; template-injection; manual | +| 3 | Sink: com.mitchellbosecke.pebble; PebbleEngine; true; getLiteralTemplate; ; ; Argument[0]; template-injection; manual | +| 4 | Sink: com.mitchellbosecke.pebble; PebbleEngine; true; getTemplate; ; ; Argument[0]; template-injection; manual | +| 5 | Sink: freemarker.cache; StringTemplateLoader; true; putTemplate; ; ; Argument[1]; template-injection; manual | +| 6 | Sink: freemarker.template; Template; true; Template; (String,Reader); ; Argument[1]; template-injection; manual | +| 7 | Sink: freemarker.template; Template; true; Template; (String,Reader,Configuration); ; Argument[1]; template-injection; manual | +| 8 | Sink: freemarker.template; Template; true; Template; (String,Reader,Configuration,String); ; Argument[1]; template-injection; manual | +| 9 | Sink: freemarker.template; Template; true; Template; (String,String,Configuration); ; Argument[1]; template-injection; manual | +| 10 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration); ; Argument[2]; template-injection; manual | +| 11 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration,ParserConfiguration,String); ; Argument[2]; template-injection; manual | +| 12 | Sink: freemarker.template; Template; true; Template; (String,String,Reader,Configuration,String); ; Argument[2]; template-injection; manual | +| 13 | Sink: org.apache.velocity.app; Velocity; true; evaluate; ; ; Argument[3]; template-injection; manual | +| 14 | Sink: org.apache.velocity.app; VelocityEngine; true; evaluate; ; ; Argument[3]; template-injection; manual | +| 15 | Sink: org.apache.velocity.runtime.resource.util; StringResourceRepository; true; putStringResource; ; ; Argument[1]; template-injection; manual | +| 16 | Sink: org.apache.velocity.runtime; RuntimeServices; true; parse; ; ; Argument[0]; template-injection; manual | +| 17 | Sink: org.thymeleaf; ITemplateEngine; true; process; ; ; Argument[0]; template-injection; manual | +| 18 | Sink: org.thymeleaf; ITemplateEngine; true; processThrottled; ; ; Argument[0]; template-injection; manual | +| 19 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 20 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 21 | Summary: org.thymeleaf; TemplateSpec; false; TemplateSpec; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| FreemarkerSSTI.java:24:36:24:39 | code : String | semmle.label | code : String | +| FreemarkerSSTI.java:26:35:26:40 | reader | semmle.label | reader | +| FreemarkerSSTI.java:32:17:32:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:33:19:33:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| FreemarkerSSTI.java:33:36:33:39 | code : String | semmle.label | code : String | +| FreemarkerSSTI.java:36:35:36:40 | reader | semmle.label | reader | +| FreemarkerSSTI.java:42:17:42:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:43:19:43:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| FreemarkerSSTI.java:43:36:43:39 | code : String | semmle.label | code : String | +| FreemarkerSSTI.java:46:35:46:40 | reader | semmle.label | reader | +| FreemarkerSSTI.java:52:23:52:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:55:35:55:44 | sourceCode | semmle.label | sourceCode | +| FreemarkerSSTI.java:61:17:61:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:63:19:63:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| FreemarkerSSTI.java:63:36:63:39 | code : String | semmle.label | code : String | +| FreemarkerSSTI.java:65:47:65:52 | reader | semmle.label | reader | +| FreemarkerSSTI.java:71:17:71:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:74:19:74:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| FreemarkerSSTI.java:74:36:74:39 | code : String | semmle.label | code : String | +| FreemarkerSSTI.java:77:36:77:41 | reader | semmle.label | reader | +| FreemarkerSSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:86:19:86:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| FreemarkerSSTI.java:86:36:86:39 | code : String | semmle.label | code : String | +| FreemarkerSSTI.java:88:47:88:52 | reader | semmle.label | reader | +| FreemarkerSSTI.java:93:17:93:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:96:42:96:45 | code | semmle.label | code | +| FreemarkerSSTI.java:101:17:101:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FreemarkerSSTI.java:104:42:104:45 | code | semmle.label | code | +| JinJavaSSTI.java:21:21:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JinJavaSSTI.java:24:44:24:51 | template | semmle.label | template | +| JinJavaSSTI.java:29:21:29:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JinJavaSSTI.java:32:55:32:62 | template | semmle.label | template | +| JinJavaSSTI.java:37:21:37:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JinJavaSSTI.java:42:55:42:62 | template | semmle.label | template | +| PebbleSSTI.java:18:25:18:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PebbleSSTI.java:20:56:20:67 | templateName | semmle.label | templateName | +| PebbleSSTI.java:25:25:25:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PebbleSSTI.java:27:63:27:74 | templateName | semmle.label | templateName | +| ThymeleafSSTI.java:21:17:21:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ThymeleafSSTI.java:24:27:24:30 | code | semmle.label | code | +| ThymeleafSSTI.java:25:27:25:30 | code | semmle.label | code | +| ThymeleafSSTI.java:26:27:26:30 | code | semmle.label | code | +| ThymeleafSSTI.java:27:27:27:30 | code | semmle.label | code | +| ThymeleafSSTI.java:28:36:28:39 | code | semmle.label | code | +| ThymeleafSSTI.java:29:36:29:39 | code | semmle.label | code | +| ThymeleafSSTI.java:31:24:31:49 | new TemplateSpec(...) : TemplateSpec | semmle.label | new TemplateSpec(...) : TemplateSpec | +| ThymeleafSSTI.java:31:41:31:44 | code : String | semmle.label | code : String | +| ThymeleafSSTI.java:32:27:32:30 | spec | semmle.label | spec | +| ThymeleafSSTI.java:33:27:33:30 | spec | semmle.label | spec | +| ThymeleafSSTI.java:34:36:34:39 | spec | semmle.label | spec | +| VelocitySSTI.java:31:17:31:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| VelocitySSTI.java:37:45:37:48 | code | semmle.label | code | +| VelocitySSTI.java:43:17:43:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| VelocitySSTI.java:49:25:49:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| VelocitySSTI.java:49:42:49:45 | code : String | semmle.label | code : String | +| VelocitySSTI.java:51:45:51:50 | reader | semmle.label | reader | +| VelocitySSTI.java:57:17:57:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| VelocitySSTI.java:60:25:60:46 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader | +| VelocitySSTI.java:60:42:60:45 | code : String | semmle.label | code : String | +| VelocitySSTI.java:61:25:61:30 | reader | semmle.label | reader | +| VelocitySSTI.java:81:17:81:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| VelocitySSTI.java:93:37:93:40 | code | semmle.label | code | +| VelocitySSTI.java:94:37:94:58 | new StringReader(...) | semmle.label | new StringReader(...) | +| VelocitySSTI.java:94:54:94:57 | code : String | semmle.label | code : String | +| VelocitySSTI.java:114:17:114:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| VelocitySSTI.java:117:37:117:40 | code | semmle.label | code | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.qlref new file mode 100644 index 000000000000..e346322b6d43 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/TemplateInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-094/TemplateInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java similarity index 66% rename from java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java rename to java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java index 4b3906689483..669b287ea797 100644 --- a/java/ql/test/query-tests/security/CWE-094/ThymeleafSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java @@ -18,20 +18,20 @@ public class ThymeleafSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source try { TemplateEngine templateEngine = new TemplateEngine(); - templateEngine.process(code, (Set) null, (Context) null); // $hasTemplateInjection - templateEngine.process(code, (Set) null, (Context) null, (Writer) null); // $hasTemplateInjection - templateEngine.process(code, (Context) null); // $hasTemplateInjection - templateEngine.process(code, (Context) null, (Writer) null); // $hasTemplateInjection - templateEngine.processThrottled(code, (Set) null, (Context) null); // $hasTemplateInjection - templateEngine.processThrottled(code, (Context) null); // $hasTemplateInjection + templateEngine.process(code, (Set) null, (Context) null); // $ Alert + templateEngine.process(code, (Set) null, (Context) null, (Writer) null); // $ Alert + templateEngine.process(code, (Context) null); // $ Alert + templateEngine.process(code, (Context) null, (Writer) null); // $ Alert + templateEngine.processThrottled(code, (Set) null, (Context) null); // $ Alert + templateEngine.processThrottled(code, (Context) null); // $ Alert TemplateSpec spec = new TemplateSpec(code, ""); - templateEngine.process(spec, (Context) null); // $hasTemplateInjection - templateEngine.process(spec, (Context) null, (Writer) null); // $hasTemplateInjection - templateEngine.processThrottled(spec, (Context) null); // $hasTemplateInjection + templateEngine.process(spec, (Context) null); // $ Alert + templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert + templateEngine.processThrottled(spec, (Context) null); // $ Alert } catch (Exception e) { } } diff --git a/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java similarity index 83% rename from java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java rename to java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java index 09c7a07058f2..463a653525e5 100644 --- a/java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java @@ -28,19 +28,19 @@ public class VelocitySSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source VelocityContext context = null; String s = "We are using $project $name to render this."; StringWriter w = new StringWriter(); - Velocity.evaluate(context, w, "mystring", code); // $hasTemplateInjection + Velocity.evaluate(context, w, "mystring", code); // $ Alert } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source VelocityContext context = null; @@ -48,17 +48,17 @@ public void bad2(HttpServletRequest request) { StringWriter w = new StringWriter(); StringReader reader = new StringReader(code); - Velocity.evaluate(context, w, "mystring", reader); // $hasTemplateInjection + Velocity.evaluate(context, w, "mystring", reader); // $ Alert } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source RuntimeServices runtimeServices = null; StringReader reader = new StringReader(code); - runtimeServices.parse(reader, new Template()); // $hasTemplateInjection + runtimeServices.parse(reader, new Template()); // $ Alert } @GetMapping(value = "good1") @@ -78,7 +78,7 @@ public void good1(HttpServletRequest request) { @GetMapping(value = "bad5") public void bad5(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source VelocityContext context = new VelocityContext(); context.put("code", code); @@ -90,8 +90,8 @@ public void bad5(HttpServletRequest request) { ctx.put("key", code); engine.evaluate(ctx, null, null, (String) null); // Safe engine.evaluate(ctx, null, null, (Reader) null); // Safe - engine.evaluate(null, null, null, code); // $hasTemplateInjection - engine.evaluate(null, null, null, new StringReader(code)); // $hasTemplateInjection + engine.evaluate(null, null, null, code); // $ Alert + engine.evaluate(null, null, null, new StringReader(code)); // $ Alert } @GetMapping(value = "good2") @@ -111,10 +111,10 @@ public void good2(HttpServletRequest request) { @GetMapping(value = "bad6") public void bad6(HttpServletRequest request) { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source StringResourceRepository repo = new StringResourceRepositoryImpl(); - repo.putStringResource("woogie2", code); // $hasTemplateInjection + repo.putStringResource("woogie2", code); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/options b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/options new file mode 100644 index 000000000000..d7c8332682ba --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/apache-commons-logging-1.2:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../../stubs/jinjava-2.6.0:${testdir}/../../../../stubs/pebble-3.1.5:${testdir}/../../../../stubs/thymeleaf-3.0.14:${testdir}/../../../../stubs/apache-velocity-2.3:${testdir}/../../../..//stubs/google-android-9.0.0 diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql deleted file mode 100644 index 809175bcd376..000000000000 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.TemplateInjectionQuery -import utils.test.InlineExpectationsTest - -module TemplateInjectionTest implements TestSig { - string getARelevantTag() { result = "hasTemplateInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasTemplateInjection" and - exists(DataFlow::Node sink | TemplateInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected index e69de29bb2d1..d96abdbd6bc0 100644 --- a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected +++ b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected @@ -0,0 +1,43 @@ +#select +| MainActivity.java:13:34:13:39 | intent | MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:12:29:12:39 | getIntent(...) | user-provided value | +| MainActivity.java:17:34:17:44 | extraIntent | MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:17:34:17:44 | extraIntent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:16:43:16:53 | getIntent(...) | user-provided value | +| MainActivity.java:33:34:33:39 | intent | MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:30:29:30:39 | getIntent(...) | user-provided value | +| MainActivity.java:46:34:46:39 | intent | MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:42:29:42:39 | getIntent(...) | user-provided value | +| MainActivity.java:52:34:52:39 | intent | MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:49:29:49:39 | getIntent(...) | user-provided value | +| MainActivity.java:60:38:60:43 | intent | MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:55:29:55:39 | getIntent(...) | user-provided value | +| MainActivity.java:71:38:71:43 | intent | MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:64:29:64:39 | getIntent(...) | user-provided value | +| MainActivity.java:81:38:81:43 | intent | MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:75:29:75:39 | getIntent(...) | user-provided value | +edges +| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | provenance | Sink:MaD:1 | +| MainActivity.java:16:34:16:87 | (...)... : Intent | MainActivity.java:17:34:17:44 | extraIntent | provenance | Sink:MaD:1 | +| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | provenance | MaD:2 | +| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | MainActivity.java:16:34:16:87 | (...)... : Intent | provenance | | +| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | provenance | Sink:MaD:1 | +| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | provenance | Sink:MaD:1 | +| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | provenance | Sink:MaD:1 | +| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | provenance | Sink:MaD:1 | +| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | provenance | Sink:MaD:1 | +| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | provenance | Sink:MaD:1 | +models +| 1 | Sink: android.app; Activity; true; setResult; (int,Intent); ; Argument[1]; pending-intents; manual | +| 2 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual | +nodes +| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:13:34:13:39 | intent | semmle.label | intent | +| MainActivity.java:16:34:16:87 | (...)... : Intent | semmle.label | (...)... : Intent | +| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable | +| MainActivity.java:17:34:17:44 | extraIntent | semmle.label | extraIntent | +| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:33:34:33:39 | intent | semmle.label | intent | +| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:46:34:46:39 | intent | semmle.label | intent | +| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:52:34:52:39 | intent | semmle.label | intent | +| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:60:38:60:43 | intent | semmle.label | intent | +| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:71:38:71:43 | intent | semmle.label | intent | +| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:81:38:81:43 | intent | semmle.label | intent | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql deleted file mode 100644 index f2f820743d1c..000000000000 --- a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.IntentUriPermissionManipulationQuery -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.qlref b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.qlref new file mode 100644 index 000000000000..caac7a302e4d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-266/IntentUriPermissionManipulation.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-266/MainActivity.java b/java/ql/test/query-tests/security/CWE-266/MainActivity.java index 4af80cc2b18a..3f146d20af02 100644 --- a/java/ql/test/query-tests/security/CWE-266/MainActivity.java +++ b/java/ql/test/query-tests/security/CWE-266/MainActivity.java @@ -9,12 +9,12 @@ public class MainActivity extends Activity { public void onCreate(Bundle savedInstance) { { - Intent intent = getIntent(); - setResult(RESULT_OK, intent); // $ hasTaintFlow + Intent intent = getIntent(); // $ Source + setResult(RESULT_OK, intent); // $ Alert } { - Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent"); - setResult(RESULT_OK, extraIntent); // $ hasTaintFlow + Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent"); // $ Source + setResult(RESULT_OK, extraIntent); // $ Alert } { Intent intent = getIntent(); @@ -27,10 +27,10 @@ public void onCreate(Bundle savedInstance) { setResult(RESULT_OK, intent); // Safe } { - Intent intent = getIntent(); + Intent intent = getIntent(); // $ Source intent.setFlags( // Not properly sanitized Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP); - setResult(RESULT_OK, intent); // $ hasTaintFlow + setResult(RESULT_OK, intent); // $ Alert } { Intent intent = getIntent(); @@ -39,46 +39,46 @@ public void onCreate(Bundle savedInstance) { setResult(RESULT_OK, intent); // Safe } { - Intent intent = getIntent(); + Intent intent = getIntent(); // $ Source // Combined, the following two calls are a sanitizer intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION); - setResult(RESULT_OK, intent); // $ SPURIOUS: $ hasTaintFlow + setResult(RESULT_OK, intent); // $ SPURIOUS: $ Alert } { - Intent intent = getIntent(); + Intent intent = getIntent(); // $ Source intent.removeFlags( // Not properly sanitized Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP); - setResult(RESULT_OK, intent); // $ hasTaintFlow + setResult(RESULT_OK, intent); // $ Alert } { - Intent intent = getIntent(); + Intent intent = getIntent(); // $ Source // Good check if (intent.getData().equals(Uri.parse("content://safe/uri"))) { setResult(RESULT_OK, intent); // Safe } else { - setResult(RESULT_OK, intent); // $ hasTaintFlow + setResult(RESULT_OK, intent); // $ Alert } } { - Intent intent = getIntent(); + Intent intent = getIntent(); // $ Source int flags = intent.getFlags(); // Good check if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0 && (flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) == 0) { setResult(RESULT_OK, intent); // Safe } else { - setResult(RESULT_OK, intent); // $ hasTaintFlow + setResult(RESULT_OK, intent); // $ Alert } } { - Intent intent = getIntent(); + Intent intent = getIntent(); // $ Source int flags = intent.getFlags(); // Insufficient check if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0) { - setResult(RESULT_OK, intent); // $ MISSING: $ hasTaintFlow + setResult(RESULT_OK, intent); // $ MISSING: $ Alert } else { - setResult(RESULT_OK, intent); // $ hasTaintFlow + setResult(RESULT_OK, intent); // $ Alert } } } diff --git a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.expected b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.expected index e69de29bb2d1..6d142f2b6348 100644 --- a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.expected +++ b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.expected @@ -0,0 +1,94 @@ +#select +| InsecureTrustManagerTest.java:124:22:124:33 | trustManager | InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:124:22:124:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:148:23:148:34 | trustManager | InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:148:23:148:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:180:23:180:34 | trustManager | InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:180:23:180:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:212:23:212:34 | trustManager | InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:212:23:212:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:229:23:229:34 | trustManager | InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:229:23:229:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:247:23:247:34 | trustManager | InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:247:23:247:34 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:267:22:267:33 | trustManager | InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:267:22:267:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:279:22:279:33 | trustManager | InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:279:22:279:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:291:22:291:33 | trustManager | InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:291:22:291:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:303:22:303:33 | trustManager | InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:303:22:303:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:315:22:315:33 | trustManager | InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:315:22:315:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:327:22:327:33 | trustManager | InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:327:22:327:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:339:22:339:33 | trustManager | InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:339:22:339:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:352:22:352:33 | trustManager | InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:352:22:352:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +| InsecureTrustManagerTest.java:360:22:360:33 | trustManager | InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:360:22:360:33 | trustManager | This uses $@, which is defined in $@ and trusts any certificate. | InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | TrustManager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | InsecureTrustManagerTest$InsecureTrustManager | +edges +| InsecureTrustManagerTest.java:123:33:123:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:124:22:124:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:123:33:123:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:147:34:147:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:148:23:148:34 | trustManager | provenance | | +| InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:147:34:147:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:179:34:179:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:180:23:180:34 | trustManager | provenance | | +| InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:179:34:179:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:211:34:211:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:212:23:212:34 | trustManager | provenance | | +| InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:211:34:211:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:228:34:228:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:229:23:229:34 | trustManager | provenance | | +| InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:228:34:228:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:246:34:246:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:247:23:247:34 | trustManager | provenance | | +| InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:246:34:246:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:266:33:266:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:267:22:267:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:266:33:266:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:278:33:278:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:279:22:279:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:278:33:278:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:290:33:290:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:291:22:291:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:290:33:290:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:302:33:302:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:303:22:303:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:302:33:302:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:314:33:314:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:315:22:315:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:314:33:314:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:326:33:326:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:327:22:327:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:326:33:326:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:338:33:338:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:339:22:339:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:338:33:338:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:351:33:351:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:352:22:352:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:351:33:351:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +| InsecureTrustManagerTest.java:359:33:359:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:360:22:360:33 | trustManager | provenance | | +| InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:359:33:359:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | provenance | | +nodes +| InsecureTrustManagerTest.java:123:33:123:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:123:53:123:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:124:22:124:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:147:34:147:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:147:54:147:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:148:23:148:34 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:179:34:179:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:179:54:179:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:180:23:180:34 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:211:34:211:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:211:54:211:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:212:23:212:34 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:228:34:228:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:228:54:228:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:229:23:229:34 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:246:34:246:80 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:246:54:246:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:247:23:247:34 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:266:33:266:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:266:53:266:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:267:22:267:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:278:33:278:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:278:53:278:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:279:22:279:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:290:33:290:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:290:53:290:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:291:22:291:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:302:33:302:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:302:53:302:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:303:22:303:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:314:33:314:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:314:53:314:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:315:22:315:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:326:33:326:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:326:53:326:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:327:22:327:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:338:33:338:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:338:53:338:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:339:22:339:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:351:33:351:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:351:53:351:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:352:22:352:33 | trustManager | semmle.label | trustManager | +| InsecureTrustManagerTest.java:359:33:359:79 | {...} : TrustManager[] [[]] : InsecureTrustManager | semmle.label | {...} : TrustManager[] [[]] : InsecureTrustManager | +| InsecureTrustManagerTest.java:359:53:359:78 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager | +| InsecureTrustManagerTest.java:360:22:360:33 | trustManager | semmle.label | trustManager | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java index 17e8fc60afcd..4e098fa29887 100644 --- a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java +++ b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java @@ -120,8 +120,8 @@ private static void directSecureTrustManagerCall() private static void directInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } private static void namedVariableFlagDirectInsecureTrustManagerCall() @@ -144,8 +144,8 @@ private static void noNamedVariableFlagDirectInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException { if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } } @@ -176,8 +176,8 @@ private static void noStringLiteralFlagDirectInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException { if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } } @@ -208,8 +208,8 @@ private static void noMethodAccessFlagDirectInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException { if (is42TheAnswerForEverything()) { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } } @@ -225,8 +225,8 @@ private static void isEqualsIgnoreCaseDirectInsecureTrustManagerCall() String schemaFromHttpRequest = "HTTPS"; if (schemaFromHttpRequest.equalsIgnoreCase("https")) { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } } @@ -243,8 +243,8 @@ private static void noIsEqualsIgnoreCaseDirectInsecureTrustManagerCall() String schemaFromHttpRequest = "HTTPS"; if (!schemaFromHttpRequest.equalsIgnoreCase("https")) { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } } @@ -263,8 +263,8 @@ private static void namedVariableFlagNOTGuardingDirectInsecureTrustManagerCall() } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } @@ -275,8 +275,8 @@ private static void noNamedVariableFlagNOTGuardingDirectInsecureTrustManagerCall } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } @@ -287,8 +287,8 @@ private static void stringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall() } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } @@ -299,8 +299,8 @@ private static void noStringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } @@ -311,8 +311,8 @@ private static void methodAccessFlagNOTGuardingDirectInsecureTrustManagerCall() } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } @@ -323,8 +323,8 @@ private static void noMethodAccessFlagNOTGuardingDirectInsecureTrustManagerCall( } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall() @@ -335,8 +335,8 @@ private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall( } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } @@ -348,15 +348,15 @@ private static void noIsEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCal } SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } private static void disableTrustManager() throws NoSuchAlgorithmException, KeyManagementException { SSLContext context = SSLContext.getInstance("TLS"); - TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; - context.init(null, trustManager, null); // $ hasValueFlow + TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()}; // $ Source + context.init(null, trustManager, null); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql deleted file mode 100644 index 1c0ffc49eba4..000000000000 --- a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.InsecureTrustManagerQuery -import utils.test.InlineExpectationsTest - -module InsecureTrustManagerTest implements TestSig { - string getARelevantTag() { result = "hasValueFlow" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasValueFlow" and - exists(DataFlow::Node sink | InsecureTrustManagerFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.qlref b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.qlref new file mode 100644 index 000000000000..f4c00b42347d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-295/InsecureTrustManager.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.expected b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.expected new file mode 100644 index 000000000000..d39985a091bb --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.expected @@ -0,0 +1,21 @@ +| CleartextStorageCookieTest.java:22:7:22:40 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:20:31:20:62 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:20:54:20:61 | password | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:48:77:48:84 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | +| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:49:59:49:83 | getPassword(...) | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie | diff --git a/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.java b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.java new file mode 100644 index 000000000000..5e4e949ca11e --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.java @@ -0,0 +1,79 @@ +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.Cookie; +import org.owasp.esapi.Encoder; +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import java.security.MessageDigest; +import java.net.PasswordAuthentication; + +public class CleartextStorageCookieTest extends HttpServlet { + HttpServletResponse response; + String name = "user"; + String password = "BP@ssw0rd"; // $ Source + + public void doGet() throws Exception { + { + Cookie nameCookie = new Cookie("name", name); + nameCookie.setValue(name); + response.addCookie(nameCookie); // Safe + Cookie passwordCookie = new Cookie("password", password); + passwordCookie.setValue(password); + response.addCookie(passwordCookie); // $ Alert + Cookie encodedPasswordCookie = new Cookie("password", encrypt(password)); + encodedPasswordCookie.setValue(encrypt(password)); + response.addCookie(encodedPasswordCookie); // Safe + } + { + io.netty.handler.codec.http.Cookie nettyNameCookie = + new io.netty.handler.codec.http.DefaultCookie("name", name); + nettyNameCookie.setValue(name); // Safe + + io.netty.handler.codec.http.Cookie nettyPasswordCookie = + new io.netty.handler.codec.http.DefaultCookie("password", password); + nettyPasswordCookie.setValue(password); // $ MISSING: Alert (netty not supported by query) + + io.netty.handler.codec.http.cookie.Cookie nettyEncodedPasswordCookie = + new io.netty.handler.codec.http.cookie.DefaultCookie("password", encrypt(password)); + nettyEncodedPasswordCookie.setValue(encrypt(password)); // Safe + } + { + Encoder enc = null; + String value = enc.encodeForHTML(password); + Cookie cookie = new Cookie("password", value); + response.addCookie(cookie); // $ Alert + } + { + String data; + PasswordAuthentication credentials = new PasswordAuthentication(name, password.toCharArray()); + data = credentials.getUserName() + ":" + new String(credentials.getPassword()); + + // BAD: store data in a cookie in cleartext form + response.addCookie(new Cookie("auth", data)); // $ Alert + } + { + String data; + PasswordAuthentication credentials = + new PasswordAuthentication(name, password.toCharArray()); + String salt = "ThisIsMySalt"; + MessageDigest messageDigest = MessageDigest.getInstance("SHA-512"); + messageDigest.reset(); + String credentialsToHash = + credentials.getUserName() + ":" + new String(credentials.getPassword()); + byte[] hashedCredsAsBytes = + messageDigest.digest((salt+credentialsToHash).getBytes("UTF-8")); + data = new String(hashedCredsAsBytes); + + // GOOD: store data in a cookie in encrypted form + response.addCookie(new Cookie("auth", data)); // Safe + } + } + + + private static String encrypt(String cleartext) throws Exception { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8)); + String encoded = Base64.getEncoder().encodeToString(hash); + return encoded; + } +} diff --git a/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.qlref b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.qlref new file mode 100644 index 000000000000..923d1277eebf --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-312/CleartextStorageCookie.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/options b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/options new file mode 100644 index 000000000000..068e49acc977 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../../stubs/esapi-2.0.1:${testdir}/../../../../stubs/netty-4.1.x diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.expected b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.expected index e69de29bb2d1..25c0a616e861 100644 --- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.expected +++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.expected @@ -0,0 +1,120 @@ +#select +| InsufficientKeySizeTest.java:17:26:17:27 | 64 | InsufficientKeySizeTest.java:17:26:17:27 | 64 | InsufficientKeySizeTest.java:17:26:17:27 | 64 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:17:26:17:27 | 64 | key size | +| InsufficientKeySizeTest.java:27:26:27:30 | size1 | InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | InsufficientKeySizeTest.java:27:26:27:30 | size1 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:23:31:23:32 | 64 | key size | +| InsufficientKeySizeTest.java:30:26:30:30 | size2 | InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:30:26:30:30 | size2 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:24:25:24:26 | 64 | key size | +| InsufficientKeySizeTest.java:40:26:40:27 | 64 | InsufficientKeySizeTest.java:40:26:40:27 | 64 | InsufficientKeySizeTest.java:40:26:40:27 | 64 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:40:26:40:27 | 64 | key size | +| InsufficientKeySizeTest.java:51:36:51:39 | 1024 | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | key size | +| InsufficientKeySizeTest.java:58:73:58:76 | 1024 | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | key size | +| InsufficientKeySizeTest.java:62:63:62:66 | 1024 | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | key size | +| InsufficientKeySizeTest.java:69:36:69:40 | size1 | InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | InsufficientKeySizeTest.java:69:36:69:40 | size1 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:65:31:65:34 | 1024 | key size | +| InsufficientKeySizeTest.java:72:36:72:40 | size2 | InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:72:36:72:40 | size2 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:66:25:66:28 | 1024 | key size | +| InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:255:40:255:43 | 1024 | key size | +| InsufficientKeySizeTest.java:86:36:86:39 | 1024 | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | key size | +| InsufficientKeySizeTest.java:97:36:97:39 | 1024 | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | key size | +| InsufficientKeySizeTest.java:104:67:104:70 | 1024 | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | key size | +| InsufficientKeySizeTest.java:108:60:108:63 | 1024 | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | key size | +| InsufficientKeySizeTest.java:112:27:112:30 | 1024 | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | key size | +| InsufficientKeySizeTest.java:117:28:117:31 | 1024 | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | key size | +| InsufficientKeySizeTest.java:128:36:128:39 | 1024 | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | key size | +| InsufficientKeySizeTest.java:135:64:135:67 | 1024 | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | key size | +| InsufficientKeySizeTest.java:139:59:139:62 | 1024 | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | key size | +| InsufficientKeySizeTest.java:143:27:143:30 | 1024 | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | key size | +| InsufficientKeySizeTest.java:150:36:150:38 | 128 | InsufficientKeySizeTest.java:150:36:150:38 | 128 | InsufficientKeySizeTest.java:150:36:150:38 | 128 | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:150:36:150:38 | 128 | key size | +| InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | key size | +| InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | key size | +| InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | key size | +| InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | key size | +| InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | key size | +| InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | key size | +| InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | key size | +| InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | key size | +| InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" | key size | +| InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" | key size | +| InsufficientKeySizeTest.java:219:21:219:27 | keySize | InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:219:21:219:27 | keySize | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:24:25:24:26 | 64 | key size | +| InsufficientKeySizeTest.java:225:21:225:27 | keySize | InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | InsufficientKeySizeTest.java:225:21:225:27 | keySize | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:35:30:35:31 | 64 | key size | +| InsufficientKeySizeTest.java:230:31:230:37 | keySize | InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:230:31:230:37 | keySize | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:66:25:66:28 | 1024 | key size | +| InsufficientKeySizeTest.java:236:31:236:37 | keySize | InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | InsufficientKeySizeTest.java:236:31:236:37 | keySize | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:77:36:77:39 | 1024 | key size | +| InsufficientKeySizeTest.java:246:31:246:37 | keySize | InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | InsufficientKeySizeTest.java:246:31:246:37 | keySize | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:199:24:199:26 | 128 | key size | +| InsufficientKeySizeTest.java:252:31:252:37 | keySize | InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | InsufficientKeySizeTest.java:252:31:252:37 | keySize | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:202:40:202:42 | 128 | key size | +edges +| InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | InsufficientKeySizeTest.java:27:26:27:30 | size1 | provenance | | +| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:30:26:30:30 | size2 | provenance | | +| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | provenance | | +| InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | provenance | | +| InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | provenance | | +| InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | InsufficientKeySizeTest.java:69:36:69:40 | size1 | provenance | | +| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:72:36:72:40 | size2 | provenance | | +| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | provenance | | +| InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | provenance | | +| InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | provenance | | +| InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | InsufficientKeySizeTest.java:201:41:201:44 | size : Number | provenance | | +| InsufficientKeySizeTest.java:201:41:201:44 | size : Number | InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | provenance | | +| InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | provenance | | +| InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | provenance | | +| InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | provenance | | +| InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | InsufficientKeySizeTest.java:219:21:219:27 | keySize | provenance | | +| InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | InsufficientKeySizeTest.java:225:21:225:27 | keySize | provenance | | +| InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | InsufficientKeySizeTest.java:230:31:230:37 | keySize | provenance | | +| InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | InsufficientKeySizeTest.java:236:31:236:37 | keySize | provenance | | +| InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | InsufficientKeySizeTest.java:246:31:246:37 | keySize | provenance | | +| InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | InsufficientKeySizeTest.java:252:31:252:37 | keySize | provenance | | +| InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | provenance | | +nodes +| InsufficientKeySizeTest.java:17:26:17:27 | 64 | semmle.label | 64 | +| InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | semmle.label | 64 : Number | +| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | semmle.label | 64 : Number | +| InsufficientKeySizeTest.java:27:26:27:30 | size1 | semmle.label | size1 | +| InsufficientKeySizeTest.java:30:26:30:30 | size2 | semmle.label | size2 | +| InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | semmle.label | size2 : Number | +| InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | semmle.label | 64 : Number | +| InsufficientKeySizeTest.java:40:26:40:27 | 64 | semmle.label | 64 | +| InsufficientKeySizeTest.java:51:36:51:39 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:58:73:58:76 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:62:63:62:66 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | semmle.label | 1024 : Number | +| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | semmle.label | 1024 : Number | +| InsufficientKeySizeTest.java:69:36:69:40 | size1 | semmle.label | size1 | +| InsufficientKeySizeTest.java:72:36:72:40 | size2 | semmle.label | size2 | +| InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | semmle.label | size2 : Number | +| InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | semmle.label | 1024 : Number | +| InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | semmle.label | getRSAKeySize(...) | +| InsufficientKeySizeTest.java:86:36:86:39 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:97:36:97:39 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:104:67:104:70 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:108:60:108:63 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:112:27:112:30 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:117:28:117:31 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:128:36:128:39 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:135:64:135:67 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:139:59:139:62 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:143:27:143:30 | 1024 | semmle.label | 1024 | +| InsufficientKeySizeTest.java:150:36:150:38 | 128 | semmle.label | 128 | +| InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | semmle.label | "secp112r1" | +| InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | semmle.label | "secp112r1" | +| InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | semmle.label | "X9.62 prime192v2" | +| InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | semmle.label | "X9.62 c2tnb191v3" | +| InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | semmle.label | "sect163k1" | +| InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | semmle.label | "prime192v2" | +| InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | semmle.label | "c2tnb191v1" | +| InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | semmle.label | "secp112r1" | +| InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | semmle.label | 128 : Number | +| InsufficientKeySizeTest.java:201:41:201:44 | size : Number | semmle.label | size : Number | +| InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | semmle.label | 128 : Number | +| InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | semmle.label | "secp112r1" : String | +| InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | semmle.label | curveName1 | +| InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | semmle.label | "secp112r1" : String | +| InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | semmle.label | curveName2 | +| InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | semmle.label | keySize : Number | +| InsufficientKeySizeTest.java:219:21:219:27 | keySize | semmle.label | keySize | +| InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | semmle.label | keySize : Number | +| InsufficientKeySizeTest.java:225:21:225:27 | keySize | semmle.label | keySize | +| InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | semmle.label | keySize : Number | +| InsufficientKeySizeTest.java:230:31:230:37 | keySize | semmle.label | keySize | +| InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | semmle.label | keySize : Number | +| InsufficientKeySizeTest.java:236:31:236:37 | keySize | semmle.label | keySize | +| InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | semmle.label | keySize : Number | +| InsufficientKeySizeTest.java:246:31:246:37 | keySize | semmle.label | keySize | +| InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | semmle.label | keySize : Number | +| InsufficientKeySizeTest.java:252:31:252:37 | keySize | semmle.label | keySize | +| InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | semmle.label | 1024 : Number | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java index 6f0d1f7115c7..9f3728f9640a 100644 --- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java +++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java @@ -14,30 +14,30 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java { /* Test with keysize as int */ KeyGenerator keyGen1 = KeyGenerator.getInstance("AES"); - keyGen1.init(64); // $ hasInsufficientKeySize + keyGen1.init(64); // $ Alert KeyGenerator keyGen2 = KeyGenerator.getInstance("AES"); keyGen2.init(128); // Safe: Key size is no less than 128 /* Test with local variable as keysize */ - final int size1 = 64; // compile-time constant - int size2 = 64; // not a compile-time constant + final int size1 = 64; // $ Source// compile-time constant + int size2 = 64; // $ Source// not a compile-time constant KeyGenerator keyGen3 = KeyGenerator.getInstance("AES"); - keyGen3.init(size1); // $ hasInsufficientKeySize + keyGen3.init(size1); // $ Alert KeyGenerator keyGen4 = KeyGenerator.getInstance("AES"); - keyGen4.init(size2); // $ hasInsufficientKeySize + keyGen4.init(size2); // $ Alert /* Test variables passed to another method */ KeyGenerator keyGen5 = KeyGenerator.getInstance("AES"); // MISSING: test KeyGenerator variable as argument testSymmetricVariable(size2, keyGen5); // test with variable as key size - testSymmetricInt(64); // test with int literal as key size + testSymmetricInt(64); // $ Source // test with int literal as key size /* Test with variable as algo name argument in `getInstance` method. */ final String algoName1 = "AES"; // compile-time constant KeyGenerator keyGen6 = KeyGenerator.getInstance(algoName1); - keyGen6.init(64); // $ hasInsufficientKeySize + keyGen6.init(64); // $ Alert String algoName2 = "AES"; // not a compile-time constant KeyGenerator keyGen7 = KeyGenerator.getInstance(algoName2); @@ -48,42 +48,42 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java { /* Test with keysize as int */ KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA"); - keyPairGen1.initialize(1024); // $ hasInsufficientKeySize + keyPairGen1.initialize(1024); // $ Alert KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("RSA"); keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048 /* Test spec */ KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("RSA"); - RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ hasInsufficientKeySize + RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ Alert keyPairGen3.initialize(rsaSpec); KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA"); - keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ hasInsufficientKeySize + keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ Alert /* Test with local variable as keysize */ - final int size1 = 1024; // compile-time constant - int size2 = 1024; // not a compile-time constant + final int size1 = 1024; // $ Source // compile-time constant + int size2 = 1024; // $ Source // not a compile-time constant KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("RSA"); - keyPairGen5.initialize(size1); // $ hasInsufficientKeySize + keyPairGen5.initialize(size1); // $ Alert KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("RSA"); - keyPairGen6.initialize(size2); // $ hasInsufficientKeySize + keyPairGen6.initialize(size2); // $ Alert /* Test variables passed to another method */ KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("RSA"); // MISSING: test KeyGenerator variable as argument testAsymmetricNonEcVariable(size2, keyPairGen7); // test with variable as key size - testAsymmetricNonEcInt(1024); // test with int literal as key size + testAsymmetricNonEcInt(1024); // $ Source // test with int literal as key size /* Test getting key size as return value of another method */ KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("RSA"); - keyPairGen8.initialize(getRSAKeySize()); // $ hasInsufficientKeySize + keyPairGen8.initialize(getRSAKeySize()); // $ Alert /* Test with variable as algo name argument in `getInstance` method. */ final String algoName1 = "RSA"; // compile-time constant KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance(algoName1); - keyPairGen9.initialize(1024); // $ hasInsufficientKeySize + keyPairGen9.initialize(1024); // $ Alert String algoName2 = "RSA"; // not a compile-time constant KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance(algoName2); @@ -94,27 +94,27 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java { /* Test with keysize as int */ KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("DSA"); - keyPairGen1.initialize(1024); // $ hasInsufficientKeySize + keyPairGen1.initialize(1024); // $ Alert KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA"); keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048 /* Test spec */ KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DSA"); - DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ hasInsufficientKeySize + DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ Alert keyPairGen3.initialize(dsaSpec); KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA"); - keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize + keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ Alert /* Test `AlgorithmParameterGenerator` */ AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DSA"); - paramGen.init(1024); // $ hasInsufficientKeySize + paramGen.init(1024); // $ Alert /* Test with variable as algo name argument in `getInstance` method. */ final String algoName1 = "DSA"; // compile-time constant AlgorithmParameterGenerator paramGen1 = AlgorithmParameterGenerator.getInstance(algoName1); - paramGen1.init(1024); // $ hasInsufficientKeySize + paramGen1.init(1024); // $ Alert String algoName2 = "DSA"; // not a compile-time constant AlgorithmParameterGenerator paramGen2 = AlgorithmParameterGenerator.getInstance(algoName2); @@ -125,52 +125,52 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java { /* Test with keysize as int */ KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("dh"); - keyPairGen1.initialize(1024); // $ hasInsufficientKeySize + keyPairGen1.initialize(1024); // $ Alert KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DH"); keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048 /* Test spec */ KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH"); - DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ hasInsufficientKeySize + DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ Alert keyPairGen3.initialize(dhSpec); KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH"); - keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize + keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ Alert /* Test `AlgorithmParameterGenerator` */ AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DH"); - paramGen.init(1024); // $ hasInsufficientKeySize + paramGen.init(1024); // $ Alert } // EC (Asymmetric): minimum recommended key size is 256 { /* Test with keysize as int */ KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("EC"); - keyPairGen1.initialize(128); // $ hasInsufficientKeySize + keyPairGen1.initialize(128); // $ Alert /* Test with keysize as curve name in spec */ KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ Alert keyPairGen2.initialize(ecSpec1); KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("EC"); - keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ hasInsufficientKeySize + keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ Alert KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC"); ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1"); // Safe: Key size is no less than 256 keyPairGen4.initialize(ecSpec2); KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ Alert keyPairGen5.initialize(ecSpec3); KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ Alert keyPairGen6.initialize(ecSpec4); KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ Alert keyPairGen7.initialize(ecSpec5); KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC"); @@ -178,7 +178,7 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java keyPairGen8.initialize(ecSpec6); KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ Alert keyPairGen9.initialize(ecSpec7); KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC"); @@ -186,7 +186,7 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java keyPairGen10.initialize(ecSpec8); KeyPairGenerator keyPairGen14 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ Alert keyPairGen14.initialize(ecSpec9); KeyPairGenerator keyPairGen15 = KeyPairGenerator.getInstance("EC"); @@ -194,46 +194,46 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java keyPairGen15.initialize(ecSpec10); // Safe: Key size is no less than 256 /* Test variables passed to another method */ - ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ Alert testAsymmetricEcSpecVariable(ecSpec); // test spec as an argument - int size = 128; + int size = 128; // $ Source KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); // MISSING: test KeyGenerator variable as argument testAsymmetricEcIntVariable(size, keyPairGen); // test with variable as key size - testAsymmetricEcIntLiteral(128); // test with int literal as key size + testAsymmetricEcIntLiteral(128); // $ Source // test with int literal as key size /* Test with variable as curve name argument in `ECGenParameterSpec` constructor. */ - final String curveName1 = "secp112r1"; // compile-time constant + final String curveName1 = "secp112r1"; // $ Source // compile-time constant KeyPairGenerator keyPairGen16 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ Alert keyPairGen16.initialize(ecSpec11); - String curveName2 = "secp112r1"; // not a compile-time constant + String curveName2 = "secp112r1"; // $ Source // not a compile-time constant KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ hasInsufficientKeySize + ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ Alert keyPairGen17.initialize(ecSpec12); } } public static void testSymmetricVariable(int keySize, KeyGenerator kg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { KeyGenerator keyGen = KeyGenerator.getInstance("AES"); - keyGen.init(keySize); // $ hasInsufficientKeySize + keyGen.init(keySize); // $ Alert kg.init(64); // $ MISSING: hasInsufficientKeySize } public static void testSymmetricInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { KeyGenerator keyGen = KeyGenerator.getInstance("AES"); - keyGen.init(keySize); // $ hasInsufficientKeySize + keyGen.init(keySize); // $ Alert } public static void testAsymmetricNonEcVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); - keyPairGen.initialize(keySize); // $ hasInsufficientKeySize + keyPairGen.initialize(keySize); // $ Alert kpg.initialize(1024); // $ MISSING: hasInsufficientKeySize } public static void testAsymmetricNonEcInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); - keyPairGen.initialize(keySize); // $ hasInsufficientKeySize + keyPairGen.initialize(keySize); // $ Alert } public static void testAsymmetricEcSpecVariable(ECGenParameterSpec spec) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { @@ -243,14 +243,14 @@ public static void testAsymmetricEcSpecVariable(ECGenParameterSpec spec) throws public static void testAsymmetricEcIntVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); - keyPairGen.initialize(keySize); // $ hasInsufficientKeySize + keyPairGen.initialize(keySize); // $ Alert kpg.initialize(128); // $ MISSING: hasInsufficientKeySize } public static void testAsymmetricEcIntLiteral(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException { KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); - keyPairGen.initialize(keySize); // $ hasInsufficientKeySize + keyPairGen.initialize(keySize); // $ Alert } - public int getRSAKeySize(){ return 1024; } + public int getRSAKeySize(){ return 1024; } // $ Source } diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql deleted file mode 100644 index 441faa888e34..000000000000 --- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import utils.test.InlineExpectationsTest -import semmle.code.java.security.InsufficientKeySizeQuery - -module InsufficientKeySizeTest implements TestSig { - string getARelevantTag() { result = "hasInsufficientKeySize" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasInsufficientKeySize" and - exists(KeySizeFlow::PathNode sink | KeySizeFlow::flowPath(_, sink) | - sink.getNode().getLocation() = location and - element = sink.getNode().toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.qlref b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.qlref new file mode 100644 index 000000000000..6b3f44f4ca2d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-326/InsufficientKeySize.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-330/InsecureRandomCookies.java b/java/ql/test/query-tests/security/CWE-330/InsecureRandomCookies.java index d34a0283313e..742c2cebcf9d 100644 --- a/java/ql/test/query-tests/security/CWE-330/InsecureRandomCookies.java +++ b/java/ql/test/query-tests/security/CWE-330/InsecureRandomCookies.java @@ -16,28 +16,28 @@ public class InsecureRandomCookies extends HttpServlet { public void doGet() { Random r = new Random(); - int c = r.nextInt(); + int c = r.nextInt(); // $ Source // BAD: The cookie value may be predictable. - Cookie cookie = new Cookie("name", Integer.toString(c)); // $hasWeakRandomFlow - cookie.setValue(Integer.toString(c)); // $hasWeakRandomFlow + Cookie cookie = new Cookie("name", Integer.toString(c)); // $ Alert + cookie.setValue(Integer.toString(c)); // $ Alert io.netty.handler.codec.http.Cookie nettyCookie = - new io.netty.handler.codec.http.DefaultCookie("name", Integer.toString(c)); // $hasWeakRandomFlow - nettyCookie.setValue(Integer.toString(c)); // $hasWeakRandomFlow + new io.netty.handler.codec.http.DefaultCookie("name", Integer.toString(c)); // $ Alert + nettyCookie.setValue(Integer.toString(c)); // $ Alert io.netty.handler.codec.http.cookie.Cookie nettyCookie2 = - new io.netty.handler.codec.http.cookie.DefaultCookie("name", Integer.toString(c)); // $hasWeakRandomFlow - nettyCookie2.setValue(Integer.toString(c)); // $hasWeakRandomFlow + new io.netty.handler.codec.http.cookie.DefaultCookie("name", Integer.toString(c)); // $ Alert + nettyCookie2.setValue(Integer.toString(c)); // $ Alert Encoder enc = null; - int c2 = r.nextInt(); + int c2 = r.nextInt(); // $ Source String value = enc.encodeForHTML(Integer.toString(c2)); // BAD: The cookie value may be predictable. - Cookie cookie2 = new Cookie("name", value); // $hasWeakRandomFlow + Cookie cookie2 = new Cookie("name", value); // $ Alert byte[] bytes = new byte[16]; - r.nextBytes(bytes); + r.nextBytes(bytes); // $ Source // BAD: The cookie value may be predictable. - Cookie cookie3 = new Cookie("name", new String(bytes)); // $hasWeakRandomFlow + Cookie cookie3 = new Cookie("name", new String(bytes)); // $ Alert SecureRandom sr = new SecureRandom(); @@ -48,22 +48,22 @@ public void doGet() { ThreadLocalRandom tlr = ThreadLocalRandom.current(); - Cookie cookie5 = new Cookie("name", Integer.toString(tlr.nextInt())); // $hasWeakRandomFlow + Cookie cookie5 = new Cookie("name", Integer.toString(tlr.nextInt())); // $ Alert - Cookie cookie6 = new Cookie("name", RandomStringUtils.random(10)); // $hasWeakRandomFlow + Cookie cookie6 = new Cookie("name", RandomStringUtils.random(10)); // $ Alert - Cookie cookie7 = new Cookie("name", RandomStringUtils.randomAscii(10)); // $hasWeakRandomFlow + Cookie cookie7 = new Cookie("name", RandomStringUtils.randomAscii(10)); // $ Alert - long c3 = r.nextLong(); + long c3 = r.nextLong(); // $ Source // BAD: The cookie value may be predictable. - Cookie cookie8 = new Cookie("name", Long.toString(c3 * 5)); // $hasWeakRandomFlow + Cookie cookie8 = new Cookie("name", Long.toString(c3 * 5)); // $ Alert - double c4 = Math.random(); + double c4 = Math.random(); // $ Source // BAD: The cookie value may be predictable. - Cookie cookie9 = new Cookie("name", Double.toString(c4)); // $hasWeakRandomFlow + Cookie cookie9 = new Cookie("name", Double.toString(c4)); // $ Alert - double c5 = Math.random(); + double c5 = Math.random(); // $ Source // BAD: The cookie value may be predictable. - Cookie cookie10 = new Cookie("name", Double.toString(++c5)); // $hasWeakRandomFlow + Cookie cookie10 = new Cookie("name", Double.toString(++c5)); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.expected b/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.expected index e69de29bb2d1..3b460aeec32b 100644 --- a/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.expected +++ b/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.expected @@ -0,0 +1,69 @@ +#select +| InsecureRandomCookies.java:21:44:21:62 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:21:44:21:62 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:22:25:22:43 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:22:25:22:43 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:25:71:25:89 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:25:71:25:89 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:26:30:26:48 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:26:30:26:48 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:28:78:28:96 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:28:78:28:96 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:29:31:29:49 | toString(...) | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:29:31:29:49 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:19:17:19:27 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:35:45:35:49 | value | InsecureRandomCookies.java:32:18:32:28 | nextInt(...) : Number | InsecureRandomCookies.java:35:45:35:49 | value | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:32:18:32:28 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:40:45:40:61 | new String(...) | InsecureRandomCookies.java:38:21:38:25 | bytes : byte[] | InsecureRandomCookies.java:40:45:40:61 | new String(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:38:21:38:25 | bytes | Insecure randomness source. | +| InsecureRandomCookies.java:51:45:51:75 | toString(...) | InsecureRandomCookies.java:51:62:51:74 | nextInt(...) : Number | InsecureRandomCookies.java:51:45:51:75 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:51:62:51:74 | nextInt(...) | Insecure randomness source. | +| InsecureRandomCookies.java:53:45:53:72 | random(...) | InsecureRandomCookies.java:53:45:53:72 | random(...) | InsecureRandomCookies.java:53:45:53:72 | random(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:53:45:53:72 | random(...) | Insecure randomness source. | +| InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | Insecure randomness source. | +| InsecureRandomCookies.java:59:45:59:65 | toString(...) | InsecureRandomCookies.java:57:19:57:30 | nextLong(...) : Number | InsecureRandomCookies.java:59:45:59:65 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:57:19:57:30 | nextLong(...) | Insecure randomness source. | +| InsecureRandomCookies.java:63:45:63:63 | toString(...) | InsecureRandomCookies.java:61:21:61:33 | random(...) : Number | InsecureRandomCookies.java:63:45:63:63 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:61:21:61:33 | random(...) | Insecure randomness source. | +| InsecureRandomCookies.java:67:46:67:66 | toString(...) | InsecureRandomCookies.java:65:21:65:33 | random(...) : Number | InsecureRandomCookies.java:67:46:67:66 | toString(...) | Potential Insecure randomness due to a $@. | InsecureRandomCookies.java:65:21:65:33 | random(...) | Insecure randomness source. | +edges +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:21:44:21:62 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:22:25:22:43 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:25:71:25:89 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:26:30:26:48 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:28:78:28:96 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | InsecureRandomCookies.java:29:31:29:49 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:32:18:32:28 | nextInt(...) : Number | InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | InsecureRandomCookies.java:35:45:35:49 | value | provenance | | +| InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | provenance | Config | +| InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | provenance | MaD:2 | +| InsecureRandomCookies.java:38:21:38:25 | bytes : byte[] | InsecureRandomCookies.java:40:56:40:60 | bytes : byte[] | provenance | | +| InsecureRandomCookies.java:40:56:40:60 | bytes : byte[] | InsecureRandomCookies.java:40:45:40:61 | new String(...) | provenance | MaD:1 | +| InsecureRandomCookies.java:51:62:51:74 | nextInt(...) : Number | InsecureRandomCookies.java:51:45:51:75 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:57:19:57:30 | nextLong(...) : Number | InsecureRandomCookies.java:59:59:59:60 | c3 : Number | provenance | | +| InsecureRandomCookies.java:59:59:59:60 | c3 : Number | InsecureRandomCookies.java:59:59:59:64 | ... * ... : Number | provenance | Config | +| InsecureRandomCookies.java:59:59:59:64 | ... * ... : Number | InsecureRandomCookies.java:59:45:59:65 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:61:21:61:33 | random(...) : Number | InsecureRandomCookies.java:63:45:63:63 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:65:21:65:33 | random(...) : Number | InsecureRandomCookies.java:67:64:67:65 | c5 : Number | provenance | | +| InsecureRandomCookies.java:67:62:67:65 | ++... : Number | InsecureRandomCookies.java:67:46:67:66 | toString(...) | provenance | TaintPreservingCallable | +| InsecureRandomCookies.java:67:64:67:65 | c5 : Number | InsecureRandomCookies.java:67:62:67:65 | ++... : Number | provenance | Config | +models +| 1 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual | +| 2 | Summary: org.owasp.esapi; Encoder; true; encodeForHTML; (String); ; Argument[0]; ReturnValue; taint; manual | +nodes +| InsecureRandomCookies.java:19:17:19:27 | nextInt(...) : Number | semmle.label | nextInt(...) : Number | +| InsecureRandomCookies.java:21:44:21:62 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:22:25:22:43 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:25:71:25:89 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:26:30:26:48 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:28:78:28:96 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:29:31:29:49 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:32:18:32:28 | nextInt(...) : Number | semmle.label | nextInt(...) : Number | +| InsecureRandomCookies.java:33:24:33:62 | encodeForHTML(...) : String | semmle.label | encodeForHTML(...) : String | +| InsecureRandomCookies.java:33:42:33:61 | toString(...) : String | semmle.label | toString(...) : String | +| InsecureRandomCookies.java:35:45:35:49 | value | semmle.label | value | +| InsecureRandomCookies.java:38:21:38:25 | bytes : byte[] | semmle.label | bytes : byte[] | +| InsecureRandomCookies.java:40:45:40:61 | new String(...) | semmle.label | new String(...) | +| InsecureRandomCookies.java:40:56:40:60 | bytes : byte[] | semmle.label | bytes : byte[] | +| InsecureRandomCookies.java:51:45:51:75 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:51:62:51:74 | nextInt(...) : Number | semmle.label | nextInt(...) : Number | +| InsecureRandomCookies.java:53:45:53:72 | random(...) | semmle.label | random(...) | +| InsecureRandomCookies.java:55:45:55:77 | randomAscii(...) | semmle.label | randomAscii(...) | +| InsecureRandomCookies.java:57:19:57:30 | nextLong(...) : Number | semmle.label | nextLong(...) : Number | +| InsecureRandomCookies.java:59:45:59:65 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:59:59:59:60 | c3 : Number | semmle.label | c3 : Number | +| InsecureRandomCookies.java:59:59:59:64 | ... * ... : Number | semmle.label | ... * ... : Number | +| InsecureRandomCookies.java:61:21:61:33 | random(...) : Number | semmle.label | random(...) : Number | +| InsecureRandomCookies.java:63:45:63:63 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:65:21:65:33 | random(...) : Number | semmle.label | random(...) : Number | +| InsecureRandomCookies.java:67:46:67:66 | toString(...) | semmle.label | toString(...) | +| InsecureRandomCookies.java:67:62:67:65 | ++... : Number | semmle.label | ++... : Number | +| InsecureRandomCookies.java:67:64:67:65 | c5 : Number | semmle.label | c5 : Number | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.ql b/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.ql deleted file mode 100644 index a9e8cbb2dc4d..000000000000 --- a/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.ql +++ /dev/null @@ -1,19 +0,0 @@ -import java -import semmle.code.java.dataflow.DataFlow -import semmle.code.java.security.InsecureRandomnessQuery -import utils.test.InlineExpectationsTest - -module WeakRandomTest implements TestSig { - string getARelevantTag() { result = "hasWeakRandomFlow" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasWeakRandomFlow" and - exists(DataFlow::Node sink | InsecureRandomnessFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.qlref b/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.qlref new file mode 100644 index 000000000000..2d02acfab9a4 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-330/InsecureRandomnessTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-330/InsecureRandomness.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected index e69de29bb2d1..ba513e95a2d9 100644 --- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected +++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected @@ -0,0 +1,55 @@ +#select +| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) | JWT signing key | +| MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | JWT signing key | +edges +| MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | provenance | Config | +| MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance | | +| MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | provenance | | +| MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | provenance | | +| MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | provenance | Config | +| MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | provenance | Config | +nodes +| MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | semmle.label | setSigningKey(...) : JwtParser | +| MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder | +| MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | semmle.label | build(...) : JwtParser | +| MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | semmle.label | setSigningKey(...) : JwtParser | +| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | semmle.label | getASignedParser(...) : JwtParser | +| MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | semmle.label | parser1 : JwtParser | +| MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | semmle.label | parser1 : JwtParser | +| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | semmle.label | getASignedParserFromParserBuilder(...) : JwtParser | +| MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | semmle.label | parser2 : JwtParser | +| MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | semmle.label | parser2 : JwtParser | +| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | semmle.label | getASignedNewParser(...) : JwtParser | +| MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | semmle.label | parser3 : JwtParser | +| MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | semmle.label | parser3 : JwtParser | +| MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | semmle.label | parser : JwtParser | +| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | semmle.label | parser | +| MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | semmle.label | parser : JwtParser | +| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | semmle.label | parser | +| MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder | +| MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | semmle.label | build(...) | +| MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder | +| MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | semmle.label | build(...) | +| MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | semmle.label | setSigningKey(...) | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java index 93b54154ffc1..c4ab09b27e6d 100644 --- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java +++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java @@ -10,15 +10,15 @@ public class MissingJWTSignatureCheckTest { private JwtParser getASignedParser() { - return Jwts.parser().setSigningKey("someBase64EncodedKey"); + return Jwts.parser().setSigningKey("someBase64EncodedKey"); // $ Source } private JwtParser getASignedParserFromParserBuilder() { - return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build(); + return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build(); // $ Source } private JwtParser getASignedNewParser() { - return new DefaultJwtParser().setSigningKey("someBase64EncodedKey"); + return new DefaultJwtParser().setSigningKey("someBase64EncodedKey"); // $ Source } private void callSignedParsers() { @@ -80,11 +80,11 @@ private void signParserAfterParseCall() { } private void badJwtOnParserBuilder(JwtParser parser, String token) { - parser.parse(token); // $hasMissingJwtSignatureCheck + parser.parse(token); // $ Alert } private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) { - parser.parse(token, new JwtHandlerAdapter>() { // $hasMissingJwtSignatureCheck + parser.parse(token, new JwtHandlerAdapter>() { // $ Alert @Override public Jwt onPlaintextJwt(Jwt jwt) { return jwt; @@ -107,15 +107,15 @@ public Jws onPlaintextJws(Jws jws) { } private void badJwtOnParserBuilder(String token) { - Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck + Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert } private void badJwtOnDefaultParserBuilder(String token) { - new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck + new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert } private void badJwtHandlerOnParser(String token) { - Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck + Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $ Alert new JwtHandlerAdapter>() { @Override public Jwt onPlaintextJwt(Jwt jwt) { diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql deleted file mode 100644 index 4ce6116e27f2..000000000000 --- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.MissingJWTSignatureCheckQuery -import utils.test.InlineExpectationsTest - -module HasMissingJwtSignatureCheckTest implements TestSig { - string getARelevantTag() { result = "hasMissingJwtSignatureCheck" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasMissingJwtSignatureCheck" and - exists(DataFlow::Node sink | MissingJwtSignatureCheckFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.qlref b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.qlref new file mode 100644 index 000000000000..79b63ee641f5 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-347/MissingJWTSignatureCheck.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-441/Test.java b/java/ql/test/query-tests/security/CWE-441/Test.java index 0bda09331159..be8bedeb7e7e 100644 --- a/java/ql/test/query-tests/security/CWE-441/Test.java +++ b/java/ql/test/query-tests/security/CWE-441/Test.java @@ -29,23 +29,23 @@ private void validateWithBlockList(Uri uri) throws SecurityException { public void onCreate() { { ContentResolver contentResolver = getContentResolver(); - Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); - contentResolver.openInputStream(uri); // $ hasTaintFlow - contentResolver.openOutputStream(uri); // $ hasTaintFlow - contentResolver.openAssetFile(uri, null, null); // $ hasTaintFlow - contentResolver.openAssetFileDescriptor(uri, null); // $ hasTaintFlow - contentResolver.openFile(uri, null, null); // $ hasTaintFlow - contentResolver.openFileDescriptor(uri, null); // $ hasTaintFlow - contentResolver.openTypedAssetFile(uri, null, null, null); // $ hasTaintFlow - contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ hasTaintFlow + Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source + contentResolver.openInputStream(uri); // $ Alert + contentResolver.openOutputStream(uri); // $ Alert + contentResolver.openAssetFile(uri, null, null); // $ Alert + contentResolver.openAssetFileDescriptor(uri, null); // $ Alert + contentResolver.openFile(uri, null, null); // $ Alert + contentResolver.openFileDescriptor(uri, null); // $ Alert + contentResolver.openTypedAssetFile(uri, null, null, null); // $ Alert + contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ Alert } { ContentResolver contentResolver = getContentResolver(); - Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); + Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source String path = uri.getPath(); if (path.startsWith("/data")) throw new SecurityException(); - contentResolver.openInputStream(uri); // $ hasTaintFlow + contentResolver.openInputStream(uri); // $ Alert } // Equals checks { @@ -64,11 +64,11 @@ public void onCreate() { // Allow list checks { ContentResolver contentResolver = getContentResolver(); - Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); + Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source String path = uri.getPath(); if (!path.startsWith("/safe/path")) throw new SecurityException(); - contentResolver.openInputStream(uri); // $ hasTaintFlow + contentResolver.openInputStream(uri); // $ Alert } { ContentResolver contentResolver = getContentResolver(); @@ -89,11 +89,11 @@ public void onCreate() { // Block list checks { ContentResolver contentResolver = getContentResolver(); - Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); + Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA"); // $ Source String path = uri.getPath(); if (path.startsWith("/data")) throw new SecurityException(); - contentResolver.openInputStream(uri); // $ hasTaintFlow + contentResolver.openInputStream(uri); // $ Alert } { ContentResolver contentResolver = getContentResolver(); diff --git a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected index e69de29bb2d1..73fe6b44f3c7 100644 --- a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected +++ b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected @@ -0,0 +1,59 @@ +#select +| Test.java:33:45:33:47 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:33:45:33:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:34:46:34:48 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:34:46:34:48 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:35:43:35:45 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:35:43:35:45 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:36:53:36:55 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:36:53:36:55 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:37:38:37:40 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:37:38:37:40 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:38:48:38:50 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:38:48:38:50 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:39:48:39:50 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:39:48:39:50 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:40:58:40:60 | uri | Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:40:58:40:60 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:32:29:32:39 | getIntent(...) | user-provided value | +| Test.java:48:45:48:47 | uri | Test.java:44:29:44:39 | getIntent(...) : Intent | Test.java:48:45:48:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:44:29:44:39 | getIntent(...) | user-provided value | +| Test.java:71:45:71:47 | uri | Test.java:67:29:67:39 | getIntent(...) : Intent | Test.java:71:45:71:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:67:29:67:39 | getIntent(...) | user-provided value | +| Test.java:96:45:96:47 | uri | Test.java:92:29:92:39 | getIntent(...) : Intent | Test.java:96:45:96:47 | uri | This ContentResolver method that resolves a URI depends on a $@. | Test.java:92:29:92:39 | getIntent(...) | user-provided value | +edges +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:33:45:33:47 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:34:46:34:48 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:35:43:35:45 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:36:53:36:55 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:37:38:37:40 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:38:48:38:50 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:39:48:39:50 | uri | provenance | | +| Test.java:32:23:32:71 | (...)... : Uri | Test.java:40:58:40:60 | uri | provenance | | +| Test.java:32:29:32:39 | getIntent(...) : Intent | Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 | +| Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | Test.java:32:23:32:71 | (...)... : Uri | provenance | | +| Test.java:44:23:44:71 | (...)... : Uri | Test.java:48:45:48:47 | uri | provenance | | +| Test.java:44:29:44:39 | getIntent(...) : Intent | Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 | +| Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | Test.java:44:23:44:71 | (...)... : Uri | provenance | | +| Test.java:67:23:67:71 | (...)... : Uri | Test.java:71:45:71:47 | uri | provenance | | +| Test.java:67:29:67:39 | getIntent(...) : Intent | Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 | +| Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | Test.java:67:23:67:71 | (...)... : Uri | provenance | | +| Test.java:92:23:92:71 | (...)... : Uri | Test.java:96:45:96:47 | uri | provenance | | +| Test.java:92:29:92:39 | getIntent(...) : Intent | Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | provenance | MaD:1 | +| Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | Test.java:92:23:92:71 | (...)... : Uri | provenance | | +models +| 1 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual | +nodes +| Test.java:32:23:32:71 | (...)... : Uri | semmle.label | (...)... : Uri | +| Test.java:32:29:32:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| Test.java:32:29:32:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable | +| Test.java:33:45:33:47 | uri | semmle.label | uri | +| Test.java:34:46:34:48 | uri | semmle.label | uri | +| Test.java:35:43:35:45 | uri | semmle.label | uri | +| Test.java:36:53:36:55 | uri | semmle.label | uri | +| Test.java:37:38:37:40 | uri | semmle.label | uri | +| Test.java:38:48:38:50 | uri | semmle.label | uri | +| Test.java:39:48:39:50 | uri | semmle.label | uri | +| Test.java:40:58:40:60 | uri | semmle.label | uri | +| Test.java:44:23:44:71 | (...)... : Uri | semmle.label | (...)... : Uri | +| Test.java:44:29:44:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| Test.java:44:29:44:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable | +| Test.java:48:45:48:47 | uri | semmle.label | uri | +| Test.java:67:23:67:71 | (...)... : Uri | semmle.label | (...)... : Uri | +| Test.java:67:29:67:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| Test.java:67:29:67:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable | +| Test.java:71:45:71:47 | uri | semmle.label | uri | +| Test.java:92:23:92:71 | (...)... : Uri | semmle.label | (...)... : Uri | +| Test.java:92:29:92:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| Test.java:92:29:92:71 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable | +| Test.java:96:45:96:47 | uri | semmle.label | uri | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql deleted file mode 100644 index ded8a8d69798..000000000000 --- a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.UnsafeContentUriResolutionQuery -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.qlref b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.qlref new file mode 100644 index 000000000000..abcbe555e289 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-441/UnsafeContentUriResolution.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.expected b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.expected index e69de29bb2d1..27281d078111 100644 --- a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.expected +++ b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.expected @@ -0,0 +1,68 @@ +#select +| MainActivity.java:17:20:17:39 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:17:20:17:39 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:18:23:18:55 | instantiate(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:18:23:18:55 | instantiate(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:19:23:19:61 | instantiate(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:19:23:19:61 | instantiate(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:20:23:20:28 | fClass | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:20:23:20:28 | fClass | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:21:23:21:42 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:21:23:21:42 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:22:23:22:42 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:22:23:22:42 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:23:27:23:32 | fClass | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:23:27:23:32 | fClass | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:24:27:24:46 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:24:27:24:46 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:25:27:25:32 | fClass | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:25:27:25:32 | fClass | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +| MainActivity.java:26:27:26:46 | newInstance(...) | MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:26:27:26:46 | newInstance(...) | Fragment depends on a $@, which may allow a malicious application to bypass access controls. | MainActivity.java:14:34:14:44 | getIntent(...) | user-provided value | +edges +| MainActivity.java:14:34:14:44 | getIntent(...) : Intent | MainActivity.java:14:34:14:68 | getStringExtra(...) : String | provenance | MaD:10 | +| MainActivity.java:14:34:14:68 | getStringExtra(...) : String | MainActivity.java:16:70:16:74 | fname : String | provenance | | +| MainActivity.java:16:38:16:75 | (...)... : Class | MainActivity.java:17:20:17:25 | fClass : Class | provenance | | +| MainActivity.java:16:56:16:75 | forName(...) : Class | MainActivity.java:16:38:16:75 | (...)... : Class | provenance | | +| MainActivity.java:16:70:16:74 | fname : String | MainActivity.java:16:56:16:75 | forName(...) : Class | provenance | Config | +| MainActivity.java:16:70:16:74 | fname : String | MainActivity.java:18:50:18:54 | fname : String | provenance | | +| MainActivity.java:17:20:17:25 | fClass : Class | MainActivity.java:17:20:17:39 | newInstance(...) | provenance | Config Sink:MaD:1 | +| MainActivity.java:17:20:17:25 | fClass : Class | MainActivity.java:20:23:20:28 | fClass | provenance | Sink:MaD:2 | +| MainActivity.java:17:20:17:25 | fClass : Class | MainActivity.java:21:23:21:28 | fClass : Class | provenance | | +| MainActivity.java:18:50:18:54 | fname : String | MainActivity.java:18:23:18:55 | instantiate(...) | provenance | Config Sink:MaD:4 | +| MainActivity.java:18:50:18:54 | fname : String | MainActivity.java:19:50:19:54 | fname : String | provenance | | +| MainActivity.java:19:50:19:54 | fname : String | MainActivity.java:19:23:19:61 | instantiate(...) | provenance | Config Sink:MaD:3 | +| MainActivity.java:21:23:21:28 | fClass : Class | MainActivity.java:21:23:21:42 | newInstance(...) | provenance | Config Sink:MaD:4 | +| MainActivity.java:21:23:21:28 | fClass : Class | MainActivity.java:22:23:22:28 | fClass : Class | provenance | | +| MainActivity.java:22:23:22:28 | fClass : Class | MainActivity.java:22:23:22:42 | newInstance(...) | provenance | Config Sink:MaD:5 | +| MainActivity.java:22:23:22:28 | fClass : Class | MainActivity.java:23:27:23:32 | fClass | provenance | Sink:MaD:6 | +| MainActivity.java:22:23:22:28 | fClass : Class | MainActivity.java:24:27:24:32 | fClass : Class | provenance | | +| MainActivity.java:24:27:24:32 | fClass : Class | MainActivity.java:24:27:24:46 | newInstance(...) | provenance | Config Sink:MaD:8 | +| MainActivity.java:24:27:24:32 | fClass : Class | MainActivity.java:25:27:25:32 | fClass | provenance | Sink:MaD:7 | +| MainActivity.java:24:27:24:32 | fClass : Class | MainActivity.java:26:27:26:32 | fClass : Class | provenance | | +| MainActivity.java:26:27:26:32 | fClass : Class | MainActivity.java:26:27:26:46 | newInstance(...) | provenance | Config Sink:MaD:9 | +models +| 1 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (Fragment,String); ; Argument[0]; fragment-injection; manual | +| 2 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (int,Class,Bundle,String); ; Argument[1]; fragment-injection; manual | +| 3 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (int,Fragment); ; Argument[1]; fragment-injection; manual | +| 4 | Sink: androidx.fragment.app; FragmentTransaction; true; add; (int,Fragment,String); ; Argument[1]; fragment-injection; manual | +| 5 | Sink: androidx.fragment.app; FragmentTransaction; true; attach; (Fragment); ; Argument[0]; fragment-injection; manual | +| 6 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Class,Bundle); ; Argument[1]; fragment-injection; manual | +| 7 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Class,Bundle,String); ; Argument[1]; fragment-injection; manual | +| 8 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Fragment); ; Argument[1]; fragment-injection; manual | +| 9 | Sink: androidx.fragment.app; FragmentTransaction; true; replace; (int,Fragment,String); ; Argument[1]; fragment-injection; manual | +| 10 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual | +nodes +| MainActivity.java:14:34:14:44 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| MainActivity.java:14:34:14:68 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | +| MainActivity.java:16:38:16:75 | (...)... : Class | semmle.label | (...)... : Class | +| MainActivity.java:16:56:16:75 | forName(...) : Class | semmle.label | forName(...) : Class | +| MainActivity.java:16:70:16:74 | fname : String | semmle.label | fname : String | +| MainActivity.java:17:20:17:25 | fClass : Class | semmle.label | fClass : Class | +| MainActivity.java:17:20:17:39 | newInstance(...) | semmle.label | newInstance(...) | +| MainActivity.java:18:23:18:55 | instantiate(...) | semmle.label | instantiate(...) | +| MainActivity.java:18:50:18:54 | fname : String | semmle.label | fname : String | +| MainActivity.java:19:23:19:61 | instantiate(...) | semmle.label | instantiate(...) | +| MainActivity.java:19:50:19:54 | fname : String | semmle.label | fname : String | +| MainActivity.java:20:23:20:28 | fClass | semmle.label | fClass | +| MainActivity.java:21:23:21:28 | fClass : Class | semmle.label | fClass : Class | +| MainActivity.java:21:23:21:42 | newInstance(...) | semmle.label | newInstance(...) | +| MainActivity.java:22:23:22:28 | fClass : Class | semmle.label | fClass : Class | +| MainActivity.java:22:23:22:42 | newInstance(...) | semmle.label | newInstance(...) | +| MainActivity.java:23:27:23:32 | fClass | semmle.label | fClass | +| MainActivity.java:24:27:24:32 | fClass : Class | semmle.label | fClass : Class | +| MainActivity.java:24:27:24:46 | newInstance(...) | semmle.label | newInstance(...) | +| MainActivity.java:25:27:25:32 | fClass | semmle.label | fClass | +| MainActivity.java:26:27:26:32 | fClass : Class | semmle.label | fClass : Class | +| MainActivity.java:26:27:26:46 | newInstance(...) | semmle.label | newInstance(...) | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql deleted file mode 100644 index 665d750ee204..000000000000 --- a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import semmle.code.java.security.FragmentInjectionQuery -import utils.test.InlineFlowTest -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.qlref new file mode 100644 index 000000000000..f6d0df1bfcda --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-470/FragmentInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-470/MainActivity.java b/java/ql/test/query-tests/security/CWE-470/MainActivity.java index 3773a9dbe37e..fccc2d21ff68 100644 --- a/java/ql/test/query-tests/security/CWE-470/MainActivity.java +++ b/java/ql/test/query-tests/security/CWE-470/MainActivity.java @@ -11,19 +11,19 @@ public class MainActivity extends FragmentActivity { public void onCreate(Bundle savedInstance) { try { super.onCreate(savedInstance); - final String fname = getIntent().getStringExtra("fname"); + final String fname = getIntent().getStringExtra("fname"); // $ Source FragmentTransaction ft = getSupportFragmentManager().beginTransaction(); Class fClass = (Class) Class.forName(fname); - ft.add(fClass.newInstance(), ""); // $ hasTaintFlow - ft.add(0, Fragment.instantiate(this, fname), null); // $ hasTaintFlow - ft.add(0, Fragment.instantiate(this, fname, null)); // $ hasTaintFlow - ft.add(0, fClass, null, ""); // $ hasTaintFlow - ft.add(0, fClass.newInstance(), ""); // $ hasTaintFlow - ft.attach(fClass.newInstance()); // $ hasTaintFlow - ft.replace(0, fClass, null); // $ hasTaintFlow - ft.replace(0, fClass.newInstance()); // $ hasTaintFlow - ft.replace(0, fClass, null, ""); // $ hasTaintFlow - ft.replace(0, fClass.newInstance(), ""); // $ hasTaintFlow + ft.add(fClass.newInstance(), ""); // $ Alert + ft.add(0, Fragment.instantiate(this, fname), null); // $ Alert + ft.add(0, Fragment.instantiate(this, fname, null)); // $ Alert + ft.add(0, fClass, null, ""); // $ Alert + ft.add(0, fClass.newInstance(), ""); // $ Alert + ft.attach(fClass.newInstance()); // $ Alert + ft.replace(0, fClass, null); // $ Alert + ft.replace(0, fClass.newInstance()); // $ Alert + ft.replace(0, fClass, null, ""); // $ Alert + ft.replace(0, fClass.newInstance(), ""); // $ Alert ft.add(Fragment.class.newInstance(), ""); // Safe ft.attach(Fragment.class.newInstance()); // Safe diff --git a/java/ql/test/query-tests/security/CWE-489/webview-debugging/Test.java b/java/ql/test/query-tests/security/CWE-489/webview-debugging/Test.java index 3fe75e893889..378d5920cdd1 100644 --- a/java/ql/test/query-tests/security/CWE-489/webview-debugging/Test.java +++ b/java/ql/test/query-tests/security/CWE-489/webview-debugging/Test.java @@ -4,20 +4,20 @@ class Test { boolean DEBUG_BUILD; void test1() { - WebView.setWebContentsDebuggingEnabled(true); // $hasValueFlow + WebView.setWebContentsDebuggingEnabled(true); // $ Alert } void test2(){ if (DEBUG_BUILD) { - WebView.setWebContentsDebuggingEnabled(true); + WebView.setWebContentsDebuggingEnabled(true); } } void test3(boolean enabled){ - WebView.setWebContentsDebuggingEnabled(enabled); // $hasValueFlow + WebView.setWebContentsDebuggingEnabled(enabled); // $ Alert } void test4(){ - test3(true); + test3(true); // $ Source } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.expected b/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.expected index e69de29bb2d1..040ae7e3f3f8 100644 --- a/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.expected +++ b/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.expected @@ -0,0 +1,12 @@ +#select +| Test.java:7:48:7:51 | true | Test.java:7:48:7:51 | true | Test.java:7:48:7:51 | true | Webview debugging is enabled. | +| Test.java:17:48:17:54 | enabled | Test.java:21:15:21:18 | true : Boolean | Test.java:17:48:17:54 | enabled | Webview debugging is enabled. | +edges +| Test.java:16:16:16:30 | enabled : Boolean | Test.java:17:48:17:54 | enabled | provenance | | +| Test.java:21:15:21:18 | true : Boolean | Test.java:16:16:16:30 | enabled : Boolean | provenance | | +nodes +| Test.java:7:48:7:51 | true | semmle.label | true | +| Test.java:16:16:16:30 | enabled : Boolean | semmle.label | enabled : Boolean | +| Test.java:17:48:17:54 | enabled | semmle.label | enabled | +| Test.java:21:15:21:18 | true : Boolean | semmle.label | true : Boolean | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.ql b/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.ql deleted file mode 100644 index f0b9cf08f820..000000000000 --- a/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.WebviewDebuggingEnabledQuery -import ValueFlowTest diff --git a/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.qlref b/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.qlref new file mode 100644 index 000000000000..596b3c6d005c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-489/webview-debugging/WebviewDebuggingEnabled.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-489/WebviewDebuggingEnabled.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-502/A.java b/java/ql/test/query-tests/security/CWE-502/A.java index f3bd633f8804..81974edf283e 100644 --- a/java/ql/test/query-tests/security/CWE-502/A.java +++ b/java/ql/test/query-tests/security/CWE-502/A.java @@ -11,15 +11,15 @@ public class A { public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException { - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source ObjectInputStream in = new ObjectInputStream(inputStream); - return in.readObject(); // $unsafeDeserialization + return in.readObject(); // $ Alert } public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException { - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source ObjectInputStream in = new ObjectInputStream(inputStream); - return in.readUnshared(); // $unsafeDeserialization + return in.readUnshared(); // $ Alert } public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOException, ClassNotFoundException { @@ -29,24 +29,24 @@ public Object deserializeWithSerialKiller(Socket sock) throws java.io.IOExceptio } public Object deserialize3(Socket sock) throws java.io.IOException { - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source XMLDecoder d = new XMLDecoder(inputStream); - return d.readObject(); // $unsafeDeserialization + return d.readObject(); // $ Alert } public Object deserialize4(Socket sock) throws java.io.IOException { XStream xs = new XStream(); - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source Reader reader = new InputStreamReader(inputStream); - return xs.fromXML(reader); // $unsafeDeserialization + return xs.fromXML(reader); // $ Alert } public void deserialize5(Socket sock) throws java.io.IOException { Kryo kryo = new Kryo(); - Input input = new Input(sock.getInputStream()); - A a1 = kryo.readObject(input, A.class); // $unsafeDeserialization - A a2 = kryo.readObjectOrNull(input, A.class); // $unsafeDeserialization - Object o = kryo.readClassAndObject(input); // $unsafeDeserialization + Input input = new Input(sock.getInputStream()); // $ Source + A a1 = kryo.readObject(input, A.class); // $ Alert + A a2 = kryo.readObjectOrNull(input, A.class); // $ Alert + Object o = kryo.readClassAndObject(input); // $ Alert } private Kryo getSafeKryo() throws java.io.IOException { @@ -64,22 +64,22 @@ public void deserialize6(Socket sock) throws java.io.IOException { public void deserializeSnakeYaml(Socket sock) throws java.io.IOException { Yaml yaml = new Yaml(); - InputStream input = sock.getInputStream(); - Object o = yaml.load(input); // $unsafeDeserialization - Object o2 = yaml.loadAll(input); // $unsafeDeserialization - Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization - A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization - A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization + InputStream input = sock.getInputStream(); // $ Source + Object o = yaml.load(input); // $ Alert + Object o2 = yaml.loadAll(input); // $ Alert + Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert + A o4 = yaml.loadAs(input, A.class); // $ Alert + A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert } public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException { Yaml yaml = new Yaml(new Constructor()); - InputStream input = sock.getInputStream(); - Object o = yaml.load(input); // $unsafeDeserialization - Object o2 = yaml.loadAll(input); // $unsafeDeserialization - Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization - A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization - A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization + InputStream input = sock.getInputStream(); // $ Source + Object o = yaml.load(input); // $ Alert + Object o2 = yaml.loadAll(input); // $ Alert + Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert + A o4 = yaml.loadAs(input, A.class); // $ Alert + A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert } public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException { @@ -94,11 +94,11 @@ public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException { public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException { Yaml yaml = new Yaml(new Constructor(A.class)); - InputStream input = sock.getInputStream(); - Object o = yaml.load(input); // $unsafeDeserialization - Object o2 = yaml.loadAll(input); // $unsafeDeserialization - Object o3 = yaml.parse(new InputStreamReader(input)); // $unsafeDeserialization - A o4 = yaml.loadAs(input, A.class); // $unsafeDeserialization - A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $unsafeDeserialization + InputStream input = sock.getInputStream(); // $ Source + Object o = yaml.load(input); // $ Alert + Object o2 = yaml.loadAll(input); // $ Alert + Object o3 = yaml.parse(new InputStreamReader(input)); // $ Alert + A o4 = yaml.loadAs(input, A.class); // $ Alert + A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-502/B.java b/java/ql/test/query-tests/security/CWE-502/B.java index d97a44cfd58a..803982081ad8 100644 --- a/java/ql/test/query-tests/security/CWE-502/B.java +++ b/java/ql/test/query-tests/security/CWE-502/B.java @@ -4,30 +4,30 @@ public class B { public Object deserializeJson1(Socket sock) throws java.io.IOException { - InputStream inputStream = sock.getInputStream(); - return JSON.parseObject(inputStream, null); // $unsafeDeserialization + InputStream inputStream = sock.getInputStream(); // $ Source + return JSON.parseObject(inputStream, null); // $ Alert } public Object deserializeJson2(Socket sock) throws java.io.IOException { - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source byte[] bytes = new byte[100]; inputStream.read(bytes); - return JSON.parse(bytes); // $unsafeDeserialization + return JSON.parse(bytes); // $ Alert } public Object deserializeJson3(Socket sock) throws java.io.IOException { - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source byte[] bytes = new byte[100]; inputStream.read(bytes); String s = new String(bytes); - return JSON.parseObject(s); // $unsafeDeserialization + return JSON.parseObject(s); // $ Alert } public Object deserializeJson4(Socket sock) throws java.io.IOException { - InputStream inputStream = sock.getInputStream(); + InputStream inputStream = sock.getInputStream(); // $ Source byte[] bytes = new byte[100]; inputStream.read(bytes); String s = new String(bytes); - return JSON.parse(s); // $unsafeDeserialization + return JSON.parse(s); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-502/C.java b/java/ql/test/query-tests/security/CWE-502/C.java index e13ae98ead52..e63515b85bd5 100644 --- a/java/ql/test/query-tests/security/CWE-502/C.java +++ b/java/ql/test/query-tests/security/CWE-502/C.java @@ -20,75 +20,75 @@ public class C { @GetMapping(value = "jyaml") public void bad1(HttpServletRequest request) throws Exception { - String data = request.getParameter("data"); - Yaml.load(data); // $unsafeDeserialization - Yaml.loadStream(data); // $unsafeDeserialization - Yaml.loadStreamOfType(data, Object.class); // $unsafeDeserialization - Yaml.loadType(data, Object.class); // $unsafeDeserialization + String data = request.getParameter("data"); // $ Source + Yaml.load(data); // $ Alert + Yaml.loadStream(data); // $ Alert + Yaml.loadStreamOfType(data, Object.class); // $ Alert + Yaml.loadType(data, Object.class); // $ Alert org.ho.yaml.YamlConfig yamlConfig = new YamlConfig(); - yamlConfig.load(data); // $unsafeDeserialization - yamlConfig.loadStream(data); // $unsafeDeserialization - yamlConfig.loadStreamOfType(data, Object.class); // $unsafeDeserialization - yamlConfig.loadType(data, Object.class); // $unsafeDeserialization + yamlConfig.load(data); // $ Alert + yamlConfig.loadStream(data); // $ Alert + yamlConfig.loadStreamOfType(data, Object.class); // $ Alert + yamlConfig.loadType(data, Object.class); // $ Alert } @GetMapping(value = "jsonio") public void bad2(HttpServletRequest request) { - String data = request.getParameter("data"); + String data = request.getParameter("data"); // $ Source HashMap hashMap = new HashMap(); hashMap.put("USE_MAPS", true); - JsonReader.jsonToJava(data); // $unsafeDeserialization + JsonReader.jsonToJava(data); // $ Alert JsonReader jr = new JsonReader(data, null); - jr.readObject(); // $unsafeDeserialization + jr.readObject(); // $ Alert } @GetMapping(value = "yamlbeans") public void bad3(HttpServletRequest request) throws Exception { - String data = request.getParameter("data"); + String data = request.getParameter("data"); // $ Source YamlReader r = new YamlReader(data); - r.read(); // $unsafeDeserialization - r.read(Object.class); // $unsafeDeserialization - r.read(Object.class, Object.class); // $unsafeDeserialization + r.read(); // $ Alert + r.read(Object.class); // $ Alert + r.read(Object.class, Object.class); // $ Alert } @GetMapping(value = "hessian") public void bad4(HttpServletRequest request) throws Exception { - byte[] bytes = request.getParameter("data").getBytes(); + byte[] bytes = request.getParameter("data").getBytes(); // $ Source ByteArrayInputStream bis = new ByteArrayInputStream(bytes); HessianInput hessianInput = new HessianInput(bis); - hessianInput.readObject(); // $unsafeDeserialization - hessianInput.readObject(Object.class); // $unsafeDeserialization + hessianInput.readObject(); // $ Alert + hessianInput.readObject(Object.class); // $ Alert } @GetMapping(value = "hessian2") public void bad5(HttpServletRequest request) throws Exception { - byte[] bytes = request.getParameter("data").getBytes(); + byte[] bytes = request.getParameter("data").getBytes(); // $ Source ByteArrayInputStream bis = new ByteArrayInputStream(bytes); Hessian2Input hessianInput = new Hessian2Input(bis); - hessianInput.readObject(); // $unsafeDeserialization - hessianInput.readObject(Object.class); // $unsafeDeserialization + hessianInput.readObject(); // $ Alert + hessianInput.readObject(Object.class); // $ Alert } @GetMapping(value = "castor") public void bad6(HttpServletRequest request) throws Exception { Unmarshaller unmarshaller = new Unmarshaller(); - unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); // $unsafeDeserialization + unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); // $ Alert } @GetMapping(value = "burlap") public void bad7(HttpServletRequest request) throws Exception { - byte[] serializedData = request.getParameter("data").getBytes(); + byte[] serializedData = request.getParameter("data").getBytes(); // $ Source ByteArrayInputStream is = new ByteArrayInputStream(serializedData); BurlapInput burlapInput = new BurlapInput(is); - burlapInput.readObject(); // $unsafeDeserialization + burlapInput.readObject(); // $ Alert BurlapInput burlapInput1 = new BurlapInput(); burlapInput1.init(is); - burlapInput1.readObject(); // $unsafeDeserialization + burlapInput1.readObject(); // $ Alert } @GetMapping(value = "jsonio1") diff --git a/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java b/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java index c7e5c1ce5871..1d47bd2b7fd2 100644 --- a/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java +++ b/java/ql/test/query-tests/security/CWE-502/FlexjsonServlet.java @@ -33,7 +33,7 @@ public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOEx // BAD: allow class name to be controlled by remote source public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { JSONDeserializer deserializer = new JSONDeserializer<>(); - User user = (User) deserializer.deserialize(req.getReader()); // $unsafeDeserialization + User user = (User) deserializer.deserialize(req.getReader()); // $ Alert } @@ -41,7 +41,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOEx // BAD: allow class name to be controlled by remote source public void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOException { JSONDeserializer deserializer = new JSONDeserializer<>(); - User user = (User) deserializer.deserialize(req.getReader()); // $unsafeDeserialization + User user = (User) deserializer.deserialize(req.getReader()); // $ Alert } @@ -49,7 +49,7 @@ public void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOE // BAD: specify overly generic class type public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { JSONDeserializer deserializer = new JSONDeserializer(); - User user = (User) deserializer.deserialize(req.getReader(), Object.class); // $unsafeDeserialization + User user = (User) deserializer.deserialize(req.getReader(), Object.class); // $ Alert } private Person fromJsonToPerson(String json) { @@ -64,8 +64,8 @@ public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOEx // BAD: Specify a concrete class type to `use` with `ObjectFactory` public void doPut3(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); - Person person = new JSONDeserializer().use(Person.class, new ExistingObjectFactory(new Person())).deserialize(json); // $unsafeDeserialization + String json = req.getParameter("json"); // $ Source + Person person = new JSONDeserializer().use(Person.class, new ExistingObjectFactory(new Person())).deserialize(json); // $ Alert } // GOOD: Specify a null path to `use` with a concrete class type @@ -76,8 +76,8 @@ public void doPut4(HttpServletRequest req, HttpServletResponse resp) throws IOEx // BAD: Specify a non-null json path to `use` with a concrete class type public void doPut5(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); - Person person = new JSONDeserializer().use("abc", Person.class).deserialize(json); // $unsafeDeserialization + String json = req.getParameter("json"); // $ Source + Person person = new JSONDeserializer().use("abc", Person.class).deserialize(json); // $ Alert } // GOOD: Specify a null json path to `use` with `ObjectFactory` @@ -116,11 +116,11 @@ public void doPut10(HttpServletRequest req, HttpServletResponse resp) throws IOE // BAD: Specify a non-null json path to `use` with a concrete class type, interwoven with irrelevant use directives, without using fluent method chaining public void doPut11(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source JSONDeserializer deserializer = new JSONDeserializer(); deserializer.use(Person.class, null); deserializer.use("someKey", Person.class); deserializer.use(String.class, null); - Person person = deserializer.deserialize(json); // $unsafeDeserialization + Person person = deserializer.deserialize(json); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-502/GsonActivity.java b/java/ql/test/query-tests/security/CWE-502/GsonActivity.java index a080924c6cd4..93e944118340 100644 --- a/java/ql/test/query-tests/security/CWE-502/GsonActivity.java +++ b/java/ql/test/query-tests/security/CWE-502/GsonActivity.java @@ -5,13 +5,13 @@ import android.os.Parcel; import android.os.Parcelable; -import com.google.gson.Gson; +import com.google.gson.Gson; public class GsonActivity extends Activity { public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(-1); - ParcelableEntity entity = (ParcelableEntity) getIntent().getParcelableExtra("jsonEntity"); + ParcelableEntity entity = (ParcelableEntity) getIntent().getParcelableExtra("jsonEntity"); // $ Source } } diff --git a/java/ql/test/query-tests/security/CWE-502/GsonServlet.java b/java/ql/test/query-tests/security/CWE-502/GsonServlet.java index 47534d2d7a09..0ee62249031b 100644 --- a/java/ql/test/query-tests/security/CWE-502/GsonServlet.java +++ b/java/ql/test/query-tests/security/CWE-502/GsonServlet.java @@ -36,12 +36,12 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc @Override // BAD: allow class name to be controlled by remote source public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source String clazz = req.getParameter("class"); try { Gson gson = new Gson(); - Object obj = gson.fromJson(json, Class.forName(clazz)); // $unsafeDeserialization + Object obj = gson.fromJson(json, Class.forName(clazz)); // $ Alert } catch (ClassNotFoundException cne) { throw new IOException(cne.getMessage()); } @@ -50,14 +50,14 @@ public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOEx @Override // BAD: allow class name to be controlled by remote source even with a type adapter factory public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source String clazz = req.getParameter("class"); try { RuntimeTypeAdapterFactory runtimeTypeAdapterFactory = RuntimeTypeAdapterFactory .of(User.class, "type"); Gson gson = new GsonBuilder().registerTypeAdapterFactory(runtimeTypeAdapterFactory).create(); - Object obj = gson.fromJson(json, Class.forName(clazz)); // $unsafeDeserialization + Object obj = gson.fromJson(json, Class.forName(clazz)); // $ Alert } catch (ClassNotFoundException cne) { throw new IOException(cne.getMessage()); } @@ -74,4 +74,4 @@ public void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOE Gson gson = new GsonBuilder().registerTypeAdapterFactory(runtimeTypeAdapterFactory).create(); Person obj = gson.fromJson(json, Person.class); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-502/JabsorbServlet.java b/java/ql/test/query-tests/security/CWE-502/JabsorbServlet.java index 14e8d1819c6f..c5a072e65f1a 100644 --- a/java/ql/test/query-tests/security/CWE-502/JabsorbServlet.java +++ b/java/ql/test/query-tests/security/CWE-502/JabsorbServlet.java @@ -86,7 +86,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOEx @Override // BAD: allow class name to be controlled by remote source public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source String clazz = req.getParameter("class"); try { @@ -99,7 +99,7 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc serializer.setMarshallNullAttributes(true); SerializerState state = new SerializerState(); - User user = (User) serializer.unmarshall(state, Class.forName(clazz), jsonObject); // $unsafeDeserialization + User user = (User) serializer.unmarshall(state, Class.forName(clazz), jsonObject); // $ Alert } catch (Exception e) { throw new IOException(e.getMessage()); } @@ -107,15 +107,15 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc // BAD: allow explicit class type controlled by remote source in the format of "json={\"javaClass\":\"com.thirdparty.Attacker\", ...}" public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source try { JSONSerializer serializer = new JSONSerializer(); serializer.registerDefaultSerializers(); - User user = (User) serializer.fromJSON(json); // $unsafeDeserialization + User user = (User) serializer.fromJSON(json); // $ Alert } catch (Exception e) { throw new IOException(e.getMessage()); } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-502/JacksonTest.java b/java/ql/test/query-tests/security/CWE-502/JacksonTest.java index 3520e4eaa116..71be753b89a1 100644 --- a/java/ql/test/query-tests/security/CWE-502/JacksonTest.java +++ b/java/ql/test/query-tests/security/CWE-502/JacksonTest.java @@ -17,7 +17,7 @@ public static void withSocket(Action action) throws Exception { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); + int n = socket.getInputStream().read(bytes); // $ Source String jexlExpr = new String(bytes, 0, n); action.run(jexlExpr); } @@ -73,7 +73,7 @@ class UnsafePersonDeserialization { private static void testUnsafeDeserialization() throws Exception { JacksonTest.withSocket(string -> { ObjectMapper mapper = new ObjectMapper(); - mapper.readValue(string, Person.class); // $unsafeDeserialization + mapper.readValue(string, Person.class); // $ Alert }); } @@ -82,7 +82,7 @@ private static void testUnsafeDeserialization() throws Exception { private static void testUnsafeDeserializationWithExtendedClass() throws Exception { JacksonTest.withSocket(string -> { ObjectMapper mapper = new ObjectMapper(); - mapper.readValue(string, Employee.class); // $unsafeDeserialization + mapper.readValue(string, Employee.class); // $ Alert }); } @@ -91,7 +91,7 @@ private static void testUnsafeDeserializationWithExtendedClass() throws Exceptio private static void testUnsafeDeserializationWithWrapper() throws Exception { JacksonTest.withSocket(string -> { ObjectMapper mapper = new ObjectMapper(); - mapper.readValue(string, Task.class); // $unsafeDeserialization + mapper.readValue(string, Task.class); // $ Alert }); } } @@ -102,7 +102,7 @@ class SaferPersonDeserialization { // has a validator private static void testSafeDeserializationWithValidator() throws Exception { JacksonTest.withSocket(string -> { - PolymorphicTypeValidator ptv = + PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() .allowIfSubType("only.allowed.package") .build(); @@ -118,7 +118,7 @@ private static void testSafeDeserializationWithValidator() throws Exception { // has a validator private static void testSafeDeserializationWithValidatorAndBuilder() throws Exception { JacksonTest.withSocket(string -> { - PolymorphicTypeValidator ptv = + PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() .allowIfSubType("only.allowed.package") .build(); @@ -139,7 +139,7 @@ private static void testUnsafeDeserialization() throws Exception { JacksonTest.withSocket(string -> { ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); // this enables polymorphic type handling - mapper.readValue(string, Cat.class); // $unsafeDeserialization + mapper.readValue(string, Cat.class); // $ Alert }); } @@ -148,7 +148,7 @@ private static void testUnsafeDeserializationWithObjectMapperReadValues() throws JacksonTest.withSocket(string -> { ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); - mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll(); // $unsafeDeserialization + mapper.readValues(new JsonFactory().createParser(string), Cat.class).readAll(); // $ Alert }); } @@ -157,7 +157,7 @@ private static void testUnsafeDeserializationWithObjectMapperTreeToValue() throw JacksonTest.withSocket(string -> { ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); - mapper.treeToValue(mapper.readTree(string), Cat.class); // $unsafeDeserialization + mapper.treeToValue(mapper.readTree(string), Cat.class); // $ Alert }); } @@ -169,7 +169,7 @@ private static void testUnsafeDeserializationWithUnsafeClass() throws Exception String type = parts[1]; Class clazz = Class.forName(type); ObjectMapper mapper = new ObjectMapper(); - mapper.readValue(data, clazz); // $unsafeDeserialization + mapper.readValue(data, clazz); // $ Alert }); } @@ -180,7 +180,7 @@ private static void testUnsafeDeserializationWithUnsafeClassAndCustomTypeResolve String data = parts[0]; String type = parts[1]; ObjectMapper mapper = new ObjectMapper(); - mapper.readValue(data, resolveImpl(type, mapper)); // $unsafeDeserialization + mapper.readValue(data, resolveImpl(type, mapper)); // $ Alert }); } @@ -195,15 +195,15 @@ class SaferCatDeserialization { // has a validator private static void testUnsafeDeserialization() throws Exception { JacksonTest.withSocket(string -> { - PolymorphicTypeValidator ptv = + PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() .allowIfSubType("only.allowed.pachage") .build(); - + ObjectMapper mapper = JsonMapper.builder().polymorphicTypeValidator(ptv).build(); mapper.enableDefaultTyping(); // this enables polymorphic type handling mapper.readValue(string, Cat.class); }); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-502/JoddJsonServlet.java b/java/ql/test/query-tests/security/CWE-502/JoddJsonServlet.java index c10bfbc46b98..caeff0028f20 100644 --- a/java/ql/test/query-tests/security/CWE-502/JoddJsonServlet.java +++ b/java/ql/test/query-tests/security/CWE-502/JoddJsonServlet.java @@ -29,7 +29,7 @@ public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOExc // BAD: dangerously configured parser with no class restriction passed to `parse`, // using a few different possible call sequences. public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source String clazz = req.getParameter("class"); int callOrder; try { @@ -42,25 +42,25 @@ public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOEx JsonParser parser = new JsonParser(); if(callOrder == 0) { parser.setClassMetadataName("class"); - User obj = parser.parse(json, null); // $unsafeDeserialization + User obj = parser.parse(json, null); // $ Alert } else if(callOrder == 1) { - parser.setClassMetadataName("class").parse(json, null); // $unsafeDeserialization + parser.setClassMetadataName("class").parse(json, null); // $ Alert } else if(callOrder == 2) { - parser.setClassMetadataName("class").lazy(true).parse(json, null); // $unsafeDeserialization + parser.setClassMetadataName("class").lazy(true).parse(json, null); // $ Alert } else if(callOrder == 3) { - parser.withClassMetadata(true).lazy(true).parse(json, null); // $unsafeDeserialization + parser.withClassMetadata(true).lazy(true).parse(json, null); // $ Alert } } @Override // BAD: allow class name to be controlled by remote source public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { - String json = req.getParameter("json"); + String json = req.getParameter("json"); // $ Source String clazz = req.getParameter("class"); try { JsonParser parser = new JsonParser(); - Object obj = parser.parse(json, Class.forName(clazz)); // $unsafeDeserialization + Object obj = parser.parse(json, Class.forName(clazz)); // $ Alert } catch (ClassNotFoundException cne) { throw new IOException(cne.getMessage()); } @@ -99,4 +99,4 @@ public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOExc parser.withClassMetadata(true).setClassMetadataName(null).parse(json, null); } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-502/ObjectMessageTest.java b/java/ql/test/query-tests/security/CWE-502/ObjectMessageTest.java index 15da41b93c8a..2ccf7c282c21 100644 --- a/java/ql/test/query-tests/security/CWE-502/ObjectMessageTest.java +++ b/java/ql/test/query-tests/security/CWE-502/ObjectMessageTest.java @@ -3,7 +3,7 @@ import javax.jms.ObjectMessage; public class ObjectMessageTest implements MessageListener { - public void onMessage(Message message) { - ((ObjectMessage) message).getObject(); // $ unsafeDeserialization + public void onMessage(Message message) { // $ Source + ((ObjectMessage) message).getObject(); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-502/ParcelableEntity.java b/java/ql/test/query-tests/security/CWE-502/ParcelableEntity.java index a9cbcabd9d39..33b43ce8d6df 100644 --- a/java/ql/test/query-tests/security/CWE-502/ParcelableEntity.java +++ b/java/ql/test/query-tests/security/CWE-502/ParcelableEntity.java @@ -29,7 +29,7 @@ public void writeToParcel(Parcel parcel, int i) { public ParcelableEntity createFromParcel(Parcel parcel) { try { Class clazz = Class.forName(parcel.readString()); - Object obj = GSON.fromJson(parcel.readString(), clazz); // $unsafeDeserialization + Object obj = GSON.fromJson(parcel.readString(), clazz); // $ Alert return new ParcelableEntity(obj); } catch (ClassNotFoundException e) { diff --git a/java/ql/test/query-tests/security/CWE-502/TestMessageBodyReader.java b/java/ql/test/query-tests/security/CWE-502/TestMessageBodyReader.java index 2132041254da..54cc4f5d6146 100644 --- a/java/ql/test/query-tests/security/CWE-502/TestMessageBodyReader.java +++ b/java/ql/test/query-tests/security/CWE-502/TestMessageBodyReader.java @@ -17,12 +17,12 @@ public boolean isReadable(Class type, Type genericType, Annotation[] annotati @Override public Object readFrom(Class type, Type genericType, Annotation[] annotations, MediaType mediaType, - MultivaluedMap httpHeaders, InputStream entityStream) throws IOException { + MultivaluedMap httpHeaders, InputStream entityStream) throws IOException { // $ Source try { - return new ObjectInputStream(entityStream).readObject(); // $unsafeDeserialization + return new ObjectInputStream(entityStream).readObject(); // $ Alert } catch (ClassNotFoundException e) { e.printStackTrace(); } return null; } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected index e69de29bb2d1..b4064231bec6 100644 --- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected +++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected @@ -0,0 +1,411 @@ +#select +| A.java:16:12:16:26 | readObject(...) | A.java:14:31:14:51 | getInputStream(...) : InputStream | A.java:16:12:16:13 | in | Unsafe deserialization depends on a $@. | A.java:14:31:14:51 | getInputStream(...) | user-provided value | +| A.java:22:12:22:28 | readUnshared(...) | A.java:20:31:20:51 | getInputStream(...) : InputStream | A.java:22:12:22:13 | in | Unsafe deserialization depends on a $@. | A.java:20:31:20:51 | getInputStream(...) | user-provided value | +| A.java:34:12:34:25 | readObject(...) | A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:34:12:34:12 | d | Unsafe deserialization depends on a $@. | A.java:32:31:32:51 | getInputStream(...) | user-provided value | +| A.java:41:12:41:29 | fromXML(...) | A.java:39:31:39:51 | getInputStream(...) : InputStream | A.java:41:23:41:28 | reader | Unsafe deserialization depends on a $@. | A.java:39:31:39:51 | getInputStream(...) | user-provided value | +| A.java:47:12:47:42 | readObject(...) | A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:47:28:47:32 | input | Unsafe deserialization depends on a $@. | A.java:46:29:46:49 | getInputStream(...) | user-provided value | +| A.java:48:12:48:48 | readObjectOrNull(...) | A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:48:34:48:38 | input | Unsafe deserialization depends on a $@. | A.java:46:29:46:49 | getInputStream(...) | user-provided value | +| A.java:49:16:49:45 | readClassAndObject(...) | A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:49:40:49:44 | input | Unsafe deserialization depends on a $@. | A.java:46:29:46:49 | getInputStream(...) | user-provided value | +| A.java:68:16:68:31 | load(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:68:26:68:30 | input | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value | +| A.java:69:17:69:35 | loadAll(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:69:30:69:34 | input | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value | +| A.java:70:17:70:56 | parse(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:70:28:70:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value | +| A.java:71:12:71:38 | loadAs(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:71:24:71:28 | input | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value | +| A.java:72:12:72:61 | loadAs(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:72:24:72:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value | +| A.java:78:16:78:31 | load(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:78:26:78:30 | input | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value | +| A.java:79:17:79:35 | loadAll(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:79:30:79:34 | input | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value | +| A.java:80:17:80:56 | parse(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:80:28:80:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value | +| A.java:81:12:81:38 | loadAs(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:81:24:81:28 | input | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value | +| A.java:82:12:82:61 | loadAs(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:82:24:82:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value | +| A.java:98:16:98:31 | load(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:98:26:98:30 | input | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value | +| A.java:99:17:99:35 | loadAll(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:99:30:99:34 | input | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value | +| A.java:100:17:100:56 | parse(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:100:28:100:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value | +| A.java:101:12:101:38 | loadAs(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:101:24:101:28 | input | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value | +| A.java:102:12:102:61 | loadAs(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:102:24:102:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value | +| B.java:8:12:8:46 | parseObject(...) | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | Unsafe deserialization depends on a $@. | B.java:7:31:7:51 | getInputStream(...) | user-provided value | +| B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization depends on a $@. | B.java:12:31:12:51 | getInputStream(...) | user-provided value | +| B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization depends on a $@. | B.java:19:31:19:51 | getInputStream(...) | user-provided value | +| B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization depends on a $@. | B.java:27:31:27:51 | getInputStream(...) | user-provided value | +| C.java:24:3:24:17 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:25:3:25:23 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:26:3:26:43 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:27:3:27:35 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:30:3:30:23 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:31:3:31:29 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:32:3:32:49 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:33:3:33:41 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data | Unsafe deserialization depends on a $@. | C.java:23:17:23:44 | getParameter(...) | user-provided value | +| C.java:43:3:43:29 | jsonToJava(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data | Unsafe deserialization depends on a $@. | C.java:38:17:38:44 | getParameter(...) | user-provided value | +| C.java:46:3:46:17 | readObject(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr | Unsafe deserialization depends on a $@. | C.java:38:17:38:44 | getParameter(...) | user-provided value | +| C.java:53:3:53:10 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r | Unsafe deserialization depends on a $@. | C.java:51:17:51:44 | getParameter(...) | user-provided value | +| C.java:54:3:54:22 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r | Unsafe deserialization depends on a $@. | C.java:51:17:51:44 | getParameter(...) | user-provided value | +| C.java:55:3:55:36 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r | Unsafe deserialization depends on a $@. | C.java:51:17:51:44 | getParameter(...) | user-provided value | +| C.java:63:3:63:27 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput | Unsafe deserialization depends on a $@. | C.java:60:18:60:45 | getParameter(...) | user-provided value | +| C.java:64:3:64:39 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput | Unsafe deserialization depends on a $@. | C.java:60:18:60:45 | getParameter(...) | user-provided value | +| C.java:72:3:72:27 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput | Unsafe deserialization depends on a $@. | C.java:69:18:69:45 | getParameter(...) | user-provided value | +| C.java:73:3:73:39 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput | Unsafe deserialization depends on a $@. | C.java:69:18:69:45 | getParameter(...) | user-provided value | +| C.java:79:3:79:72 | unmarshal(...) | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | Unsafe deserialization depends on a $@. | C.java:79:43:79:70 | getParameter(...) | user-provided value | +| C.java:87:3:87:26 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput | Unsafe deserialization depends on a $@. | C.java:84:27:84:54 | getParameter(...) | user-provided value | +| C.java:91:3:91:27 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 | Unsafe deserialization depends on a $@. | C.java:84:27:84:54 | getParameter(...) | user-provided value | +| FlexjsonServlet.java:36:28:36:68 | deserialize(...) | FlexjsonServlet.java:36:53:36:67 | getReader(...) | FlexjsonServlet.java:36:53:36:67 | getReader(...) | Unsafe deserialization depends on a $@. | FlexjsonServlet.java:36:53:36:67 | getReader(...) | user-provided value | +| FlexjsonServlet.java:44:28:44:68 | deserialize(...) | FlexjsonServlet.java:44:53:44:67 | getReader(...) | FlexjsonServlet.java:44:53:44:67 | getReader(...) | Unsafe deserialization depends on a $@. | FlexjsonServlet.java:44:53:44:67 | getReader(...) | user-provided value | +| FlexjsonServlet.java:52:28:52:82 | deserialize(...) | FlexjsonServlet.java:52:53:52:67 | getReader(...) | FlexjsonServlet.java:52:53:52:67 | getReader(...) | Unsafe deserialization depends on a $@. | FlexjsonServlet.java:52:53:52:67 | getReader(...) | user-provided value | +| FlexjsonServlet.java:68:25:68:131 | deserialize(...) | FlexjsonServlet.java:67:23:67:46 | getParameter(...) : String | FlexjsonServlet.java:68:127:68:130 | json | Unsafe deserialization depends on a $@. | FlexjsonServlet.java:67:23:67:46 | getParameter(...) | user-provided value | +| FlexjsonServlet.java:80:25:80:97 | deserialize(...) | FlexjsonServlet.java:79:23:79:46 | getParameter(...) : String | FlexjsonServlet.java:80:93:80:96 | json | Unsafe deserialization depends on a $@. | FlexjsonServlet.java:79:23:79:46 | getParameter(...) | user-provided value | +| FlexjsonServlet.java:124:25:124:54 | deserialize(...) | FlexjsonServlet.java:119:23:119:46 | getParameter(...) : String | FlexjsonServlet.java:124:50:124:53 | json | Unsafe deserialization depends on a $@. | FlexjsonServlet.java:119:23:119:46 | getParameter(...) | user-provided value | +| GsonServlet.java:44:26:44:66 | fromJson(...) | GsonServlet.java:39:23:39:46 | getParameter(...) : String | GsonServlet.java:44:40:44:43 | json | Unsafe deserialization depends on a $@. | GsonServlet.java:39:23:39:46 | getParameter(...) | user-provided value | +| GsonServlet.java:60:26:60:66 | fromJson(...) | GsonServlet.java:53:23:53:46 | getParameter(...) : String | GsonServlet.java:60:40:60:43 | json | Unsafe deserialization depends on a $@. | GsonServlet.java:53:23:53:46 | getParameter(...) | user-provided value | +| JabsorbServlet.java:102:32:102:93 | unmarshall(...) | JabsorbServlet.java:89:23:89:46 | getParameter(...) : String | JabsorbServlet.java:102:83:102:92 | jsonObject | Unsafe deserialization depends on a $@. | JabsorbServlet.java:89:23:89:46 | getParameter(...) | user-provided value | +| JabsorbServlet.java:116:32:116:56 | fromJSON(...) | JabsorbServlet.java:110:23:110:46 | getParameter(...) : String | JabsorbServlet.java:116:52:116:55 | json | Unsafe deserialization depends on a $@. | JabsorbServlet.java:110:23:110:46 | getParameter(...) | user-provided value | +| JacksonTest.java:76:13:76:50 | readValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:76:30:76:35 | string | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:85:13:85:52 | readValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:85:30:85:35 | string | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:94:13:94:48 | readValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:94:30:94:35 | string | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:142:13:142:47 | readValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:142:30:142:35 | string | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:151:13:151:80 | readValues(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:151:31:151:68 | createParser(...) | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:160:13:160:66 | treeToValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:160:32:160:54 | readTree(...) | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:172:13:172:41 | readValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:172:30:172:33 | data | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JacksonTest.java:183:13:183:61 | readValue(...) | JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:183:30:183:33 | data | Unsafe deserialization depends on a $@. | JacksonTest.java:20:25:20:47 | getInputStream(...) | user-provided value | +| JoddJsonServlet.java:45:24:45:47 | parse(...) | JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:45:37:45:40 | json | Unsafe deserialization depends on a $@. | JoddJsonServlet.java:32:23:32:46 | getParameter(...) | user-provided value | +| JoddJsonServlet.java:47:13:47:66 | parse(...) | JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:47:56:47:59 | json | Unsafe deserialization depends on a $@. | JoddJsonServlet.java:32:23:32:46 | getParameter(...) | user-provided value | +| JoddJsonServlet.java:49:13:49:77 | parse(...) | JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:49:67:49:70 | json | Unsafe deserialization depends on a $@. | JoddJsonServlet.java:32:23:32:46 | getParameter(...) | user-provided value | +| JoddJsonServlet.java:51:13:51:71 | parse(...) | JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:51:61:51:64 | json | Unsafe deserialization depends on a $@. | JoddJsonServlet.java:32:23:32:46 | getParameter(...) | user-provided value | +| JoddJsonServlet.java:63:26:63:65 | parse(...) | JoddJsonServlet.java:58:23:58:46 | getParameter(...) : String | JoddJsonServlet.java:63:39:63:42 | json | Unsafe deserialization depends on a $@. | JoddJsonServlet.java:58:23:58:46 | getParameter(...) | user-provided value | +| ObjectMessageTest.java:7:9:7:45 | getObject(...) | ObjectMessageTest.java:6:27:6:41 | message : Message | ObjectMessageTest.java:7:26:7:32 | message | Unsafe deserialization depends on a $@. | ObjectMessageTest.java:6:27:6:41 | message | user-provided value | +| ParcelableEntity.java:32:30:32:70 | fromJson(...) | GsonActivity.java:15:54:15:64 | getIntent(...) : Intent | ParcelableEntity.java:32:44:32:62 | readString(...) | Unsafe deserialization depends on a $@. | GsonActivity.java:15:54:15:64 | getIntent(...) | user-provided value | +| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization depends on a $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user-provided value | +edges +| A.java:14:31:14:51 | getInputStream(...) : InputStream | A.java:15:50:15:60 | inputStream : InputStream | provenance | Src:MaD:1 | +| A.java:14:31:14:51 | getInputStream(...) : InputStream | A.java:16:12:16:13 | in | provenance | Src:MaD:1 inputStreamWrapper | +| A.java:15:28:15:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:16:12:16:13 | in | provenance | | +| A.java:15:50:15:60 | inputStream : InputStream | A.java:15:28:15:61 | new ObjectInputStream(...) : ObjectInputStream | provenance | MaD:11 | +| A.java:20:31:20:51 | getInputStream(...) : InputStream | A.java:21:50:21:60 | inputStream : InputStream | provenance | Src:MaD:1 | +| A.java:20:31:20:51 | getInputStream(...) : InputStream | A.java:22:12:22:13 | in | provenance | Src:MaD:1 inputStreamWrapper | +| A.java:21:28:21:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:22:12:22:13 | in | provenance | | +| A.java:21:50:21:60 | inputStream : InputStream | A.java:21:28:21:61 | new ObjectInputStream(...) : ObjectInputStream | provenance | MaD:11 | +| A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:33:35:33:45 | inputStream : InputStream | provenance | Src:MaD:1 | +| A.java:33:20:33:46 | new XMLDecoder(...) : XMLDecoder | A.java:34:12:34:12 | d | provenance | | +| A.java:33:35:33:45 | inputStream : InputStream | A.java:33:20:33:46 | new XMLDecoder(...) : XMLDecoder | provenance | MaD:7 | +| A.java:39:31:39:51 | getInputStream(...) : InputStream | A.java:40:43:40:53 | inputStream : InputStream | provenance | Src:MaD:1 | +| A.java:40:21:40:54 | new InputStreamReader(...) : InputStreamReader | A.java:41:23:41:28 | reader | provenance | | +| A.java:40:43:40:53 | inputStream : InputStream | A.java:40:21:40:54 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:10 | +| A.java:46:19:46:50 | new Input(...) : Input | A.java:47:28:47:32 | input | provenance | | +| A.java:46:19:46:50 | new Input(...) : Input | A.java:48:34:48:38 | input | provenance | | +| A.java:46:19:46:50 | new Input(...) : Input | A.java:49:40:49:44 | input | provenance | | +| A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:46:19:46:50 | new Input(...) : Input | provenance | Src:MaD:1 MaD:5 | +| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:68:26:68:30 | input | provenance | Src:MaD:1 | +| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:69:30:69:34 | input | provenance | Src:MaD:1 | +| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:70:50:70:54 | input : InputStream | provenance | Src:MaD:1 | +| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:71:24:71:28 | input | provenance | Src:MaD:1 | +| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:72:46:72:50 | input : InputStream | provenance | Src:MaD:1 | +| A.java:70:50:70:54 | input : InputStream | A.java:70:28:70:55 | new InputStreamReader(...) | provenance | MaD:10 | +| A.java:72:46:72:50 | input : InputStream | A.java:72:24:72:51 | new InputStreamReader(...) | provenance | MaD:10 | +| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:78:26:78:30 | input | provenance | Src:MaD:1 | +| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:79:30:79:34 | input | provenance | Src:MaD:1 | +| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:80:50:80:54 | input : InputStream | provenance | Src:MaD:1 | +| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:81:24:81:28 | input | provenance | Src:MaD:1 | +| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:82:46:82:50 | input : InputStream | provenance | Src:MaD:1 | +| A.java:80:50:80:54 | input : InputStream | A.java:80:28:80:55 | new InputStreamReader(...) | provenance | MaD:10 | +| A.java:82:46:82:50 | input : InputStream | A.java:82:24:82:51 | new InputStreamReader(...) | provenance | MaD:10 | +| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:98:26:98:30 | input | provenance | Src:MaD:1 | +| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:99:30:99:34 | input | provenance | Src:MaD:1 | +| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:100:50:100:54 | input : InputStream | provenance | Src:MaD:1 | +| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:101:24:101:28 | input | provenance | Src:MaD:1 | +| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:102:46:102:50 | input : InputStream | provenance | Src:MaD:1 | +| A.java:100:50:100:54 | input : InputStream | A.java:100:28:100:55 | new InputStreamReader(...) | provenance | MaD:10 | +| A.java:102:46:102:50 | input : InputStream | A.java:102:24:102:51 | new InputStreamReader(...) | provenance | MaD:10 | +| B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | provenance | Src:MaD:1 | +| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:14:5:14:15 | inputStream : InputStream | provenance | Src:MaD:1 | +| B.java:14:5:14:15 | inputStream : InputStream | B.java:14:22:14:26 | bytes [post update] : byte[] | provenance | MaD:9 | +| B.java:14:22:14:26 | bytes [post update] : byte[] | B.java:15:23:15:27 | bytes | provenance | | +| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:21:5:21:15 | inputStream : InputStream | provenance | Src:MaD:1 | +| B.java:21:5:21:15 | inputStream : InputStream | B.java:21:22:21:26 | bytes [post update] : byte[] | provenance | MaD:9 | +| B.java:21:22:21:26 | bytes [post update] : byte[] | B.java:22:27:22:31 | bytes : byte[] | provenance | | +| B.java:22:16:22:32 | new String(...) : String | B.java:23:29:23:29 | s | provenance | | +| B.java:22:27:22:31 | bytes : byte[] | B.java:22:16:22:32 | new String(...) : String | provenance | MaD:13 | +| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream | provenance | Src:MaD:1 | +| B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] | provenance | MaD:9 | +| B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:30:27:30:31 | bytes : byte[] | provenance | | +| B.java:30:16:30:32 | new String(...) : String | B.java:31:23:31:23 | s | provenance | | +| B.java:30:27:30:31 | bytes : byte[] | B.java:30:16:30:32 | new String(...) : String | provenance | MaD:13 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data | provenance | Src:MaD:3 | +| C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data | provenance | Src:MaD:3 | +| C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data | provenance | Src:MaD:3 | +| C.java:38:17:38:44 | getParameter(...) : String | C.java:45:34:45:37 | data : String | provenance | Src:MaD:3 | +| C.java:45:19:45:44 | new JsonReader(...) : JsonReader | C.java:46:3:46:4 | jr | provenance | | +| C.java:45:34:45:37 | data : String | C.java:45:19:45:44 | new JsonReader(...) : JsonReader | provenance | Config | +| C.java:51:17:51:44 | getParameter(...) : String | C.java:52:33:52:36 | data : String | provenance | Src:MaD:3 | +| C.java:52:18:52:37 | new YamlReader(...) : YamlReader | C.java:53:3:53:3 | r | provenance | | +| C.java:52:18:52:37 | new YamlReader(...) : YamlReader | C.java:54:3:54:3 | r | provenance | | +| C.java:52:18:52:37 | new YamlReader(...) : YamlReader | C.java:55:3:55:3 | r | provenance | | +| C.java:52:33:52:36 | data : String | C.java:52:18:52:37 | new YamlReader(...) : YamlReader | provenance | Config | +| C.java:60:18:60:45 | getParameter(...) : String | C.java:60:18:60:56 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:14 | +| C.java:60:18:60:56 | getBytes(...) : byte[] | C.java:61:55:61:59 | bytes : byte[] | provenance | | +| C.java:60:18:60:56 | getBytes(...) : byte[] | C.java:62:48:62:50 | bis : ByteArrayInputStream | provenance | inputStreamWrapper | +| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:62:48:62:50 | bis : ByteArrayInputStream | provenance | | +| C.java:61:55:61:59 | bytes : byte[] | C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:8 | +| C.java:62:31:62:51 | new HessianInput(...) : HessianInput | C.java:63:3:63:14 | hessianInput | provenance | | +| C.java:62:31:62:51 | new HessianInput(...) : HessianInput | C.java:64:3:64:14 | hessianInput | provenance | | +| C.java:62:48:62:50 | bis : ByteArrayInputStream | C.java:62:31:62:51 | new HessianInput(...) : HessianInput | provenance | Config | +| C.java:69:18:69:45 | getParameter(...) : String | C.java:69:18:69:56 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:14 | +| C.java:69:18:69:56 | getBytes(...) : byte[] | C.java:70:55:70:59 | bytes : byte[] | provenance | | +| C.java:69:18:69:56 | getBytes(...) : byte[] | C.java:71:50:71:52 | bis : ByteArrayInputStream | provenance | inputStreamWrapper | +| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:71:50:71:52 | bis : ByteArrayInputStream | provenance | | +| C.java:70:55:70:59 | bytes : byte[] | C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:8 | +| C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | C.java:72:3:72:14 | hessianInput | provenance | | +| C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | C.java:73:3:73:14 | hessianInput | provenance | | +| C.java:71:50:71:52 | bis : ByteArrayInputStream | C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | provenance | Config | +| C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | provenance | Src:MaD:3 MaD:12 | +| C.java:84:27:84:54 | getParameter(...) : String | C.java:84:27:84:65 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:14 | +| C.java:84:27:84:65 | getBytes(...) : byte[] | C.java:85:54:85:67 | serializedData : byte[] | provenance | | +| C.java:84:27:84:65 | getBytes(...) : byte[] | C.java:86:45:86:46 | is : ByteArrayInputStream | provenance | inputStreamWrapper | +| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:86:45:86:46 | is : ByteArrayInputStream | provenance | | +| C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:8 | +| C.java:86:29:86:47 | new BurlapInput(...) : BurlapInput | C.java:87:3:87:13 | burlapInput | provenance | | +| C.java:86:45:86:46 | is : ByteArrayInputStream | C.java:86:29:86:47 | new BurlapInput(...) : BurlapInput | provenance | Config | +| C.java:86:45:86:46 | is : ByteArrayInputStream | C.java:90:21:90:22 | is : ByteArrayInputStream | provenance | | +| C.java:90:3:90:14 | burlapInput1 : BurlapInput | C.java:91:3:91:14 | burlapInput1 | provenance | | +| C.java:90:21:90:22 | is : ByteArrayInputStream | C.java:90:3:90:14 | burlapInput1 : BurlapInput | provenance | Config | +| FlexjsonServlet.java:67:23:67:46 | getParameter(...) : String | FlexjsonServlet.java:68:127:68:130 | json | provenance | Src:MaD:3 | +| FlexjsonServlet.java:79:23:79:46 | getParameter(...) : String | FlexjsonServlet.java:80:93:80:96 | json | provenance | Src:MaD:3 | +| FlexjsonServlet.java:119:23:119:46 | getParameter(...) : String | FlexjsonServlet.java:124:50:124:53 | json | provenance | Src:MaD:3 | +| GsonActivity.java:15:54:15:64 | getIntent(...) : Intent | ParcelableEntity.java:29:50:29:62 | parcel : Parcel | provenance | Config | +| GsonServlet.java:39:23:39:46 | getParameter(...) : String | GsonServlet.java:44:40:44:43 | json | provenance | Src:MaD:3 | +| GsonServlet.java:53:23:53:46 | getParameter(...) : String | GsonServlet.java:60:40:60:43 | json | provenance | Src:MaD:3 | +| JabsorbServlet.java:89:23:89:46 | getParameter(...) : String | JabsorbServlet.java:93:48:93:51 | json : String | provenance | Src:MaD:3 | +| JabsorbServlet.java:93:33:93:52 | new JSONObject(...) : JSONObject | JabsorbServlet.java:102:83:102:92 | jsonObject | provenance | | +| JabsorbServlet.java:93:48:93:51 | json : String | JabsorbServlet.java:93:33:93:52 | new JSONObject(...) : JSONObject | provenance | MaD:16 | +| JabsorbServlet.java:110:23:110:46 | getParameter(...) : String | JabsorbServlet.java:116:52:116:55 | json | provenance | Src:MaD:3 | +| JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:20:54:20:58 | bytes [post update] : byte[] | provenance | Src:MaD:1 MaD:9 | +| JacksonTest.java:20:54:20:58 | bytes [post update] : byte[] | JacksonTest.java:21:46:21:50 | bytes : byte[] | provenance | | +| JacksonTest.java:21:35:21:57 | new String(...) : String | JacksonTest.java:22:28:22:35 | jexlExpr : String | provenance | | +| JacksonTest.java:21:46:21:50 | bytes : byte[] | JacksonTest.java:21:35:21:57 | new String(...) : String | provenance | MaD:13 | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:74:32:74:37 | string : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:83:32:83:37 | string : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:92:32:92:37 | string : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:139:32:139:37 | string : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:148:32:148:37 | string : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:157:32:157:37 | string : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:166:32:166:36 | input : String | provenance | | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:178:32:178:36 | input : String | provenance | | +| JacksonTest.java:74:32:74:37 | string : String | JacksonTest.java:76:30:76:35 | string | provenance | | +| JacksonTest.java:83:32:83:37 | string : String | JacksonTest.java:85:30:85:35 | string | provenance | | +| JacksonTest.java:92:32:92:37 | string : String | JacksonTest.java:94:30:94:35 | string | provenance | | +| JacksonTest.java:139:32:139:37 | string : String | JacksonTest.java:142:30:142:35 | string | provenance | | +| JacksonTest.java:148:32:148:37 | string : String | JacksonTest.java:151:62:151:67 | string : String | provenance | | +| JacksonTest.java:151:62:151:67 | string : String | JacksonTest.java:151:31:151:68 | createParser(...) | provenance | Config | +| JacksonTest.java:151:62:151:67 | string : String | JacksonTest.java:151:31:151:68 | createParser(...) | provenance | MaD:6 | +| JacksonTest.java:157:32:157:37 | string : String | JacksonTest.java:160:48:160:53 | string : String | provenance | | +| JacksonTest.java:160:48:160:53 | string : String | JacksonTest.java:160:32:160:54 | readTree(...) | provenance | Config | +| JacksonTest.java:166:32:166:36 | input : String | JacksonTest.java:167:30:167:34 | input : String | provenance | | +| JacksonTest.java:167:30:167:34 | input : String | JacksonTest.java:167:30:167:45 | split(...) : String[] | provenance | MaD:15 | +| JacksonTest.java:167:30:167:45 | split(...) : String[] | JacksonTest.java:172:30:172:33 | data | provenance | | +| JacksonTest.java:178:32:178:36 | input : String | JacksonTest.java:179:30:179:34 | input : String | provenance | | +| JacksonTest.java:179:30:179:34 | input : String | JacksonTest.java:179:30:179:45 | split(...) : String[] | provenance | MaD:15 | +| JacksonTest.java:179:30:179:45 | split(...) : String[] | JacksonTest.java:183:30:183:33 | data | provenance | | +| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:45:37:45:40 | json | provenance | Src:MaD:3 | +| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:47:56:47:59 | json | provenance | Src:MaD:3 | +| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:49:67:49:70 | json | provenance | Src:MaD:3 | +| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:51:61:51:64 | json | provenance | Src:MaD:3 | +| JoddJsonServlet.java:58:23:58:46 | getParameter(...) : String | JoddJsonServlet.java:63:39:63:42 | json | provenance | Src:MaD:3 | +| ObjectMessageTest.java:6:27:6:41 | message : Message | ObjectMessageTest.java:7:26:7:32 | message | provenance | Src:MaD:2 | +| ParcelableEntity.java:29:50:29:62 | parcel : Parcel | ParcelableEntity.java:32:44:32:49 | parcel : Parcel | provenance | | +| ParcelableEntity.java:32:44:32:49 | parcel : Parcel | ParcelableEntity.java:32:44:32:62 | readString(...) | provenance | MaD:4 | +| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | provenance | inputStreamWrapper | +| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | provenance | | +| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | provenance | MaD:11 | +models +| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 2 | Source: javax.jms; MessageListener; true; onMessage; (Message); ; Parameter[0]; remote; manual | +| 3 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 4 | Summary: android.os; Parcel; false; readString; ; ; Argument[this]; ReturnValue; taint; manual | +| 5 | Summary: com.esotericsoftware.kryo.io; Input; false; Input; ; ; Argument[0]; Argument[this]; taint; manual | +| 6 | Summary: com.fasterxml.jackson.core; JsonFactory; false; createParser; ; ; Argument[0]; ReturnValue; taint; manual | +| 7 | Summary: java.beans; XMLDecoder; false; XMLDecoder; ; ; Argument[0]; Argument[this]; taint; manual | +| 8 | Summary: java.io; ByteArrayInputStream; false; ByteArrayInputStream; ; ; Argument[0]; Argument[this]; taint; manual | +| 9 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual | +| 10 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 11 | Summary: java.io; ObjectInputStream; false; ObjectInputStream; ; ; Argument[0]; Argument[this]; taint; manual | +| 12 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 13 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual | +| 14 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual | +| 15 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual | +| 16 | Summary: org.json; JSONObject; false; JSONObject; (String); ; Argument[0]; Argument[this]; taint; manual | +nodes +| A.java:14:31:14:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:15:28:15:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream | +| A.java:15:50:15:60 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| A.java:16:12:16:13 | in | semmle.label | in | +| A.java:20:31:20:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:21:28:21:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream | +| A.java:21:50:21:60 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| A.java:22:12:22:13 | in | semmle.label | in | +| A.java:32:31:32:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:33:20:33:46 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder | +| A.java:33:35:33:45 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| A.java:34:12:34:12 | d | semmle.label | d | +| A.java:39:31:39:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:40:21:40:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| A.java:40:43:40:53 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| A.java:41:23:41:28 | reader | semmle.label | reader | +| A.java:46:19:46:50 | new Input(...) : Input | semmle.label | new Input(...) : Input | +| A.java:46:29:46:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:47:28:47:32 | input | semmle.label | input | +| A.java:48:34:48:38 | input | semmle.label | input | +| A.java:49:40:49:44 | input | semmle.label | input | +| A.java:67:25:67:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:68:26:68:30 | input | semmle.label | input | +| A.java:69:30:69:34 | input | semmle.label | input | +| A.java:70:28:70:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| A.java:70:50:70:54 | input : InputStream | semmle.label | input : InputStream | +| A.java:71:24:71:28 | input | semmle.label | input | +| A.java:72:24:72:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| A.java:72:46:72:50 | input : InputStream | semmle.label | input : InputStream | +| A.java:77:25:77:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:78:26:78:30 | input | semmle.label | input | +| A.java:79:30:79:34 | input | semmle.label | input | +| A.java:80:28:80:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| A.java:80:50:80:54 | input : InputStream | semmle.label | input : InputStream | +| A.java:81:24:81:28 | input | semmle.label | input | +| A.java:82:24:82:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| A.java:82:46:82:50 | input : InputStream | semmle.label | input : InputStream | +| A.java:97:25:97:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| A.java:98:26:98:30 | input | semmle.label | input | +| A.java:99:30:99:34 | input | semmle.label | input | +| A.java:100:28:100:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| A.java:100:50:100:54 | input : InputStream | semmle.label | input : InputStream | +| A.java:101:24:101:28 | input | semmle.label | input | +| A.java:102:24:102:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| A.java:102:46:102:50 | input : InputStream | semmle.label | input : InputStream | +| B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| B.java:8:29:8:39 | inputStream | semmle.label | inputStream | +| B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| B.java:14:5:14:15 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| B.java:14:22:14:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| B.java:15:23:15:27 | bytes | semmle.label | bytes | +| B.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| B.java:21:5:21:15 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| B.java:21:22:21:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| B.java:22:16:22:32 | new String(...) : String | semmle.label | new String(...) : String | +| B.java:22:27:22:31 | bytes : byte[] | semmle.label | bytes : byte[] | +| B.java:23:29:23:29 | s | semmle.label | s | +| B.java:27:31:27:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| B.java:29:5:29:15 | inputStream : InputStream | semmle.label | inputStream : InputStream | +| B.java:29:22:29:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| B.java:30:16:30:32 | new String(...) : String | semmle.label | new String(...) : String | +| B.java:30:27:30:31 | bytes : byte[] | semmle.label | bytes : byte[] | +| B.java:31:23:31:23 | s | semmle.label | s | +| C.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:24:13:24:16 | data | semmle.label | data | +| C.java:25:19:25:22 | data | semmle.label | data | +| C.java:26:25:26:28 | data | semmle.label | data | +| C.java:27:17:27:20 | data | semmle.label | data | +| C.java:30:19:30:22 | data | semmle.label | data | +| C.java:31:25:31:28 | data | semmle.label | data | +| C.java:32:31:32:34 | data | semmle.label | data | +| C.java:33:23:33:26 | data | semmle.label | data | +| C.java:38:17:38:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:43:25:43:28 | data | semmle.label | data | +| C.java:45:19:45:44 | new JsonReader(...) : JsonReader | semmle.label | new JsonReader(...) : JsonReader | +| C.java:45:34:45:37 | data : String | semmle.label | data : String | +| C.java:46:3:46:4 | jr | semmle.label | jr | +| C.java:51:17:51:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:52:18:52:37 | new YamlReader(...) : YamlReader | semmle.label | new YamlReader(...) : YamlReader | +| C.java:52:33:52:36 | data : String | semmle.label | data : String | +| C.java:53:3:53:3 | r | semmle.label | r | +| C.java:54:3:54:3 | r | semmle.label | r | +| C.java:55:3:55:3 | r | semmle.label | r | +| C.java:60:18:60:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:60:18:60:56 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] | +| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream | +| C.java:61:55:61:59 | bytes : byte[] | semmle.label | bytes : byte[] | +| C.java:62:31:62:51 | new HessianInput(...) : HessianInput | semmle.label | new HessianInput(...) : HessianInput | +| C.java:62:48:62:50 | bis : ByteArrayInputStream | semmle.label | bis : ByteArrayInputStream | +| C.java:63:3:63:14 | hessianInput | semmle.label | hessianInput | +| C.java:64:3:64:14 | hessianInput | semmle.label | hessianInput | +| C.java:69:18:69:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:69:18:69:56 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] | +| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream | +| C.java:70:55:70:59 | bytes : byte[] | semmle.label | bytes : byte[] | +| C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | semmle.label | new Hessian2Input(...) : Hessian2Input | +| C.java:71:50:71:52 | bis : ByteArrayInputStream | semmle.label | bis : ByteArrayInputStream | +| C.java:72:3:72:14 | hessianInput | semmle.label | hessianInput | +| C.java:73:3:73:14 | hessianInput | semmle.label | hessianInput | +| C.java:79:26:79:71 | new StringReader(...) | semmle.label | new StringReader(...) | +| C.java:79:43:79:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:84:27:84:54 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| C.java:84:27:84:65 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] | +| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream | +| C.java:85:54:85:67 | serializedData : byte[] | semmle.label | serializedData : byte[] | +| C.java:86:29:86:47 | new BurlapInput(...) : BurlapInput | semmle.label | new BurlapInput(...) : BurlapInput | +| C.java:86:45:86:46 | is : ByteArrayInputStream | semmle.label | is : ByteArrayInputStream | +| C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput | +| C.java:90:3:90:14 | burlapInput1 : BurlapInput | semmle.label | burlapInput1 : BurlapInput | +| C.java:90:21:90:22 | is : ByteArrayInputStream | semmle.label | is : ByteArrayInputStream | +| C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 | +| FlexjsonServlet.java:36:53:36:67 | getReader(...) | semmle.label | getReader(...) | +| FlexjsonServlet.java:44:53:44:67 | getReader(...) | semmle.label | getReader(...) | +| FlexjsonServlet.java:52:53:52:67 | getReader(...) | semmle.label | getReader(...) | +| FlexjsonServlet.java:67:23:67:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FlexjsonServlet.java:68:127:68:130 | json | semmle.label | json | +| FlexjsonServlet.java:79:23:79:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FlexjsonServlet.java:80:93:80:96 | json | semmle.label | json | +| FlexjsonServlet.java:119:23:119:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FlexjsonServlet.java:124:50:124:53 | json | semmle.label | json | +| GsonActivity.java:15:54:15:64 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | +| GsonServlet.java:39:23:39:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GsonServlet.java:44:40:44:43 | json | semmle.label | json | +| GsonServlet.java:53:23:53:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| GsonServlet.java:60:40:60:43 | json | semmle.label | json | +| JabsorbServlet.java:89:23:89:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JabsorbServlet.java:93:33:93:52 | new JSONObject(...) : JSONObject | semmle.label | new JSONObject(...) : JSONObject | +| JabsorbServlet.java:93:48:93:51 | json : String | semmle.label | json : String | +| JabsorbServlet.java:102:83:102:92 | jsonObject | semmle.label | jsonObject | +| JabsorbServlet.java:110:23:110:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JabsorbServlet.java:116:52:116:55 | json | semmle.label | json | +| JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| JacksonTest.java:20:54:20:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] | +| JacksonTest.java:21:35:21:57 | new String(...) : String | semmle.label | new String(...) : String | +| JacksonTest.java:21:46:21:50 | bytes : byte[] | semmle.label | bytes : byte[] | +| JacksonTest.java:22:28:22:35 | jexlExpr : String | semmle.label | jexlExpr : String | +| JacksonTest.java:74:32:74:37 | string : String | semmle.label | string : String | +| JacksonTest.java:76:30:76:35 | string | semmle.label | string | +| JacksonTest.java:83:32:83:37 | string : String | semmle.label | string : String | +| JacksonTest.java:85:30:85:35 | string | semmle.label | string | +| JacksonTest.java:92:32:92:37 | string : String | semmle.label | string : String | +| JacksonTest.java:94:30:94:35 | string | semmle.label | string | +| JacksonTest.java:139:32:139:37 | string : String | semmle.label | string : String | +| JacksonTest.java:142:30:142:35 | string | semmle.label | string | +| JacksonTest.java:148:32:148:37 | string : String | semmle.label | string : String | +| JacksonTest.java:151:31:151:68 | createParser(...) | semmle.label | createParser(...) | +| JacksonTest.java:151:62:151:67 | string : String | semmle.label | string : String | +| JacksonTest.java:157:32:157:37 | string : String | semmle.label | string : String | +| JacksonTest.java:160:32:160:54 | readTree(...) | semmle.label | readTree(...) | +| JacksonTest.java:160:48:160:53 | string : String | semmle.label | string : String | +| JacksonTest.java:166:32:166:36 | input : String | semmle.label | input : String | +| JacksonTest.java:167:30:167:34 | input : String | semmle.label | input : String | +| JacksonTest.java:167:30:167:45 | split(...) : String[] | semmle.label | split(...) : String[] | +| JacksonTest.java:172:30:172:33 | data | semmle.label | data | +| JacksonTest.java:178:32:178:36 | input : String | semmle.label | input : String | +| JacksonTest.java:179:30:179:34 | input : String | semmle.label | input : String | +| JacksonTest.java:179:30:179:45 | split(...) : String[] | semmle.label | split(...) : String[] | +| JacksonTest.java:183:30:183:33 | data | semmle.label | data | +| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JoddJsonServlet.java:45:37:45:40 | json | semmle.label | json | +| JoddJsonServlet.java:47:56:47:59 | json | semmle.label | json | +| JoddJsonServlet.java:49:67:49:70 | json | semmle.label | json | +| JoddJsonServlet.java:51:61:51:64 | json | semmle.label | json | +| JoddJsonServlet.java:58:23:58:46 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JoddJsonServlet.java:63:39:63:42 | json | semmle.label | json | +| ObjectMessageTest.java:6:27:6:41 | message : Message | semmle.label | message : Message | +| ObjectMessageTest.java:7:26:7:32 | message | semmle.label | message | +| ParcelableEntity.java:29:50:29:62 | parcel : Parcel | semmle.label | parcel : Parcel | +| ParcelableEntity.java:32:44:32:49 | parcel : Parcel | semmle.label | parcel : Parcel | +| ParcelableEntity.java:32:44:32:62 | readString(...) | semmle.label | readString(...) | +| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream | +| TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) | +| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.ql b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.ql deleted file mode 100644 index f4570b64ef81..000000000000 --- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.UnsafeDeserializationQuery -import utils.test.InlineExpectationsTest - -module UnsafeDeserializationTest implements TestSig { - string getARelevantTag() { result = "unsafeDeserialization" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "unsafeDeserialization" and - exists(DataFlow::Node sink | UnsafeDeserializationFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.qlref b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.qlref new file mode 100644 index 000000000000..c0d276968341 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-502/UnsafeDeserialization.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.expected b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.expected new file mode 100644 index 000000000000..228de5b637a3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.expected @@ -0,0 +1,105 @@ +#select +| InsecureBasicAuthTest.java:28:4:28:7 | post | InsecureBasicAuthTest.java:25:40:25:48 | "http://" : String | InsecureBasicAuthTest.java:28:4:28:7 | post | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:25:40:25:48 | "http://" | HTTP URL | +| InsecureBasicAuthTest.java:46:4:46:6 | get | InsecureBasicAuthTest.java:43:20:43:65 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuthTest.java:46:4:46:6 | get | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:43:20:43:65 | "http://www.example.com:8000/payment/retrieve" | HTTP URL | +| InsecureBasicAuthTest.java:70:4:70:7 | post | InsecureBasicAuthTest.java:66:20:66:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:70:4:70:7 | post | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:66:20:66:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP URL | +| InsecureBasicAuthTest.java:95:4:95:7 | post | InsecureBasicAuthTest.java:90:20:90:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:95:4:95:7 | post | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:90:20:90:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP URL | +| InsecureBasicAuthTest.java:120:4:120:7 | post | InsecureBasicAuthTest.java:117:27:117:32 | "http" : String | InsecureBasicAuthTest.java:120:4:120:7 | post | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:117:27:117:32 | "http" | HTTP URL | +| InsecureBasicAuthTest.java:143:4:143:7 | post | InsecureBasicAuthTest.java:139:20:139:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:143:4:143:7 | post | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:139:20:139:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP URL | +| InsecureBasicAuthTest.java:167:4:167:7 | post | InsecureBasicAuthTest.java:162:20:162:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:167:4:167:7 | post | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:162:20:162:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP URL | +| InsecureBasicAuthTest.java:192:4:192:7 | conn | InsecureBasicAuthTest.java:187:20:187:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:192:4:192:7 | conn | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:187:20:187:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP URL | +| InsecureBasicAuthTest.java:219:4:219:7 | conn | InsecureBasicAuthTest.java:214:22:214:27 | "http" : String | InsecureBasicAuthTest.java:219:4:219:7 | conn | Insecure basic authentication from a $@. | InsecureBasicAuthTest.java:214:22:214:27 | "http" | HTTP URL | +edges +| InsecureBasicAuthTest.java:25:27:25:87 | new HttpPost(...) : HttpPost | InsecureBasicAuthTest.java:28:4:28:7 | post | provenance | | +| InsecureBasicAuthTest.java:25:40:25:48 | "http://" : String | InsecureBasicAuthTest.java:25:40:25:86 | ... + ... : String | provenance | | +| InsecureBasicAuthTest.java:25:40:25:86 | ... + ... : String | InsecureBasicAuthTest.java:25:27:25:87 | new HttpPost(...) : HttpPost | provenance | Config | +| InsecureBasicAuthTest.java:43:20:43:65 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuthTest.java:44:30:44:35 | urlStr : String | provenance | | +| InsecureBasicAuthTest.java:44:18:44:36 | new HttpGet(...) : HttpGet | InsecureBasicAuthTest.java:46:4:46:6 | get | provenance | | +| InsecureBasicAuthTest.java:44:30:44:35 | urlStr : String | InsecureBasicAuthTest.java:44:18:44:36 | new HttpGet(...) : HttpGet | provenance | Config | +| InsecureBasicAuthTest.java:66:20:66:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:67:51:67:56 | uriStr : String | provenance | | +| InsecureBasicAuthTest.java:67:27:67:58 | new HttpPost(...) : HttpPost | InsecureBasicAuthTest.java:70:4:70:7 | post | provenance | | +| InsecureBasicAuthTest.java:67:40:67:57 | create(...) : URI | InsecureBasicAuthTest.java:67:27:67:58 | new HttpPost(...) : HttpPost | provenance | Config | +| InsecureBasicAuthTest.java:67:51:67:56 | uriStr : String | InsecureBasicAuthTest.java:67:40:67:57 | create(...) : URI | provenance | MaD:2 | +| InsecureBasicAuthTest.java:90:20:90:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:91:22:91:27 | uriStr : String | provenance | | +| InsecureBasicAuthTest.java:91:14:91:28 | new URI(...) : URI | InsecureBasicAuthTest.java:92:40:92:42 | uri : URI | provenance | | +| InsecureBasicAuthTest.java:91:22:91:27 | uriStr : String | InsecureBasicAuthTest.java:91:14:91:28 | new URI(...) : URI | provenance | Config | +| InsecureBasicAuthTest.java:91:22:91:27 | uriStr : String | InsecureBasicAuthTest.java:91:14:91:28 | new URI(...) : URI | provenance | MaD:1 | +| InsecureBasicAuthTest.java:92:27:92:43 | new HttpPost(...) : HttpPost | InsecureBasicAuthTest.java:95:4:95:7 | post | provenance | | +| InsecureBasicAuthTest.java:92:40:92:42 | uri : URI | InsecureBasicAuthTest.java:92:27:92:43 | new HttpPost(...) : HttpPost | provenance | Config | +| InsecureBasicAuthTest.java:117:6:117:79 | new HttpPost(...) : HttpPost | InsecureBasicAuthTest.java:120:4:120:7 | post | provenance | | +| InsecureBasicAuthTest.java:117:19:117:78 | new URI(...) : URI | InsecureBasicAuthTest.java:117:6:117:79 | new HttpPost(...) : HttpPost | provenance | Config | +| InsecureBasicAuthTest.java:117:27:117:32 | "http" : String | InsecureBasicAuthTest.java:117:19:117:78 | new URI(...) : URI | provenance | Config | +| InsecureBasicAuthTest.java:139:20:139:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:140:57:140:62 | uriStr : String | provenance | | +| InsecureBasicAuthTest.java:140:28:140:63 | new BasicHttpRequest(...) : BasicHttpRequest | InsecureBasicAuthTest.java:143:4:143:7 | post | provenance | | +| InsecureBasicAuthTest.java:140:57:140:62 | uriStr : String | InsecureBasicAuthTest.java:140:28:140:63 | new BasicHttpRequest(...) : BasicHttpRequest | provenance | Config | +| InsecureBasicAuthTest.java:162:20:162:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:163:59:163:64 | uriStr : String | provenance | | +| InsecureBasicAuthTest.java:163:30:163:71 | new BasicRequestLine(...) : BasicRequestLine | InsecureBasicAuthTest.java:164:49:164:59 | requestLine : BasicRequestLine | provenance | | +| InsecureBasicAuthTest.java:163:59:163:64 | uriStr : String | InsecureBasicAuthTest.java:163:30:163:71 | new BasicRequestLine(...) : BasicRequestLine | provenance | MaD:4 | +| InsecureBasicAuthTest.java:164:28:164:60 | new BasicHttpRequest(...) : BasicHttpRequest | InsecureBasicAuthTest.java:167:4:167:7 | post | provenance | | +| InsecureBasicAuthTest.java:164:49:164:59 | requestLine : BasicRequestLine | InsecureBasicAuthTest.java:164:28:164:60 | new BasicHttpRequest(...) : BasicHttpRequest | provenance | Config | +| InsecureBasicAuthTest.java:187:20:187:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuthTest.java:188:22:188:27 | urlStr : String | provenance | | +| InsecureBasicAuthTest.java:188:14:188:28 | new URL(...) : URL | InsecureBasicAuthTest.java:189:49:189:51 | url : URL | provenance | | +| InsecureBasicAuthTest.java:188:22:188:27 | urlStr : String | InsecureBasicAuthTest.java:188:14:188:28 | new URL(...) : URL | provenance | Config | +| InsecureBasicAuthTest.java:188:22:188:27 | urlStr : String | InsecureBasicAuthTest.java:188:14:188:28 | new URL(...) : URL | provenance | MaD:3 | +| InsecureBasicAuthTest.java:189:29:189:68 | (...)... : HttpURLConnection | InsecureBasicAuthTest.java:192:4:192:7 | conn | provenance | | +| InsecureBasicAuthTest.java:189:49:189:51 | url : URL | InsecureBasicAuthTest.java:189:49:189:68 | openConnection(...) : URLConnection | provenance | Config | +| InsecureBasicAuthTest.java:189:49:189:68 | openConnection(...) : URLConnection | InsecureBasicAuthTest.java:189:29:189:68 | (...)... : HttpURLConnection | provenance | | +| InsecureBasicAuthTest.java:214:22:214:27 | "http" : String | InsecureBasicAuthTest.java:215:22:215:29 | protocol : String | provenance | | +| InsecureBasicAuthTest.java:215:14:215:42 | new URL(...) : URL | InsecureBasicAuthTest.java:216:49:216:51 | url : URL | provenance | | +| InsecureBasicAuthTest.java:215:22:215:29 | protocol : String | InsecureBasicAuthTest.java:215:14:215:42 | new URL(...) : URL | provenance | Config | +| InsecureBasicAuthTest.java:216:29:216:68 | (...)... : HttpURLConnection | InsecureBasicAuthTest.java:219:4:219:7 | conn | provenance | | +| InsecureBasicAuthTest.java:216:49:216:51 | url : URL | InsecureBasicAuthTest.java:216:49:216:68 | openConnection(...) : URLConnection | provenance | Config | +| InsecureBasicAuthTest.java:216:49:216:68 | openConnection(...) : URLConnection | InsecureBasicAuthTest.java:216:29:216:68 | (...)... : HttpURLConnection | provenance | | +models +| 1 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual | +| 2 | Summary: java.net; URI; false; create; ; ; Argument[0]; ReturnValue; taint; manual | +| 3 | Summary: java.net; URL; false; URL; (String); ; Argument[0]; Argument[this]; taint; manual | +| 4 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual | +nodes +| InsecureBasicAuthTest.java:25:27:25:87 | new HttpPost(...) : HttpPost | semmle.label | new HttpPost(...) : HttpPost | +| InsecureBasicAuthTest.java:25:40:25:48 | "http://" : String | semmle.label | "http://" : String | +| InsecureBasicAuthTest.java:25:40:25:86 | ... + ... : String | semmle.label | ... + ... : String | +| InsecureBasicAuthTest.java:28:4:28:7 | post | semmle.label | post | +| InsecureBasicAuthTest.java:43:20:43:65 | "http://www.example.com:8000/payment/retrieve" : String | semmle.label | "http://www.example.com:8000/payment/retrieve" : String | +| InsecureBasicAuthTest.java:44:18:44:36 | new HttpGet(...) : HttpGet | semmle.label | new HttpGet(...) : HttpGet | +| InsecureBasicAuthTest.java:44:30:44:35 | urlStr : String | semmle.label | urlStr : String | +| InsecureBasicAuthTest.java:46:4:46:6 | get | semmle.label | get | +| InsecureBasicAuthTest.java:66:20:66:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuthTest.java:67:27:67:58 | new HttpPost(...) : HttpPost | semmle.label | new HttpPost(...) : HttpPost | +| InsecureBasicAuthTest.java:67:40:67:57 | create(...) : URI | semmle.label | create(...) : URI | +| InsecureBasicAuthTest.java:67:51:67:56 | uriStr : String | semmle.label | uriStr : String | +| InsecureBasicAuthTest.java:70:4:70:7 | post | semmle.label | post | +| InsecureBasicAuthTest.java:90:20:90:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuthTest.java:91:14:91:28 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| InsecureBasicAuthTest.java:91:22:91:27 | uriStr : String | semmle.label | uriStr : String | +| InsecureBasicAuthTest.java:92:27:92:43 | new HttpPost(...) : HttpPost | semmle.label | new HttpPost(...) : HttpPost | +| InsecureBasicAuthTest.java:92:40:92:42 | uri : URI | semmle.label | uri : URI | +| InsecureBasicAuthTest.java:95:4:95:7 | post | semmle.label | post | +| InsecureBasicAuthTest.java:117:6:117:79 | new HttpPost(...) : HttpPost | semmle.label | new HttpPost(...) : HttpPost | +| InsecureBasicAuthTest.java:117:19:117:78 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| InsecureBasicAuthTest.java:117:27:117:32 | "http" : String | semmle.label | "http" : String | +| InsecureBasicAuthTest.java:120:4:120:7 | post | semmle.label | post | +| InsecureBasicAuthTest.java:139:20:139:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuthTest.java:140:28:140:63 | new BasicHttpRequest(...) : BasicHttpRequest | semmle.label | new BasicHttpRequest(...) : BasicHttpRequest | +| InsecureBasicAuthTest.java:140:57:140:62 | uriStr : String | semmle.label | uriStr : String | +| InsecureBasicAuthTest.java:143:4:143:7 | post | semmle.label | post | +| InsecureBasicAuthTest.java:162:20:162:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuthTest.java:163:30:163:71 | new BasicRequestLine(...) : BasicRequestLine | semmle.label | new BasicRequestLine(...) : BasicRequestLine | +| InsecureBasicAuthTest.java:163:59:163:64 | uriStr : String | semmle.label | uriStr : String | +| InsecureBasicAuthTest.java:164:28:164:60 | new BasicHttpRequest(...) : BasicHttpRequest | semmle.label | new BasicHttpRequest(...) : BasicHttpRequest | +| InsecureBasicAuthTest.java:164:49:164:59 | requestLine : BasicRequestLine | semmle.label | requestLine : BasicRequestLine | +| InsecureBasicAuthTest.java:167:4:167:7 | post | semmle.label | post | +| InsecureBasicAuthTest.java:187:20:187:69 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuthTest.java:188:14:188:28 | new URL(...) : URL | semmle.label | new URL(...) : URL | +| InsecureBasicAuthTest.java:188:22:188:27 | urlStr : String | semmle.label | urlStr : String | +| InsecureBasicAuthTest.java:189:29:189:68 | (...)... : HttpURLConnection | semmle.label | (...)... : HttpURLConnection | +| InsecureBasicAuthTest.java:189:49:189:51 | url : URL | semmle.label | url : URL | +| InsecureBasicAuthTest.java:189:49:189:68 | openConnection(...) : URLConnection | semmle.label | openConnection(...) : URLConnection | +| InsecureBasicAuthTest.java:192:4:192:7 | conn | semmle.label | conn | +| InsecureBasicAuthTest.java:214:22:214:27 | "http" : String | semmle.label | "http" : String | +| InsecureBasicAuthTest.java:215:14:215:42 | new URL(...) : URL | semmle.label | new URL(...) : URL | +| InsecureBasicAuthTest.java:215:22:215:29 | protocol : String | semmle.label | protocol : String | +| InsecureBasicAuthTest.java:216:29:216:68 | (...)... : HttpURLConnection | semmle.label | (...)... : HttpURLConnection | +| InsecureBasicAuthTest.java:216:49:216:51 | url : URL | semmle.label | url : URL | +| InsecureBasicAuthTest.java:216:49:216:68 | openConnection(...) : URLConnection | semmle.label | openConnection(...) : URLConnection | +| InsecureBasicAuthTest.java:219:4:219:7 | conn | semmle.label | conn | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.java b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.java similarity index 96% rename from java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.java rename to java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.java index 2098dd4139cb..c174c9643de4 100644 --- a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.java +++ b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.java @@ -22,10 +22,10 @@ public void testApacheHttpRequest(String username, String password) { byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); String authStringEnc = new String(authEncBytes); { - HttpRequestBase post = new HttpPost("http://" + host + "/rest/getuser.do?uid=abcdx"); + HttpRequestBase post = new HttpPost("http://" + host + "/rest/getuser.do?uid=abcdx"); // $ Source post.setHeader("Accept", "application/json"); post.setHeader("Content-type", "application/json"); - post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth + post.addHeader("Authorization", "Basic " + authStringEnc); // $ Alert } { HttpRequestBase post = new HttpPost("https://" + host + "/rest/getuser.do?uid=abcdx"); @@ -40,10 +40,10 @@ public void testApacheHttpRequest(String username, String password) { */ public void testApacheHttpRequest2(String url) throws java.io.IOException { { - String urlStr = "http://www.example.com:8000/payment/retrieve"; + String urlStr = "http://www.example.com:8000/payment/retrieve"; // $ Source HttpGet get = new HttpGet(urlStr); get.setHeader("Accept", "application/json"); - get.setHeader("Authorization", // $hasInsecureBasicAuth + get.setHeader("Authorization", // $ Alert "Basic " + new String(Base64.getEncoder().encode("admin:test".getBytes()))); } { @@ -63,11 +63,11 @@ public void testApacheHttpRequest3(String username, String password) { byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); String authStringEnc = new String(authEncBytes); { - String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; + String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; // $ Source HttpRequestBase post = new HttpPost(URI.create(uriStr)); post.setHeader("Accept", "application/json"); post.setHeader("Content-type", "application/json"); - post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth + post.addHeader("Authorization", "Basic " + authStringEnc); // $ Alert } { String uriStr = "https://www.example.com/rest/getuser.do?uid=abcdx"; @@ -87,12 +87,12 @@ public void testApacheHttpRequest4(String username, String password) throws Exce byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); String authStringEnc = new String(authEncBytes); { - String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; + String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; // $ Source URI uri = new URI(uriStr); HttpRequestBase post = new HttpPost(uri); post.setHeader("Accept", "application/json"); post.setHeader("Content-type", "application/json"); - post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth + post.addHeader("Authorization", "Basic " + authStringEnc); // $ Alert } { String uriStr = "https://www.example.com/rest/getuser.do?uid=abcdx"; @@ -114,10 +114,10 @@ public void testApacheHttpRequest5(String username, String password) throws Exce String authStringEnc = new String(authEncBytes); { HttpRequestBase post = - new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null)); + new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null)); // $ Source post.setHeader("Accept", "application/json"); post.setHeader("Content-type", "application/json"); - post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth + post.addHeader("Authorization", "Basic " + authStringEnc); // $ Alert } { HttpRequestBase post = @@ -136,11 +136,11 @@ public void testApacheHttpRequest6(String username, String password) { byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); String authStringEnc = new String(authEncBytes); { - String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; + String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; // $ Source BasicHttpRequest post = new BasicHttpRequest("POST", uriStr); post.setHeader("Accept", "application/json"); post.setHeader("Content-type", "application/json"); - post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth + post.addHeader("Authorization", "Basic " + authStringEnc); // $ Alert } { String uriStr = "https://www.example.com/rest/getuser.do?uid=abcdx"; @@ -159,12 +159,12 @@ public void testApacheHttpRequest7(String username, String password) { byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); String authStringEnc = new String(authEncBytes); { - String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; + String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; // $ Source RequestLine requestLine = new BasicRequestLine("POST", uriStr, null); BasicHttpRequest post = new BasicHttpRequest(requestLine); post.setHeader("Accept", "application/json"); post.setHeader("Content-type", "application/json"); - post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth + post.addHeader("Authorization", "Basic " + authStringEnc); // $ Alert } { String uriStr = "https://www.example.com/rest/getuser.do?uid=abcdx"; @@ -184,12 +184,12 @@ public void testHttpUrlConnection(String username, String password) throws Excep String authString = username + ":" + password; String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8")); { - String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; + String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; // $ Source URL url = new URL(urlStr); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); - conn.setRequestProperty("Authorization", "Basic " + encoding); // $hasInsecureBasicAuth + conn.setRequestProperty("Authorization", "Basic " + encoding); // $ Alert } { String urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx"; @@ -211,12 +211,12 @@ public void testHttpUrlConnection2(String username, String password) throws Exce String host = "www.example.com"; String path = "/rest/getuser.do?uid=abcdx"; { - String protocol = "http"; + String protocol = "http"; // $ Source URL url = new URL(protocol, host, path); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); - conn.setRequestProperty("Authorization", "Basic " + encoding); // $hasInsecureBasicAuth + conn.setRequestProperty("Authorization", "Basic " + encoding); // $ Alert } { String protocol = "https"; diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.qlref b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.qlref new file mode 100644 index 000000000000..053e0f22a26b --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/InsecureBasicAuthTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-522/InsecureBasicAuth.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-522/options b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/options similarity index 68% rename from java/ql/test/query-tests/security/CWE-522/options rename to java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/options index 2e6054aac456..7eaf4cb235f4 100644 --- a/java/ql/test/query-tests/security/CWE-522/options +++ b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth/options @@ -1 +1 @@ -// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-http-4.4.13 +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13 diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.expected b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql deleted file mode 100644 index d3e99009eeec..000000000000 --- a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.InsecureBasicAuthQuery -import utils.test.InlineExpectationsTest - -module HasInsecureBasicAuthTest implements TestSig { - string getARelevantTag() { result = "hasInsecureBasicAuth" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasInsecureBasicAuth" and - exists(DataFlow::Node sink | InsecureBasicAuthFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuth.java similarity index 94% rename from java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth.java rename to java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuth.java index d769258a6119..1ed8a7f35899 100644 --- a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth.java +++ b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuth.java @@ -8,7 +8,7 @@ public class InsecureLdapAuth { // BAD - Test LDAP authentication in cleartext using `DirContext`. public void testCleartextLdapAuth(String ldapUserName, String password) throws Exception { - String ldapUrl = "ldap://ad.your-server.com:389"; + String ldapUrl = "ldap://ad.your-server.com:389"; // $ Source Hashtable environment = new Hashtable(); environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); @@ -17,12 +17,12 @@ public void testCleartextLdapAuth(String ldapUserName, String password) throws E environment.put(Context.SECURITY_AUTHENTICATION, "simple"); environment.put(Context.SECURITY_PRINCIPAL, ldapUserName); environment.put(Context.SECURITY_CREDENTIALS, password); - DirContext dirContext = new InitialDirContext(environment); // $ hasInsecureLdapAuth + DirContext dirContext = new InitialDirContext(environment); // $ Alert } // BAD - Test LDAP authentication in cleartext using `DirContext`. public void testCleartextLdapAuth(String ldapUserName, String password, String serverName) throws Exception { - String ldapUrl = "ldap://"+serverName+":389"; + String ldapUrl = "ldap://"+serverName+":389"; // $ Source Hashtable environment = new Hashtable(); environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); @@ -31,7 +31,7 @@ public void testCleartextLdapAuth(String ldapUserName, String password, String s environment.put(Context.SECURITY_AUTHENTICATION, "simple"); environment.put(Context.SECURITY_PRINCIPAL, ldapUserName); environment.put(Context.SECURITY_CREDENTIALS, password); - DirContext dirContext = new InitialDirContext(environment); // $ hasInsecureLdapAuth + DirContext dirContext = new InitialDirContext(environment); // $ Alert } // GOOD - Test LDAP authentication over SSL. @@ -93,7 +93,7 @@ public void testCleartextLdapAuth2(String ldapUserName, String password) throws // BAD - Test LDAP authentication in cleartext using `InitialLdapContext`. public void testCleartextLdapAuth3(String ldapUserName, String password) throws Exception { - String ldapUrl = "ldap://ad.your-server.com:389"; + String ldapUrl = "ldap://ad.your-server.com:389"; // $ Source Hashtable environment = new Hashtable(); environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); @@ -102,13 +102,13 @@ public void testCleartextLdapAuth3(String ldapUserName, String password) throws environment.put(Context.SECURITY_AUTHENTICATION, "simple"); environment.put(Context.SECURITY_PRINCIPAL, ldapUserName); environment.put(Context.SECURITY_CREDENTIALS, password); - InitialLdapContext ldapContext = new InitialLdapContext(environment, null); // $ hasInsecureLdapAuth + InitialLdapContext ldapContext = new InitialLdapContext(environment, null); // $ Alert } // BAD - Test LDAP authentication in cleartext using `DirContext` and string literals. public void testCleartextLdapAuth4(String ldapUserName, String password) throws Exception { - String ldapUrl = "ldap://ad.your-server.com:389"; + String ldapUrl = "ldap://ad.your-server.com:389"; // $ Source Hashtable environment = new Hashtable(); environment.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory"); @@ -117,7 +117,7 @@ public void testCleartextLdapAuth4(String ldapUserName, String password) throws environment.put("java.naming.security.authentication", "simple"); environment.put("java.naming.security.principal", ldapUserName); environment.put("java.naming.security.credentials", password); - DirContext dirContext = new InitialDirContext(environment); // $ hasInsecureLdapAuth + DirContext dirContext = new InitialDirContext(environment); // $ Alert } private void setSSL(Hashtable env) { @@ -144,12 +144,12 @@ public void testCleartextLdapAuth5(String ldapUserName, String password, String // BAD - Test LDAP authentication with basic authentication. public void testCleartextLdapAuth6(String ldapUserName, String password, String serverName) throws Exception { - String ldapUrl = "ldap://"+serverName+":389"; + String ldapUrl = "ldap://"+serverName+":389"; // $ Source Hashtable environment = new Hashtable(); environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); environment.put(Context.PROVIDER_URL, ldapUrl); setBasicAuth(environment, ldapUserName, password); - DirContext dirContext = new InitialLdapContext(environment, null); // $ hasInsecureLdapAuth + DirContext dirContext = new InitialLdapContext(environment, null); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuthTest.expected b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuthTest.expected new file mode 100644 index 000000000000..5df9a4f5c956 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuthTest.expected @@ -0,0 +1,100 @@ +#select +| InsecureLdapAuth.java:20:49:20:59 | environment | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string | +| InsecureLdapAuth.java:34:49:34:59 | environment | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string | +| InsecureLdapAuth.java:105:59:105:69 | environment | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string | +| InsecureLdapAuth.java:120:49:120:59 | environment | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" | LDAP connection string | +| InsecureLdapAuth.java:153:50:153:60 | environment | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:147:20:147:39 | ... + ... | LDAP connection string | +edges +| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:15:3:15:13 | environment : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment | provenance | | +| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:20:49:20:59 | environment | provenance | | +| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:29:3:29:13 | environment : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment | provenance | | +| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:34:49:34:59 | environment | provenance | | +| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:57:3:57:13 | environment : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment | provenance | | +| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:63:49:63:59 | environment | provenance | | +| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:72:3:72:13 | environment : Hashtable | InsecureLdapAuth.java:77:49:77:59 | environment | provenance | | +| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:77:49:77:59 | environment | provenance | | +| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:100:3:100:13 | environment : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment | provenance | | +| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:105:59:105:69 | environment | provenance | | +| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:115:3:115:13 | environment : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment | provenance | | +| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:120:49:120:59 | environment | provenance | | +| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:140:3:140:13 | environment : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment | provenance | | +| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:142:50:142:60 | environment | provenance | | +| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | provenance | | +| InsecureLdapAuth.java:151:3:151:13 | environment : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment | provenance | | +| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable [] : String | InsecureLdapAuth.java:153:50:153:60 | environment | provenance | | +| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment : Hashtable | provenance | Config | +| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable [] : String | provenance | MaD:1 | +| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable [] : String | provenance | MaD:2 | +models +| 1 | Summary: java.util; Dictionary; true; put; (Object,Object); ; Argument[1]; Argument[this].MapValue; value; manual | +| 2 | Summary: java.util; Map; true; put; (Object,Object); ; Argument[1]; Argument[this].MapValue; value; manual | +nodes +| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String | +| InsecureLdapAuth.java:15:3:15:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment | +| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String | +| InsecureLdapAuth.java:29:3:29:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment | +| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String | +| InsecureLdapAuth.java:57:3:57:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment | +| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String | +| InsecureLdapAuth.java:72:3:72:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment | +| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String | +| InsecureLdapAuth.java:100:3:100:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment | +| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String | +| InsecureLdapAuth.java:115:3:115:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment | +| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String | +| InsecureLdapAuth.java:140:3:140:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment | +| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | semmle.label | ... + ... : String | +| InsecureLdapAuth.java:151:3:151:13 | environment : Hashtable | semmle.label | environment : Hashtable | +| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable [] : String | semmle.label | environment [post update] : Hashtable [] : String | +| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | semmle.label | ldapUrl : String | +| InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuthTest.qlref b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuthTest.qlref new file mode 100644 index 000000000000..0ef383243379 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/InsecureLdapAuthTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-522/InsecureLdapAuth.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/options b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/options new file mode 100644 index 000000000000..7eaf4cb235f4 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuth/options @@ -0,0 +1 @@ +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13 diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.expected b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.ql b/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.ql deleted file mode 100644 index 7c75f5192ed3..000000000000 --- a/java/ql/test/query-tests/security/CWE-522/InsecureLdapAuthTest.ql +++ /dev/null @@ -1,20 +0,0 @@ -import java -import semmle.code.java.security.InsecureLdapAuthQuery -import utils.test.InlineExpectationsTest - -module InsecureLdapAuthenticationTest implements TestSig { - string getARelevantTag() { result = "hasInsecureLdapAuth" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasInsecureLdapAuth" and - exists(DataFlow::Node sink | InsecureLdapUrlFlow::flowTo(sink) | - BasicAuthFlow::flowTo(sink) and - not RequiresSslFlow::flowTo(sink) and - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.expected b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.expected index e69de29bb2d1..8beed804aca0 100644 --- a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.expected +++ b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.expected @@ -0,0 +1,127 @@ +#select +| UrlForwardTest.java:29:27:29:29 | url | UrlForwardTest.java:28:27:28:36 | url : String | UrlForwardTest.java:29:27:29:29 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:28:27:28:36 | url | user-provided value | +| UrlForwardTest.java:35:28:35:30 | url | UrlForwardTest.java:33:27:33:36 | url : String | UrlForwardTest.java:35:28:35:30 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:33:27:33:36 | url | user-provided value | +| UrlForwardTest.java:42:23:42:25 | url | UrlForwardTest.java:41:21:41:30 | url : String | UrlForwardTest.java:42:23:42:25 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:41:21:41:30 | url | user-provided value | +| UrlForwardTest.java:47:48:47:63 | ... + ... | UrlForwardTest.java:46:27:46:36 | url : String | UrlForwardTest.java:47:48:47:63 | ... + ... | Untrusted URL forward depends on a $@. | UrlForwardTest.java:46:27:46:36 | url | user-provided value | +| UrlForwardTest.java:47:61:47:63 | url | UrlForwardTest.java:46:27:46:36 | url : String | UrlForwardTest.java:47:61:47:63 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:46:27:46:36 | url | user-provided value | +| UrlForwardTest.java:63:33:63:35 | url | UrlForwardTest.java:61:19:61:28 | url : String | UrlForwardTest.java:63:33:63:35 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:61:19:61:28 | url | user-provided value | +| UrlForwardTest.java:74:33:74:62 | ... + ... | UrlForwardTest.java:72:19:72:28 | url : String | UrlForwardTest.java:74:33:74:62 | ... + ... | Untrusted URL forward depends on a $@. | UrlForwardTest.java:72:19:72:28 | url | user-provided value | +| UrlForwardTest.java:85:33:85:62 | ... + ... | UrlForwardTest.java:83:19:83:28 | url : String | UrlForwardTest.java:85:33:85:62 | ... + ... | Untrusted URL forward depends on a $@. | UrlForwardTest.java:83:19:83:28 | url | user-provided value | +| UrlForwardTest.java:109:33:109:35 | url | UrlForwardTest.java:106:19:106:32 | urlPath : String | UrlForwardTest.java:109:33:109:35 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:106:19:106:32 | urlPath | user-provided value | +| UrlForwardTest.java:148:33:148:36 | path | UrlForwardTest.java:145:17:145:63 | getServletPath(...) : String | UrlForwardTest.java:148:33:148:36 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:145:17:145:63 | getServletPath(...) | user-provided value | +| UrlForwardTest.java:161:33:161:36 | path | UrlForwardTest.java:158:17:158:63 | getServletPath(...) : String | UrlForwardTest.java:161:33:161:36 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:158:17:158:63 | getServletPath(...) | user-provided value | +| UrlForwardTest.java:193:51:193:59 | returnURL | UrlForwardTest.java:184:22:184:54 | getParameter(...) : String | UrlForwardTest.java:193:51:193:59 | returnURL | Untrusted URL forward depends on a $@. | UrlForwardTest.java:184:22:184:54 | getParameter(...) | user-provided value | +| UrlForwardTest.java:209:56:209:64 | returnURL | UrlForwardTest.java:203:22:203:54 | getParameter(...) : String | UrlForwardTest.java:209:56:209:64 | returnURL | Untrusted URL forward depends on a $@. | UrlForwardTest.java:203:22:203:54 | getParameter(...) | user-provided value | +| UrlForwardTest.java:236:53:236:56 | path | UrlForwardTest.java:232:17:232:44 | getParameter(...) : String | UrlForwardTest.java:236:53:236:56 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:232:17:232:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:247:53:247:56 | path | UrlForwardTest.java:244:17:244:44 | getParameter(...) : String | UrlForwardTest.java:247:53:247:56 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:244:17:244:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:261:53:261:76 | toString(...) | UrlForwardTest.java:255:17:255:44 | getParameter(...) : String | UrlForwardTest.java:261:53:261:76 | toString(...) | Untrusted URL forward depends on a $@. | UrlForwardTest.java:255:17:255:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:273:53:273:76 | toString(...) | UrlForwardTest.java:268:17:268:44 | getParameter(...) : String | UrlForwardTest.java:273:53:273:76 | toString(...) | Untrusted URL forward depends on a $@. | UrlForwardTest.java:268:17:268:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:284:53:284:56 | path | UrlForwardTest.java:280:17:280:44 | getParameter(...) : String | UrlForwardTest.java:284:53:284:56 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:280:17:280:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:322:54:322:57 | path | UrlForwardTest.java:319:17:319:44 | getParameter(...) : String | UrlForwardTest.java:322:54:322:57 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:319:17:319:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:365:53:365:56 | path | UrlForwardTest.java:355:17:355:44 | getParameter(...) : String | UrlForwardTest.java:365:53:365:56 | path | Untrusted URL forward depends on a $@. | UrlForwardTest.java:355:17:355:44 | getParameter(...) | user-provided value | +| UrlForwardTest.java:372:20:372:22 | url | UrlForwardTest.java:371:16:371:41 | getParameter(...) : String | UrlForwardTest.java:372:20:372:22 | url | Untrusted URL forward depends on a $@. | UrlForwardTest.java:371:16:371:41 | getParameter(...) | user-provided value | +| UrlForwardTest.java:384:27:384:56 | getParameter(...) | UrlForwardTest.java:384:27:384:56 | getParameter(...) | UrlForwardTest.java:384:27:384:56 | getParameter(...) | Untrusted URL forward depends on a $@. | UrlForwardTest.java:384:27:384:56 | getParameter(...) | user-provided value | +edges +| UrlForwardTest.java:28:27:28:36 | url : String | UrlForwardTest.java:29:27:29:29 | url | provenance | Sink:MaD:4 | +| UrlForwardTest.java:33:27:33:36 | url : String | UrlForwardTest.java:35:28:35:30 | url | provenance | Sink:MaD:5 | +| UrlForwardTest.java:41:21:41:30 | url : String | UrlForwardTest.java:42:23:42:25 | url | provenance | | +| UrlForwardTest.java:46:27:46:36 | url : String | UrlForwardTest.java:47:48:47:63 | ... + ... | provenance | Sink:MaD:4 | +| UrlForwardTest.java:46:27:46:36 | url : String | UrlForwardTest.java:47:61:47:63 | url | provenance | | +| UrlForwardTest.java:61:19:61:28 | url : String | UrlForwardTest.java:63:33:63:35 | url | provenance | Sink:MaD:2 | +| UrlForwardTest.java:72:19:72:28 | url : String | UrlForwardTest.java:74:33:74:62 | ... + ... | provenance | Sink:MaD:2 | +| UrlForwardTest.java:83:19:83:28 | url : String | UrlForwardTest.java:85:33:85:62 | ... + ... | provenance | Sink:MaD:2 | +| UrlForwardTest.java:106:19:106:32 | urlPath : String | UrlForwardTest.java:109:33:109:35 | url | provenance | Sink:MaD:2 | +| UrlForwardTest.java:145:17:145:63 | getServletPath(...) : String | UrlForwardTest.java:148:33:148:36 | path | provenance | Src:MaD:6 Sink:MaD:2 | +| UrlForwardTest.java:158:17:158:63 | getServletPath(...) : String | UrlForwardTest.java:161:33:161:36 | path | provenance | Src:MaD:6 Sink:MaD:2 | +| UrlForwardTest.java:184:22:184:54 | getParameter(...) : String | UrlForwardTest.java:193:51:193:59 | returnURL | provenance | Src:MaD:7 Sink:MaD:1 | +| UrlForwardTest.java:203:22:203:54 | getParameter(...) : String | UrlForwardTest.java:209:56:209:64 | returnURL | provenance | Src:MaD:7 Sink:MaD:2 | +| UrlForwardTest.java:232:17:232:44 | getParameter(...) : String | UrlForwardTest.java:236:53:236:56 | path | provenance | Src:MaD:7 Sink:MaD:1 | +| UrlForwardTest.java:244:17:244:44 | getParameter(...) : String | UrlForwardTest.java:247:53:247:56 | path | provenance | Src:MaD:7 Sink:MaD:1 | +| UrlForwardTest.java:255:17:255:44 | getParameter(...) : String | UrlForwardTest.java:258:53:258:56 | path : String | provenance | Src:MaD:7 | +| UrlForwardTest.java:258:24:258:57 | resolve(...) : Path | UrlForwardTest.java:258:24:258:69 | normalize(...) : Path | provenance | MaD:9 | +| UrlForwardTest.java:258:24:258:69 | normalize(...) : Path | UrlForwardTest.java:261:53:261:65 | requestedPath : Path | provenance | | +| UrlForwardTest.java:258:53:258:56 | path : String | UrlForwardTest.java:258:24:258:57 | resolve(...) : Path | provenance | MaD:10 | +| UrlForwardTest.java:261:53:261:65 | requestedPath : Path | UrlForwardTest.java:261:53:261:76 | toString(...) | provenance | MaD:11 Sink:MaD:1 | +| UrlForwardTest.java:268:17:268:44 | getParameter(...) : String | UrlForwardTest.java:270:53:270:56 | path : String | provenance | Src:MaD:7 | +| UrlForwardTest.java:270:24:270:57 | resolve(...) : Path | UrlForwardTest.java:270:24:270:69 | normalize(...) : Path | provenance | MaD:9 | +| UrlForwardTest.java:270:24:270:69 | normalize(...) : Path | UrlForwardTest.java:273:53:273:65 | requestedPath : Path | provenance | | +| UrlForwardTest.java:270:53:270:56 | path : String | UrlForwardTest.java:270:24:270:57 | resolve(...) : Path | provenance | MaD:10 | +| UrlForwardTest.java:273:53:273:65 | requestedPath : Path | UrlForwardTest.java:273:53:273:76 | toString(...) | provenance | MaD:11 Sink:MaD:1 | +| UrlForwardTest.java:280:17:280:44 | getParameter(...) : String | UrlForwardTest.java:281:28:281:31 | path : String | provenance | Src:MaD:7 | +| UrlForwardTest.java:281:10:281:41 | decode(...) : String | UrlForwardTest.java:284:53:284:56 | path | provenance | Sink:MaD:1 | +| UrlForwardTest.java:281:28:281:31 | path : String | UrlForwardTest.java:281:10:281:41 | decode(...) : String | provenance | MaD:8 | +| UrlForwardTest.java:319:17:319:44 | getParameter(...) : String | UrlForwardTest.java:322:54:322:57 | path | provenance | Src:MaD:7 Sink:MaD:1 | +| UrlForwardTest.java:355:17:355:44 | getParameter(...) : String | UrlForwardTest.java:360:29:360:32 | path : String | provenance | Src:MaD:7 | +| UrlForwardTest.java:355:17:355:44 | getParameter(...) : String | UrlForwardTest.java:365:53:365:56 | path | provenance | Src:MaD:7 Sink:MaD:1 | +| UrlForwardTest.java:360:11:360:42 | decode(...) : String | UrlForwardTest.java:360:29:360:32 | path : String | provenance | | +| UrlForwardTest.java:360:11:360:42 | decode(...) : String | UrlForwardTest.java:365:53:365:56 | path | provenance | Sink:MaD:1 | +| UrlForwardTest.java:360:29:360:32 | path : String | UrlForwardTest.java:360:11:360:42 | decode(...) : String | provenance | MaD:8 | +| UrlForwardTest.java:371:16:371:41 | getParameter(...) : String | UrlForwardTest.java:372:20:372:22 | url | provenance | Src:MaD:7 Sink:MaD:3 | +models +| 1 | Sink: javax.servlet; ServletContext; true; getRequestDispatcher; (String); ; Argument[0]; url-forward; manual | +| 2 | Sink: javax.servlet; ServletRequest; true; getRequestDispatcher; (String); ; Argument[0]; url-forward; manual | +| 3 | Sink: org.kohsuke.stapler; StaplerResponse; true; forward; (Object,String,StaplerRequest); ; Argument[1]; url-forward; manual | +| 4 | Sink: org.springframework.web.servlet; ModelAndView; false; ModelAndView; ; ; Argument[0]; url-forward; manual | +| 5 | Sink: org.springframework.web.servlet; ModelAndView; false; setViewName; ; ; Argument[0]; url-forward; manual | +| 6 | Source: javax.servlet.http; HttpServletRequest; false; getServletPath; (); ; ReturnValue; remote; manual | +| 7 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 8 | Summary: java.net; URLDecoder; false; decode; ; ; Argument[0]; ReturnValue; taint; manual | +| 9 | Summary: java.nio.file; Path; true; normalize; ; ; Argument[this]; ReturnValue; taint; manual | +| 10 | Summary: java.nio.file; Path; true; resolve; ; ; Argument[0]; ReturnValue; taint; manual | +| 11 | Summary: java.nio.file; Path; true; toString; ; ; Argument[this]; ReturnValue; taint; manual | +nodes +| UrlForwardTest.java:28:27:28:36 | url : String | semmle.label | url : String | +| UrlForwardTest.java:29:27:29:29 | url | semmle.label | url | +| UrlForwardTest.java:33:27:33:36 | url : String | semmle.label | url : String | +| UrlForwardTest.java:35:28:35:30 | url | semmle.label | url | +| UrlForwardTest.java:41:21:41:30 | url : String | semmle.label | url : String | +| UrlForwardTest.java:42:23:42:25 | url | semmle.label | url | +| UrlForwardTest.java:46:27:46:36 | url : String | semmle.label | url : String | +| UrlForwardTest.java:47:48:47:63 | ... + ... | semmle.label | ... + ... | +| UrlForwardTest.java:47:61:47:63 | url | semmle.label | url | +| UrlForwardTest.java:61:19:61:28 | url : String | semmle.label | url : String | +| UrlForwardTest.java:63:33:63:35 | url | semmle.label | url | +| UrlForwardTest.java:72:19:72:28 | url : String | semmle.label | url : String | +| UrlForwardTest.java:74:33:74:62 | ... + ... | semmle.label | ... + ... | +| UrlForwardTest.java:83:19:83:28 | url : String | semmle.label | url : String | +| UrlForwardTest.java:85:33:85:62 | ... + ... | semmle.label | ... + ... | +| UrlForwardTest.java:106:19:106:32 | urlPath : String | semmle.label | urlPath : String | +| UrlForwardTest.java:109:33:109:35 | url | semmle.label | url | +| UrlForwardTest.java:145:17:145:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String | +| UrlForwardTest.java:148:33:148:36 | path | semmle.label | path | +| UrlForwardTest.java:158:17:158:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String | +| UrlForwardTest.java:161:33:161:36 | path | semmle.label | path | +| UrlForwardTest.java:184:22:184:54 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:193:51:193:59 | returnURL | semmle.label | returnURL | +| UrlForwardTest.java:203:22:203:54 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:209:56:209:64 | returnURL | semmle.label | returnURL | +| UrlForwardTest.java:232:17:232:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:236:53:236:56 | path | semmle.label | path | +| UrlForwardTest.java:244:17:244:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:247:53:247:56 | path | semmle.label | path | +| UrlForwardTest.java:255:17:255:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:258:24:258:57 | resolve(...) : Path | semmle.label | resolve(...) : Path | +| UrlForwardTest.java:258:24:258:69 | normalize(...) : Path | semmle.label | normalize(...) : Path | +| UrlForwardTest.java:258:53:258:56 | path : String | semmle.label | path : String | +| UrlForwardTest.java:261:53:261:65 | requestedPath : Path | semmle.label | requestedPath : Path | +| UrlForwardTest.java:261:53:261:76 | toString(...) | semmle.label | toString(...) | +| UrlForwardTest.java:268:17:268:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:270:24:270:57 | resolve(...) : Path | semmle.label | resolve(...) : Path | +| UrlForwardTest.java:270:24:270:69 | normalize(...) : Path | semmle.label | normalize(...) : Path | +| UrlForwardTest.java:270:53:270:56 | path : String | semmle.label | path : String | +| UrlForwardTest.java:273:53:273:65 | requestedPath : Path | semmle.label | requestedPath : Path | +| UrlForwardTest.java:273:53:273:76 | toString(...) | semmle.label | toString(...) | +| UrlForwardTest.java:280:17:280:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:281:10:281:41 | decode(...) : String | semmle.label | decode(...) : String | +| UrlForwardTest.java:281:28:281:31 | path : String | semmle.label | path : String | +| UrlForwardTest.java:284:53:284:56 | path | semmle.label | path | +| UrlForwardTest.java:319:17:319:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:322:54:322:57 | path | semmle.label | path | +| UrlForwardTest.java:355:17:355:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:360:11:360:42 | decode(...) : String | semmle.label | decode(...) : String | +| UrlForwardTest.java:360:29:360:32 | path : String | semmle.label | path : String | +| UrlForwardTest.java:365:53:365:56 | path | semmle.label | path | +| UrlForwardTest.java:371:16:371:41 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| UrlForwardTest.java:372:20:372:22 | url | semmle.label | url | +| UrlForwardTest.java:384:27:384:56 | getParameter(...) | semmle.label | getParameter(...) | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.java b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.java index a1437a692a2f..72ccf2c3b54e 100644 --- a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.java +++ b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.java @@ -25,26 +25,26 @@ public class UrlForwardTest extends HttpServlet implements Filter { // Spring `ModelAndView` test cases @GetMapping("/bad1") - public ModelAndView bad1(String url) { - return new ModelAndView(url); // $ hasTaintFlow + public ModelAndView bad1(String url) { // $ Source + return new ModelAndView(url); // $ Alert } @GetMapping("/bad2") - public ModelAndView bad2(String url) { + public ModelAndView bad2(String url) { // $ Source ModelAndView modelAndView = new ModelAndView(); - modelAndView.setViewName(url); // $ hasTaintFlow + modelAndView.setViewName(url); // $ Alert return modelAndView; } // Spring `"forward:"` prefix test cases @GetMapping("/bad3") - public String bad3(String url) { - return "forward:" + url + "/swagger-ui/index.html"; // $ hasTaintFlow + public String bad3(String url) { // $ Source + return "forward:" + url + "/swagger-ui/index.html"; // $ Alert } @GetMapping("/bad4") - public ModelAndView bad4(String url) { - ModelAndView modelAndView = new ModelAndView("forward:" + url); // $ hasTaintFlow + public ModelAndView bad4(String url) { // $ Source + ModelAndView modelAndView = new ModelAndView("forward:" + url); // $ Alert return modelAndView; } @@ -58,9 +58,9 @@ public ModelAndView redirect(String url) { // `RequestDispatcher` test cases from a Spring `GetMapping` entry point @GetMapping("/bad5") - public void bad5(String url, HttpServletRequest request, HttpServletResponse response) { + public void bad5(String url, HttpServletRequest request, HttpServletResponse response) { // $ Source try { - request.getRequestDispatcher(url).include(request, response); // $ hasTaintFlow + request.getRequestDispatcher(url).include(request, response); // $ Alert } catch (ServletException e) { e.printStackTrace(); } catch (IOException e) { @@ -69,9 +69,9 @@ public void bad5(String url, HttpServletRequest request, HttpServletResponse res } @GetMapping("/bad6") - public void bad6(String url, HttpServletRequest request, HttpServletResponse response) { + public void bad6(String url, HttpServletRequest request, HttpServletResponse response) { // $ Source try { - request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").include(request, response); // $ hasTaintFlow + request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").include(request, response); // $ Alert } catch (ServletException e) { e.printStackTrace(); } catch (IOException e) { @@ -80,9 +80,9 @@ public void bad6(String url, HttpServletRequest request, HttpServletResponse res } @GetMapping("/bad7") - public void bad7(String url, HttpServletRequest request, HttpServletResponse response) { + public void bad7(String url, HttpServletRequest request, HttpServletResponse response) { // $ Source try { - request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").forward(request, response); // $ hasTaintFlow + request.getRequestDispatcher("/WEB-INF/jsp/" + url + ".jsp").forward(request, response); // $ Alert } catch (ServletException e) { e.printStackTrace(); } catch (IOException e) { @@ -103,10 +103,10 @@ public void good1(String url, HttpServletRequest request, HttpServletResponse re // BAD: appended to a prefix without path sanitization @GetMapping("/bad8") - public void bad8(String urlPath, HttpServletRequest request, HttpServletResponse response) { + public void bad8(String urlPath, HttpServletRequest request, HttpServletResponse response) { // $ Source try { String url = "/pages" + urlPath; - request.getRequestDispatcher(url).forward(request, response); // $ hasTaintFlow + request.getRequestDispatcher(url).forward(request, response); // $ Alert } catch (ServletException e) { e.printStackTrace(); } catch (IOException e) { @@ -142,10 +142,10 @@ public void good2(String urlPath, HttpServletRequest request, HttpServletRespons // BAD: Request dispatcher from servlet path without check public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - String path = ((HttpServletRequest) request).getServletPath(); + String path = ((HttpServletRequest) request).getServletPath(); // $ Source // A sample payload "/%57EB-INF/web.xml" can bypass this `startsWith` check if (path != null && !path.startsWith("/WEB-INF")) { - request.getRequestDispatcher(path).forward(request, response); // $ hasTaintFlow + request.getRequestDispatcher(path).forward(request, response); // $ Alert } else { chain.doFilter(request, response); } @@ -155,10 +155,10 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha // the user-supplied path; could bypass check with ".." encoded as "%2e%2e". public void doFilter2(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - String path = ((HttpServletRequest) request).getServletPath(); + String path = ((HttpServletRequest) request).getServletPath(); // $ Source if (path.startsWith(BASE_PATH) && !path.contains("..")) { - request.getRequestDispatcher(path).forward(request, response); // $ hasTaintFlow + request.getRequestDispatcher(path).forward(request, response); // $ Alert } else { chain.doFilter(request, response); } @@ -181,7 +181,7 @@ public void doFilter3(ServletRequest request, ServletResponse response, FilterCh protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String action = request.getParameter("action"); - String returnURL = request.getParameter("returnURL"); + String returnURL = request.getParameter("returnURL"); // $ Source ServletConfig cfg = getServletConfig(); if (action.equals("Login")) { @@ -190,7 +190,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) rd.forward(request, response); } else { ServletContext sc = cfg.getServletContext(); - RequestDispatcher rd = sc.getRequestDispatcher(returnURL); // $ hasTaintFlow + RequestDispatcher rd = sc.getRequestDispatcher(returnURL); // $ Alert rd.forward(request, response); } } @@ -200,13 +200,13 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String action = request.getParameter("action"); - String returnURL = request.getParameter("returnURL"); + String returnURL = request.getParameter("returnURL"); // $ Source if (action.equals("Login")) { RequestDispatcher rd = request.getRequestDispatcher("/Login.jsp"); rd.forward(request, response); } else { - RequestDispatcher rd = request.getRequestDispatcher(returnURL); // $ hasTaintFlow + RequestDispatcher rd = request.getRequestDispatcher(returnURL); // $ Alert rd.forward(request, response); } } @@ -229,11 +229,11 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response) // BAD: Request dispatcher without path traversal check protected void doHead1(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source // A sample payload "/pages/welcome.jsp/../WEB-INF/web.xml" can bypass the `startsWith` check if (path.startsWith(BASE_PATH)) { - request.getServletContext().getRequestDispatcher(path).include(request, response); // $ hasTaintFlow + request.getServletContext().getRequestDispatcher(path).include(request, response); // $ Alert } } @@ -241,10 +241,10 @@ protected void doHead1(HttpServletRequest request, HttpServletResponse response) // the user-supplied path; could bypass check with ".." encoded as "%2e%2e". protected void doHead2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source if (path.startsWith(BASE_PATH) && !path.contains("..")) { - request.getServletContext().getRequestDispatcher(path).include(request, response); // $ hasTaintFlow + request.getServletContext().getRequestDispatcher(path).include(request, response); // $ Alert } } @@ -252,36 +252,36 @@ protected void doHead2(HttpServletRequest request, HttpServletResponse response) // does not decode before normalization. protected void doHead3(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source // Since not decoded before normalization, "%2e%2e" can remain in the path Path requestedPath = Paths.get(BASE_PATH).resolve(path).normalize(); if (requestedPath.startsWith(BASE_PATH)) { - request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response); // $ hasTaintFlow + request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response); // $ Alert } } // BAD: Request dispatcher with negation check and path normalization, but without URL decoding. protected void doHead4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source // Since not decoded before normalization, "/%57EB-INF" can remain in the path and pass the `startsWith` check. Path requestedPath = Paths.get(BASE_PATH).resolve(path).normalize(); if (!requestedPath.startsWith("/WEB-INF") && !requestedPath.startsWith("/META-INF")) { - request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response); // $ hasTaintFlow + request.getServletContext().getRequestDispatcher(requestedPath.toString()).forward(request, response); // $ Alert } } // BAD: Request dispatcher with path traversal check and single URL decoding; may be vulnerable to double-encoding protected void doHead5(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source path = URLDecoder.decode(path, "UTF-8"); if (!path.startsWith("/WEB-INF/") && !path.contains("..")) { - request.getServletContext().getRequestDispatcher(path).include(request, response); // $ hasTaintFlow + request.getServletContext().getRequestDispatcher(path).include(request, response); // $ Alert } } @@ -316,10 +316,10 @@ protected void doHead7(HttpServletRequest request, HttpServletResponse response) // BAD: Request dispatcher without URL decoding before WEB-INF and path traversal checks protected void doHead8(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source if (path.contains("%")){ // incorrect check if (!path.startsWith("/WEB-INF/") && !path.contains("..")) { - request.getServletContext().getRequestDispatcher(path).include(request, response); // $ hasTaintFlow + request.getServletContext().getRequestDispatcher(path).include(request, response); // $ Alert } } } @@ -352,7 +352,7 @@ protected void doHead10(HttpServletRequest request, HttpServletResponse response // GOOD: Request dispatcher with path traversal check and URL decoding in a loop to avoid double-encoding bypass protected void doHead11(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source // FP: we don't currently handle the scenario where the // `path.contains("%")` check is stored in a variable. boolean hasEncoding = path.contains("%"); @@ -362,14 +362,14 @@ protected void doHead11(HttpServletRequest request, HttpServletResponse response } if (!path.startsWith("/WEB-INF/") && !path.contains("..")) { - request.getServletContext().getRequestDispatcher(path).include(request, response); // $ SPURIOUS: hasTaintFlow + request.getServletContext().getRequestDispatcher(path).include(request, response); // $ SPURIOUS: Alert } } // BAD: `StaplerResponse.forward` without any checks public void generateResponse(StaplerRequest req, StaplerResponse rsp, Object obj) throws IOException, ServletException { - String url = req.getParameter("target"); - rsp.forward(obj, url, req); // $ hasTaintFlow + String url = req.getParameter("target"); // $ Source + rsp.forward(obj, url, req); // $ Alert } // QHelp example @@ -381,7 +381,7 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response) ServletContext sc = cfg.getServletContext(); // BAD: a request parameter is incorporated without validation into a URL forward - sc.getRequestDispatcher(request.getParameter("target")).forward(request, response); // $ hasTaintFlow + sc.getRequestDispatcher(request.getParameter("target")).forward(request, response); // $ Alert // GOOD: the request parameter is validated against a known fixed string if (VALID_FORWARD.equals(request.getParameter("target"))) { diff --git a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.ql b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.ql deleted file mode 100644 index f7240bf0c303..000000000000 --- a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.UrlForwardQuery -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.qlref b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.qlref new file mode 100644 index 000000000000..1e8912766b2c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-552/UrlForward.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-611/CdaUtilTests.java b/java/ql/test/query-tests/security/CWE-611/CdaUtilTests.java index 6c19a8424722..ca74ae93521b 100644 --- a/java/ql/test/query-tests/security/CWE-611/CdaUtilTests.java +++ b/java/ql/test/query-tests/security/CWE-611/CdaUtilTests.java @@ -7,17 +7,17 @@ public class CdaUtilTests { public void test(Socket sock) throws Exception { - InputStream is = sock.getInputStream(); + InputStream is = sock.getInputStream(); // $ Source InputSource iSrc = new InputSource(new InputStreamReader(is)); - CDAUtil.load(is); // $ hasTaintFlow - CDAUtil.load(iSrc); // $ hasTaintFlow - CDAUtil.load(is, (CDAUtil.ValidationHandler) null); // $ hasTaintFlow - CDAUtil.load(is, (CDAUtil.LoadHandler) null); // $ hasTaintFlow - CDAUtil.load(null, null, is, null); // $ hasTaintFlow - CDAUtil.load(iSrc, (CDAUtil.ValidationHandler) null); // $ hasTaintFlow - CDAUtil.load(iSrc, (CDAUtil.LoadHandler) null); // $ hasTaintFlow - CDAUtil.load(null, null, iSrc, null); // $ hasTaintFlow - CDAUtil.loadAs(is, null); // $ hasTaintFlow - CDAUtil.loadAs(is, null, null); // $ hasTaintFlow + CDAUtil.load(is); // $ Alert + CDAUtil.load(iSrc); // $ Alert + CDAUtil.load(is, (CDAUtil.ValidationHandler) null); // $ Alert + CDAUtil.load(is, (CDAUtil.LoadHandler) null); // $ Alert + CDAUtil.load(null, null, is, null); // $ Alert + CDAUtil.load(iSrc, (CDAUtil.ValidationHandler) null); // $ Alert + CDAUtil.load(iSrc, (CDAUtil.LoadHandler) null); // $ Alert + CDAUtil.load(null, null, iSrc, null); // $ Alert + CDAUtil.loadAs(is, null); // $ Alert + CDAUtil.loadAs(is, null, null); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/DigesterTests.java b/java/ql/test/query-tests/security/CWE-611/DigesterTests.java index bace07a9b303..fbb3afbdd042 100644 --- a/java/ql/test/query-tests/security/CWE-611/DigesterTests.java +++ b/java/ql/test/query-tests/security/CWE-611/DigesterTests.java @@ -11,9 +11,9 @@ public class DigesterTests { @PostMapping(value = "bad") public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception { - ServletInputStream servletInputStream = request.getInputStream(); + ServletInputStream servletInputStream = request.getInputStream(); // $ Source Digester digester = new Digester(); - digester.parse(servletInputStream); // $ hasTaintFlow + digester.parse(servletInputStream); // $ Alert } @PostMapping(value = "good") diff --git a/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java b/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java index 98d95686301c..f6a8f94cbb0c 100644 --- a/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java +++ b/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java @@ -11,7 +11,7 @@ class DocumentBuilderTests { public void unconfiguredParse(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void disableDTD(Socket sock) throws Exception { @@ -25,7 +25,7 @@ public void enableSecurityFeature(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is + builder.parse(sock.getInputStream()); // $ Alert -- secure-processing by itself is // insufficient } @@ -33,7 +33,7 @@ public void enableSecurityFeature2(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is + builder.parse(sock.getInputStream()); // $ Alert -- secure-processing by itself is // insufficient } @@ -41,14 +41,14 @@ public void enableDTD(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void disableSecurityFeature(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void disableExternalEntities(Socket sock) throws Exception { @@ -63,14 +63,14 @@ public void partialDisableExternalEntities(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void partialDisableExternalEntities2(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void misConfigureExternalEntities1(Socket sock) throws Exception { @@ -78,7 +78,7 @@ public void misConfigureExternalEntities1(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void misConfigureExternalEntities2(Socket sock) throws Exception { @@ -86,22 +86,22 @@ public void misConfigureExternalEntities2(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); factory.setFeature("http://xml.org/sax/features/external-general-entities", true); DocumentBuilder builder = factory.newDocumentBuilder(); - builder.parse(sock.getInputStream()); // $ hasTaintFlow + builder.parse(sock.getInputStream()); // $ Alert } public void taintedSAXInputSource1(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilder builder = factory.newDocumentBuilder(); - SAXSource source = new SAXSource(new InputSource(sock.getInputStream())); - builder.parse(source.getInputSource()); // $ hasTaintFlow + SAXSource source = new SAXSource(new InputSource(sock.getInputStream())); // $ Source + builder.parse(source.getInputSource()); // $ Alert } public void taintedSAXInputSource2(Socket sock) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); DocumentBuilder builder = factory.newDocumentBuilder(); - StreamSource source = new StreamSource(sock.getInputStream()); - builder.parse(SAXSource.sourceToInputSource(source)); // $ hasTaintFlow - builder.parse(source.getInputStream()); // $ hasTaintFlow + StreamSource source = new StreamSource(sock.getInputStream()); // $ Source + builder.parse(SAXSource.sourceToInputSource(source)); // $ Alert + builder.parse(source.getInputStream()); // $ Alert } private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception { diff --git a/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java b/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java index 6b43c224d94f..94aef644106a 100644 --- a/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java +++ b/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java @@ -9,6 +9,6 @@ public class ParserHelperTests { @PostMapping(value = "bad4") public void bad4(HttpServletRequest request) throws Exception { - Document document = ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow + Document document = ParserHelper.loadDocument(request.getInputStream()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java b/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java index 2b25540b85b6..8458d7a5bc20 100644 --- a/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java +++ b/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java @@ -5,7 +5,7 @@ public class SAXBuilderTests { public void unconfiguredSAXBuilder(Socket sock) throws Exception { SAXBuilder builder = new SAXBuilder(); - builder.build(sock.getInputStream()); // $ hasTaintFlow + builder.build(sock.getInputStream()); // $ Alert } public void safeBuilder(Socket sock) throws Exception { @@ -17,6 +17,6 @@ public void safeBuilder(Socket sock) throws Exception { public void misConfiguredBuilder(Socket sock) throws Exception { SAXBuilder builder = new SAXBuilder(); builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - builder.build(sock.getInputStream()); // $ hasTaintFlow + builder.build(sock.getInputStream()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java b/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java index a6de7709aed8..f726fa367017 100644 --- a/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java +++ b/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java @@ -10,7 +10,7 @@ public class SAXParserTests { public void unconfiguredParser(Socket sock) throws Exception { SAXParserFactory factory = SAXParserFactory.newInstance(); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void safeParser(Socket sock) throws Exception { @@ -27,7 +27,7 @@ public void partialConfiguredParser1(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void partialConfiguredParser2(Socket sock) throws Exception { @@ -35,7 +35,7 @@ public void partialConfiguredParser2(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void partialConfiguredParser3(Socket sock) throws Exception { @@ -43,7 +43,7 @@ public void partialConfiguredParser3(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void misConfiguredParser1(Socket sock) throws Exception { @@ -52,7 +52,7 @@ public void misConfiguredParser1(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void misConfiguredParser2(Socket sock) throws Exception { @@ -61,7 +61,7 @@ public void misConfiguredParser2(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void misConfiguredParser3(Socket sock) throws Exception { @@ -70,7 +70,7 @@ public void misConfiguredParser3(Socket sock) throws Exception { factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); SAXParser parser = factory.newSAXParser(); - parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow + parser.parse(sock.getInputStream(), new DefaultHandler()); // $ Alert } public void safeParser2(Socket sock) throws Exception { diff --git a/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java b/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java index f436074f65f5..c30a68c896e0 100644 --- a/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java +++ b/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java @@ -5,7 +5,7 @@ public class SAXReaderTests { public void unconfiguredReader(Socket sock) throws Exception { SAXReader reader = new SAXReader(); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } public void safeReader(Socket sock) throws Exception { @@ -20,21 +20,21 @@ public void partialConfiguredReader1(Socket sock) throws Exception { SAXReader reader = new SAXReader(); reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } public void partialConfiguredReader2(Socket sock) throws Exception { SAXReader reader = new SAXReader(); reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } public void partialConfiguredReader3(Socket sock) throws Exception { SAXReader reader = new SAXReader(); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } public void misConfiguredReader1(Socket sock) throws Exception { @@ -42,7 +42,7 @@ public void misConfiguredReader1(Socket sock) throws Exception { reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); reader.setFeature("http://xml.org/sax/features/external-general-entities", true); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } public void misConfiguredReader2(Socket sock) throws Exception { @@ -50,7 +50,7 @@ public void misConfiguredReader2(Socket sock) throws Exception { reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } public void misConfiguredReader3(Socket sock) throws Exception { @@ -58,6 +58,6 @@ public void misConfiguredReader3(Socket sock) throws Exception { reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true); - reader.read(sock.getInputStream()); // $ hasTaintFlow + reader.read(sock.getInputStream()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java index 721f596457de..1bb67b310c75 100644 --- a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java +++ b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java @@ -14,10 +14,10 @@ public class SAXSourceTests { public void unsafeSource(Socket sock) throws Exception { XMLReader reader = XMLReaderFactory.createXMLReader(); - SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); + SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // $ Source JAXBContext jc = JAXBContext.newInstance(Object.class); Unmarshaller um = jc.createUnmarshaller(); - um.unmarshal(source); // $ hasTaintFlow + um.unmarshal(source); // $ Alert } public void explicitlySafeSource1(Socket sock) throws Exception { diff --git a/java/ql/test/query-tests/security/CWE-611/SchemaTests.java b/java/ql/test/query-tests/security/CWE-611/SchemaTests.java index d98aeb4a3bac..9ed251363930 100644 --- a/java/ql/test/query-tests/security/CWE-611/SchemaTests.java +++ b/java/ql/test/query-tests/security/CWE-611/SchemaTests.java @@ -9,7 +9,7 @@ public class SchemaTests { public void unconfiguredSchemaFactory(Socket sock) throws Exception { SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); - Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert } public void safeSchemaFactory(Socket sock) throws Exception { @@ -22,26 +22,26 @@ public void safeSchemaFactory(Socket sock) throws Exception { public void partialConfiguredSchemaFactory1(Socket sock) throws Exception { SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert } public void partialConfiguredSchemaFactory2(Socket sock) throws Exception { SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); - Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert } public void misConfiguredSchemaFactory1(Socket sock) throws Exception { SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "ab"); - Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert } public void misConfiguredSchemaFactory2(Socket sock) throws Exception { SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "cd"); factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); - Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java b/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java index 65c759acbf4a..d28ec2ca66dc 100644 --- a/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java +++ b/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java @@ -11,145 +11,145 @@ public class SimpleXMLTests { public void persisterValidate1(Socket sock) throws Exception { Persister persister = new Persister(); - persister.validate(this.getClass(), sock.getInputStream()); // $ hasTaintFlow + persister.validate(this.getClass(), sock.getInputStream()); // $ Alert } public void persisterValidate2(Socket sock) throws Exception { Persister persister = new Persister(); - persister.validate(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow + persister.validate(this.getClass(), sock.getInputStream(), true); // $ Alert } public void persisterValidate3(Socket sock) throws Exception { Persister persister = new Persister(); - persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow + persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ Alert } public void persisterValidate4(Socket sock) throws Exception { Persister persister = new Persister(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - persister.validate(this.getClass(), new String(b)); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + persister.validate(this.getClass(), new String(b)); // $ Alert } public void persisterValidate5(Socket sock) throws Exception { Persister persister = new Persister(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - persister.validate(this.getClass(), new String(b), true); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + persister.validate(this.getClass(), new String(b), true); // $ Alert } public void persisterValidate6(Socket sock) throws Exception { Persister persister = new Persister(); - persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow + persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ Alert } public void persisterRead1(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this.getClass(), sock.getInputStream()); // $ hasTaintFlow + persister.read(this.getClass(), sock.getInputStream()); // $ Alert } public void persisterRead2(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow + persister.read(this.getClass(), sock.getInputStream(), true); // $ Alert } public void persisterRead3(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this, sock.getInputStream()); // $ hasTaintFlow + persister.read(this, sock.getInputStream()); // $ Alert } public void persisterRead4(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this, sock.getInputStream(), true); // $ hasTaintFlow + persister.read(this, sock.getInputStream(), true); // $ Alert } public void persisterRead5(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow + persister.read(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ Alert } public void persisterRead6(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow + persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ Alert } public void persisterRead7(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this, new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow + persister.read(this, new InputStreamReader(sock.getInputStream())); // $ Alert } public void persisterRead8(Socket sock) throws Exception { Persister persister = new Persister(); - persister.read(this, new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow + persister.read(this, new InputStreamReader(sock.getInputStream()), true); // $ Alert } public void persisterRead9(Socket sock) throws Exception { Persister persister = new Persister(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - persister.read(this.getClass(), new String(b)); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + persister.read(this.getClass(), new String(b)); // $ Alert } public void persisterRead10(Socket sock) throws Exception { Persister persister = new Persister(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - persister.read(this.getClass(), new String(b), true); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + persister.read(this.getClass(), new String(b), true); // $ Alert } public void persisterRead11(Socket sock) throws Exception { Persister persister = new Persister(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - persister.read(this, new String(b)); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + persister.read(this, new String(b)); // $ Alert } public void persisterRead12(Socket sock) throws Exception { Persister persister = new Persister(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - persister.read(this, new String(b), true); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + persister.read(this, new String(b), true); // $ Alert } public void nodeBuilderRead1(Socket sock) throws Exception { - NodeBuilder.read(sock.getInputStream()); // $ hasTaintFlow + NodeBuilder.read(sock.getInputStream()); // $ Alert } public void nodeBuilderRead2(Socket sock) throws Exception { - NodeBuilder.read(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow + NodeBuilder.read(new InputStreamReader(sock.getInputStream())); // $ Alert } public void documentProviderProvide1(Socket sock) throws Exception { DocumentProvider provider = new DocumentProvider(); - provider.provide(sock.getInputStream()); // $ hasTaintFlow + provider.provide(sock.getInputStream()); // $ Alert } public void documentProviderProvide2(Socket sock) throws Exception { DocumentProvider provider = new DocumentProvider(); - provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow + provider.provide(new InputStreamReader(sock.getInputStream())); // $ Alert } public void streamProviderProvide1(Socket sock) throws Exception { StreamProvider provider = new StreamProvider(); - provider.provide(sock.getInputStream()); // $ hasTaintFlow + provider.provide(sock.getInputStream()); // $ Alert } public void streamProviderProvide2(Socket sock) throws Exception { StreamProvider provider = new StreamProvider(); - provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow + provider.provide(new InputStreamReader(sock.getInputStream())); // $ Alert } public void formatterFormat1(Socket sock) throws Exception { Formatter formatter = new Formatter(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - formatter.format(new String(b), null); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + formatter.format(new String(b), null); // $ Alert } public void formatterFormat2(Socket sock) throws Exception { Formatter formatter = new Formatter(); byte[] b = new byte[] {}; - sock.getInputStream().read(b); - formatter.format(new String(b)); // $ hasTaintFlow + sock.getInputStream().read(b); // $ Source + formatter.format(new String(b)); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/TransformerTests.java b/java/ql/test/query-tests/security/CWE-611/TransformerTests.java index afba1790f0cd..2ad0a29b358f 100644 --- a/java/ql/test/query-tests/security/CWE-611/TransformerTests.java +++ b/java/ql/test/query-tests/security/CWE-611/TransformerTests.java @@ -17,8 +17,8 @@ public class TransformerTests { public void unconfiguredTransformerFactory(Socket sock) throws Exception { TransformerFactory tf = TransformerFactory.newInstance(); Transformer transformer = tf.newTransformer(); - transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow - tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + transformer.transform(new StreamSource(sock.getInputStream()), null); // $ Alert + tf.newTransformer(new StreamSource(sock.getInputStream())); // $ Alert } public void safeTransformerFactory1(Socket sock) throws Exception { @@ -68,16 +68,16 @@ public void partialConfiguredTransformerFactory1(Socket sock) throws Exception { TransformerFactory tf = TransformerFactory.newInstance(); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); Transformer transformer = tf.newTransformer(); - transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow - tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + transformer.transform(new StreamSource(sock.getInputStream()), null); // $ Alert + tf.newTransformer(new StreamSource(sock.getInputStream())); // $ Alert } public void partialConfiguredTransformerFactory2(Socket sock) throws Exception { TransformerFactory tf = TransformerFactory.newInstance(); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = tf.newTransformer(); - transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow - tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + transformer.transform(new StreamSource(sock.getInputStream()), null); // $ Alert + tf.newTransformer(new StreamSource(sock.getInputStream())); // $ Alert } public void misConfiguredTransformerFactory1(Socket sock) throws Exception { @@ -85,8 +85,8 @@ public void misConfiguredTransformerFactory1(Socket sock) throws Exception { Transformer transformer = tf.newTransformer(); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab"); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow - tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + transformer.transform(new StreamSource(sock.getInputStream()), null); // $ Alert + tf.newTransformer(new StreamSource(sock.getInputStream())); // $ Alert } public void misConfiguredTransformerFactory2(Socket sock) throws Exception { @@ -94,13 +94,13 @@ public void misConfiguredTransformerFactory2(Socket sock) throws Exception { Transformer transformer = tf.newTransformer(); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd"); - transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow - tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + transformer.transform(new StreamSource(sock.getInputStream()), null); // $ Alert + tf.newTransformer(new StreamSource(sock.getInputStream())); // $ Alert } public void unconfiguredSAXTransformerFactory(Socket sock) throws Exception { SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); - sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ Alert } public void safeSAXTransformerFactory(Socket sock) throws Exception { @@ -113,31 +113,31 @@ public void safeSAXTransformerFactory(Socket sock) throws Exception { public void partialConfiguredSAXTransformerFactory1(Socket sock) throws Exception { SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ Alert } public void partialConfiguredSAXTransformerFactory2(Socket sock) throws Exception { SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ Alert } public void misConfiguredSAXTransformerFactory1(Socket sock) throws Exception { SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab"); sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ Alert } public void misConfiguredSAXTransformerFactory2(Socket sock) throws Exception { SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd"); - sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow + sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ Alert } public void taintedSAXSource(Socket sock) throws Exception { SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); - sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); // $ hasTaintFlow + sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java b/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java index 54efa567aa3b..7516c08c7d39 100644 --- a/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java +++ b/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java @@ -26,6 +26,6 @@ public void unsafeUnmarshal(Socket sock) throws Exception { SAXParserFactory spf = SAXParserFactory.newInstance(); JAXBContext jc = JAXBContext.newInstance(Object.class); Unmarshaller um = jc.createUnmarshaller(); - um.unmarshal(sock.getInputStream()); // $ hasTaintFlow + um.unmarshal(sock.getInputStream()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java b/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java index 091be21676aa..1464b9c5fc60 100644 --- a/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java +++ b/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java @@ -14,12 +14,12 @@ public class ValidatorTests { @PostMapping(value = "bad") public void bad2(HttpServletRequest request) throws Exception { - ServletInputStream servletInputStream = request.getInputStream(); + ServletInputStream servletInputStream = request.getInputStream(); // $ Source SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); Schema schema = factory.newSchema(); Validator validator = schema.newValidator(); StreamSource source = new StreamSource(servletInputStream); - validator.validate(source); // $ hasTaintFlow + validator.validate(source); // $ Alert } @PostMapping(value = "good") diff --git a/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java b/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java index 8e75ebc14017..a9ced49512e0 100644 --- a/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java +++ b/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java @@ -13,9 +13,9 @@ public class XMLDecoderTests { @PostMapping(value = "bad") public void bad3(HttpServletRequest request) throws Exception { - ServletInputStream servletInputStream = request.getInputStream(); + ServletInputStream servletInputStream = request.getInputStream(); // $ Source XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream); - xmlDecoder.readObject(); // $ hasTaintFlow + xmlDecoder.readObject(); // $ Alert } @PostMapping(value = "good") diff --git a/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java b/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java index 15536b766b72..7cc09df77639 100644 --- a/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java +++ b/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java @@ -13,7 +13,7 @@ public class XMLReaderTests { public void unconfiguredReader(Socket sock) throws Exception { XMLReader reader = XMLReaderFactory.createXMLReader(); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void safeReaderFromConfig1(Socket sock) throws Exception { @@ -53,21 +53,21 @@ public void partialConfiguredXMLReader1(Socket sock) throws Exception { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void partialConfiguredXMLReader2(Socket sock) throws Exception { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void partilaConfiguredXMLReader3(Socket sock) throws Exception { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void misConfiguredXMLReader1(Socket sock) throws Exception { @@ -75,7 +75,7 @@ public void misConfiguredXMLReader1(Socket sock) throws Exception { reader.setFeature("http://xml.org/sax/features/external-general-entities", true); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void misConfiguredXMLReader2(Socket sock) throws Exception { @@ -83,7 +83,7 @@ public void misConfiguredXMLReader2(Socket sock) throws Exception { reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true); reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void misConfiguredXMLReader3(Socket sock) throws Exception { @@ -91,12 +91,12 @@ public void misConfiguredXMLReader3(Socket sock) throws Exception { reader.setFeature("http://xml.org/sax/features/external-general-entities", false); reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } public void misConfiguredXMLReader4(Socket sock) throws Exception { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow + reader.parse(new InputSource(sock.getInputStream())); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java b/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java index 088fdb9afd6e..646222545d72 100644 --- a/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java +++ b/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java @@ -24,7 +24,7 @@ public void unsafeExpressionTests(Socket sock) throws Exception { XPathFactory xFactory = XPathFactory.newInstance(); XPath path = xFactory.newXPath(); XPathExpression expr = path.compile(""); - expr.evaluate(new InputSource(sock.getInputStream())); // $ hasTaintFlow + expr.evaluate(new InputSource(sock.getInputStream())); // $ Alert } public void safeXPathEvaluateTest(Socket sock) throws Exception { @@ -39,6 +39,6 @@ public void safeXPathEvaluateTest(Socket sock) throws Exception { public void unsafeXPathEvaluateTest(Socket sock) throws Exception { XPathFactory xFactory = XPathFactory.newInstance(); XPath path = xFactory.newXPath(); - path.evaluate("", new InputSource(sock.getInputStream())); // $ hasTaintFlow + path.evaluate("", new InputSource(sock.getInputStream())); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected index e69de29bb2d1..463ea4ec8728 100644 --- a/java/ql/test/query-tests/security/CWE-611/XXE.expected +++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected @@ -0,0 +1,428 @@ +#select +| CdaUtilTests.java:12:22:12:23 | is | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:12:22:12:23 | is | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:13:22:13:25 | iSrc | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:13:22:13:25 | iSrc | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:14:22:14:23 | is | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:14:22:14:23 | is | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:15:22:15:23 | is | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:15:22:15:23 | is | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:16:34:16:35 | is | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:16:34:16:35 | is | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:17:22:17:25 | iSrc | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:17:22:17:25 | iSrc | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:18:22:18:25 | iSrc | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:18:22:18:25 | iSrc | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:19:34:19:37 | iSrc | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:19:34:19:37 | iSrc | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:20:24:20:25 | is | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:20:24:20:25 | is | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| CdaUtilTests.java:21:24:21:25 | is | CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:21:24:21:25 | is | XML parsing depends on a $@ without guarding against external entity expansion. | CdaUtilTests.java:10:26:10:46 | getInputStream(...) | user-provided value | +| DigesterTests.java:16:24:16:41 | servletInputStream | DigesterTests.java:14:49:14:72 | getInputStream(...) : ServletInputStream | DigesterTests.java:16:24:16:41 | servletInputStream | XML parsing depends on a $@ without guarding against external entity expansion. | DigesterTests.java:14:49:14:72 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:36:19:36:39 | getInputStream(...) | DocumentBuilderTests.java:36:19:36:39 | getInputStream(...) | DocumentBuilderTests.java:36:19:36:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:36:19:36:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:44:19:44:39 | getInputStream(...) | DocumentBuilderTests.java:44:19:44:39 | getInputStream(...) | DocumentBuilderTests.java:44:19:44:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:44:19:44:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:51:19:51:39 | getInputStream(...) | DocumentBuilderTests.java:51:19:51:39 | getInputStream(...) | DocumentBuilderTests.java:51:19:51:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:51:19:51:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:66:19:66:39 | getInputStream(...) | DocumentBuilderTests.java:66:19:66:39 | getInputStream(...) | DocumentBuilderTests.java:66:19:66:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:66:19:66:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:73:19:73:39 | getInputStream(...) | DocumentBuilderTests.java:73:19:73:39 | getInputStream(...) | DocumentBuilderTests.java:73:19:73:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:73:19:73:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:81:19:81:39 | getInputStream(...) | DocumentBuilderTests.java:81:19:81:39 | getInputStream(...) | DocumentBuilderTests.java:81:19:81:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:81:19:81:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:89:19:89:39 | getInputStream(...) | DocumentBuilderTests.java:89:19:89:39 | getInputStream(...) | DocumentBuilderTests.java:89:19:89:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:89:19:89:39 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:96:19:96:41 | getInputSource(...) | DocumentBuilderTests.java:95:54:95:74 | getInputStream(...) : InputStream | DocumentBuilderTests.java:96:19:96:41 | getInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:95:54:95:74 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:103:19:103:55 | sourceToInputSource(...) | DocumentBuilderTests.java:102:44:102:64 | getInputStream(...) : InputStream | DocumentBuilderTests.java:103:19:103:55 | sourceToInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:102:44:102:64 | getInputStream(...) | user-provided value | +| DocumentBuilderTests.java:104:19:104:41 | getInputStream(...) | DocumentBuilderTests.java:102:44:102:64 | getInputStream(...) : InputStream | DocumentBuilderTests.java:104:19:104:41 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:102:44:102:64 | getInputStream(...) | user-provided value | +| ParserHelperTests.java:12:55:12:78 | getInputStream(...) | ParserHelperTests.java:12:55:12:78 | getInputStream(...) | ParserHelperTests.java:12:55:12:78 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | ParserHelperTests.java:12:55:12:78 | getInputStream(...) | user-provided value | +| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | user-provided value | +| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | user-provided value | +| SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:13:18:13:38 | getInputStream(...) | user-provided value | +| SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:30:18:30:38 | getInputStream(...) | user-provided value | +| SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:38:18:38:38 | getInputStream(...) | user-provided value | +| SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:46:18:46:38 | getInputStream(...) | user-provided value | +| SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user-provided value | +| SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user-provided value | +| SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user-provided value | +| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user-provided value | +| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | XML parsing depends on a $@ without guarding against external entity expansion. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user-provided value | +| SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user-provided value | +| SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user-provided value | +| SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user-provided value | +| SchemaTests.java:38:39:38:77 | new StreamSource(...) | SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:38:56:38:76 | getInputStream(...) | user-provided value | +| SchemaTests.java:45:39:45:77 | new StreamSource(...) | SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:45:56:45:76 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:31:41:31:53 | new String(...) | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:31:41:31:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:38:41:38:53 | new String(...) | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:38:41:38:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:90:37:90:49 | new String(...) | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:90:37:90:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:97:37:97:49 | new String(...) | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:97:37:97:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:104:26:104:38 | new String(...) | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:104:26:104:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:111:26:111:38 | new String(...) | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:111:26:111:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:146:22:146:34 | new String(...) | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:146:22:146:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) | user-provided value | +| SimpleXMLTests.java:153:22:153:34 | new String(...) | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:153:22:153:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) | user-provided value | +| TransformerTests.java:20:27:20:65 | new StreamSource(...) | TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:20:44:20:64 | getInputStream(...) | user-provided value | +| TransformerTests.java:21:23:21:61 | new StreamSource(...) | TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:21:40:21:60 | getInputStream(...) | user-provided value | +| TransformerTests.java:71:27:71:65 | new StreamSource(...) | TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:71:44:71:64 | getInputStream(...) | user-provided value | +| TransformerTests.java:72:23:72:61 | new StreamSource(...) | TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:72:40:72:60 | getInputStream(...) | user-provided value | +| TransformerTests.java:79:27:79:65 | new StreamSource(...) | TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:79:44:79:64 | getInputStream(...) | user-provided value | +| TransformerTests.java:80:23:80:61 | new StreamSource(...) | TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:80:40:80:60 | getInputStream(...) | user-provided value | +| TransformerTests.java:88:27:88:65 | new StreamSource(...) | TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:88:44:88:64 | getInputStream(...) | user-provided value | +| TransformerTests.java:89:23:89:61 | new StreamSource(...) | TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:89:40:89:60 | getInputStream(...) | user-provided value | +| TransformerTests.java:97:27:97:65 | new StreamSource(...) | TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:97:44:97:64 | getInputStream(...) | user-provided value | +| TransformerTests.java:98:23:98:61 | new StreamSource(...) | TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:98:40:98:60 | getInputStream(...) | user-provided value | +| TransformerTests.java:103:21:103:59 | new StreamSource(...) | TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:103:38:103:58 | getInputStream(...) | user-provided value | +| TransformerTests.java:116:21:116:59 | new StreamSource(...) | TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:116:38:116:58 | getInputStream(...) | user-provided value | +| TransformerTests.java:122:21:122:59 | new StreamSource(...) | TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:122:38:122:58 | getInputStream(...) | user-provided value | +| TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user-provided value | +| TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user-provided value | +| TransformerTests.java:141:21:141:73 | new SAXSource(...) | TransformerTests.java:141:51:141:71 | getInputStream(...) : InputStream | TransformerTests.java:141:21:141:73 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:51:141:71 | getInputStream(...) | user-provided value | +| UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | user-provided value | +| ValidatorTests.java:22:28:22:33 | source | ValidatorTests.java:17:49:17:72 | getInputStream(...) : ServletInputStream | ValidatorTests.java:22:28:22:33 | source | XML parsing depends on a $@ without guarding against external entity expansion. | ValidatorTests.java:17:49:17:72 | getInputStream(...) | user-provided value | +| XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XML parsing depends on a $@ without guarding against external entity expansion. | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:70:34:70:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:78:34:78:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:86:34:86:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:94:34:94:54 | getInputStream(...) | user-provided value | +| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:100:34:100:54 | getInputStream(...) | user-provided value | +| XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:27:35:27:55 | getInputStream(...) | user-provided value | +| XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:42:39:42:59 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | user-provided value | +| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | user-provided value | +edges +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:11:66:11:67 | is : InputStream | provenance | Src:MaD:1 | +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:12:22:12:23 | is | provenance | Src:MaD:1 | +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:14:22:14:23 | is | provenance | Src:MaD:1 | +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:15:22:15:23 | is | provenance | Src:MaD:1 | +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:16:34:16:35 | is | provenance | Src:MaD:1 | +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:20:24:20:25 | is | provenance | Src:MaD:1 | +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | CdaUtilTests.java:21:24:21:25 | is | provenance | Src:MaD:1 | +| CdaUtilTests.java:11:28:11:69 | new InputSource(...) : InputSource | CdaUtilTests.java:13:22:13:25 | iSrc | provenance | | +| CdaUtilTests.java:11:28:11:69 | new InputSource(...) : InputSource | CdaUtilTests.java:17:22:17:25 | iSrc | provenance | | +| CdaUtilTests.java:11:28:11:69 | new InputSource(...) : InputSource | CdaUtilTests.java:18:22:18:25 | iSrc | provenance | | +| CdaUtilTests.java:11:28:11:69 | new InputSource(...) : InputSource | CdaUtilTests.java:19:34:19:37 | iSrc | provenance | | +| CdaUtilTests.java:11:44:11:68 | new InputStreamReader(...) : InputStreamReader | CdaUtilTests.java:11:28:11:69 | new InputSource(...) : InputSource | provenance | MaD:13 | +| CdaUtilTests.java:11:66:11:67 | is : InputStream | CdaUtilTests.java:11:44:11:68 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:5 | +| DigesterTests.java:14:49:14:72 | getInputStream(...) : ServletInputStream | DigesterTests.java:16:24:16:41 | servletInputStream | provenance | Src:MaD:2 | +| DocumentBuilderTests.java:95:24:95:76 | new SAXSource(...) : SAXSource | DocumentBuilderTests.java:96:19:96:24 | source : SAXSource | provenance | | +| DocumentBuilderTests.java:95:38:95:75 | new InputSource(...) : InputSource | DocumentBuilderTests.java:95:24:95:76 | new SAXSource(...) : SAXSource | provenance | MaD:7 | +| DocumentBuilderTests.java:95:54:95:74 | getInputStream(...) : InputStream | DocumentBuilderTests.java:95:38:95:75 | new InputSource(...) : InputSource | provenance | Src:MaD:1 MaD:13 | +| DocumentBuilderTests.java:96:19:96:24 | source : SAXSource | DocumentBuilderTests.java:96:19:96:41 | getInputSource(...) | provenance | MaD:9 | +| DocumentBuilderTests.java:102:27:102:65 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:103:49:103:54 | source : StreamSource | provenance | | +| DocumentBuilderTests.java:102:27:102:65 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:104:19:104:24 | source : StreamSource | provenance | | +| DocumentBuilderTests.java:102:44:102:64 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:27:102:65 | new StreamSource(...) : StreamSource | provenance | Src:MaD:1 MaD:11 | +| DocumentBuilderTests.java:103:49:103:54 | source : StreamSource | DocumentBuilderTests.java:103:19:103:55 | sourceToInputSource(...) | provenance | MaD:10 | +| DocumentBuilderTests.java:104:19:104:24 | source : StreamSource | DocumentBuilderTests.java:104:19:104:41 | getInputStream(...) | provenance | MaD:12 | +| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | SAXSourceTests.java:20:18:20:23 | source | provenance | | +| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | provenance | MaD:8 | +| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | provenance | Src:MaD:1 MaD:13 | +| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | SimpleXMLTests.java:31:52:31:52 | b : byte[] | provenance | | +| SimpleXMLTests.java:31:52:31:52 | b : byte[] | SimpleXMLTests.java:31:41:31:53 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | SimpleXMLTests.java:38:52:38:52 | b : byte[] | provenance | | +| SimpleXMLTests.java:38:52:38:52 | b : byte[] | SimpleXMLTests.java:38:41:38:53 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | SimpleXMLTests.java:90:48:90:48 | b : byte[] | provenance | | +| SimpleXMLTests.java:90:48:90:48 | b : byte[] | SimpleXMLTests.java:90:37:90:49 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | SimpleXMLTests.java:97:48:97:48 | b : byte[] | provenance | | +| SimpleXMLTests.java:97:48:97:48 | b : byte[] | SimpleXMLTests.java:97:37:97:49 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | SimpleXMLTests.java:104:37:104:37 | b : byte[] | provenance | | +| SimpleXMLTests.java:104:37:104:37 | b : byte[] | SimpleXMLTests.java:104:26:104:38 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | SimpleXMLTests.java:111:37:111:37 | b : byte[] | provenance | | +| SimpleXMLTests.java:111:37:111:37 | b : byte[] | SimpleXMLTests.java:111:26:111:38 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | provenance | Src:MaD:1 MaD:5 | +| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | SimpleXMLTests.java:146:33:146:33 | b : byte[] | provenance | | +| SimpleXMLTests.java:146:33:146:33 | b : byte[] | SimpleXMLTests.java:146:22:146:34 | new String(...) | provenance | MaD:6 | +| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | provenance | Src:MaD:1 MaD:4 | +| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | SimpleXMLTests.java:153:33:153:33 | b : byte[] | provenance | | +| SimpleXMLTests.java:153:33:153:33 | b : byte[] | SimpleXMLTests.java:153:22:153:34 | new String(...) | provenance | MaD:6 | +| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | provenance | Src:MaD:1 MaD:11 | +| TransformerTests.java:141:35:141:72 | new InputSource(...) : InputSource | TransformerTests.java:141:21:141:73 | new SAXSource(...) | provenance | MaD:7 | +| TransformerTests.java:141:51:141:71 | getInputStream(...) : InputStream | TransformerTests.java:141:35:141:72 | new InputSource(...) : InputSource | provenance | Src:MaD:1 MaD:13 | +| ValidatorTests.java:17:49:17:72 | getInputStream(...) : ServletInputStream | ValidatorTests.java:21:48:21:65 | servletInputStream : ServletInputStream | provenance | Src:MaD:2 | +| ValidatorTests.java:21:31:21:66 | new StreamSource(...) : StreamSource | ValidatorTests.java:22:28:22:33 | source | provenance | | +| ValidatorTests.java:21:48:21:65 | servletInputStream : ServletInputStream | ValidatorTests.java:21:31:21:66 | new StreamSource(...) : StreamSource | provenance | MaD:11 | +| XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | XMLDecoderTests.java:17:48:17:65 | servletInputStream : ServletInputStream | provenance | Src:MaD:2 | +| XMLDecoderTests.java:17:33:17:66 | new XMLDecoder(...) : XMLDecoder | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | provenance | | +| XMLDecoderTests.java:17:48:17:65 | servletInputStream : ServletInputStream | XMLDecoderTests.java:17:33:17:66 | new XMLDecoder(...) : XMLDecoder | provenance | MaD:3 | +| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +| XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | provenance | Src:MaD:1 MaD:13 | +models +| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual | +| 2 | Source: javax.servlet; ServletRequest; false; getInputStream; (); ; ReturnValue; remote; manual | +| 3 | Summary: java.beans; XMLDecoder; false; XMLDecoder; ; ; Argument[0]; Argument[this]; taint; manual | +| 4 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual | +| 5 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual | +| 6 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual | +| 7 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (InputSource); ; Argument[0]; Argument[this]; taint; manual | +| 8 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (XMLReader,InputSource); ; Argument[1]; Argument[this]; taint; manual | +| 9 | Summary: javax.xml.transform.sax; SAXSource; false; getInputSource; ; ; Argument[this]; ReturnValue; taint; manual | +| 10 | Summary: javax.xml.transform.sax; SAXSource; false; sourceToInputSource; ; ; Argument[0]; ReturnValue; taint; manual | +| 11 | Summary: javax.xml.transform.stream; StreamSource; false; StreamSource; ; ; Argument[0]; Argument[this]; taint; manual | +| 12 | Summary: javax.xml.transform.stream; StreamSource; false; getInputStream; ; ; Argument[this]; ReturnValue; taint; manual | +| 13 | Summary: org.xml.sax; InputSource; false; InputSource; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| CdaUtilTests.java:10:26:10:46 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| CdaUtilTests.java:11:28:11:69 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | +| CdaUtilTests.java:11:44:11:68 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader | +| CdaUtilTests.java:11:66:11:67 | is : InputStream | semmle.label | is : InputStream | +| CdaUtilTests.java:12:22:12:23 | is | semmle.label | is | +| CdaUtilTests.java:13:22:13:25 | iSrc | semmle.label | iSrc | +| CdaUtilTests.java:14:22:14:23 | is | semmle.label | is | +| CdaUtilTests.java:15:22:15:23 | is | semmle.label | is | +| CdaUtilTests.java:16:34:16:35 | is | semmle.label | is | +| CdaUtilTests.java:17:22:17:25 | iSrc | semmle.label | iSrc | +| CdaUtilTests.java:18:22:18:25 | iSrc | semmle.label | iSrc | +| CdaUtilTests.java:19:34:19:37 | iSrc | semmle.label | iSrc | +| CdaUtilTests.java:20:24:20:25 | is | semmle.label | is | +| CdaUtilTests.java:21:24:21:25 | is | semmle.label | is | +| DigesterTests.java:14:49:14:72 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream | +| DigesterTests.java:16:24:16:41 | servletInputStream | semmle.label | servletInputStream | +| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:36:19:36:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:44:19:44:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:51:19:51:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:66:19:66:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:73:19:73:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:81:19:81:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:89:19:89:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| DocumentBuilderTests.java:95:24:95:76 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource | +| DocumentBuilderTests.java:95:38:95:75 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | +| DocumentBuilderTests.java:95:54:95:74 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| DocumentBuilderTests.java:96:19:96:24 | source : SAXSource | semmle.label | source : SAXSource | +| DocumentBuilderTests.java:96:19:96:41 | getInputSource(...) | semmle.label | getInputSource(...) | +| DocumentBuilderTests.java:102:27:102:65 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| DocumentBuilderTests.java:102:44:102:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| DocumentBuilderTests.java:103:19:103:55 | sourceToInputSource(...) | semmle.label | sourceToInputSource(...) | +| DocumentBuilderTests.java:103:49:103:54 | source : StreamSource | semmle.label | source : StreamSource | +| DocumentBuilderTests.java:104:19:104:24 | source : StreamSource | semmle.label | source : StreamSource | +| DocumentBuilderTests.java:104:19:104:41 | getInputStream(...) | semmle.label | getInputStream(...) | +| ParserHelperTests.java:12:55:12:78 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:13:18:13:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:30:18:30:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:38:18:38:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:46:18:46:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:55:18:55:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:64:18:64:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXParserTests.java:73:18:73:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) | +| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource | +| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | +| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source | +| SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SchemaTests.java:31:39:31:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SchemaTests.java:38:39:38:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SchemaTests.java:45:39:45:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:31:41:31:53 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:31:52:31:52 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:38:41:38:53 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:38:52:38:52 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:90:37:90:49 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:90:48:90:48 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:97:37:97:49 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:97:48:97:48 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:104:26:104:38 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:104:37:104:37 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:111:26:111:38 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:111:37:111:37 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | semmle.label | getInputStream(...) | +| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | +| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:146:22:146:34 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:146:33:146:33 | b : byte[] | semmle.label | b : byte[] | +| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | +| SimpleXMLTests.java:153:22:153:34 | new String(...) | semmle.label | new String(...) | +| SimpleXMLTests.java:153:33:153:33 | b : byte[] | semmle.label | b : byte[] | +| TransformerTests.java:20:27:20:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:21:23:21:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:71:27:71:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:72:23:72:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:79:27:79:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:80:23:80:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:88:27:88:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:89:23:89:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:97:27:97:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:98:23:98:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:103:21:103:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:116:21:116:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:122:21:122:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:129:21:129:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:136:21:136:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | +| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| TransformerTests.java:141:21:141:73 | new SAXSource(...) | semmle.label | new SAXSource(...) | +| TransformerTests.java:141:35:141:72 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | +| TransformerTests.java:141:51:141:71 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | semmle.label | getInputStream(...) | +| ValidatorTests.java:17:49:17:72 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream | +| ValidatorTests.java:21:31:21:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | +| ValidatorTests.java:21:48:21:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream | +| ValidatorTests.java:22:28:22:33 | source | semmle.label | source | +| XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream | +| XMLDecoderTests.java:17:33:17:66 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder | +| XMLDecoderTests.java:17:48:17:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream | +| XMLDecoderTests.java:18:9:18:18 | xmlDecoder | semmle.label | xmlDecoder | +| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | semmle.label | new InputSource(...) | +| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | semmle.label | new InputSource(...) | +| XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | semmle.label | new InputSource(...) | +| XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | semmle.label | getInputStream(...) | +| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | semmle.label | getInputStream(...) | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.ql b/java/ql/test/query-tests/security/CWE-611/XXE.ql deleted file mode 100644 index 21483d8f658d..000000000000 --- a/java/ql/test/query-tests/security/CWE-611/XXE.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.XxeRemoteQuery -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.qlref b/java/ql/test/query-tests/security/CWE-611/XXE.qlref new file mode 100644 index 000000000000..29f544d9a457 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-611/XXE.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-611/XXE.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java b/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java index a75bcde8c1fe..343b8ec3df06 100644 --- a/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java +++ b/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java @@ -6,8 +6,8 @@ public class XmlInputFactoryTests { public void unconfigureFactory(Socket sock) throws Exception { XMLInputFactory factory = XMLInputFactory.newFactory(); - factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow - factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow + factory.createXMLStreamReader(sock.getInputStream()); // $ Alert + factory.createXMLEventReader(sock.getInputStream()); // $ Alert } public void safeFactory(Socket sock) throws Exception { @@ -21,38 +21,38 @@ public void safeFactory(Socket sock) throws Exception { public void misConfiguredFactory(Socket sock) throws Exception { XMLInputFactory factory = XMLInputFactory.newFactory(); factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); - factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow - factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow + factory.createXMLStreamReader(sock.getInputStream()); // $ Alert + factory.createXMLEventReader(sock.getInputStream()); // $ Alert } public void misConfiguredFactory2(Socket sock) throws Exception { XMLInputFactory factory = XMLInputFactory.newFactory(); factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); - factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow - factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow + factory.createXMLStreamReader(sock.getInputStream()); // $ Alert + factory.createXMLEventReader(sock.getInputStream()); // $ Alert } public void misConfiguredFactory3(Socket sock) throws Exception { XMLInputFactory factory = XMLInputFactory.newFactory(); factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true); factory.setProperty(XMLInputFactory.SUPPORT_DTD, true); - factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow - factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow + factory.createXMLStreamReader(sock.getInputStream()); // $ Alert + factory.createXMLEventReader(sock.getInputStream()); // $ Alert } public void misConfiguredFactory4(Socket sock) throws Exception { XMLInputFactory factory = XMLInputFactory.newFactory(); factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false); factory.setProperty(XMLInputFactory.SUPPORT_DTD, true); - factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow - factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow + factory.createXMLStreamReader(sock.getInputStream()); // $ Alert + factory.createXMLEventReader(sock.getInputStream()); // $ Alert } public void misConfiguredFactory5(Socket sock) throws Exception { XMLInputFactory factory = XMLInputFactory.newFactory(); factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true); factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); - factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow - factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow + factory.createXMLStreamReader(sock.getInputStream()); // $ Alert + factory.createXMLEventReader(sock.getInputStream()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected index e69de29bb2d1..5a460dbde52b 100644 --- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected +++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected @@ -0,0 +1,197 @@ +#select +| XPathInjectionTest.java:91:24:91:33 | expression | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:91:24:91:33 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:91:24:91:33 | expression | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:91:24:91:33 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:92:34:92:43 | expression | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:92:34:92:43 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:92:34:92:43 | expression | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:92:34:92:43 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:93:23:93:82 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:93:23:93:82 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:93:23:93:82 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:93:23:93:82 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:96:28:96:37 | expression | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:96:28:96:37 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:96:28:96:37 | expression | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:96:28:96:37 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:97:38:97:47 | expression | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:97:38:97:47 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:97:38:97:47 | expression | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:97:38:97:47 | expression | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:98:27:98:86 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:98:27:98:86 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:98:27:98:86 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:98:27:98:86 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:107:23:107:27 | query | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:107:23:107:27 | query | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:107:23:107:27 | query | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:107:23:107:27 | query | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:108:27:108:31 | query | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:108:27:108:31 | query | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:108:27:108:31 | query | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:108:27:108:31 | query | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:125:31:125:90 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:125:31:125:90 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:125:31:125:90 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:125:31:125:90 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:126:30:126:89 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:126:30:126:89 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:126:30:126:89 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:126:30:126:89 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:127:59:127:93 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:127:59:127:93 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:128:35:128:94 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:128:35:128:94 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:128:35:128:94 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:128:35:128:94 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:129:26:129:85 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:129:26:129:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:129:26:129:85 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:129:26:129:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:130:32:130:91 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:130:32:130:91 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:130:32:130:91 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:130:32:130:91 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:131:26:131:85 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:131:26:131:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:131:26:131:85 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:131:26:131:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:132:30:132:89 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:132:30:132:89 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:132:30:132:89 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:132:30:132:89 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:134:26:134:85 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:134:26:134:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:134:26:134:85 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:134:26:134:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:135:26:135:85 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:135:26:135:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:135:26:135:85 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:135:26:135:85 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:139:34:139:93 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:139:34:139:93 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:139:34:139:93 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:139:34:139:93 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:140:32:140:91 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:140:32:140:91 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:140:32:140:91 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:140:32:140:91 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:141:38:141:97 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:141:38:141:97 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:141:38:141:97 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:141:38:141:97 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:143:38:143:97 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:143:38:143:97 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:143:38:143:97 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:143:38:143:97 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:144:36:144:95 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:144:36:144:95 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:144:36:144:95 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:144:36:144:95 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:145:42:145:101 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:145:42:145:101 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:145:42:145:101 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:145:42:145:101 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:146:36:146:95 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:146:36:146:95 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:146:36:146:95 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:146:36:146:95 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:147:52:147:111 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:147:52:147:111 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:147:52:147:111 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:147:52:147:111 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:150:39:150:98 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:150:39:150:98 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:150:39:150:98 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:150:39:150:98 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:151:37:151:96 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:151:37:151:96 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:151:37:151:96 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:151:37:151:96 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:152:43:152:102 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:152:43:152:102 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:152:43:152:102 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:152:43:152:102 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:155:33:155:92 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:155:33:155:92 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:155:33:155:92 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:155:33:155:92 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:156:37:156:96 | ... + ... | XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:156:37:156:96 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:77:23:77:50 | getParameter(...) | user-provided value | +| XPathInjectionTest.java:156:37:156:96 | ... + ... | XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:156:37:156:96 | ... + ... | XPath expression depends on a $@. | XPathInjectionTest.java:78:23:78:50 | getParameter(...) | user-provided value | +edges +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:91:24:91:33 | expression | provenance | Src:MaD:24 Sink:MaD:2 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:92:34:92:43 | expression | provenance | Src:MaD:24 Sink:MaD:3 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:93:23:93:82 | ... + ... | provenance | Src:MaD:24 Sink:MaD:1 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:96:28:96:37 | expression | provenance | Src:MaD:24 Sink:MaD:2 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:97:38:97:47 | expression | provenance | Src:MaD:24 Sink:MaD:3 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:98:27:98:86 | ... + ... | provenance | Src:MaD:24 Sink:MaD:1 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:101:19:101:22 | user : String | provenance | Src:MaD:24 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:125:31:125:90 | ... + ... | provenance | Src:MaD:24 Sink:MaD:21 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:126:30:126:89 | ... + ... | provenance | Src:MaD:24 Sink:MaD:20 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:128:35:128:94 | ... + ... | provenance | Src:MaD:24 Sink:MaD:22 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:129:26:129:85 | ... + ... | provenance | Src:MaD:24 Sink:MaD:23 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:130:32:130:91 | ... + ... | provenance | Src:MaD:24 Sink:MaD:19 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:131:26:131:85 | ... + ... | provenance | Src:MaD:24 Sink:MaD:18 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:132:30:132:89 | ... + ... | provenance | Src:MaD:24 Sink:MaD:17 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:134:26:134:85 | ... + ... | provenance | Src:MaD:24 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:135:26:135:85 | ... + ... | provenance | Src:MaD:24 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:139:34:139:93 | ... + ... | provenance | Src:MaD:24 Sink:MaD:9 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:140:32:140:91 | ... + ... | provenance | Src:MaD:24 Sink:MaD:10 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:141:38:141:97 | ... + ... | provenance | Src:MaD:24 Sink:MaD:11 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:143:38:143:97 | ... + ... | provenance | Src:MaD:24 Sink:MaD:12 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:144:36:144:95 | ... + ... | provenance | Src:MaD:24 Sink:MaD:13 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:145:42:145:101 | ... + ... | provenance | Src:MaD:24 Sink:MaD:14 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:146:36:146:95 | ... + ... | provenance | Src:MaD:24 Sink:MaD:15 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:147:52:147:111 | ... + ... | provenance | Src:MaD:24 Sink:MaD:16 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:150:39:150:98 | ... + ... | provenance | Src:MaD:24 Sink:MaD:6 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:151:37:151:96 | ... + ... | provenance | Src:MaD:24 Sink:MaD:7 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:152:43:152:102 | ... + ... | provenance | Src:MaD:24 Sink:MaD:8 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:155:33:155:92 | ... + ... | provenance | Src:MaD:24 Sink:MaD:4 | +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | XPathInjectionTest.java:156:37:156:96 | ... + ... | provenance | Src:MaD:24 Sink:MaD:5 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:91:24:91:33 | expression | provenance | Src:MaD:24 Sink:MaD:2 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:92:34:92:43 | expression | provenance | Src:MaD:24 Sink:MaD:3 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:93:23:93:82 | ... + ... | provenance | Src:MaD:24 Sink:MaD:1 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:96:28:96:37 | expression | provenance | Src:MaD:24 Sink:MaD:2 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:97:38:97:47 | expression | provenance | Src:MaD:24 Sink:MaD:3 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:98:27:98:86 | ... + ... | provenance | Src:MaD:24 Sink:MaD:1 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:103:19:103:22 | pass : String | provenance | Src:MaD:24 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:125:31:125:90 | ... + ... | provenance | Src:MaD:24 Sink:MaD:21 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:126:30:126:89 | ... + ... | provenance | Src:MaD:24 Sink:MaD:20 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:127:59:127:93 | ... + ... | provenance | Src:MaD:24 Sink:MaD:20 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:128:35:128:94 | ... + ... | provenance | Src:MaD:24 Sink:MaD:22 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:129:26:129:85 | ... + ... | provenance | Src:MaD:24 Sink:MaD:23 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:130:32:130:91 | ... + ... | provenance | Src:MaD:24 Sink:MaD:19 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:131:26:131:85 | ... + ... | provenance | Src:MaD:24 Sink:MaD:18 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:132:30:132:89 | ... + ... | provenance | Src:MaD:24 Sink:MaD:17 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:134:26:134:85 | ... + ... | provenance | Src:MaD:24 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:135:26:135:85 | ... + ... | provenance | Src:MaD:24 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:139:34:139:93 | ... + ... | provenance | Src:MaD:24 Sink:MaD:9 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:140:32:140:91 | ... + ... | provenance | Src:MaD:24 Sink:MaD:10 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:141:38:141:97 | ... + ... | provenance | Src:MaD:24 Sink:MaD:11 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:143:38:143:97 | ... + ... | provenance | Src:MaD:24 Sink:MaD:12 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:144:36:144:95 | ... + ... | provenance | Src:MaD:24 Sink:MaD:13 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:145:42:145:101 | ... + ... | provenance | Src:MaD:24 Sink:MaD:14 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:146:36:146:95 | ... + ... | provenance | Src:MaD:24 Sink:MaD:15 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:147:52:147:111 | ... + ... | provenance | Src:MaD:24 Sink:MaD:16 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:150:39:150:98 | ... + ... | provenance | Src:MaD:24 Sink:MaD:6 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:151:37:151:96 | ... + ... | provenance | Src:MaD:24 Sink:MaD:7 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:152:43:152:102 | ... + ... | provenance | Src:MaD:24 Sink:MaD:8 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:155:33:155:92 | ... + ... | provenance | Src:MaD:24 Sink:MaD:4 | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | XPathInjectionTest.java:156:37:156:96 | ... + ... | provenance | Src:MaD:24 Sink:MaD:5 | +| XPathInjectionTest.java:101:9:101:10 | sb [post update] : StringBuffer | XPathInjectionTest.java:105:24:105:25 | sb : StringBuffer | provenance | | +| XPathInjectionTest.java:101:19:101:22 | user : String | XPathInjectionTest.java:101:9:101:10 | sb [post update] : StringBuffer | provenance | MaD:25 | +| XPathInjectionTest.java:103:9:103:10 | sb [post update] : StringBuffer | XPathInjectionTest.java:105:24:105:25 | sb : StringBuffer | provenance | | +| XPathInjectionTest.java:103:19:103:22 | pass : String | XPathInjectionTest.java:103:9:103:10 | sb [post update] : StringBuffer | provenance | MaD:25 | +| XPathInjectionTest.java:105:24:105:25 | sb : StringBuffer | XPathInjectionTest.java:105:24:105:36 | toString(...) : String | provenance | MaD:26 | +| XPathInjectionTest.java:105:24:105:36 | toString(...) : String | XPathInjectionTest.java:107:23:107:27 | query | provenance | Sink:MaD:1 | +| XPathInjectionTest.java:105:24:105:36 | toString(...) : String | XPathInjectionTest.java:108:27:108:31 | query | provenance | Sink:MaD:1 | +models +| 1 | Sink: javax.xml.xpath; XPath; true; compile; ; ; Argument[0]; xpath-injection; manual | +| 2 | Sink: javax.xml.xpath; XPath; true; evaluate; ; ; Argument[0]; xpath-injection; manual | +| 3 | Sink: javax.xml.xpath; XPath; true; evaluateExpression; ; ; Argument[0]; xpath-injection; manual | +| 4 | Sink: org.dom4j.tree; AbstractNode; true; createPattern; ; ; Argument[0]; xpath-injection; manual | +| 5 | Sink: org.dom4j.tree; AbstractNode; true; createXPathFilter; ; ; Argument[0]; xpath-injection; manual | +| 6 | Sink: org.dom4j.util; ProxyDocumentFactory; true; createPattern; ; ; Argument[0]; xpath-injection; manual | +| 7 | Sink: org.dom4j.util; ProxyDocumentFactory; true; createXPath; ; ; Argument[0]; xpath-injection; manual | +| 8 | Sink: org.dom4j.util; ProxyDocumentFactory; true; createXPathFilter; ; ; Argument[0]; xpath-injection; manual | +| 9 | Sink: org.dom4j; DocumentFactory; true; createPattern; ; ; Argument[0]; xpath-injection; manual | +| 10 | Sink: org.dom4j; DocumentFactory; true; createXPath; ; ; Argument[0]; xpath-injection; manual | +| 11 | Sink: org.dom4j; DocumentFactory; true; createXPathFilter; ; ; Argument[0]; xpath-injection; manual | +| 12 | Sink: org.dom4j; DocumentHelper; false; createPattern; ; ; Argument[0]; xpath-injection; manual | +| 13 | Sink: org.dom4j; DocumentHelper; false; createXPath; ; ; Argument[0]; xpath-injection; manual | +| 14 | Sink: org.dom4j; DocumentHelper; false; createXPathFilter; ; ; Argument[0]; xpath-injection; manual | +| 15 | Sink: org.dom4j; DocumentHelper; false; selectNodes; ; ; Argument[0]; xpath-injection; manual | +| 16 | Sink: org.dom4j; DocumentHelper; false; sort; ; ; Argument[1]; xpath-injection; manual | +| 17 | Sink: org.dom4j; Node; true; createXPath; ; ; Argument[0]; xpath-injection; manual | +| 18 | Sink: org.dom4j; Node; true; matches; ; ; Argument[0]; xpath-injection; manual | +| 19 | Sink: org.dom4j; Node; true; numberValueOf; ; ; Argument[0]; xpath-injection; manual | +| 20 | Sink: org.dom4j; Node; true; selectNodes; ; ; Argument[0..1]; xpath-injection; manual | +| 21 | Sink: org.dom4j; Node; true; selectObject; ; ; Argument[0]; xpath-injection; manual | +| 22 | Sink: org.dom4j; Node; true; selectSingleNode; ; ; Argument[0]; xpath-injection; manual | +| 23 | Sink: org.dom4j; Node; true; valueOf; ; ; Argument[0]; xpath-injection; manual | +| 24 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 25 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual | +| 26 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual | +nodes +| XPathInjectionTest.java:77:23:77:50 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| XPathInjectionTest.java:78:23:78:50 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| XPathInjectionTest.java:91:24:91:33 | expression | semmle.label | expression | +| XPathInjectionTest.java:92:34:92:43 | expression | semmle.label | expression | +| XPathInjectionTest.java:93:23:93:82 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:96:28:96:37 | expression | semmle.label | expression | +| XPathInjectionTest.java:97:38:97:47 | expression | semmle.label | expression | +| XPathInjectionTest.java:98:27:98:86 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:101:9:101:10 | sb [post update] : StringBuffer | semmle.label | sb [post update] : StringBuffer | +| XPathInjectionTest.java:101:19:101:22 | user : String | semmle.label | user : String | +| XPathInjectionTest.java:103:9:103:10 | sb [post update] : StringBuffer | semmle.label | sb [post update] : StringBuffer | +| XPathInjectionTest.java:103:19:103:22 | pass : String | semmle.label | pass : String | +| XPathInjectionTest.java:105:24:105:25 | sb : StringBuffer | semmle.label | sb : StringBuffer | +| XPathInjectionTest.java:105:24:105:36 | toString(...) : String | semmle.label | toString(...) : String | +| XPathInjectionTest.java:107:23:107:27 | query | semmle.label | query | +| XPathInjectionTest.java:108:27:108:31 | query | semmle.label | query | +| XPathInjectionTest.java:125:31:125:90 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:126:30:126:89 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:127:59:127:93 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:128:35:128:94 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:129:26:129:85 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:130:32:130:91 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:131:26:131:85 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:132:30:132:89 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:134:26:134:85 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:135:26:135:85 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:139:34:139:93 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:140:32:140:91 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:141:38:141:97 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:143:38:143:97 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:144:36:144:95 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:145:42:145:101 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:146:36:146:95 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:147:52:147:111 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:150:39:150:98 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:151:37:151:96 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:152:43:152:102 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:155:33:155:92 | ... + ... | semmle.label | ... + ... | +| XPathInjectionTest.java:156:37:156:96 | ... + ... | semmle.label | ... + ... | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java index 5631f3a4ae9e..af5d2c11e5ff 100644 --- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java @@ -74,8 +74,8 @@ public String getText() { } public void handle(HttpServletRequest request) throws Exception { - String user = request.getParameter("user"); - String pass = request.getParameter("pass"); + String user = request.getParameter("user"); // $ Source + String pass = request.getParameter("pass"); // $ Source String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']"; final String xmlStr = "" + " " @@ -88,14 +88,14 @@ public void handle(HttpServletRequest request) throws Exception { XPathFactory factory = XPathFactory.newInstance(); XPath xpath = factory.newXPath(); - xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection - xpath.evaluateExpression(expression, xmlSource); // $hasXPathInjection - xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // $ Alert + xpath.evaluateExpression(expression, xmlSource); // $ Alert + xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert XPathImplStub xpathStub = XPathImplStub.getInstance(); - xpathStub.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection - xpathStub.evaluateExpression(expression, xmlSource); // $hasXPathInjection - xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + xpathStub.evaluate(expression, doc, XPathConstants.BOOLEAN); // $ Alert + xpathStub.evaluateExpression(expression, xmlSource); // $ Alert + xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert StringBuffer sb = new StringBuffer("/users/user[@name="); sb.append(user); @@ -104,8 +104,8 @@ public void handle(HttpServletRequest request) throws Exception { sb.append("']"); String query = sb.toString(); - xpath.compile(query); // $hasXPathInjection - xpathStub.compile(query); // $hasXPathInjection + xpath.compile(query); // $ Alert + xpathStub.compile(query); // $ Alert String expression4 = "/users/user[@name=$user and @pass=$pass]"; xpath.setXPathVariableResolver(v -> { @@ -122,38 +122,38 @@ public void handle(HttpServletRequest request) throws Exception { SAXReader reader = new SAXReader(); org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes())); - document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection - document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - - new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $ Alert + document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + + new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert new XPathPattern(new PatternStub(user)); // $ MISSING: hasXPathInjection // Jaxen is not modeled yet DocumentFactory docFactory = DocumentFactory.getInstance(); - docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - docFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - docFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + docFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + docFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert - DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - DocumentHelper.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']", new ArrayList()); // $hasXPathInjection - DocumentHelper.sort(new ArrayList(), "/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + DocumentHelper.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']", new ArrayList()); // $ Alert + DocumentHelper.sort(new ArrayList(), "/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert ProxyDocumentFactoryStub proxyDocFactory = new ProxyDocumentFactoryStub(); - proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - proxyDocFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - proxyDocFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + proxyDocFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + proxyDocFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert Namespace namespace = new Namespace("prefix", "http://some.uri.io"); - namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection - namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection + namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert + namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $ Alert org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext(); svc.setVariableValue("user", user); diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql deleted file mode 100644 index 3c7110d8011f..000000000000 --- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql +++ /dev/null @@ -1,19 +0,0 @@ -import java -import semmle.code.java.dataflow.DataFlow -import semmle.code.java.security.XPathInjectionQuery -import utils.test.InlineExpectationsTest - -module HasXPathInjectionTest implements TestSig { - string getARelevantTag() { result = "hasXPathInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasXPathInjection" and - exists(DataFlow::Node sink | XPathInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.qlref new file mode 100644 index 000000000000..0ea1a794f4c5 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-643/XPathInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java b/java/ql/test/query-tests/security/CWE-730/ExpRedos/ExpRedosTest.java similarity index 100% rename from java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java rename to java/ql/test/query-tests/security/CWE-730/ExpRedos/ExpRedosTest.java diff --git a/java/ql/test/query-tests/security/CWE-730/ReDoS.expected b/java/ql/test/query-tests/security/CWE-730/ExpRedos/ReDoS.expected similarity index 100% rename from java/ql/test/query-tests/security/CWE-730/ReDoS.expected rename to java/ql/test/query-tests/security/CWE-730/ExpRedos/ReDoS.expected diff --git a/java/ql/test/query-tests/security/CWE-730/ReDoS.ql b/java/ql/test/query-tests/security/CWE-730/ExpRedos/ReDoS.ql similarity index 100% rename from java/ql/test/query-tests/security/CWE-730/ReDoS.ql rename to java/ql/test/query-tests/security/CWE-730/ExpRedos/ReDoS.ql diff --git a/java/ql/test/query-tests/security/CWE-730/ExpRedos/options b/java/ql/test/query-tests/security/CWE-730/ExpRedos/options new file mode 100644 index 000000000000..591d7fd827b6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/ExpRedos/options @@ -0,0 +1 @@ +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7 diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolyRedosTest.java b/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolyRedosTest.java new file mode 100644 index 000000000000..34e527456c53 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolyRedosTest.java @@ -0,0 +1,84 @@ +import java.util.regex.Pattern; +import java.util.function.Predicate; +import javax.servlet.http.HttpServletRequest; +import com.google.common.base.Splitter; + +class PolyRedosTest { + void test(HttpServletRequest request) { + String tainted = request.getParameter("inp"); // $ Source + String reg = "0\\.\\d+E?\\d+!"; + Predicate dummyPred = (s -> s.length() % 7 == 0); + + tainted.matches(reg); // $ Alert + tainted.split(reg); // $ Alert + tainted.split(reg, 7); // $ Alert + tainted.replaceAll(reg, "a"); // $ Alert + tainted.replaceFirst(reg, "a"); // $ Alert + Pattern.matches(reg, tainted); // $ Alert + Pattern.compile(reg).matcher(tainted).matches(); // $ Alert + Pattern.compile(reg).split(tainted); // $ Alert + Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ Alert + Pattern.compile(reg).split(tainted, 7); // $ Alert + Pattern.compile(reg).splitAsStream(tainted); // $ Alert + Pattern.compile(reg).asPredicate().test(tainted); // $ Alert + Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ Alert + Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ Alert + + Splitter.on(Pattern.compile(reg)).split(tainted); // $ Alert + Splitter.on(reg).split(tainted); + Splitter.onPattern(reg).split(tainted); // $ Alert + Splitter.onPattern(reg).splitToList(tainted); // $ Alert + Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ Alert + Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ Alert + Splitter.on(";").withKeyValueSeparator(reg).split(tainted); + Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ Alert + + } + + void test2(HttpServletRequest request) { + String tainted = request.getParameter("inp"); // $ Source + + Pattern p1 = Pattern.compile(".*a"); + Pattern p2 = Pattern.compile(".*b"); + + p1.matcher(tainted).matches(); + p2.matcher(tainted).find(); // $ Alert + } + + void test3(HttpServletRequest request) { + String tainted = request.getParameter("inp"); // $ Source + + Pattern p1 = Pattern.compile("ab*b*"); + Pattern p2 = Pattern.compile("cd*d*"); + + p1.matcher(tainted).matches(); // $ Alert + p2.matcher(tainted).find(); + } + + void test4(HttpServletRequest request) { + String tainted = request.getParameter("inp"); // $ Source + + tainted.matches(".*a"); + tainted.replaceAll(".*b", "c"); // $ Alert + } + + static Pattern p3 = Pattern.compile(".*a"); + static Pattern p4 = Pattern.compile(".*b"); + + + void test5(HttpServletRequest request) { + String tainted = request.getParameter("inp"); // $ Source + + p3.asMatchPredicate().test(tainted); + p4.asPredicate().test(tainted); // $ Alert + } + + void test6(HttpServletRequest request) { + Pattern p = Pattern.compile("^a*a*$"); + + p.matcher(request.getParameter("inp")).matches(); // $ Alert + p.matcher(request.getHeader("If-None-Match")).matches(); + p.matcher(request.getRequestURI()).matches(); + p.matcher(request.getCookies()[0].getName()).matches(); + } +} diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolynomialReDoS.expected b/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolynomialReDoS.expected new file mode 100644 index 000000000000..baac0e0596a0 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolynomialReDoS.expected @@ -0,0 +1,85 @@ +#select +| PolyRedosTest.java:12:9:12:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:12:9:12:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:13:9:13:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:13:9:13:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:14:9:14:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:14:9:14:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:15:9:15:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:15:9:15:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:16:9:16:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:16:9:16:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:17:30:17:36 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:17:30:17:36 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:18:38:18:44 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:18:38:18:44 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:19:36:19:42 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:19:36:19:42 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:20:52:20:58 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:20:52:20:58 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:21:36:21:42 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:21:36:21:42 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:22:44:22:50 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:22:44:22:50 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:23:49:23:55 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:23:49:23:55 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:24:92:24:98 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:24:92:24:98 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:25:93:25:99 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:25:93:25:99 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:27:49:27:55 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:27:49:27:55 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:29:39:29:45 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:29:39:29:45 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:30:45:30:51 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:30:45:30:51 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:31:81:31:87 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:31:81:31:87 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:32:69:32:75 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:32:69:32:75 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:34:79:34:85 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:34:79:34:85 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:45:20:45:26 | tainted | PolyRedosTest.java:39:26:39:52 | getParameter(...) : String | PolyRedosTest.java:45:20:45:26 | tainted | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:42:39:42:40 | .* | regular expression | PolyRedosTest.java:39:26:39:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:54:20:54:26 | tainted | PolyRedosTest.java:49:26:49:52 | getParameter(...) : String | PolyRedosTest.java:54:20:54:26 | tainted | This $@ that depends on a $@ may run slow on strings starting with 'a' and with many repetitions of 'b'. | PolyRedosTest.java:51:42:51:43 | b* | regular expression | PolyRedosTest.java:49:26:49:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:62:9:62:15 | tainted | PolyRedosTest.java:59:26:59:52 | getParameter(...) : String | PolyRedosTest.java:62:9:62:15 | tainted | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:62:29:62:30 | .* | regular expression | PolyRedosTest.java:59:26:59:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:73:31:73:37 | tainted | PolyRedosTest.java:70:26:70:52 | getParameter(...) : String | PolyRedosTest.java:73:31:73:37 | tainted | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:66:42:66:43 | .* | regular expression | PolyRedosTest.java:70:26:70:52 | getParameter(...) | user-provided value | +| PolyRedosTest.java:79:19:79:45 | getParameter(...) | PolyRedosTest.java:79:19:79:45 | getParameter(...) | PolyRedosTest.java:79:19:79:45 | getParameter(...) | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:77:41:77:42 | a* | regular expression | PolyRedosTest.java:79:19:79:45 | getParameter(...) | user-provided value | +edges +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:12:9:12:15 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:13:9:13:15 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:14:9:14:15 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:15:9:15:15 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:16:9:16:15 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:17:30:17:36 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:18:38:18:44 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:19:36:19:42 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:20:52:20:58 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:21:36:21:42 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:22:44:22:50 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:23:49:23:55 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:24:92:24:98 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:25:93:25:99 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:27:49:27:55 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:29:39:29:45 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:30:45:30:51 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:31:81:31:87 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:32:69:32:75 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:34:79:34:85 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:39:26:39:52 | getParameter(...) : String | PolyRedosTest.java:45:20:45:26 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:49:26:49:52 | getParameter(...) : String | PolyRedosTest.java:54:20:54:26 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:59:26:59:52 | getParameter(...) : String | PolyRedosTest.java:62:9:62:15 | tainted | provenance | Src:MaD:1 | +| PolyRedosTest.java:70:26:70:52 | getParameter(...) : String | PolyRedosTest.java:73:31:73:37 | tainted | provenance | Src:MaD:1 | +models +| 1 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +nodes +| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PolyRedosTest.java:12:9:12:15 | tainted | semmle.label | tainted | +| PolyRedosTest.java:13:9:13:15 | tainted | semmle.label | tainted | +| PolyRedosTest.java:14:9:14:15 | tainted | semmle.label | tainted | +| PolyRedosTest.java:15:9:15:15 | tainted | semmle.label | tainted | +| PolyRedosTest.java:16:9:16:15 | tainted | semmle.label | tainted | +| PolyRedosTest.java:17:30:17:36 | tainted | semmle.label | tainted | +| PolyRedosTest.java:18:38:18:44 | tainted | semmle.label | tainted | +| PolyRedosTest.java:19:36:19:42 | tainted | semmle.label | tainted | +| PolyRedosTest.java:20:52:20:58 | tainted | semmle.label | tainted | +| PolyRedosTest.java:21:36:21:42 | tainted | semmle.label | tainted | +| PolyRedosTest.java:22:44:22:50 | tainted | semmle.label | tainted | +| PolyRedosTest.java:23:49:23:55 | tainted | semmle.label | tainted | +| PolyRedosTest.java:24:92:24:98 | tainted | semmle.label | tainted | +| PolyRedosTest.java:25:93:25:99 | tainted | semmle.label | tainted | +| PolyRedosTest.java:27:49:27:55 | tainted | semmle.label | tainted | +| PolyRedosTest.java:29:39:29:45 | tainted | semmle.label | tainted | +| PolyRedosTest.java:30:45:30:51 | tainted | semmle.label | tainted | +| PolyRedosTest.java:31:81:31:87 | tainted | semmle.label | tainted | +| PolyRedosTest.java:32:69:32:75 | tainted | semmle.label | tainted | +| PolyRedosTest.java:34:79:34:85 | tainted | semmle.label | tainted | +| PolyRedosTest.java:39:26:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PolyRedosTest.java:45:20:45:26 | tainted | semmle.label | tainted | +| PolyRedosTest.java:49:26:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PolyRedosTest.java:54:20:54:26 | tainted | semmle.label | tainted | +| PolyRedosTest.java:59:26:59:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PolyRedosTest.java:62:9:62:15 | tainted | semmle.label | tainted | +| PolyRedosTest.java:70:26:70:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| PolyRedosTest.java:73:31:73:37 | tainted | semmle.label | tainted | +| PolyRedosTest.java:79:19:79:45 | getParameter(...) | semmle.label | getParameter(...) | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolynomialReDoS.qlref b/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolynomialReDoS.qlref new file mode 100644 index 000000000000..f5dd1d5ca3aa --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolynomialReDoS.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-730/PolynomialReDoS.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedos/options b/java/ql/test/query-tests/security/CWE-730/PolyRedos/options new file mode 100644 index 000000000000..591d7fd827b6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/PolyRedos/options @@ -0,0 +1 @@ +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7 diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java b/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java deleted file mode 100644 index 449311904605..000000000000 --- a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java +++ /dev/null @@ -1,84 +0,0 @@ -import java.util.regex.Pattern; -import java.util.function.Predicate; -import javax.servlet.http.HttpServletRequest; -import com.google.common.base.Splitter; - -class PolyRedosTest { - void test(HttpServletRequest request) { - String tainted = request.getParameter("inp"); - String reg = "0\\.\\d+E?\\d+!"; - Predicate dummyPred = (s -> s.length() % 7 == 0); - - tainted.matches(reg); // $ hasPolyRedos - tainted.split(reg); // $ hasPolyRedos - tainted.split(reg, 7); // $ hasPolyRedos - tainted.replaceAll(reg, "a"); // $ hasPolyRedos - tainted.replaceFirst(reg, "a"); // $ hasPolyRedos - Pattern.matches(reg, tainted); // $ hasPolyRedos - Pattern.compile(reg).matcher(tainted).matches(); // $ hasPolyRedos - Pattern.compile(reg).split(tainted); // $ hasPolyRedos - Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasPolyRedos - Pattern.compile(reg).split(tainted, 7); // $ hasPolyRedos - Pattern.compile(reg).splitAsStream(tainted); // $ hasPolyRedos - Pattern.compile(reg).asPredicate().test(tainted); // $ hasPolyRedos - Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasPolyRedos - Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasPolyRedos - - Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasPolyRedos - Splitter.on(reg).split(tainted); - Splitter.onPattern(reg).split(tainted); // $ hasPolyRedos - Splitter.onPattern(reg).splitToList(tainted); // $ hasPolyRedos - Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasPolyRedos - Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasPolyRedos - Splitter.on(";").withKeyValueSeparator(reg).split(tainted); - Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasPolyRedos - - } - - void test2(HttpServletRequest request) { - String tainted = request.getParameter("inp"); - - Pattern p1 = Pattern.compile(".*a"); - Pattern p2 = Pattern.compile(".*b"); - - p1.matcher(tainted).matches(); - p2.matcher(tainted).find(); // $ hasPolyRedos - } - - void test3(HttpServletRequest request) { - String tainted = request.getParameter("inp"); - - Pattern p1 = Pattern.compile("ab*b*"); - Pattern p2 = Pattern.compile("cd*d*"); - - p1.matcher(tainted).matches(); // $ hasPolyRedos - p2.matcher(tainted).find(); - } - - void test4(HttpServletRequest request) { - String tainted = request.getParameter("inp"); - - tainted.matches(".*a"); - tainted.replaceAll(".*b", "c"); // $ hasPolyRedos - } - - static Pattern p3 = Pattern.compile(".*a"); - static Pattern p4 = Pattern.compile(".*b"); - - - void test5(HttpServletRequest request) { - String tainted = request.getParameter("inp"); - - p3.asMatchPredicate().test(tainted); - p4.asPredicate().test(tainted); // $ hasPolyRedos - } - - void test6(HttpServletRequest request) { - Pattern p = Pattern.compile("^a*a*$"); - - p.matcher(request.getParameter("inp")).matches(); // $ hasPolyRedos - p.matcher(request.getHeader("If-None-Match")).matches(); - p.matcher(request.getRequestURI()).matches(); - p.matcher(request.getCookies()[0].getName()).matches(); - } -} \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.expected b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql deleted file mode 100644 index d8c1a790e70a..000000000000 --- a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql +++ /dev/null @@ -1,18 +0,0 @@ -import utils.test.InlineExpectationsTest -import semmle.code.java.security.regexp.PolynomialReDoSQuery - -module HasPolyRedos implements TestSig { - string getARelevantTag() { result = "hasPolyRedos" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasPolyRedos" and - exists(DataFlow::Node sink | - PolynomialRedosFlow::flowTo(sink) and - location = sink.getLocation() and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.expected b/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.expected new file mode 100644 index 000000000000..9d0c7ec5c8b3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.expected @@ -0,0 +1,102 @@ +#select +| RegexInjectionTest.java:17:26:17:47 | ... + ... | RegexInjectionTest.java:14:22:14:52 | getParameter(...) : String | RegexInjectionTest.java:17:26:17:47 | ... + ... | This regular expression is constructed from a $@. | RegexInjectionTest.java:14:22:14:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:24:24:24:30 | pattern | RegexInjectionTest.java:21:22:21:52 | getParameter(...) : String | RegexInjectionTest.java:24:24:24:30 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:21:22:21:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:31:24:31:30 | pattern | RegexInjectionTest.java:28:22:28:52 | getParameter(...) : String | RegexInjectionTest.java:31:24:31:30 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:28:22:28:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:38:31:38:37 | pattern | RegexInjectionTest.java:35:22:35:52 | getParameter(...) : String | RegexInjectionTest.java:38:31:38:37 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:35:22:35:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:45:29:45:35 | pattern | RegexInjectionTest.java:42:22:42:52 | getParameter(...) : String | RegexInjectionTest.java:45:29:45:35 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:42:22:42:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:52:34:52:40 | pattern | RegexInjectionTest.java:49:22:49:52 | getParameter(...) : String | RegexInjectionTest.java:52:34:52:40 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:49:22:49:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:62:28:62:34 | pattern | RegexInjectionTest.java:59:22:59:52 | getParameter(...) : String | RegexInjectionTest.java:62:28:62:34 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:59:22:59:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:69:28:69:34 | pattern | RegexInjectionTest.java:66:22:66:52 | getParameter(...) : String | RegexInjectionTest.java:69:28:69:34 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:66:22:66:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:76:28:76:34 | pattern | RegexInjectionTest.java:73:22:73:52 | getParameter(...) : String | RegexInjectionTest.java:76:28:76:34 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:73:22:73:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:83:26:83:52 | ... + ... | RegexInjectionTest.java:80:22:80:52 | getParameter(...) : String | RegexInjectionTest.java:83:26:83:52 | ... + ... | This regular expression is constructed from a $@. | RegexInjectionTest.java:80:22:80:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:94:40:94:46 | pattern | RegexInjectionTest.java:91:22:91:52 | getParameter(...) : String | RegexInjectionTest.java:94:40:94:46 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:91:22:91:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:101:42:101:48 | pattern | RegexInjectionTest.java:98:22:98:52 | getParameter(...) : String | RegexInjectionTest.java:101:42:101:48 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:98:22:98:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:108:44:108:50 | pattern | RegexInjectionTest.java:105:22:105:52 | getParameter(...) : String | RegexInjectionTest.java:108:44:108:50 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:105:22:105:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:115:41:115:47 | pattern | RegexInjectionTest.java:112:22:112:52 | getParameter(...) : String | RegexInjectionTest.java:115:41:115:47 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:112:22:112:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:122:43:122:49 | pattern | RegexInjectionTest.java:119:22:119:52 | getParameter(...) : String | RegexInjectionTest.java:122:43:122:49 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:119:22:119:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:137:45:137:51 | pattern | RegexInjectionTest.java:134:22:134:52 | getParameter(...) : String | RegexInjectionTest.java:137:45:137:51 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:134:22:134:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:158:31:158:37 | pattern | RegexInjectionTest.java:157:22:157:52 | getParameter(...) : String | RegexInjectionTest.java:158:31:158:37 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:157:22:157:52 | getParameter(...) | user-provided value | +| RegexInjectionTest.java:164:41:164:47 | pattern | RegexInjectionTest.java:162:22:162:52 | getParameter(...) : String | RegexInjectionTest.java:164:41:164:47 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:162:22:162:52 | getParameter(...) | user-provided value | +edges +| RegexInjectionTest.java:14:22:14:52 | getParameter(...) : String | RegexInjectionTest.java:17:26:17:47 | ... + ... | provenance | Src:MaD:16 Sink:MaD:2 | +| RegexInjectionTest.java:21:22:21:52 | getParameter(...) : String | RegexInjectionTest.java:24:24:24:30 | pattern | provenance | Src:MaD:16 Sink:MaD:5 | +| RegexInjectionTest.java:28:22:28:52 | getParameter(...) : String | RegexInjectionTest.java:31:24:31:30 | pattern | provenance | Src:MaD:16 Sink:MaD:6 | +| RegexInjectionTest.java:35:22:35:52 | getParameter(...) : String | RegexInjectionTest.java:38:31:38:37 | pattern | provenance | Src:MaD:16 Sink:MaD:4 | +| RegexInjectionTest.java:42:22:42:52 | getParameter(...) : String | RegexInjectionTest.java:45:29:45:35 | pattern | provenance | Src:MaD:16 Sink:MaD:3 | +| RegexInjectionTest.java:49:22:49:52 | getParameter(...) : String | RegexInjectionTest.java:52:34:52:40 | pattern | provenance | Src:MaD:16 Sink:MaD:7 | +| RegexInjectionTest.java:59:22:59:52 | getParameter(...) : String | RegexInjectionTest.java:62:28:62:34 | pattern | provenance | Src:MaD:16 Sink:MaD:7 | +| RegexInjectionTest.java:66:22:66:52 | getParameter(...) : String | RegexInjectionTest.java:69:28:69:34 | pattern | provenance | Src:MaD:16 Sink:MaD:8 | +| RegexInjectionTest.java:73:22:73:52 | getParameter(...) : String | RegexInjectionTest.java:76:28:76:34 | pattern | provenance | Src:MaD:16 Sink:MaD:9 | +| RegexInjectionTest.java:80:22:80:52 | getParameter(...) : String | RegexInjectionTest.java:83:36:83:42 | pattern : String | provenance | Src:MaD:16 | +| RegexInjectionTest.java:83:32:83:43 | foo(...) : String | RegexInjectionTest.java:83:26:83:52 | ... + ... | provenance | Sink:MaD:2 | +| RegexInjectionTest.java:83:36:83:42 | pattern : String | RegexInjectionTest.java:83:32:83:43 | foo(...) : String | provenance | | +| RegexInjectionTest.java:83:36:83:42 | pattern : String | RegexInjectionTest.java:86:14:86:23 | str : String | provenance | | +| RegexInjectionTest.java:86:14:86:23 | str : String | RegexInjectionTest.java:87:12:87:14 | str : String | provenance | | +| RegexInjectionTest.java:91:22:91:52 | getParameter(...) : String | RegexInjectionTest.java:94:40:94:46 | pattern | provenance | Src:MaD:16 Sink:MaD:10 | +| RegexInjectionTest.java:98:22:98:52 | getParameter(...) : String | RegexInjectionTest.java:101:42:101:48 | pattern | provenance | Src:MaD:16 Sink:MaD:11 | +| RegexInjectionTest.java:105:22:105:52 | getParameter(...) : String | RegexInjectionTest.java:108:44:108:50 | pattern | provenance | Src:MaD:16 Sink:MaD:12 | +| RegexInjectionTest.java:112:22:112:52 | getParameter(...) : String | RegexInjectionTest.java:115:41:115:47 | pattern | provenance | Src:MaD:16 Sink:MaD:13 | +| RegexInjectionTest.java:119:22:119:52 | getParameter(...) : String | RegexInjectionTest.java:122:43:122:49 | pattern | provenance | Src:MaD:16 Sink:MaD:14 | +| RegexInjectionTest.java:134:22:134:52 | getParameter(...) : String | RegexInjectionTest.java:137:45:137:51 | pattern | provenance | Src:MaD:16 Sink:MaD:15 | +| RegexInjectionTest.java:157:22:157:52 | getParameter(...) : String | RegexInjectionTest.java:158:31:158:37 | pattern | provenance | Src:MaD:16 Sink:MaD:1 | +| RegexInjectionTest.java:162:22:162:52 | getParameter(...) : String | RegexInjectionTest.java:164:41:164:47 | pattern | provenance | Src:MaD:16 Sink:MaD:7 | +models +| 1 | Sink: com.google.common.base; Splitter; false; onPattern; (String); ; Argument[0]; regex-use[]; manual | +| 2 | Sink: java.lang; String; false; matches; (String); ; Argument[0]; regex-use[f-1]; manual | +| 3 | Sink: java.lang; String; false; replaceAll; (String,String); ; Argument[0]; regex-use[-1]; manual | +| 4 | Sink: java.lang; String; false; replaceFirst; (String,String); ; Argument[0]; regex-use[-1]; manual | +| 5 | Sink: java.lang; String; false; split; (String); ; Argument[0]; regex-use[-1]; manual | +| 6 | Sink: java.lang; String; false; split; (String,int); ; Argument[0]; regex-use[-1]; manual | +| 7 | Sink: java.util.regex; Pattern; false; compile; (String); ; Argument[0]; regex-use[]; manual | +| 8 | Sink: java.util.regex; Pattern; false; compile; (String,int); ; Argument[0]; regex-use[]; manual | +| 9 | Sink: java.util.regex; Pattern; false; matches; (String,CharSequence); ; Argument[0]; regex-use[f1]; manual | +| 10 | Sink: org.apache.commons.lang3; RegExUtils; false; removeAll; (String,String); ; Argument[1]; regex-use; manual | +| 11 | Sink: org.apache.commons.lang3; RegExUtils; false; removeFirst; (String,String); ; Argument[1]; regex-use; manual | +| 12 | Sink: org.apache.commons.lang3; RegExUtils; false; removePattern; (String,String); ; Argument[1]; regex-use; manual | +| 13 | Sink: org.apache.commons.lang3; RegExUtils; false; replaceAll; (String,String,String); ; Argument[1]; regex-use; manual | +| 14 | Sink: org.apache.commons.lang3; RegExUtils; false; replaceFirst; (String,String,String); ; Argument[1]; regex-use; manual | +| 15 | Sink: org.apache.commons.lang3; RegExUtils; false; replacePattern; (String,String,String); ; Argument[1]; regex-use; manual | +| 16 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +nodes +| RegexInjectionTest.java:14:22:14:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:17:26:17:47 | ... + ... | semmle.label | ... + ... | +| RegexInjectionTest.java:21:22:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:24:24:24:30 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:28:22:28:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:31:24:31:30 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:35:22:35:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:38:31:38:37 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:42:22:42:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:45:29:45:35 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:49:22:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:52:34:52:40 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:59:22:59:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:62:28:62:34 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:66:22:66:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:69:28:69:34 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:73:22:73:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:76:28:76:34 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:80:22:80:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:83:26:83:52 | ... + ... | semmle.label | ... + ... | +| RegexInjectionTest.java:83:32:83:43 | foo(...) : String | semmle.label | foo(...) : String | +| RegexInjectionTest.java:83:36:83:42 | pattern : String | semmle.label | pattern : String | +| RegexInjectionTest.java:86:14:86:23 | str : String | semmle.label | str : String | +| RegexInjectionTest.java:87:12:87:14 | str : String | semmle.label | str : String | +| RegexInjectionTest.java:91:22:91:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:94:40:94:46 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:98:22:98:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:101:42:101:48 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:105:22:105:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:108:44:108:50 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:112:22:112:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:115:41:115:47 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:119:22:119:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:122:43:122:49 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:134:22:134:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:137:45:137:51 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:157:22:157:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:158:31:158:37 | pattern | semmle.label | pattern | +| RegexInjectionTest.java:162:22:162:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| RegexInjectionTest.java:164:41:164:47 | pattern | semmle.label | pattern | +subpaths +| RegexInjectionTest.java:83:36:83:42 | pattern : String | RegexInjectionTest.java:86:14:86:23 | str : String | RegexInjectionTest.java:87:12:87:14 | str : String | RegexInjectionTest.java:83:32:83:43 | foo(...) : String | diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.java b/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.java similarity index 68% rename from java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.java rename to java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.java index 5c7a3ca05746..c4643de9a779 100644 --- a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.java @@ -11,76 +11,76 @@ public class RegexInjectionTest extends HttpServlet { public boolean string1(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return input.matches("^" + pattern + "=.*$"); // $ hasRegexInjection + return input.matches("^" + pattern + "=.*$"); // $ Alert } public boolean string2(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return input.split(pattern).length > 0; // $ hasRegexInjection + return input.split(pattern).length > 0; // $ Alert } public boolean string3(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return input.split(pattern, 0).length > 0; // $ hasRegexInjection + return input.split(pattern, 0).length > 0; // $ Alert } public boolean string4(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return input.replaceFirst(pattern, "").length() > 0; // $ hasRegexInjection + return input.replaceFirst(pattern, "").length() > 0; // $ Alert } public boolean string5(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return input.replaceAll(pattern, "").length() > 0; // $ hasRegexInjection + return input.replaceAll(pattern, "").length() > 0; // $ Alert } public boolean pattern1(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - Pattern pt = Pattern.compile(pattern); // $ hasRegexInjection + Pattern pt = Pattern.compile(pattern); // $ Alert Matcher matcher = pt.matcher(input); return matcher.find(); } public boolean pattern2(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return Pattern.compile(pattern).matcher(input).matches(); // $ hasRegexInjection + return Pattern.compile(pattern).matcher(input).matches(); // $ Alert } public boolean pattern3(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return Pattern.compile(pattern, 0).matcher(input).matches(); // $ hasRegexInjection + return Pattern.compile(pattern, 0).matcher(input).matches(); // $ Alert } public boolean pattern4(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return Pattern.matches(pattern, input); // $ hasRegexInjection + return Pattern.matches(pattern, input); // $ Alert } public boolean pattern5(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return input.matches("^" + foo(pattern) + "=.*$"); // $ hasRegexInjection + return input.matches("^" + foo(pattern) + "=.*$"); // $ Alert } String foo(String str) { @@ -88,38 +88,38 @@ String foo(String str) { } public boolean apache1(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return RegExUtils.removeAll(input, pattern).length() > 0; // $ hasRegexInjection + return RegExUtils.removeAll(input, pattern).length() > 0; // $ Alert } public boolean apache2(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return RegExUtils.removeFirst(input, pattern).length() > 0; // $ hasRegexInjection + return RegExUtils.removeFirst(input, pattern).length() > 0; // $ Alert } public boolean apache3(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return RegExUtils.removePattern(input, pattern).length() > 0; // $ hasRegexInjection + return RegExUtils.removePattern(input, pattern).length() > 0; // $ Alert } public boolean apache4(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return RegExUtils.replaceAll(input, pattern, "").length() > 0; // $ hasRegexInjection + return RegExUtils.replaceAll(input, pattern, "").length() > 0; // $ Alert } public boolean apache5(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // $ hasRegexInjection + return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // $ Alert } public boolean apache6(javax.servlet.http.HttpServletRequest request) { @@ -131,10 +131,10 @@ public boolean apache6(javax.servlet.http.HttpServletRequest request) { } public boolean apache7(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source String input = request.getParameter("input"); - return RegExUtils.replacePattern(input, pattern, "").length() > 0; // $ hasRegexInjection + return RegExUtils.replacePattern(input, pattern, "").length() > 0; // $ Alert } // test `Pattern.quote` sanitizer @@ -154,13 +154,13 @@ public boolean literalTest(javax.servlet.http.HttpServletRequest request) { } public Splitter guava1(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); - return Splitter.onPattern(pattern); // $ hasRegexInjection + String pattern = request.getParameter("pattern"); // $ Source + return Splitter.onPattern(pattern); // $ Alert } public Splitter guava2(javax.servlet.http.HttpServletRequest request) { - String pattern = request.getParameter("pattern"); + String pattern = request.getParameter("pattern"); // $ Source // sink is `Pattern.compile` - return Splitter.on(Pattern.compile(pattern)); // $ hasRegexInjection + return Splitter.on(Pattern.compile(pattern)); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.qlref new file mode 100644 index 000000000000..613229f956b6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/RegexInjection/RegexInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-730/RegexInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjection/options b/java/ql/test/query-tests/security/CWE-730/RegexInjection/options new file mode 100644 index 000000000000..591d7fd827b6 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-730/RegexInjection/options @@ -0,0 +1 @@ +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7 diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.expected b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql deleted file mode 100644 index cba14c212e98..000000000000 --- a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import utils.test.InlineExpectationsTest -import semmle.code.java.security.regexp.RegexInjectionQuery - -module RegexInjectionTest implements TestSig { - string getARelevantTag() { result = "hasRegexInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasRegexInjection" and - exists(RegexInjectionFlow::PathNode sink | RegexInjectionFlow::flowPath(_, sink) | - location = sink.getNode().getLocation() and - element = sink.getNode().toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-730/options b/java/ql/test/query-tests/security/CWE-730/options deleted file mode 100644 index 884cb21114c3..000000000000 --- a/java/ql/test/query-tests/security/CWE-730/options +++ /dev/null @@ -1 +0,0 @@ -// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7 diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected index e69de29bb2d1..3509f576dfa3 100644 --- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected +++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected @@ -0,0 +1,12 @@ +#select +| RsaWithoutOaepTest.java:5:44:5:62 | "RSA/ECB/NoPadding" | RsaWithoutOaepTest.java:5:44:5:62 | "RSA/ECB/NoPadding" | RsaWithoutOaepTest.java:5:44:5:62 | "RSA/ECB/NoPadding" | This specification is used to $@ without OAEP padding. | RsaWithoutOaepTest.java:5:44:5:62 | "RSA/ECB/NoPadding" | initialize an RSA cipher | +| RsaWithoutOaepTest.java:15:32:15:50 | "RSA/ECB/NoPadding" : String | RsaWithoutOaepTest.java:15:32:15:50 | "RSA/ECB/NoPadding" : String | RsaWithoutOaepTest.java:11:35:11:38 | spec | This specification is used to $@ without OAEP padding. | RsaWithoutOaepTest.java:11:35:11:38 | spec | initialize an RSA cipher | +edges +| RsaWithoutOaepTest.java:10:29:10:39 | spec : String | RsaWithoutOaepTest.java:11:35:11:38 | spec | provenance | | +| RsaWithoutOaepTest.java:15:32:15:50 | "RSA/ECB/NoPadding" : String | RsaWithoutOaepTest.java:10:29:10:39 | spec : String | provenance | | +nodes +| RsaWithoutOaepTest.java:5:44:5:62 | "RSA/ECB/NoPadding" | semmle.label | "RSA/ECB/NoPadding" | +| RsaWithoutOaepTest.java:10:29:10:39 | spec : String | semmle.label | spec : String | +| RsaWithoutOaepTest.java:11:35:11:38 | spec | semmle.label | spec | +| RsaWithoutOaepTest.java:15:32:15:50 | "RSA/ECB/NoPadding" : String | semmle.label | "RSA/ECB/NoPadding" : String | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java index b8a1c73110c5..d953522d76be 100644 --- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java +++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java @@ -2,16 +2,16 @@ class RsaWithoutOaep { public void test() throws Exception { - Cipher rsaBad = Cipher.getInstance("RSA/ECB/NoPadding"); // $hasTaintFlow + Cipher rsaBad = Cipher.getInstance("RSA/ECB/NoPadding"); // $ Alert - Cipher rsaGood = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); + Cipher rsaGood = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); } public Cipher getCipher(String spec) throws Exception { - return Cipher.getInstance(spec); // $hasTaintFlow + return Cipher.getInstance(spec); // $ Sink } public void test2() throws Exception { - Cipher rsa = getCipher("RSA/ECB/NoPadding"); + Cipher rsa = getCipher("RSA/ECB/NoPadding"); // $ Alert } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql deleted file mode 100644 index b91765e6b7cc..000000000000 --- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql +++ /dev/null @@ -1,4 +0,0 @@ -import java -import utils.test.InlineFlowTest -import semmle.code.java.security.RsaWithoutOaepQuery -import TaintFlowTest diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.qlref b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.qlref new file mode 100644 index 000000000000..72ada3ecfc25 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-780/RsaWithoutOaep.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java b/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java index 777bbcb06aac..99f641f11d46 100644 --- a/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java +++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java @@ -13,61 +13,61 @@ @Controller public class OgnlInjection { @RequestMapping - public void testOgnlParseExpression(@RequestParam String expr) throws Exception { + public void testOgnlParseExpression(@RequestParam String expr) throws Exception { // $ Source Object tree = Ognl.parseExpression(expr); - Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection - Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection + Ognl.getValue(tree, new HashMap<>(), new Object()); // $ Alert + Ognl.setValue(tree, new HashMap<>(), new Object()); // $ Alert Node node = (Node) tree; - node.getValue(null, new Object()); // $hasOgnlInjection - node.setValue(null, new Object(), new Object()); // $hasOgnlInjection + node.getValue(null, new Object()); // $ Alert + node.setValue(null, new Object(), new Object()); // $ Alert } @RequestMapping - public void testOgnlCompileExpression(@RequestParam String expr) throws Exception { + public void testOgnlCompileExpression(@RequestParam String expr) throws Exception { // $ Source Node tree = Ognl.compileExpression(null, new Object(), expr); - Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection - Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection + Ognl.getValue(tree, new HashMap<>(), new Object()); // $ Alert + Ognl.setValue(tree, new HashMap<>(), new Object()); // $ Alert - tree.getValue(null, new Object()); // $hasOgnlInjection - tree.setValue(null, new Object(), new Object()); // $hasOgnlInjection + tree.getValue(null, new Object()); // $ Alert + tree.setValue(null, new Object(), new Object()); // $ Alert } @RequestMapping - public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception { - Ognl.getValue(expr, new Object()); // $hasOgnlInjection - Ognl.setValue(expr, new Object(), new Object()); // $hasOgnlInjection + public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception { // $ Source + Ognl.getValue(expr, new Object()); // $ Alert + Ognl.setValue(expr, new Object(), new Object()); // $ Alert } @RequestMapping - public void testStruts(@RequestParam String expr) throws Exception { + public void testStruts(@RequestParam String expr) throws Exception { // $ Source OgnlUtil ognl = new OgnlUtil(); - ognl.getValue(expr, new HashMap<>(), new Object()); // $hasOgnlInjection - ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $hasOgnlInjection - new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $hasOgnlInjection + ognl.getValue(expr, new HashMap<>(), new Object()); // $ Alert + ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $ Alert + new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $ Alert } @RequestMapping - public void testExpressionAccessor(@RequestParam String expr) throws Exception { + public void testExpressionAccessor(@RequestParam String expr) throws Exception { // $ Source Node tree = Ognl.compileExpression(null, new Object(), expr); ExpressionAccessor accessor = tree.getAccessor(); - accessor.get(null, new Object()); // $hasOgnlInjection - accessor.set(null, new Object(), new Object()); // $hasOgnlInjection + accessor.get(null, new Object()); // $ Alert + accessor.set(null, new Object(), new Object()); // $ Alert - Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection - Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection + Ognl.getValue(accessor, null, new Object()); // $ Alert + Ognl.setValue(accessor, null, new Object()); // $ Alert } @RequestMapping - public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception { + public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception { // $ Source Node tree = Ognl.compileExpression(null, new Object(), "\"some safe expression\".toString()"); ExpressionAccessor accessor = tree.getAccessor(); Node taintedTree = Ognl.compileExpression(null, new Object(), expr); accessor.setExpression(taintedTree); - accessor.get(null, new Object()); // $hasOgnlInjection - accessor.set(null, new Object(), new Object()); // $hasOgnlInjection + accessor.get(null, new Object()); // $ Alert + accessor.set(null, new Object(), new Object()); // $ Alert - Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection - Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection + Ognl.getValue(accessor, null, new Object()); // $ Alert + Ognl.setValue(accessor, null, new Object()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.expected b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.expected index e69de29bb2d1..bcdf14e0c2ba 100644 --- a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.expected +++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.expected @@ -0,0 +1,109 @@ +#select +| OgnlInjection.java:18:19:18:22 | tree | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value | +| OgnlInjection.java:19:19:19:22 | tree | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:19:19:19:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value | +| OgnlInjection.java:22:5:22:8 | node | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:22:5:22:8 | node | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value | +| OgnlInjection.java:23:5:23:8 | node | OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:23:5:23:8 | node | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:16:39:16:63 | expr | user-provided value | +| OgnlInjection.java:29:19:29:22 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value | +| OgnlInjection.java:30:19:30:22 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:30:19:30:22 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value | +| OgnlInjection.java:32:5:32:8 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value | +| OgnlInjection.java:33:5:33:8 | tree | OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:33:5:33:8 | tree | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:27:41:27:65 | expr | user-provided value | +| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:37:40:37:64 | expr | user-provided value | +| OgnlInjection.java:39:19:39:22 | expr | OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:39:19:39:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:37:40:37:64 | expr | user-provided value | +| OgnlInjection.java:45:19:45:22 | expr | OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:43:26:43:50 | expr | user-provided value | +| OgnlInjection.java:46:19:46:22 | expr | OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:46:19:46:22 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:43:26:43:50 | expr | user-provided value | +| OgnlInjection.java:47:31:47:34 | expr | OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:47:31:47:34 | expr | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:43:26:43:50 | expr | user-provided value | +| OgnlInjection.java:54:5:54:12 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:54:5:54:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value | +| OgnlInjection.java:55:5:55:12 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:55:5:55:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value | +| OgnlInjection.java:57:19:57:26 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:57:19:57:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value | +| OgnlInjection.java:58:19:58:26 | accessor | OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:58:19:58:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:51:38:51:62 | expr | user-provided value | +| OgnlInjection.java:67:5:67:12 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:67:5:67:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value | +| OgnlInjection.java:68:5:68:12 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:68:5:68:12 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value | +| OgnlInjection.java:70:19:70:26 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:70:19:70:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value | +| OgnlInjection.java:71:19:71:26 | accessor | OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:71:19:71:26 | accessor | OGNL Expression Language statement depends on a $@. | OgnlInjection.java:62:51:62:75 | expr | user-provided value | +edges +| OgnlInjection.java:16:39:16:63 | expr : String | OgnlInjection.java:17:40:17:43 | expr : String | provenance | | +| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | OgnlInjection.java:18:19:18:22 | tree | provenance | Sink:MaD:8 | +| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | OgnlInjection.java:19:19:19:22 | tree | provenance | Sink:MaD:9 | +| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | OgnlInjection.java:21:17:21:27 | (...)... : Object | provenance | | +| OgnlInjection.java:17:40:17:43 | expr : String | OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | provenance | Config | +| OgnlInjection.java:21:17:21:27 | (...)... : Object | OgnlInjection.java:22:5:22:8 | node | provenance | Sink:MaD:6 | +| OgnlInjection.java:21:17:21:27 | (...)... : Object | OgnlInjection.java:23:5:23:8 | node | provenance | Sink:MaD:7 | +| OgnlInjection.java:27:41:27:65 | expr : String | OgnlInjection.java:28:60:28:63 | expr : String | provenance | | +| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:29:19:29:22 | tree | provenance | Sink:MaD:8 | +| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:30:19:30:22 | tree | provenance | Sink:MaD:9 | +| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:32:5:32:8 | tree | provenance | Sink:MaD:6 | +| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | OgnlInjection.java:33:5:33:8 | tree | provenance | Sink:MaD:7 | +| OgnlInjection.java:28:60:28:63 | expr : String | OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | provenance | Config | +| OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | provenance | Sink:MaD:8 | +| OgnlInjection.java:37:40:37:64 | expr : String | OgnlInjection.java:39:19:39:22 | expr | provenance | Sink:MaD:9 | +| OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | provenance | Sink:MaD:2 | +| OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:46:19:46:22 | expr | provenance | Sink:MaD:3 | +| OgnlInjection.java:43:26:43:50 | expr : String | OgnlInjection.java:47:31:47:34 | expr | provenance | Sink:MaD:1 | +| OgnlInjection.java:51:38:51:62 | expr : String | OgnlInjection.java:52:60:52:63 | expr : String | provenance | | +| OgnlInjection.java:52:17:52:64 | compileExpression(...) : Node | OgnlInjection.java:53:35:53:38 | tree : Node | provenance | | +| OgnlInjection.java:52:60:52:63 | expr : String | OgnlInjection.java:52:17:52:64 | compileExpression(...) : Node | provenance | Config | +| OgnlInjection.java:53:35:53:38 | tree : Node | OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | provenance | Config | +| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:54:5:54:12 | accessor | provenance | Sink:MaD:4 | +| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:55:5:55:12 | accessor | provenance | Sink:MaD:5 | +| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:57:19:57:26 | accessor | provenance | Sink:MaD:8 | +| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | OgnlInjection.java:58:19:58:26 | accessor | provenance | Sink:MaD:9 | +| OgnlInjection.java:62:51:62:75 | expr : String | OgnlInjection.java:65:67:65:70 | expr : String | provenance | | +| OgnlInjection.java:65:24:65:71 | compileExpression(...) : Node | OgnlInjection.java:66:28:66:38 | taintedTree : Node | provenance | | +| OgnlInjection.java:65:67:65:70 | expr : String | OgnlInjection.java:65:24:65:71 | compileExpression(...) : Node | provenance | Config | +| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:67:5:67:12 | accessor | provenance | Sink:MaD:4 | +| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:68:5:68:12 | accessor | provenance | Sink:MaD:5 | +| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:70:19:70:26 | accessor | provenance | Sink:MaD:8 | +| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | OgnlInjection.java:71:19:71:26 | accessor | provenance | Sink:MaD:9 | +| OgnlInjection.java:66:28:66:38 | taintedTree : Node | OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | provenance | Config | +models +| 1 | Sink: com.opensymphony.xwork2.ognl; OgnlUtil; false; callMethod; ; ; Argument[0]; ognl-injection; manual | +| 2 | Sink: com.opensymphony.xwork2.ognl; OgnlUtil; false; getValue; ; ; Argument[0]; ognl-injection; manual | +| 3 | Sink: com.opensymphony.xwork2.ognl; OgnlUtil; false; setValue; ; ; Argument[0]; ognl-injection; manual | +| 4 | Sink: ognl.enhance; ExpressionAccessor; true; get; ; ; Argument[this]; ognl-injection; manual | +| 5 | Sink: ognl.enhance; ExpressionAccessor; true; set; ; ; Argument[this]; ognl-injection; manual | +| 6 | Sink: ognl; Node; false; getValue; ; ; Argument[this]; ognl-injection; manual | +| 7 | Sink: ognl; Node; false; setValue; ; ; Argument[this]; ognl-injection; manual | +| 8 | Sink: ognl; Ognl; false; getValue; ; ; Argument[0]; ognl-injection; manual | +| 9 | Sink: ognl; Ognl; false; setValue; ; ; Argument[0]; ognl-injection; manual | +nodes +| OgnlInjection.java:16:39:16:63 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:17:19:17:44 | parseExpression(...) : Object | semmle.label | parseExpression(...) : Object | +| OgnlInjection.java:17:40:17:43 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:18:19:18:22 | tree | semmle.label | tree | +| OgnlInjection.java:19:19:19:22 | tree | semmle.label | tree | +| OgnlInjection.java:21:17:21:27 | (...)... : Object | semmle.label | (...)... : Object | +| OgnlInjection.java:22:5:22:8 | node | semmle.label | node | +| OgnlInjection.java:23:5:23:8 | node | semmle.label | node | +| OgnlInjection.java:27:41:27:65 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:28:17:28:64 | compileExpression(...) : Node | semmle.label | compileExpression(...) : Node | +| OgnlInjection.java:28:60:28:63 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:29:19:29:22 | tree | semmle.label | tree | +| OgnlInjection.java:30:19:30:22 | tree | semmle.label | tree | +| OgnlInjection.java:32:5:32:8 | tree | semmle.label | tree | +| OgnlInjection.java:33:5:33:8 | tree | semmle.label | tree | +| OgnlInjection.java:37:40:37:64 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr | +| OgnlInjection.java:39:19:39:22 | expr | semmle.label | expr | +| OgnlInjection.java:43:26:43:50 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:45:19:45:22 | expr | semmle.label | expr | +| OgnlInjection.java:46:19:46:22 | expr | semmle.label | expr | +| OgnlInjection.java:47:31:47:34 | expr | semmle.label | expr | +| OgnlInjection.java:51:38:51:62 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:52:17:52:64 | compileExpression(...) : Node | semmle.label | compileExpression(...) : Node | +| OgnlInjection.java:52:60:52:63 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:53:35:53:38 | tree : Node | semmle.label | tree : Node | +| OgnlInjection.java:53:35:53:52 | getAccessor(...) : ExpressionAccessor | semmle.label | getAccessor(...) : ExpressionAccessor | +| OgnlInjection.java:54:5:54:12 | accessor | semmle.label | accessor | +| OgnlInjection.java:55:5:55:12 | accessor | semmle.label | accessor | +| OgnlInjection.java:57:19:57:26 | accessor | semmle.label | accessor | +| OgnlInjection.java:58:19:58:26 | accessor | semmle.label | accessor | +| OgnlInjection.java:62:51:62:75 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:65:24:65:71 | compileExpression(...) : Node | semmle.label | compileExpression(...) : Node | +| OgnlInjection.java:65:67:65:70 | expr : String | semmle.label | expr : String | +| OgnlInjection.java:66:5:66:12 | accessor [post update] : ExpressionAccessor | semmle.label | accessor [post update] : ExpressionAccessor | +| OgnlInjection.java:66:28:66:38 | taintedTree : Node | semmle.label | taintedTree : Node | +| OgnlInjection.java:67:5:67:12 | accessor | semmle.label | accessor | +| OgnlInjection.java:68:5:68:12 | accessor | semmle.label | accessor | +| OgnlInjection.java:70:19:70:26 | accessor | semmle.label | accessor | +| OgnlInjection.java:71:19:71:26 | accessor | semmle.label | accessor | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql deleted file mode 100644 index 5957bdf5fa28..000000000000 --- a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.OgnlInjectionQuery -import utils.test.InlineExpectationsTest - -module OgnlInjectionTest implements TestSig { - string getARelevantTag() { result = "hasOgnlInjection" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasOgnlInjection" and - exists(DataFlow::Node sink | OgnlInjectionFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.qlref b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.qlref new file mode 100644 index 000000000000..f27fdc29657f --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-917/OgnlInjection.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java index a3f476ccfec4..0fcb3c129754 100644 --- a/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java @@ -24,38 +24,38 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String sink = request.getParameter("uri"); + String sink = request.getParameter("uri"); // $ Source URI uri = new URI(sink); - HttpGet httpGet = new HttpGet(uri); // $ SSRF + HttpGet httpGet = new HttpGet(uri); // $ Alert HttpGet httpGet2 = new HttpGet(); - httpGet2.setURI(uri); // $ SSRF + httpGet2.setURI(uri); // $ Alert - new HttpHead(uri); // $ SSRF - new HttpPost(uri); // $ SSRF - new HttpPut(uri); // $ SSRF - new HttpDelete(uri); // $ SSRF - new HttpOptions(uri); // $ SSRF - new HttpTrace(uri); // $ SSRF - new HttpPatch(uri); // $ SSRF + new HttpHead(uri); // $ Alert + new HttpPost(uri); // $ Alert + new HttpPut(uri); // $ Alert + new HttpDelete(uri); // $ Alert + new HttpOptions(uri); // $ Alert + new HttpTrace(uri); // $ Alert + new HttpPatch(uri); // $ Alert - new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF - new BasicHttpRequest("GET", uri.toString()); // $ SSRF - new BasicHttpRequest("GET", uri.toString(), null); // $ SSRF + new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ Alert + new BasicHttpRequest("GET", uri.toString()); // $ Alert + new BasicHttpRequest("GET", uri.toString(), null); // $ Alert - new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF - new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ SSRF - new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ SSRF + new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ Alert + new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ Alert + new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ Alert - RequestBuilder.get(uri); // $ SSRF - RequestBuilder.post(uri); // $ SSRF - RequestBuilder.put(uri); // $ SSRF - RequestBuilder.delete(uri); // $ SSRF - RequestBuilder.options(uri); // $ SSRF - RequestBuilder.head(uri); // $ SSRF - RequestBuilder.trace(uri); // $ SSRF - RequestBuilder.patch(uri); // $ SSRF - RequestBuilder.get("").setUri(uri); // $ SSRF + RequestBuilder.get(uri); // $ Alert + RequestBuilder.post(uri); // $ Alert + RequestBuilder.put(uri); // $ Alert + RequestBuilder.delete(uri); // $ Alert + RequestBuilder.options(uri); // $ Alert + RequestBuilder.head(uri); // $ Alert + RequestBuilder.trace(uri); // $ Alert + RequestBuilder.patch(uri); // $ Alert + RequestBuilder.get("").setUri(uri); // $ Alert } catch (Exception e) { // TODO: handle exception diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRFVersion5.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRFVersion5.java index de22dd02fac0..ad9bf4546a98 100644 --- a/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRFVersion5.java +++ b/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRFVersion5.java @@ -38,134 +38,134 @@ protected void doGet1(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String uriSink = request.getParameter("uri"); + String uriSink = request.getParameter("uri"); // $ Source URI uri = new URI(uriSink); - String hostSink = request.getParameter("host"); + String hostSink = request.getParameter("host"); // $ Source HttpHost host = new HttpHost(hostSink); // org.apache.hc.client5.http.async.methods.BasicHttpRequests - BasicHttpRequests.create(Method.CONNECT, host, "path"); // $ SSRF - BasicHttpRequests.create(Method.CONNECT, uri.toString()); // $ SSRF - BasicHttpRequests.create(Method.CONNECT, uri); // $ SSRF - BasicHttpRequests.create("method", uri.toString()); // $ SSRF - BasicHttpRequests.create("method", uri); // $ SSRF + BasicHttpRequests.create(Method.CONNECT, host, "path"); // $ Alert + BasicHttpRequests.create(Method.CONNECT, uri.toString()); // $ Alert + BasicHttpRequests.create(Method.CONNECT, uri); // $ Alert + BasicHttpRequests.create("method", uri.toString()); // $ Alert + BasicHttpRequests.create("method", uri); // $ Alert - BasicHttpRequests.delete(host, "path"); // $ SSRF - BasicHttpRequests.delete(uri.toString()); // $ SSRF - BasicHttpRequests.delete(uri); // $ SSRF + BasicHttpRequests.delete(host, "path"); // $ Alert + BasicHttpRequests.delete(uri.toString()); // $ Alert + BasicHttpRequests.delete(uri); // $ Alert - BasicHttpRequests.get(host, "path"); // $ SSRF - BasicHttpRequests.get(uri.toString()); // $ SSRF - BasicHttpRequests.get(uri); // $ SSRF + BasicHttpRequests.get(host, "path"); // $ Alert + BasicHttpRequests.get(uri.toString()); // $ Alert + BasicHttpRequests.get(uri); // $ Alert - BasicHttpRequests.head(host, "path"); // $ SSRF - BasicHttpRequests.head(uri.toString()); // $ SSRF - BasicHttpRequests.head(uri); // $ SSRF + BasicHttpRequests.head(host, "path"); // $ Alert + BasicHttpRequests.head(uri.toString()); // $ Alert + BasicHttpRequests.head(uri); // $ Alert - BasicHttpRequests.options(host, "path"); // $ SSRF - BasicHttpRequests.options(uri.toString()); // $ SSRF - BasicHttpRequests.options(uri); // $ SSRF + BasicHttpRequests.options(host, "path"); // $ Alert + BasicHttpRequests.options(uri.toString()); // $ Alert + BasicHttpRequests.options(uri); // $ Alert - BasicHttpRequests.patch(host, "path"); // $ SSRF - BasicHttpRequests.patch(uri.toString()); // $ SSRF - BasicHttpRequests.patch(uri); // $ SSRF + BasicHttpRequests.patch(host, "path"); // $ Alert + BasicHttpRequests.patch(uri.toString()); // $ Alert + BasicHttpRequests.patch(uri); // $ Alert - BasicHttpRequests.post(host, "path"); // $ SSRF - BasicHttpRequests.post(uri.toString()); // $ SSRF - BasicHttpRequests.post(uri); // $ SSRF + BasicHttpRequests.post(host, "path"); // $ Alert + BasicHttpRequests.post(uri.toString()); // $ Alert + BasicHttpRequests.post(uri); // $ Alert - BasicHttpRequests.put(host, "path"); // $ SSRF - BasicHttpRequests.put(uri.toString()); // $ SSRF - BasicHttpRequests.put(uri); // $ SSRF + BasicHttpRequests.put(host, "path"); // $ Alert + BasicHttpRequests.put(uri.toString()); // $ Alert + BasicHttpRequests.put(uri); // $ Alert - BasicHttpRequests.trace(host, "path"); // $ SSRF - BasicHttpRequests.trace(uri.toString()); // $ SSRF - BasicHttpRequests.trace(uri); // $ SSRF + BasicHttpRequests.trace(host, "path"); // $ Alert + BasicHttpRequests.trace(uri.toString()); // $ Alert + BasicHttpRequests.trace(uri); // $ Alert // org.apache.hc.client5.http.async.methods.ConfigurableHttpRequest - new ConfigurableHttpRequest("method", host, "path"); // $ SSRF - new ConfigurableHttpRequest("method", uri); // $ SSRF + new ConfigurableHttpRequest("method", host, "path"); // $ Alert + new ConfigurableHttpRequest("method", uri); // $ Alert // org.apache.hc.client5.http.async.methods.SimpleHttpRequest - new SimpleHttpRequest(Method.CONNECT, host, "path"); // $ SSRF - new SimpleHttpRequest(Method.CONNECT, uri); // $ SSRF - new SimpleHttpRequest("method", host, "path"); // $ SSRF - new SimpleHttpRequest("method", uri); // $ SSRF + new SimpleHttpRequest(Method.CONNECT, host, "path"); // $ Alert + new SimpleHttpRequest(Method.CONNECT, uri); // $ Alert + new SimpleHttpRequest("method", host, "path"); // $ Alert + new SimpleHttpRequest("method", uri); // $ Alert - SimpleHttpRequest.create(Method.CONNECT, host, "path"); // $ SSRF - SimpleHttpRequest.create(Method.CONNECT, uri); // $ SSRF - SimpleHttpRequest.create("method", uri.toString()); // $ SSRF - SimpleHttpRequest.create("method", uri); // $ SSRF + SimpleHttpRequest.create(Method.CONNECT, host, "path"); // $ Alert + SimpleHttpRequest.create(Method.CONNECT, uri); // $ Alert + SimpleHttpRequest.create("method", uri.toString()); // $ Alert + SimpleHttpRequest.create("method", uri); // $ Alert // org.apache.hc.client5.http.async.methods.SimpleHttpRequests - SimpleHttpRequests.create(Method.CONNECT, host, "path"); // $ SSRF - SimpleHttpRequests.create(Method.CONNECT, uri.toString()); // $ SSRF - SimpleHttpRequests.create(Method.CONNECT, uri); // $ SSRF - SimpleHttpRequests.create("method", uri.toString()); // $ SSRF - SimpleHttpRequests.create("method", uri); // $ SSRF + SimpleHttpRequests.create(Method.CONNECT, host, "path"); // $ Alert + SimpleHttpRequests.create(Method.CONNECT, uri.toString()); // $ Alert + SimpleHttpRequests.create(Method.CONNECT, uri); // $ Alert + SimpleHttpRequests.create("method", uri.toString()); // $ Alert + SimpleHttpRequests.create("method", uri); // $ Alert - SimpleHttpRequests.delete(host, "path"); // $ SSRF - SimpleHttpRequests.delete(uri.toString()); // $ SSRF - SimpleHttpRequests.delete(uri); // $ SSRF + SimpleHttpRequests.delete(host, "path"); // $ Alert + SimpleHttpRequests.delete(uri.toString()); // $ Alert + SimpleHttpRequests.delete(uri); // $ Alert - SimpleHttpRequests.get(host, "path"); // $ SSRF - SimpleHttpRequests.get(uri.toString()); // $ SSRF - SimpleHttpRequests.get(uri); // $ SSRF + SimpleHttpRequests.get(host, "path"); // $ Alert + SimpleHttpRequests.get(uri.toString()); // $ Alert + SimpleHttpRequests.get(uri); // $ Alert - SimpleHttpRequests.head(host, "path"); // $ SSRF - SimpleHttpRequests.head(uri.toString()); // $ SSRF - SimpleHttpRequests.head(uri); // $ SSRF + SimpleHttpRequests.head(host, "path"); // $ Alert + SimpleHttpRequests.head(uri.toString()); // $ Alert + SimpleHttpRequests.head(uri); // $ Alert - SimpleHttpRequests.options(host, "path"); // $ SSRF - SimpleHttpRequests.options(uri.toString()); // $ SSRF - SimpleHttpRequests.options(uri); // $ SSRF + SimpleHttpRequests.options(host, "path"); // $ Alert + SimpleHttpRequests.options(uri.toString()); // $ Alert + SimpleHttpRequests.options(uri); // $ Alert - SimpleHttpRequests.patch(host, "path"); // $ SSRF - SimpleHttpRequests.patch(uri.toString()); // $ SSRF - SimpleHttpRequests.patch(uri); // $ SSRF + SimpleHttpRequests.patch(host, "path"); // $ Alert + SimpleHttpRequests.patch(uri.toString()); // $ Alert + SimpleHttpRequests.patch(uri); // $ Alert - SimpleHttpRequests.post(host, "path"); // $ SSRF - SimpleHttpRequests.post(uri.toString()); // $ SSRF - SimpleHttpRequests.post(uri); // $ SSRF + SimpleHttpRequests.post(host, "path"); // $ Alert + SimpleHttpRequests.post(uri.toString()); // $ Alert + SimpleHttpRequests.post(uri); // $ Alert - SimpleHttpRequests.put(host, "path"); // $ SSRF - SimpleHttpRequests.put(uri.toString()); // $ SSRF - SimpleHttpRequests.put(uri); // $ SSRF + SimpleHttpRequests.put(host, "path"); // $ Alert + SimpleHttpRequests.put(uri.toString()); // $ Alert + SimpleHttpRequests.put(uri); // $ Alert - SimpleHttpRequests.trace(host, "path"); // $ SSRF - SimpleHttpRequests.trace(uri.toString()); // $ SSRF - SimpleHttpRequests.trace(uri); // $ SSRF + SimpleHttpRequests.trace(host, "path"); // $ Alert + SimpleHttpRequests.trace(uri.toString()); // $ Alert + SimpleHttpRequests.trace(uri); // $ Alert // org.apache.hc.client5.http.async.methods.SimpleRequestBuilder - SimpleRequestBuilder.delete(uri.toString()); // $ SSRF - SimpleRequestBuilder.delete(uri); // $ SSRF + SimpleRequestBuilder.delete(uri.toString()); // $ Alert + SimpleRequestBuilder.delete(uri); // $ Alert - SimpleRequestBuilder.get(uri.toString()); // $ SSRF - SimpleRequestBuilder.get(uri); // $ SSRF + SimpleRequestBuilder.get(uri.toString()); // $ Alert + SimpleRequestBuilder.get(uri); // $ Alert - SimpleRequestBuilder.head(uri.toString()); // $ SSRF - SimpleRequestBuilder.head(uri); // $ SSRF + SimpleRequestBuilder.head(uri.toString()); // $ Alert + SimpleRequestBuilder.head(uri); // $ Alert - SimpleRequestBuilder.options(uri.toString()); // $ SSRF - SimpleRequestBuilder.options(uri); // $ SSRF + SimpleRequestBuilder.options(uri.toString()); // $ Alert + SimpleRequestBuilder.options(uri); // $ Alert - SimpleRequestBuilder.patch(uri.toString()); // $ SSRF - SimpleRequestBuilder.patch(uri); // $ SSRF + SimpleRequestBuilder.patch(uri.toString()); // $ Alert + SimpleRequestBuilder.patch(uri); // $ Alert - SimpleRequestBuilder.post(uri.toString()); // $ SSRF - SimpleRequestBuilder.post(uri); // $ SSRF + SimpleRequestBuilder.post(uri.toString()); // $ Alert + SimpleRequestBuilder.post(uri); // $ Alert - SimpleRequestBuilder.put(uri.toString()); // $ SSRF - SimpleRequestBuilder.put(uri); // $ SSRF + SimpleRequestBuilder.put(uri.toString()); // $ Alert + SimpleRequestBuilder.put(uri); // $ Alert - SimpleRequestBuilder.get().setHttpHost(host); // $ SSRF + SimpleRequestBuilder.get().setHttpHost(host); // $ Alert - SimpleRequestBuilder.get().setUri(uri.toString()); // $ SSRF - SimpleRequestBuilder.get().setUri(uri); // $ SSRF + SimpleRequestBuilder.get().setUri(uri.toString()); // $ Alert + SimpleRequestBuilder.get().setUri(uri); // $ Alert - SimpleRequestBuilder.trace(uri.toString()); // $ SSRF - SimpleRequestBuilder.trace(uri); // $ SSRF + SimpleRequestBuilder.trace(uri.toString()); // $ Alert + SimpleRequestBuilder.trace(uri); // $ Alert } catch (Exception e) { // TODO: handle exception @@ -177,66 +177,66 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String uriSink = request.getParameter("uri"); + String uriSink = request.getParameter("uri"); // $ Source URI uri = new URI(uriSink); // org.apache.hc.client5.http.classic.methods.ClassicHttpRequests - ClassicHttpRequests.create(Method.CONNECT, uri.toString()); // $ SSRF - ClassicHttpRequests.create(Method.CONNECT, uri); // $ SSRF - ClassicHttpRequests.create("method", uri.toString()); // $ SSRF - ClassicHttpRequests.create("method", uri); // $ SSRF + ClassicHttpRequests.create(Method.CONNECT, uri.toString()); // $ Alert + ClassicHttpRequests.create(Method.CONNECT, uri); // $ Alert + ClassicHttpRequests.create("method", uri.toString()); // $ Alert + ClassicHttpRequests.create("method", uri); // $ Alert - ClassicHttpRequests.delete(uri.toString()); // $ SSRF - ClassicHttpRequests.delete(uri); // $ SSRF + ClassicHttpRequests.delete(uri.toString()); // $ Alert + ClassicHttpRequests.delete(uri); // $ Alert - ClassicHttpRequests.get(uri.toString()); // $ SSRF - ClassicHttpRequests.get(uri); // $ SSRF + ClassicHttpRequests.get(uri.toString()); // $ Alert + ClassicHttpRequests.get(uri); // $ Alert - ClassicHttpRequests.head(uri.toString()); // $ SSRF - ClassicHttpRequests.head(uri); // $ SSRF + ClassicHttpRequests.head(uri.toString()); // $ Alert + ClassicHttpRequests.head(uri); // $ Alert - ClassicHttpRequests.options(uri.toString()); // $ SSRF - ClassicHttpRequests.options(uri); // $ SSRF + ClassicHttpRequests.options(uri.toString()); // $ Alert + ClassicHttpRequests.options(uri); // $ Alert - ClassicHttpRequests.patch(uri.toString()); // $ SSRF - ClassicHttpRequests.patch(uri); // $ SSRF + ClassicHttpRequests.patch(uri.toString()); // $ Alert + ClassicHttpRequests.patch(uri); // $ Alert - ClassicHttpRequests.post(uri.toString()); // $ SSRF - ClassicHttpRequests.post(uri); // $ SSRF + ClassicHttpRequests.post(uri.toString()); // $ Alert + ClassicHttpRequests.post(uri); // $ Alert - ClassicHttpRequests.put(uri.toString()); // $ SSRF - ClassicHttpRequests.put(uri); // $ SSRF + ClassicHttpRequests.put(uri.toString()); // $ Alert + ClassicHttpRequests.put(uri); // $ Alert - ClassicHttpRequests.trace(uri.toString()); // $ SSRF - ClassicHttpRequests.trace(uri); // $ SSRF + ClassicHttpRequests.trace(uri.toString()); // $ Alert + ClassicHttpRequests.trace(uri); // $ Alert // org.apache.hc.client5.http.classic.methods.HttpDelete through HttpTrace - new HttpDelete(uri.toString()); // $ SSRF - new HttpDelete(uri); // $ SSRF + new HttpDelete(uri.toString()); // $ Alert + new HttpDelete(uri); // $ Alert - new HttpGet(uri.toString()); // $ SSRF - new HttpGet(uri); // $ SSRF + new HttpGet(uri.toString()); // $ Alert + new HttpGet(uri); // $ Alert - new HttpHead(uri.toString()); // $ SSRF - new HttpHead(uri); // $ SSRF + new HttpHead(uri.toString()); // $ Alert + new HttpHead(uri); // $ Alert - new HttpOptions(uri.toString()); // $ SSRF - new HttpOptions(uri); // $ SSRF + new HttpOptions(uri.toString()); // $ Alert + new HttpOptions(uri); // $ Alert - new HttpPatch(uri.toString()); // $ SSRF - new HttpPatch(uri); // $ SSRF + new HttpPatch(uri.toString()); // $ Alert + new HttpPatch(uri); // $ Alert - new HttpPost(uri.toString()); // $ SSRF - new HttpPost(uri); // $ SSRF + new HttpPost(uri.toString()); // $ Alert + new HttpPost(uri); // $ Alert - new HttpPut(uri.toString()); // $ SSRF - new HttpPut(uri); // $ SSRF + new HttpPut(uri.toString()); // $ Alert + new HttpPut(uri); // $ Alert - new HttpTrace(uri.toString()); // $ SSRF - new HttpTrace(uri); // $ SSRF + new HttpTrace(uri.toString()); // $ Alert + new HttpTrace(uri); // $ Alert // org.apache.hc.client5.http.classic.methods.HttpUriRequestBase - new HttpUriRequestBase("method", uri); // $ SSRF + new HttpUriRequestBase("method", uri); // $ Alert } catch (Exception e) { // TODO: handle exception @@ -248,37 +248,37 @@ protected void doGet3(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String uriSink = request.getParameter("uri"); + String uriSink = request.getParameter("uri"); // $ Source URI uri = new URI(uriSink); // org.apache.hc.client5.http.fluent.Request - Request.create(Method.CONNECT, uri); // $ SSRF - Request.create("method", uri.toString()); // $ SSRF - Request.create("method", uri); // $ SSRF + Request.create(Method.CONNECT, uri); // $ Alert + Request.create("method", uri.toString()); // $ Alert + Request.create("method", uri); // $ Alert - Request.delete(uri.toString()); // $ SSRF - Request.delete(uri); // $ SSRF + Request.delete(uri.toString()); // $ Alert + Request.delete(uri); // $ Alert - Request.get(uri.toString()); // $ SSRF - Request.get(uri); // $ SSRF + Request.get(uri.toString()); // $ Alert + Request.get(uri); // $ Alert - Request.head(uri.toString()); // $ SSRF - Request.head(uri); // $ SSRF + Request.head(uri.toString()); // $ Alert + Request.head(uri); // $ Alert - Request.options(uri.toString()); // $ SSRF - Request.options(uri); // $ SSRF + Request.options(uri.toString()); // $ Alert + Request.options(uri); // $ Alert - Request.patch(uri.toString()); // $ SSRF - Request.patch(uri); // $ SSRF + Request.patch(uri.toString()); // $ Alert + Request.patch(uri); // $ Alert - Request.post(uri.toString()); // $ SSRF - Request.post(uri); // $ SSRF + Request.post(uri.toString()); // $ Alert + Request.post(uri); // $ Alert - Request.put(uri.toString()); // $ SSRF - Request.put(uri); // $ SSRF + Request.put(uri.toString()); // $ Alert + Request.put(uri); // $ Alert - Request.trace(uri.toString()); // $ SSRF - Request.trace(uri); // $ SSRF + Request.trace(uri.toString()); // $ Alert + Request.trace(uri); // $ Alert } catch (Exception e) { // TODO: handle exception @@ -292,26 +292,26 @@ protected void doGet4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String uriSink = request.getParameter("uri"); + String uriSink = request.getParameter("uri"); // $ Source URI uri = new URI(uriSink); - String hostSink = request.getParameter("host"); + String hostSink = request.getParameter("host"); // $ Source HttpHost host = new HttpHost(hostSink); // org.apache.hc.core5.http.impl.bootstrap HttpAsyncRequester httpAsyncReq = new HttpAsyncRequester(null, null, null, null, null, null); - httpAsyncReq.connect(host, null); // $ SSRF - httpAsyncReq.connect(host, null, null, null); // $ SSRF + httpAsyncReq.connect(host, null); // $ Alert + httpAsyncReq.connect(host, null, null, null); // $ Alert // org.apache.hc.core5.http.impl.io DefaultClassicHttpRequestFactory defClassicHttpReqFact = new DefaultClassicHttpRequestFactory(); - defClassicHttpReqFact.newHttpRequest("method", uri.toString()); // $ SSRF - defClassicHttpReqFact.newHttpRequest("method", uri); // $ SSRF + defClassicHttpReqFact.newHttpRequest("method", uri.toString()); // $ Alert + defClassicHttpReqFact.newHttpRequest("method", uri); // $ Alert // org.apache.hc.core5.http.impl.nio DefaultHttpRequestFactory defHttpReqFact = new DefaultHttpRequestFactory(); - defHttpReqFact.newHttpRequest("method", uri.toString()); // $ SSRF - defHttpReqFact.newHttpRequest("method", uri); // $ SSRF + defHttpReqFact.newHttpRequest("method", uri.toString()); // $ Alert + defHttpReqFact.newHttpRequest("method", uri); // $ Alert } catch (Exception e) { // TODO: handle exception @@ -323,41 +323,41 @@ protected void doGet5(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String uriSink = request.getParameter("uri"); + String uriSink = request.getParameter("uri"); // $ Source URI uri = new URI(uriSink); - String hostSink = request.getParameter("host"); + String hostSink = request.getParameter("host"); // $ Source HttpHost host = new HttpHost(hostSink); // org.apache.hc.core5.http.io.support.ClassicRequestBuilder - ClassicRequestBuilder.delete(uri.toString()); // $ SSRF - ClassicRequestBuilder.delete(uri); // $ SSRF + ClassicRequestBuilder.delete(uri.toString()); // $ Alert + ClassicRequestBuilder.delete(uri); // $ Alert - ClassicRequestBuilder.get(uri.toString()); // $ SSRF - ClassicRequestBuilder.get(uri); // $ SSRF + ClassicRequestBuilder.get(uri.toString()); // $ Alert + ClassicRequestBuilder.get(uri); // $ Alert - ClassicRequestBuilder.head(uri.toString()); // $ SSRF - ClassicRequestBuilder.head(uri); // $ SSRF + ClassicRequestBuilder.head(uri.toString()); // $ Alert + ClassicRequestBuilder.head(uri); // $ Alert - ClassicRequestBuilder.options(uri.toString()); // $ SSRF - ClassicRequestBuilder.options(uri); // $ SSRF + ClassicRequestBuilder.options(uri.toString()); // $ Alert + ClassicRequestBuilder.options(uri); // $ Alert - ClassicRequestBuilder.patch(uri.toString()); // $ SSRF - ClassicRequestBuilder.patch(uri); // $ SSRF + ClassicRequestBuilder.patch(uri.toString()); // $ Alert + ClassicRequestBuilder.patch(uri); // $ Alert - ClassicRequestBuilder.post(uri.toString()); // $ SSRF - ClassicRequestBuilder.post(uri); // $ SSRF + ClassicRequestBuilder.post(uri.toString()); // $ Alert + ClassicRequestBuilder.post(uri); // $ Alert - ClassicRequestBuilder.put(uri.toString()); // $ SSRF - ClassicRequestBuilder.put(uri); // $ SSRF + ClassicRequestBuilder.put(uri.toString()); // $ Alert + ClassicRequestBuilder.put(uri); // $ Alert - ClassicRequestBuilder.get().setHttpHost(host); // $ SSRF + ClassicRequestBuilder.get().setHttpHost(host); // $ Alert - ClassicRequestBuilder.get().setUri(uri.toString()); // $ SSRF - ClassicRequestBuilder.get().setUri(uri); // $ SSRF + ClassicRequestBuilder.get().setUri(uri.toString()); // $ Alert + ClassicRequestBuilder.get().setUri(uri); // $ Alert - ClassicRequestBuilder.trace(uri.toString()); // $ SSRF - ClassicRequestBuilder.trace(uri); // $ SSRF + ClassicRequestBuilder.trace(uri.toString()); // $ Alert + ClassicRequestBuilder.trace(uri); // $ Alert } catch (Exception e) { // TODO: handle exception @@ -369,29 +369,29 @@ protected void doGet6(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String uriSink = request.getParameter("uri"); + String uriSink = request.getParameter("uri"); // $ Source URI uri = new URI(uriSink); - String hostSink = request.getParameter("host"); + String hostSink = request.getParameter("host"); // $ Source HttpHost host = new HttpHost(hostSink); // BasicClassicHttpRequest - new BasicClassicHttpRequest(Method.CONNECT, host, "path"); // $ SSRF - new BasicClassicHttpRequest(Method.CONNECT, uri); // $ SSRF - new BasicClassicHttpRequest("method", host, "path"); // $ SSRF - new BasicClassicHttpRequest("method", uri); // $ SSRF + new BasicClassicHttpRequest(Method.CONNECT, host, "path"); // $ Alert + new BasicClassicHttpRequest(Method.CONNECT, uri); // $ Alert + new BasicClassicHttpRequest("method", host, "path"); // $ Alert + new BasicClassicHttpRequest("method", uri); // $ Alert // BasicHttpRequest - new BasicHttpRequest(Method.CONNECT, host, "path"); // $ SSRF - new BasicHttpRequest(Method.CONNECT, uri); // $ SSRF - new BasicHttpRequest("method", host, "path"); // $ SSRF - new BasicHttpRequest("method", uri); // $ SSRF + new BasicHttpRequest(Method.CONNECT, host, "path"); // $ Alert + new BasicHttpRequest(Method.CONNECT, uri); // $ Alert + new BasicHttpRequest("method", host, "path"); // $ Alert + new BasicHttpRequest("method", uri); // $ Alert BasicHttpRequest bhr = new BasicHttpRequest("method", "path"); - bhr.setUri(uri); // $ SSRF + bhr.setUri(uri); // $ Alert // HttpRequestWrapper HttpRequestWrapper hrw = new HttpRequestWrapper(null); - hrw.setUri(uri); // $ SSRF + hrw.setUri(uri); // $ Alert } catch (Exception e) { // TODO: handle exception diff --git a/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java b/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java index ced253652111..37bf91d81fd2 100644 --- a/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java @@ -11,8 +11,8 @@ public class JakartaWsSSRF extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { Client client = ClientBuilder.newClient(); - String url = request.getParameter("url"); - client.target(url); // $ SSRF + String url = request.getParameter("url"); // $ Source + client.target(url); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java b/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java index 7cc5578ebf33..7181d426ffba 100644 --- a/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java @@ -22,21 +22,21 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String sink = request.getParameter("uri"); + String sink = request.getParameter("uri"); // $ Source URI uri = new URI(sink); URI uri2 = new URI("http", sink, "fragement"); URL url1 = new URL(sink); - URLConnection c1 = url1.openConnection(); // $ SSRF + URLConnection c1 = url1.openConnection(); // $ Alert SocketAddress sa = new SocketAddress() { }; - URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF - InputStream c3 = url1.openStream(); // $ SSRF + URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ Alert + InputStream c3 = url1.openStream(); // $ Alert // java.net.http HttpClient client = HttpClient.newHttpClient(); - HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF - HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF + HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ Alert + HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ Alert } catch (Exception e) { // TODO: handle exception diff --git a/java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java b/java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java index da650e2de6cb..97602b29b553 100644 --- a/java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java @@ -11,8 +11,8 @@ public class JaxWsSSRF extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { Client client = ClientBuilder.newClient(); - String url = request.getParameter("url"); - client.target(url); // $ SSRF + String url = request.getParameter("url"); // $ Source + client.target(url); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java b/java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java index 94704c3d8621..859b998c9ea4 100644 --- a/java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/JdbcUrlSSRF.java @@ -17,75 +17,75 @@ public class JdbcUrlSSRF extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - String jdbcUrl = request.getParameter("jdbcUrl"); + + String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source Driver driver = new org.postgresql.Driver(); DataSourceBuilder dsBuilder = DataSourceBuilder.create(); - + try { - driver.connect(jdbcUrl, null); // $ SSRF + driver.connect(jdbcUrl, null); // $ Alert - DriverManager.getConnection(jdbcUrl); // $ SSRF - DriverManager.getConnection(jdbcUrl, "user", "password"); // $ SSRF - DriverManager.getConnection(jdbcUrl, null); // $ SSRF + DriverManager.getConnection(jdbcUrl); // $ Alert + DriverManager.getConnection(jdbcUrl, "user", "password"); // $ Alert + DriverManager.getConnection(jdbcUrl, null); // $ Alert - dsBuilder.url(jdbcUrl); // $ SSRF + dsBuilder.url(jdbcUrl); // $ Alert } catch(SQLException e) {} } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - - String jdbcUrl = request.getParameter("jdbcUrl"); + + String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source HikariConfig config = new HikariConfig(); - config.setJdbcUrl(jdbcUrl); // $ SSRF + config.setJdbcUrl(jdbcUrl); // $ Alert config.setUsername("database_username"); config.setPassword("database_password"); HikariDataSource ds = new HikariDataSource(); - ds.setJdbcUrl(jdbcUrl); // $ SSRF + ds.setJdbcUrl(jdbcUrl); // $ Alert Properties props = new Properties(); props.setProperty("driverClassName", "org.postgresql.Driver"); props.setProperty("jdbcUrl", jdbcUrl); - HikariConfig config2 = new HikariConfig(props); // $ SSRF + HikariConfig config2 = new HikariConfig(props); // $ Alert } protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String jdbcUrl = request.getParameter("jdbcUrl"); - + String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source + DriverManagerDataSource dataSource = new DriverManagerDataSource(); - + dataSource.setDriverClassName("org.postgresql.Driver"); - dataSource.setUrl(jdbcUrl); // $ SSRF + dataSource.setUrl(jdbcUrl); // $ Alert - DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ SSRF + DriverManagerDataSource dataSource2 = new DriverManagerDataSource(jdbcUrl); // $ Alert dataSource2.setDriverClassName("org.postgresql.Driver"); - DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ SSRF + DriverManagerDataSource dataSource3 = new DriverManagerDataSource(jdbcUrl, "user", "pass"); // $ Alert dataSource3.setDriverClassName("org.postgresql.Driver"); - DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ SSRF + DriverManagerDataSource dataSource4 = new DriverManagerDataSource(jdbcUrl, null); // $ Alert dataSource4.setDriverClassName("org.postgresql.Driver"); } protected void doDelete(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String jdbcUrl = request.getParameter("jdbcUrl"); + String jdbcUrl = request.getParameter("jdbcUrl"); // $ Source - Jdbi.create(jdbcUrl); // $ SSRF - Jdbi.create(jdbcUrl, null); // $ SSRF - Jdbi.create(jdbcUrl, "user", "pass"); // $ SSRF + Jdbi.create(jdbcUrl); // $ Alert + Jdbi.create(jdbcUrl, null); // $ Alert + Jdbi.create(jdbcUrl, "user", "pass"); // $ Alert - Jdbi.open(jdbcUrl); // $ SSRF - Jdbi.open(jdbcUrl, null); // $ SSRF - Jdbi.open(jdbcUrl, "user", "pass"); // $ SSRF + Jdbi.open(jdbcUrl); // $ Alert + Jdbi.open(jdbcUrl, null); // $ Alert + Jdbi.open(jdbcUrl, "user", "pass"); // $ Alert } - -} \ No newline at end of file + +} diff --git a/java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java b/java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java index 00d707f71e47..e7e350b054af 100644 --- a/java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/ReactiveWebClientSSRF.java @@ -12,8 +12,8 @@ public class ReactiveWebClientSSRF extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); - WebClient webClient = WebClient.create(url); // $ SSRF + String url = request.getParameter("uri"); // $ Source + WebClient webClient = WebClient.create(url); // $ Alert Mono result = webClient.get() .uri("/") @@ -29,10 +29,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source WebClient webClient = WebClient.builder() .defaultHeader("User-Agent", "Java") - .baseUrl(url) // $ SSRF + .baseUrl(url) // $ Alert .build(); @@ -46,4 +46,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) // Ignore } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected index e69de29bb2d1..b08273da0ca9 100644 --- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected +++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected @@ -0,0 +1,1825 @@ +#select +| ApacheHttpSSRF.java:30:43:30:45 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:30:43:30:45 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:32:29:32:31 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:32:29:32:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:34:26:34:28 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:34:26:34:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:35:26:35:28 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:35:26:35:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:36:25:36:27 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:36:25:36:27 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:37:28:37:30 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:37:28:37:30 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:38:29:38:31 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:38:29:38:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:39:27:39:29 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:39:27:39:29 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:40:27:40:29 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:40:27:40:29 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:43:41:43:54 | toString(...) | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:43:41:43:54 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:44:41:44:54 | toString(...) | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:44:41:44:54 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:47:56:47:69 | toString(...) | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:47:56:47:69 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:48:56:48:69 | toString(...) | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:48:56:48:69 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:50:32:50:34 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:50:32:50:34 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:51:33:51:35 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:51:33:51:35 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:52:32:52:34 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:52:32:52:34 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:53:35:53:37 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:53:35:53:37 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:54:36:54:38 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:54:36:54:38 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:55:33:55:35 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:55:33:55:35 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:56:34:56:36 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:56:34:56:36 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:57:34:57:36 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:57:34:57:36 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRF.java:58:43:58:45 | uri | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:58:43:58:45 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:48:54:48:57 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:48:54:48:57 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:49:54:49:67 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:49:54:49:67 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:50:54:50:56 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:50:54:50:56 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:51:48:51:61 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:51:48:51:61 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:52:48:52:50 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:52:48:52:50 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:54:38:54:41 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:54:38:54:41 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:55:38:55:51 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:55:38:55:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:56:38:56:40 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:56:38:56:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:58:35:58:38 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:58:35:58:38 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:59:35:59:48 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:59:35:59:48 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:60:35:60:37 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:60:35:60:37 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:62:36:62:39 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:62:36:62:39 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:63:36:63:49 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:63:36:63:49 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:64:36:64:38 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:64:36:64:38 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:66:39:66:42 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:66:39:66:42 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:67:39:67:52 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:67:39:67:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:68:39:68:41 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:68:39:68:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:70:37:70:40 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:70:37:70:40 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:71:37:71:50 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:71:37:71:50 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:72:37:72:39 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:72:37:72:39 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:74:36:74:39 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:74:36:74:39 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:75:36:75:49 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:75:36:75:49 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:76:36:76:38 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:76:36:76:38 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:78:35:78:38 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:78:35:78:38 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:79:35:79:48 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:79:35:79:48 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:80:35:80:37 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:80:35:80:37 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:82:37:82:40 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:82:37:82:40 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:83:37:83:50 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:83:37:83:50 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:84:37:84:39 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:84:37:84:39 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:87:51:87:54 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:87:51:87:54 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:88:51:88:53 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:88:51:88:53 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:91:51:91:54 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:91:51:91:54 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:92:51:92:53 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:92:51:92:53 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:93:45:93:48 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:93:45:93:48 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:94:45:94:47 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:94:45:94:47 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:96:54:96:57 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:96:54:96:57 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:97:54:97:56 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:97:54:97:56 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:98:48:98:61 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:98:48:98:61 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:99:48:99:50 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:99:48:99:50 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:102:55:102:58 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:102:55:102:58 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:103:55:103:68 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:103:55:103:68 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:104:55:104:57 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:104:55:104:57 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:105:49:105:62 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:105:49:105:62 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:106:49:106:51 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:106:49:106:51 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:108:39:108:42 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:108:39:108:42 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:109:39:109:52 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:109:39:109:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:110:39:110:41 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:110:39:110:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:112:36:112:39 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:112:36:112:39 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:113:36:113:49 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:113:36:113:49 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:114:36:114:38 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:114:36:114:38 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:116:37:116:40 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:116:37:116:40 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:117:37:117:50 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:117:37:117:50 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:118:37:118:39 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:118:37:118:39 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:120:40:120:43 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:120:40:120:43 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:121:40:121:53 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:121:40:121:53 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:122:40:122:42 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:122:40:122:42 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:124:38:124:41 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:124:38:124:41 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:125:38:125:51 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:125:38:125:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:126:38:126:40 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:126:38:126:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:128:37:128:40 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:128:37:128:40 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:129:37:129:50 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:129:37:129:50 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:130:37:130:39 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:130:37:130:39 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:132:36:132:39 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:132:36:132:39 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:133:36:133:49 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:133:36:133:49 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:134:36:134:38 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:134:36:134:38 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:136:38:136:41 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:136:38:136:41 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:137:38:137:51 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:137:38:137:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:138:38:138:40 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:138:38:138:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:141:41:141:54 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:141:41:141:54 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:142:41:142:43 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:142:41:142:43 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:144:38:144:51 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:144:38:144:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:145:38:145:40 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:145:38:145:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:147:39:147:52 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:147:39:147:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:148:39:148:41 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:148:39:148:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:150:42:150:55 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:150:42:150:55 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:151:42:151:44 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:151:42:151:44 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:153:40:153:53 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:153:40:153:53 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:154:40:154:42 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:154:40:154:42 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:156:39:156:52 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:156:39:156:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:157:39:157:41 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:157:39:157:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:159:38:159:51 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:159:38:159:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:160:38:160:40 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:160:38:160:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:162:52:162:55 | host | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:162:52:162:55 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:164:47:164:60 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:164:47:164:60 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:165:47:165:49 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:165:47:165:49 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:167:40:167:53 | toString(...) | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:167:40:167:53 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:168:40:168:42 | uri | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:168:40:168:42 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:184:56:184:69 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:184:56:184:69 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:185:56:185:58 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:185:56:185:58 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:186:50:186:63 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:186:50:186:63 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:187:50:187:52 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:187:50:187:52 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:189:40:189:53 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:189:40:189:53 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:190:40:190:42 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:190:40:190:42 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:192:37:192:50 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:192:37:192:50 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:193:37:193:39 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:193:37:193:39 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:195:38:195:51 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:195:38:195:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:196:38:196:40 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:196:38:196:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:198:41:198:54 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:198:41:198:54 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:199:41:199:43 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:199:41:199:43 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:201:39:201:52 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:201:39:201:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:202:39:202:41 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:202:39:202:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:204:38:204:51 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:204:38:204:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:205:38:205:40 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:205:38:205:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:207:37:207:50 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:207:37:207:50 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:208:37:208:39 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:208:37:208:39 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:210:39:210:52 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:210:39:210:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:211:39:211:41 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:211:39:211:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:214:28:214:41 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:214:28:214:41 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:215:28:215:30 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:215:28:215:30 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:217:25:217:38 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:217:25:217:38 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:218:25:218:27 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:218:25:218:27 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:220:26:220:39 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:220:26:220:39 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:221:26:221:28 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:221:26:221:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:223:29:223:42 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:223:29:223:42 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:224:29:224:31 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:224:29:224:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:226:27:226:40 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:226:27:226:40 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:227:27:227:29 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:227:27:227:29 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:229:26:229:39 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:229:26:229:39 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:230:26:230:28 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:230:26:230:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:232:25:232:38 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:232:25:232:38 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:233:25:233:27 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:233:25:233:27 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:235:27:235:40 | toString(...) | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:235:27:235:40 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:236:27:236:29 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:236:27:236:29 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:239:46:239:48 | uri | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:239:46:239:48 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:255:44:255:46 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:255:44:255:46 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:256:38:256:51 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:256:38:256:51 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:257:38:257:40 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:257:38:257:40 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:259:28:259:41 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:259:28:259:41 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:260:28:260:30 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:260:28:260:30 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:262:25:262:38 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:262:25:262:38 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:263:25:263:27 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:263:25:263:27 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:265:26:265:39 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:265:26:265:39 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:266:26:266:28 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:266:26:266:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:268:29:268:42 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:268:29:268:42 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:269:29:269:31 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:269:29:269:31 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:271:27:271:40 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:271:27:271:40 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:272:27:272:29 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:272:27:272:29 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:274:26:274:39 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:274:26:274:39 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:275:26:275:28 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:275:26:275:28 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:277:25:277:38 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:277:25:277:38 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:278:25:278:27 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:278:25:278:27 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:280:27:280:40 | toString(...) | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:280:27:280:40 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:281:27:281:29 | uri | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:281:27:281:29 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:303:34:303:37 | host | ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:303:34:303:37 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:304:34:304:37 | host | ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:304:34:304:37 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:308:60:308:73 | toString(...) | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:308:60:308:73 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:309:60:309:62 | uri | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:309:60:309:62 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:313:53:313:66 | toString(...) | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:313:53:313:66 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:314:53:314:55 | uri | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:314:53:314:55 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:333:42:333:55 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:333:42:333:55 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:334:42:334:44 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:334:42:334:44 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:336:39:336:52 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:336:39:336:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:337:39:337:41 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:337:39:337:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:339:40:339:53 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:339:40:339:53 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:340:40:340:42 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:340:40:340:42 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:342:43:342:56 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:342:43:342:56 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:343:43:343:45 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:343:43:343:45 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:345:41:345:54 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:345:41:345:54 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:346:41:346:43 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:346:41:346:43 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:348:40:348:53 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:348:40:348:53 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:349:40:349:42 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:349:40:349:42 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:351:39:351:52 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:351:39:351:52 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:352:39:352:41 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:352:39:352:41 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:354:53:354:56 | host | ApacheHttpSSRFVersion5.java:329:31:329:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:354:53:354:56 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:329:31:329:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:356:48:356:61 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:356:48:356:61 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:357:48:357:50 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:357:48:357:50 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:359:41:359:54 | toString(...) | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:359:41:359:54 | toString(...) | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:360:41:360:43 | uri | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:360:41:360:43 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:379:57:379:60 | host | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:379:57:379:60 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:380:57:380:59 | uri | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:380:57:380:59 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:381:51:381:54 | host | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:381:51:381:54 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:382:51:382:53 | uri | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:382:51:382:53 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:385:50:385:53 | host | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:385:50:385:53 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:386:50:386:52 | uri | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:386:50:386:52 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:387:44:387:47 | host | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:387:44:387:47 | host | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:388:44:388:46 | uri | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:388:44:388:46 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:390:24:390:26 | uri | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:390:24:390:26 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) | user-provided value | +| ApacheHttpSSRFVersion5.java:394:24:394:26 | uri | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:394:24:394:26 | uri | Potential server-side request forgery due to a $@. | ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) | user-provided value | +| JakartaWsSSRF.java:15:23:15:25 | url | JakartaWsSSRF.java:14:22:14:48 | getParameter(...) : String | JakartaWsSSRF.java:15:23:15:25 | url | Potential server-side request forgery due to a $@. | JakartaWsSSRF.java:14:22:14:48 | getParameter(...) | user-provided value | +| JavaNetHttpSSRF.java:30:32:30:35 | url1 | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:30:32:30:35 | url1 | Potential server-side request forgery due to a $@. | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) | user-provided value | +| JavaNetHttpSSRF.java:33:32:33:35 | url1 | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:33:32:33:35 | url1 | Potential server-side request forgery due to a $@. | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) | user-provided value | +| JavaNetHttpSSRF.java:34:30:34:33 | url1 | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:34:30:34:33 | url1 | Potential server-side request forgery due to a $@. | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) | user-provided value | +| JavaNetHttpSSRF.java:38:65:38:68 | uri2 | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:38:65:38:68 | uri2 | Potential server-side request forgery due to a $@. | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) | user-provided value | +| JavaNetHttpSSRF.java:39:59:39:61 | uri | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:39:59:39:61 | uri | Potential server-side request forgery due to a $@. | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) | user-provided value | +| JaxWsSSRF.java:15:23:15:25 | url | JaxWsSSRF.java:14:22:14:48 | getParameter(...) : String | JaxWsSSRF.java:15:23:15:25 | url | Potential server-side request forgery due to a $@. | JaxWsSSRF.java:14:22:14:48 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:26:28:26:34 | jdbcUrl | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:26:28:26:34 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:28:41:28:47 | jdbcUrl | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:28:41:28:47 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:29:41:29:47 | jdbcUrl | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:29:41:29:47 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:30:41:30:47 | jdbcUrl | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:30:41:30:47 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:32:27:32:33 | jdbcUrl | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:32:27:32:33 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:43:27:43:33 | jdbcUrl | JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | JdbcUrlSSRF.java:43:27:43:33 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:48:23:48:29 | jdbcUrl | JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | JdbcUrlSSRF.java:48:23:48:29 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:54:49:54:53 | props | JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | JdbcUrlSSRF.java:54:49:54:53 | props | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:65:27:65:33 | jdbcUrl | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:65:27:65:33 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:67:75:67:81 | jdbcUrl | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:67:75:67:81 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:70:75:70:81 | jdbcUrl | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:70:75:70:81 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:73:75:73:81 | jdbcUrl | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:73:75:73:81 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:82:21:82:27 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:82:21:82:27 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:83:21:83:27 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:83:21:83:27 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:84:21:84:27 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:84:21:84:27 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:86:19:86:25 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:86:19:86:25 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:87:19:87:25 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:87:19:87:25 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | +| JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | +| ReactiveWebClientSSRF.java:16:52:16:54 | url | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:16:52:16:54 | url | Potential server-side request forgery due to a $@. | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) | user-provided value | +| ReactiveWebClientSSRF.java:35:30:35:32 | url | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:35:30:35:32 | url | Potential server-side request forgery due to a $@. | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) | user-provided value | +| SanitizationTests.java:22:52:22:54 | uri | SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:22:52:22:54 | uri | Potential server-side request forgery due to a $@. | SanitizationTests.java:19:31:19:57 | getParameter(...) | user-provided value | +| SanitizationTests.java:23:25:23:25 | r | SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:23:25:23:25 | r | Potential server-side request forgery due to a $@. | SanitizationTests.java:19:31:19:57 | getParameter(...) | user-provided value | +| SanitizationTests.java:76:59:76:77 | new URI(...) | SanitizationTests.java:75:33:75:63 | getParameter(...) : String | SanitizationTests.java:76:59:76:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:75:33:75:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:77:25:77:32 | unsafer3 | SanitizationTests.java:75:33:75:63 | getParameter(...) : String | SanitizationTests.java:77:25:77:32 | unsafer3 | Potential server-side request forgery due to a $@. | SanitizationTests.java:75:33:75:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:80:59:80:77 | new URI(...) | SanitizationTests.java:79:49:79:79 | getParameter(...) : String | SanitizationTests.java:80:59:80:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:79:49:79:79 | getParameter(...) | user-provided value | +| SanitizationTests.java:81:25:81:32 | unsafer4 | SanitizationTests.java:79:49:79:79 | getParameter(...) : String | SanitizationTests.java:81:25:81:32 | unsafer4 | Potential server-side request forgery due to a $@. | SanitizationTests.java:79:49:79:79 | getParameter(...) | user-provided value | +| SanitizationTests.java:85:59:85:88 | new URI(...) | SanitizationTests.java:84:31:84:61 | getParameter(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:84:31:84:61 | getParameter(...) | user-provided value | +| SanitizationTests.java:86:25:86:32 | unsafer5 | SanitizationTests.java:84:31:84:61 | getParameter(...) : String | SanitizationTests.java:86:25:86:32 | unsafer5 | Potential server-side request forgery due to a $@. | SanitizationTests.java:84:31:84:61 | getParameter(...) | user-provided value | +| SanitizationTests.java:90:60:90:89 | new URI(...) | SanitizationTests.java:88:58:88:86 | getParameter(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:88:58:88:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:91:25:91:33 | unsafer5a | SanitizationTests.java:88:58:88:86 | getParameter(...) : String | SanitizationTests.java:91:25:91:33 | unsafer5a | Potential server-side request forgery due to a $@. | SanitizationTests.java:88:58:88:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:95:60:95:90 | new URI(...) | SanitizationTests.java:93:60:93:88 | getParameter(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:93:60:93:88 | getParameter(...) | user-provided value | +| SanitizationTests.java:96:25:96:33 | unsafer5b | SanitizationTests.java:93:60:93:88 | getParameter(...) : String | SanitizationTests.java:96:25:96:33 | unsafer5b | Potential server-side request forgery due to a $@. | SanitizationTests.java:93:60:93:88 | getParameter(...) | user-provided value | +| SanitizationTests.java:100:60:100:90 | new URI(...) | SanitizationTests.java:98:77:98:105 | getParameter(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:98:77:98:105 | getParameter(...) | user-provided value | +| SanitizationTests.java:101:25:101:33 | unsafer5c | SanitizationTests.java:98:77:98:105 | getParameter(...) : String | SanitizationTests.java:101:25:101:33 | unsafer5c | Potential server-side request forgery due to a $@. | SanitizationTests.java:98:77:98:105 | getParameter(...) | user-provided value | +| SanitizationTests.java:104:59:104:77 | new URI(...) | SanitizationTests.java:103:73:103:103 | getParameter(...) : String | SanitizationTests.java:104:59:104:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:103:73:103:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:105:25:105:32 | unsafer6 | SanitizationTests.java:103:73:103:103 | getParameter(...) : String | SanitizationTests.java:105:25:105:32 | unsafer6 | Potential server-side request forgery due to a $@. | SanitizationTests.java:103:73:103:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:108:59:108:77 | new URI(...) | SanitizationTests.java:107:56:107:86 | getParameter(...) : String | SanitizationTests.java:108:59:108:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:107:56:107:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:109:25:109:32 | unsafer7 | SanitizationTests.java:107:56:107:86 | getParameter(...) : String | SanitizationTests.java:109:25:109:32 | unsafer7 | Potential server-side request forgery due to a $@. | SanitizationTests.java:107:56:107:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:112:59:112:77 | new URI(...) | SanitizationTests.java:111:55:111:85 | getParameter(...) : String | SanitizationTests.java:112:59:112:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:111:55:111:85 | getParameter(...) | user-provided value | +| SanitizationTests.java:113:25:113:32 | unsafer8 | SanitizationTests.java:111:55:111:85 | getParameter(...) : String | SanitizationTests.java:113:25:113:32 | unsafer8 | Potential server-side request forgery due to a $@. | SanitizationTests.java:111:55:111:85 | getParameter(...) | user-provided value | +| SanitizationTests.java:116:59:116:77 | new URI(...) | SanitizationTests.java:115:33:115:63 | getParameter(...) : String | SanitizationTests.java:116:59:116:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:115:33:115:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:117:25:117:32 | unsafer9 | SanitizationTests.java:115:33:115:63 | getParameter(...) : String | SanitizationTests.java:117:25:117:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:115:33:115:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:120:60:120:79 | new URI(...) | SanitizationTests.java:119:94:119:125 | getParameter(...) : String | SanitizationTests.java:120:60:120:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:119:94:119:125 | getParameter(...) | user-provided value | +| SanitizationTests.java:121:25:121:33 | unsafer10 | SanitizationTests.java:119:94:119:125 | getParameter(...) : String | SanitizationTests.java:121:25:121:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:119:94:119:125 | getParameter(...) | user-provided value | +| SpringSSRF.java:32:39:32:59 | ... + ... | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:33:35:33:48 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:35:33:48 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:34:34:34:47 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:34:34:47 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:35:39:35:52 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:35:39:35:52 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:36:69:36:82 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:36:69:36:82 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:37:73:37:86 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:37:73:37:86 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:40:69:40:97 | of(...) | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:40:69:40:97 | of(...) | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:42:69:42:119 | of(...) | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:42:69:42:119 | of(...) | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:44:41:44:54 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:44:41:44:54 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:45:40:45:62 | new URI(...) | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:45:40:45:62 | new URI(...) | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:46:42:46:55 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:46:42:46:55 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:47:40:47:53 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:47:40:47:53 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:48:30:48:43 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:48:30:48:43 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:49:33:49:46 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:49:33:49:46 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:50:41:50:54 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:50:41:50:54 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:51:42:51:55 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:51:42:51:55 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:56:44:56:46 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:56:44:56:46 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:58:35:58:37 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:58:35:58:37 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:59:35:59:37 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:59:35:59:37 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:60:38:60:40 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:60:38:60:40 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:61:39:61:41 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:61:39:61:41 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:62:37:62:39 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:62:37:62:39 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:63:36:63:38 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:63:36:63:38 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:64:44:64:46 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:64:44:64:46 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:70:49:70:51 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:70:49:70:51 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:71:58:71:60 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:71:58:71:60 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:72:57:72:59 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:72:57:72:59 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:73:66:73:68 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:73:66:73:68 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:74:57:74:59 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:74:57:74:59 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| SpringSSRF.java:75:66:75:68 | uri | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:75:66:75:68 | uri | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | +| URLClassLoaderSSRF.java:18:64:18:85 | new URL[] | URLClassLoaderSSRF.java:16:26:16:52 | getParameter(...) : String | URLClassLoaderSSRF.java:18:64:18:85 | new URL[] | Potential server-side request forgery due to a $@. | URLClassLoaderSSRF.java:16:26:16:52 | getParameter(...) | user-provided value | +| URLClassLoaderSSRF.java:30:64:30:85 | new URL[] | URLClassLoaderSSRF.java:28:26:28:52 | getParameter(...) : String | URLClassLoaderSSRF.java:30:64:30:85 | new URL[] | Potential server-side request forgery due to a $@. | URLClassLoaderSSRF.java:28:26:28:52 | getParameter(...) | user-provided value | +| URLClassLoaderSSRF.java:44:64:44:85 | new URL[] | URLClassLoaderSSRF.java:40:26:40:52 | getParameter(...) : String | URLClassLoaderSSRF.java:44:64:44:85 | new URL[] | Potential server-side request forgery due to a $@. | URLClassLoaderSSRF.java:40:26:40:52 | getParameter(...) | user-provided value | +| URLClassLoaderSSRF.java:56:72:56:93 | new URL[] | URLClassLoaderSSRF.java:54:26:54:52 | getParameter(...) : String | URLClassLoaderSSRF.java:56:72:56:93 | new URL[] | Potential server-side request forgery due to a $@. | URLClassLoaderSSRF.java:54:26:54:52 | getParameter(...) | user-provided value | +| URLClassLoaderSSRF.java:70:21:70:42 | new URL[] | URLClassLoaderSSRF.java:66:26:66:52 | getParameter(...) : String | URLClassLoaderSSRF.java:70:21:70:42 | new URL[] | Potential server-side request forgery due to a $@. | URLClassLoaderSSRF.java:66:26:66:52 | getParameter(...) | user-provided value | +| URLClassLoaderSSRF.java:89:21:89:42 | new URL[] | URLClassLoaderSSRF.java:83:26:83:52 | getParameter(...) : String | URLClassLoaderSSRF.java:89:21:89:42 | new URL[] | Potential server-side request forgery due to a $@. | URLClassLoaderSSRF.java:83:26:83:52 | getParameter(...) | user-provided value | +| mad/Test.java:31:24:31:47 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:31:24:31:47 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:36:10:36:23 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:36:10:36:23 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:38:28:38:43 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:38:28:38:43 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:40:10:40:23 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:40:10:40:23 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:45:32:45:47 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:45:32:45:47 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:47:32:47:47 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:47:32:47:47 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:49:28:49:43 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:49:28:49:43 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:51:28:51:43 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:51:28:51:43 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:53:28:53:43 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:53:28:53:43 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:55:36:55:51 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:55:36:55:51 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:57:32:57:45 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:57:32:57:45 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:59:38:59:51 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:59:38:59:51 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:61:47:61:60 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:61:47:61:60 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:63:26:63:39 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:63:26:63:39 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:65:38:65:51 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:65:38:65:51 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:67:26:67:39 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:67:26:67:39 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:69:27:69:40 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:69:27:69:40 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:71:47:71:60 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:71:47:71:60 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:74:50:74:65 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:74:50:74:65 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:76:50:76:69 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:76:50:76:69 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:78:43:78:59 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:78:43:78:59 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:80:25:80:41 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:80:25:80:41 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:82:31:82:47 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:82:31:82:47 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:84:31:84:47 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:84:31:84:47 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:86:41:86:57 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:86:41:86:57 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:92:24:92:40 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:92:24:92:40 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:97:29:97:42 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:97:29:97:42 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:102:26:102:39 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:102:26:102:39 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:107:15:107:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:107:15:107:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +| mad/Test.java:112:15:112:31 | (...)... | mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:112:15:112:31 | (...)... | Potential server-side request forgery due to a $@. | mad/Test.java:26:16:26:41 | getParameter(...) | user-provided value | +edges +| ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | ApacheHttpSSRF.java:28:31:28:34 | sink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:30:43:30:45 | uri | provenance | Sink:MaD:211 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:32:29:32:31 | uri | provenance | Sink:MaD:217 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:34:26:34:28 | uri | provenance | Sink:MaD:212 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:35:26:35:28 | uri | provenance | Sink:MaD:215 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:36:25:36:27 | uri | provenance | Sink:MaD:216 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:37:28:37:30 | uri | provenance | Sink:MaD:210 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:38:29:38:31 | uri | provenance | Sink:MaD:213 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:39:27:39:29 | uri | provenance | Sink:MaD:218 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:40:27:40:29 | uri | provenance | Sink:MaD:214 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:42:62:42:64 | uri : URI | provenance | | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:43:41:43:43 | uri : URI | provenance | | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:44:41:44:43 | uri : URI | provenance | | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:46:77:46:79 | uri : URI | provenance | | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:47:56:47:58 | uri : URI | provenance | | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:48:56:48:58 | uri : URI | provenance | | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:50:32:50:34 | uri | provenance | Sink:MaD:220 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:51:33:51:35 | uri | provenance | Sink:MaD:224 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:52:32:52:34 | uri | provenance | Sink:MaD:225 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:53:35:53:37 | uri | provenance | Sink:MaD:219 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:54:36:54:38 | uri | provenance | Sink:MaD:222 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:55:33:55:35 | uri | provenance | Sink:MaD:221 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:56:34:56:36 | uri | provenance | Sink:MaD:227 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:57:34:57:36 | uri | provenance | Sink:MaD:223 | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | ApacheHttpSSRF.java:58:43:58:45 | uri | provenance | Sink:MaD:226 | +| ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRF.java:42:62:42:64 | uri : URI | ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | provenance | MaD:286 | +| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:293 Sink:MaD:231 | +| ApacheHttpSSRF.java:43:41:43:43 | uri : URI | ApacheHttpSSRF.java:43:41:43:54 | toString(...) | provenance | MaD:286 Sink:MaD:232 | +| ApacheHttpSSRF.java:44:41:44:43 | uri : URI | ApacheHttpSSRF.java:44:41:44:54 | toString(...) | provenance | MaD:286 Sink:MaD:233 | +| ApacheHttpSSRF.java:46:77:46:79 | uri : URI | ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | provenance | MaD:286 | +| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:293 Sink:MaD:228 | +| ApacheHttpSSRF.java:47:56:47:58 | uri : URI | ApacheHttpSSRF.java:47:56:47:69 | toString(...) | provenance | MaD:286 Sink:MaD:229 | +| ApacheHttpSSRF.java:48:56:48:58 | uri : URI | ApacheHttpSSRF.java:48:56:48:69 | toString(...) | provenance | MaD:286 Sink:MaD:230 | +| ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:49:54:49:56 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:50:54:50:56 | uri | provenance | Sink:MaD:40 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:51:48:51:50 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:52:48:52:50 | uri | provenance | Sink:MaD:42 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:55:38:55:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:56:38:56:40 | uri | provenance | Sink:MaD:45 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:59:35:59:37 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:60:35:60:37 | uri | provenance | Sink:MaD:48 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:63:36:63:38 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:64:36:64:38 | uri | provenance | Sink:MaD:51 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:67:39:67:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:68:39:68:41 | uri | provenance | Sink:MaD:54 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:71:37:71:39 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:72:37:72:39 | uri | provenance | Sink:MaD:57 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:75:36:75:38 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:76:36:76:38 | uri | provenance | Sink:MaD:60 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:79:35:79:37 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:80:35:80:37 | uri | provenance | Sink:MaD:63 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:83:37:83:39 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:84:37:84:39 | uri | provenance | Sink:MaD:66 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:88:51:88:53 | uri | provenance | Sink:MaD:68 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:92:51:92:53 | uri | provenance | Sink:MaD:70 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:94:45:94:47 | uri | provenance | Sink:MaD:72 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:97:54:97:56 | uri | provenance | Sink:MaD:74 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:98:48:98:50 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:99:48:99:50 | uri | provenance | Sink:MaD:76 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:103:55:103:57 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:104:55:104:57 | uri | provenance | Sink:MaD:79 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:105:49:105:51 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:106:49:106:51 | uri | provenance | Sink:MaD:81 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:109:39:109:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:110:39:110:41 | uri | provenance | Sink:MaD:84 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:113:36:113:38 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:114:36:114:38 | uri | provenance | Sink:MaD:87 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:117:37:117:39 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:118:37:118:39 | uri | provenance | Sink:MaD:90 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:121:40:121:42 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:122:40:122:42 | uri | provenance | Sink:MaD:93 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:125:38:125:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:126:38:126:40 | uri | provenance | Sink:MaD:96 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:129:37:129:39 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:130:37:130:39 | uri | provenance | Sink:MaD:99 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:133:36:133:38 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:134:36:134:38 | uri | provenance | Sink:MaD:102 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:137:38:137:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:138:38:138:40 | uri | provenance | Sink:MaD:105 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:141:41:141:43 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:142:41:142:43 | uri | provenance | Sink:MaD:107 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:144:38:144:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:145:38:145:40 | uri | provenance | Sink:MaD:109 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:147:39:147:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:148:39:148:41 | uri | provenance | Sink:MaD:111 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:150:42:150:44 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:151:42:151:44 | uri | provenance | Sink:MaD:113 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:153:40:153:42 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:154:40:154:42 | uri | provenance | Sink:MaD:115 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:156:39:156:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:157:39:157:41 | uri | provenance | Sink:MaD:117 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:159:38:159:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:160:38:160:40 | uri | provenance | Sink:MaD:119 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:164:47:164:49 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:165:47:165:49 | uri | provenance | Sink:MaD:206 | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:167:40:167:42 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:168:40:168:42 | uri | provenance | Sink:MaD:121 | +| ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:48:54:48:57 | host | provenance | Sink:MaD:38 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:54:38:54:41 | host | provenance | Sink:MaD:43 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:58:35:58:38 | host | provenance | Sink:MaD:46 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:62:36:62:39 | host | provenance | Sink:MaD:49 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:66:39:66:42 | host | provenance | Sink:MaD:52 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:70:37:70:40 | host | provenance | Sink:MaD:55 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:74:36:74:39 | host | provenance | Sink:MaD:58 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:78:35:78:38 | host | provenance | Sink:MaD:61 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:82:37:82:40 | host | provenance | Sink:MaD:64 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:87:51:87:54 | host | provenance | Sink:MaD:67 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:91:51:91:54 | host | provenance | Sink:MaD:69 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:93:45:93:48 | host | provenance | Sink:MaD:71 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:96:54:96:57 | host | provenance | Sink:MaD:73 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:102:55:102:58 | host | provenance | Sink:MaD:77 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:108:39:108:42 | host | provenance | Sink:MaD:82 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:112:36:112:39 | host | provenance | Sink:MaD:85 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:116:37:116:40 | host | provenance | Sink:MaD:88 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:120:40:120:43 | host | provenance | Sink:MaD:91 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:124:38:124:41 | host | provenance | Sink:MaD:94 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:128:37:128:40 | host | provenance | Sink:MaD:97 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:132:36:132:39 | host | provenance | Sink:MaD:100 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:136:38:136:41 | host | provenance | Sink:MaD:103 | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:162:52:162:55 | host | provenance | Sink:MaD:204 | +| ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:49:54:49:56 | uri : URI | ApacheHttpSSRFVersion5.java:49:54:49:67 | toString(...) | provenance | MaD:286 Sink:MaD:39 | +| ApacheHttpSSRFVersion5.java:51:48:51:50 | uri : URI | ApacheHttpSSRFVersion5.java:51:48:51:61 | toString(...) | provenance | MaD:286 Sink:MaD:41 | +| ApacheHttpSSRFVersion5.java:55:38:55:40 | uri : URI | ApacheHttpSSRFVersion5.java:55:38:55:51 | toString(...) | provenance | MaD:286 Sink:MaD:44 | +| ApacheHttpSSRFVersion5.java:59:35:59:37 | uri : URI | ApacheHttpSSRFVersion5.java:59:35:59:48 | toString(...) | provenance | MaD:286 Sink:MaD:47 | +| ApacheHttpSSRFVersion5.java:63:36:63:38 | uri : URI | ApacheHttpSSRFVersion5.java:63:36:63:49 | toString(...) | provenance | MaD:286 Sink:MaD:50 | +| ApacheHttpSSRFVersion5.java:67:39:67:41 | uri : URI | ApacheHttpSSRFVersion5.java:67:39:67:52 | toString(...) | provenance | MaD:286 Sink:MaD:53 | +| ApacheHttpSSRFVersion5.java:71:37:71:39 | uri : URI | ApacheHttpSSRFVersion5.java:71:37:71:50 | toString(...) | provenance | MaD:286 Sink:MaD:56 | +| ApacheHttpSSRFVersion5.java:75:36:75:38 | uri : URI | ApacheHttpSSRFVersion5.java:75:36:75:49 | toString(...) | provenance | MaD:286 Sink:MaD:59 | +| ApacheHttpSSRFVersion5.java:79:35:79:37 | uri : URI | ApacheHttpSSRFVersion5.java:79:35:79:48 | toString(...) | provenance | MaD:286 Sink:MaD:62 | +| ApacheHttpSSRFVersion5.java:83:37:83:39 | uri : URI | ApacheHttpSSRFVersion5.java:83:37:83:50 | toString(...) | provenance | MaD:286 Sink:MaD:65 | +| ApacheHttpSSRFVersion5.java:98:48:98:50 | uri : URI | ApacheHttpSSRFVersion5.java:98:48:98:61 | toString(...) | provenance | MaD:286 Sink:MaD:75 | +| ApacheHttpSSRFVersion5.java:103:55:103:57 | uri : URI | ApacheHttpSSRFVersion5.java:103:55:103:68 | toString(...) | provenance | MaD:286 Sink:MaD:78 | +| ApacheHttpSSRFVersion5.java:105:49:105:51 | uri : URI | ApacheHttpSSRFVersion5.java:105:49:105:62 | toString(...) | provenance | MaD:286 Sink:MaD:80 | +| ApacheHttpSSRFVersion5.java:109:39:109:41 | uri : URI | ApacheHttpSSRFVersion5.java:109:39:109:52 | toString(...) | provenance | MaD:286 Sink:MaD:83 | +| ApacheHttpSSRFVersion5.java:113:36:113:38 | uri : URI | ApacheHttpSSRFVersion5.java:113:36:113:49 | toString(...) | provenance | MaD:286 Sink:MaD:86 | +| ApacheHttpSSRFVersion5.java:117:37:117:39 | uri : URI | ApacheHttpSSRFVersion5.java:117:37:117:50 | toString(...) | provenance | MaD:286 Sink:MaD:89 | +| ApacheHttpSSRFVersion5.java:121:40:121:42 | uri : URI | ApacheHttpSSRFVersion5.java:121:40:121:53 | toString(...) | provenance | MaD:286 Sink:MaD:92 | +| ApacheHttpSSRFVersion5.java:125:38:125:40 | uri : URI | ApacheHttpSSRFVersion5.java:125:38:125:51 | toString(...) | provenance | MaD:286 Sink:MaD:95 | +| ApacheHttpSSRFVersion5.java:129:37:129:39 | uri : URI | ApacheHttpSSRFVersion5.java:129:37:129:50 | toString(...) | provenance | MaD:286 Sink:MaD:98 | +| ApacheHttpSSRFVersion5.java:133:36:133:38 | uri : URI | ApacheHttpSSRFVersion5.java:133:36:133:49 | toString(...) | provenance | MaD:286 Sink:MaD:101 | +| ApacheHttpSSRFVersion5.java:137:38:137:40 | uri : URI | ApacheHttpSSRFVersion5.java:137:38:137:51 | toString(...) | provenance | MaD:286 Sink:MaD:104 | +| ApacheHttpSSRFVersion5.java:141:41:141:43 | uri : URI | ApacheHttpSSRFVersion5.java:141:41:141:54 | toString(...) | provenance | MaD:286 Sink:MaD:106 | +| ApacheHttpSSRFVersion5.java:144:38:144:40 | uri : URI | ApacheHttpSSRFVersion5.java:144:38:144:51 | toString(...) | provenance | MaD:286 Sink:MaD:108 | +| ApacheHttpSSRFVersion5.java:147:39:147:41 | uri : URI | ApacheHttpSSRFVersion5.java:147:39:147:52 | toString(...) | provenance | MaD:286 Sink:MaD:110 | +| ApacheHttpSSRFVersion5.java:150:42:150:44 | uri : URI | ApacheHttpSSRFVersion5.java:150:42:150:55 | toString(...) | provenance | MaD:286 Sink:MaD:112 | +| ApacheHttpSSRFVersion5.java:153:40:153:42 | uri : URI | ApacheHttpSSRFVersion5.java:153:40:153:53 | toString(...) | provenance | MaD:286 Sink:MaD:114 | +| ApacheHttpSSRFVersion5.java:156:39:156:41 | uri : URI | ApacheHttpSSRFVersion5.java:156:39:156:52 | toString(...) | provenance | MaD:286 Sink:MaD:116 | +| ApacheHttpSSRFVersion5.java:159:38:159:40 | uri : URI | ApacheHttpSSRFVersion5.java:159:38:159:51 | toString(...) | provenance | MaD:286 Sink:MaD:118 | +| ApacheHttpSSRFVersion5.java:164:47:164:49 | uri : URI | ApacheHttpSSRFVersion5.java:164:47:164:60 | toString(...) | provenance | MaD:286 Sink:MaD:205 | +| ApacheHttpSSRFVersion5.java:167:40:167:42 | uri : URI | ApacheHttpSSRFVersion5.java:167:40:167:53 | toString(...) | provenance | MaD:286 Sink:MaD:120 | +| ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:181:31:181:37 | uriSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:184:56:184:58 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:185:56:185:58 | uri | provenance | Sink:MaD:123 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:186:50:186:52 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:187:50:187:52 | uri | provenance | Sink:MaD:125 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:189:40:189:42 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:190:40:190:42 | uri | provenance | Sink:MaD:127 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:192:37:192:39 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:193:37:193:39 | uri | provenance | Sink:MaD:129 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:195:38:195:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:196:38:196:40 | uri | provenance | Sink:MaD:131 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:198:41:198:43 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:199:41:199:43 | uri | provenance | Sink:MaD:133 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:201:39:201:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:202:39:202:41 | uri | provenance | Sink:MaD:135 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:204:38:204:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:205:38:205:40 | uri | provenance | Sink:MaD:137 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:207:37:207:39 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:208:37:208:39 | uri | provenance | Sink:MaD:139 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:210:39:210:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:211:39:211:41 | uri | provenance | Sink:MaD:141 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:214:28:214:30 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:215:28:215:30 | uri | provenance | Sink:MaD:143 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:217:25:217:27 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:218:25:218:27 | uri | provenance | Sink:MaD:145 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:220:26:220:28 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:221:26:221:28 | uri | provenance | Sink:MaD:147 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:223:29:223:31 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:224:29:224:31 | uri | provenance | Sink:MaD:149 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:226:27:226:29 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:227:27:227:29 | uri | provenance | Sink:MaD:151 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:229:26:229:28 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:230:26:230:28 | uri | provenance | Sink:MaD:153 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:232:25:232:27 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:233:25:233:27 | uri | provenance | Sink:MaD:155 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:235:27:235:29 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:236:27:236:29 | uri | provenance | Sink:MaD:157 | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:239:46:239:48 | uri | provenance | Sink:MaD:158 | +| ApacheHttpSSRFVersion5.java:181:31:181:37 | uriSink : String | ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRFVersion5.java:181:31:181:37 | uriSink : String | ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRFVersion5.java:184:56:184:58 | uri : URI | ApacheHttpSSRFVersion5.java:184:56:184:69 | toString(...) | provenance | MaD:286 Sink:MaD:122 | +| ApacheHttpSSRFVersion5.java:186:50:186:52 | uri : URI | ApacheHttpSSRFVersion5.java:186:50:186:63 | toString(...) | provenance | MaD:286 Sink:MaD:124 | +| ApacheHttpSSRFVersion5.java:189:40:189:42 | uri : URI | ApacheHttpSSRFVersion5.java:189:40:189:53 | toString(...) | provenance | MaD:286 Sink:MaD:126 | +| ApacheHttpSSRFVersion5.java:192:37:192:39 | uri : URI | ApacheHttpSSRFVersion5.java:192:37:192:50 | toString(...) | provenance | MaD:286 Sink:MaD:128 | +| ApacheHttpSSRFVersion5.java:195:38:195:40 | uri : URI | ApacheHttpSSRFVersion5.java:195:38:195:51 | toString(...) | provenance | MaD:286 Sink:MaD:130 | +| ApacheHttpSSRFVersion5.java:198:41:198:43 | uri : URI | ApacheHttpSSRFVersion5.java:198:41:198:54 | toString(...) | provenance | MaD:286 Sink:MaD:132 | +| ApacheHttpSSRFVersion5.java:201:39:201:41 | uri : URI | ApacheHttpSSRFVersion5.java:201:39:201:52 | toString(...) | provenance | MaD:286 Sink:MaD:134 | +| ApacheHttpSSRFVersion5.java:204:38:204:40 | uri : URI | ApacheHttpSSRFVersion5.java:204:38:204:51 | toString(...) | provenance | MaD:286 Sink:MaD:136 | +| ApacheHttpSSRFVersion5.java:207:37:207:39 | uri : URI | ApacheHttpSSRFVersion5.java:207:37:207:50 | toString(...) | provenance | MaD:286 Sink:MaD:138 | +| ApacheHttpSSRFVersion5.java:210:39:210:41 | uri : URI | ApacheHttpSSRFVersion5.java:210:39:210:52 | toString(...) | provenance | MaD:286 Sink:MaD:140 | +| ApacheHttpSSRFVersion5.java:214:28:214:30 | uri : URI | ApacheHttpSSRFVersion5.java:214:28:214:41 | toString(...) | provenance | MaD:286 Sink:MaD:142 | +| ApacheHttpSSRFVersion5.java:217:25:217:27 | uri : URI | ApacheHttpSSRFVersion5.java:217:25:217:38 | toString(...) | provenance | MaD:286 Sink:MaD:144 | +| ApacheHttpSSRFVersion5.java:220:26:220:28 | uri : URI | ApacheHttpSSRFVersion5.java:220:26:220:39 | toString(...) | provenance | MaD:286 Sink:MaD:146 | +| ApacheHttpSSRFVersion5.java:223:29:223:31 | uri : URI | ApacheHttpSSRFVersion5.java:223:29:223:42 | toString(...) | provenance | MaD:286 Sink:MaD:148 | +| ApacheHttpSSRFVersion5.java:226:27:226:29 | uri : URI | ApacheHttpSSRFVersion5.java:226:27:226:40 | toString(...) | provenance | MaD:286 Sink:MaD:150 | +| ApacheHttpSSRFVersion5.java:229:26:229:28 | uri : URI | ApacheHttpSSRFVersion5.java:229:26:229:39 | toString(...) | provenance | MaD:286 Sink:MaD:152 | +| ApacheHttpSSRFVersion5.java:232:25:232:27 | uri : URI | ApacheHttpSSRFVersion5.java:232:25:232:38 | toString(...) | provenance | MaD:286 Sink:MaD:154 | +| ApacheHttpSSRFVersion5.java:235:27:235:29 | uri : URI | ApacheHttpSSRFVersion5.java:235:27:235:40 | toString(...) | provenance | MaD:286 Sink:MaD:156 | +| ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:252:31:252:37 | uriSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:255:44:255:46 | uri | provenance | Sink:MaD:159 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:256:38:256:40 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:257:38:257:40 | uri | provenance | Sink:MaD:161 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:259:28:259:30 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:260:28:260:30 | uri | provenance | Sink:MaD:163 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:262:25:262:27 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:263:25:263:27 | uri | provenance | Sink:MaD:165 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:265:26:265:28 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:266:26:266:28 | uri | provenance | Sink:MaD:167 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:268:29:268:31 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:269:29:269:31 | uri | provenance | Sink:MaD:169 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:271:27:271:29 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:272:27:272:29 | uri | provenance | Sink:MaD:171 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:274:26:274:28 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:275:26:275:28 | uri | provenance | Sink:MaD:173 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:277:25:277:27 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:278:25:278:27 | uri | provenance | Sink:MaD:175 | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:280:27:280:29 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:281:27:281:29 | uri | provenance | Sink:MaD:177 | +| ApacheHttpSSRFVersion5.java:252:31:252:37 | uriSink : String | ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRFVersion5.java:252:31:252:37 | uriSink : String | ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRFVersion5.java:256:38:256:40 | uri : URI | ApacheHttpSSRFVersion5.java:256:38:256:51 | toString(...) | provenance | MaD:286 Sink:MaD:160 | +| ApacheHttpSSRFVersion5.java:259:28:259:30 | uri : URI | ApacheHttpSSRFVersion5.java:259:28:259:41 | toString(...) | provenance | MaD:286 Sink:MaD:162 | +| ApacheHttpSSRFVersion5.java:262:25:262:27 | uri : URI | ApacheHttpSSRFVersion5.java:262:25:262:38 | toString(...) | provenance | MaD:286 Sink:MaD:164 | +| ApacheHttpSSRFVersion5.java:265:26:265:28 | uri : URI | ApacheHttpSSRFVersion5.java:265:26:265:39 | toString(...) | provenance | MaD:286 Sink:MaD:166 | +| ApacheHttpSSRFVersion5.java:268:29:268:31 | uri : URI | ApacheHttpSSRFVersion5.java:268:29:268:42 | toString(...) | provenance | MaD:286 Sink:MaD:168 | +| ApacheHttpSSRFVersion5.java:271:27:271:29 | uri : URI | ApacheHttpSSRFVersion5.java:271:27:271:40 | toString(...) | provenance | MaD:286 Sink:MaD:170 | +| ApacheHttpSSRFVersion5.java:274:26:274:28 | uri : URI | ApacheHttpSSRFVersion5.java:274:26:274:39 | toString(...) | provenance | MaD:286 Sink:MaD:172 | +| ApacheHttpSSRFVersion5.java:277:25:277:27 | uri : URI | ApacheHttpSSRFVersion5.java:277:25:277:38 | toString(...) | provenance | MaD:286 Sink:MaD:174 | +| ApacheHttpSSRFVersion5.java:280:27:280:29 | uri : URI | ApacheHttpSSRFVersion5.java:280:27:280:40 | toString(...) | provenance | MaD:286 Sink:MaD:176 | +| ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:296:31:296:37 | uriSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:308:60:308:62 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:309:60:309:62 | uri | provenance | Sink:MaD:209 | +| ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:313:53:313:55 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:314:53:314:55 | uri | provenance | Sink:MaD:209 | +| ApacheHttpSSRFVersion5.java:296:31:296:37 | uriSink : String | ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRFVersion5.java:296:31:296:37 | uriSink : String | ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:303:34:303:37 | host | provenance | Sink:MaD:178 | +| ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:304:34:304:37 | host | provenance | Sink:MaD:179 | +| ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:308:60:308:62 | uri : URI | ApacheHttpSSRFVersion5.java:308:60:308:73 | toString(...) | provenance | MaD:286 Sink:MaD:208 | +| ApacheHttpSSRFVersion5.java:313:53:313:55 | uri : URI | ApacheHttpSSRFVersion5.java:313:53:313:66 | toString(...) | provenance | MaD:286 Sink:MaD:208 | +| ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:333:42:333:44 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:334:42:334:44 | uri | provenance | Sink:MaD:181 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:336:39:336:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:337:39:337:41 | uri | provenance | Sink:MaD:183 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:339:40:339:42 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:340:40:340:42 | uri | provenance | Sink:MaD:185 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:342:43:342:45 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:343:43:343:45 | uri | provenance | Sink:MaD:187 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:345:41:345:43 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:346:41:346:43 | uri | provenance | Sink:MaD:189 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:348:40:348:42 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:349:40:349:42 | uri | provenance | Sink:MaD:191 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:351:39:351:41 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:352:39:352:41 | uri | provenance | Sink:MaD:193 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:356:48:356:50 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:357:48:357:50 | uri | provenance | Sink:MaD:206 | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:359:41:359:43 | uri : URI | provenance | | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:360:41:360:43 | uri | provenance | Sink:MaD:195 | +| ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRFVersion5.java:329:31:329:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:354:53:354:56 | host | provenance | Sink:MaD:204 | +| ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:333:42:333:44 | uri : URI | ApacheHttpSSRFVersion5.java:333:42:333:55 | toString(...) | provenance | MaD:286 Sink:MaD:180 | +| ApacheHttpSSRFVersion5.java:336:39:336:41 | uri : URI | ApacheHttpSSRFVersion5.java:336:39:336:52 | toString(...) | provenance | MaD:286 Sink:MaD:182 | +| ApacheHttpSSRFVersion5.java:339:40:339:42 | uri : URI | ApacheHttpSSRFVersion5.java:339:40:339:53 | toString(...) | provenance | MaD:286 Sink:MaD:184 | +| ApacheHttpSSRFVersion5.java:342:43:342:45 | uri : URI | ApacheHttpSSRFVersion5.java:342:43:342:56 | toString(...) | provenance | MaD:286 Sink:MaD:186 | +| ApacheHttpSSRFVersion5.java:345:41:345:43 | uri : URI | ApacheHttpSSRFVersion5.java:345:41:345:54 | toString(...) | provenance | MaD:286 Sink:MaD:188 | +| ApacheHttpSSRFVersion5.java:348:40:348:42 | uri : URI | ApacheHttpSSRFVersion5.java:348:40:348:53 | toString(...) | provenance | MaD:286 Sink:MaD:190 | +| ApacheHttpSSRFVersion5.java:351:39:351:41 | uri : URI | ApacheHttpSSRFVersion5.java:351:39:351:52 | toString(...) | provenance | MaD:286 Sink:MaD:192 | +| ApacheHttpSSRFVersion5.java:356:48:356:50 | uri : URI | ApacheHttpSSRFVersion5.java:356:48:356:61 | toString(...) | provenance | MaD:286 Sink:MaD:205 | +| ApacheHttpSSRFVersion5.java:359:41:359:43 | uri : URI | ApacheHttpSSRFVersion5.java:359:41:359:54 | toString(...) | provenance | MaD:286 Sink:MaD:194 | +| ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:373:31:373:37 | uriSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:380:57:380:59 | uri | provenance | Sink:MaD:197 | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:382:51:382:53 | uri | provenance | Sink:MaD:199 | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:386:50:386:52 | uri | provenance | Sink:MaD:201 | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:388:44:388:46 | uri | provenance | Sink:MaD:203 | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:390:24:390:26 | uri | provenance | Sink:MaD:207 | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | ApacheHttpSSRFVersion5.java:394:24:394:26 | uri | provenance | Sink:MaD:207 | +| ApacheHttpSSRFVersion5.java:373:31:373:37 | uriSink : String | ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | provenance | Config | +| ApacheHttpSSRFVersion5.java:373:31:373:37 | uriSink : String | ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | provenance | MaD:285 | +| ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | provenance | Src:MaD:277 | +| ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:379:57:379:60 | host | provenance | Sink:MaD:196 | +| ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:381:51:381:54 | host | provenance | Sink:MaD:198 | +| ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:385:50:385:53 | host | provenance | Sink:MaD:200 | +| ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:387:44:387:47 | host | provenance | Sink:MaD:202 | +| ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| JakartaWsSSRF.java:14:22:14:48 | getParameter(...) : String | JakartaWsSSRF.java:15:23:15:25 | url | provenance | Src:MaD:277 Sink:MaD:3 | +| JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:26:31:26:34 | sink : String | provenance | Src:MaD:277 | +| JavaNetHttpSSRF.java:26:23:26:35 | new URI(...) : URI | JavaNetHttpSSRF.java:39:59:39:61 | uri | provenance | Sink:MaD:6 | +| JavaNetHttpSSRF.java:26:31:26:34 | sink : String | JavaNetHttpSSRF.java:26:23:26:35 | new URI(...) : URI | provenance | Config | +| JavaNetHttpSSRF.java:26:31:26:34 | sink : String | JavaNetHttpSSRF.java:26:23:26:35 | new URI(...) : URI | provenance | MaD:285 | +| JavaNetHttpSSRF.java:26:31:26:34 | sink : String | JavaNetHttpSSRF.java:27:40:27:43 | sink : String | provenance | | +| JavaNetHttpSSRF.java:27:24:27:57 | new URI(...) : URI | JavaNetHttpSSRF.java:38:65:38:68 | uri2 | provenance | Sink:MaD:5 | +| JavaNetHttpSSRF.java:27:40:27:43 | sink : String | JavaNetHttpSSRF.java:27:24:27:57 | new URI(...) : URI | provenance | Config | +| JavaNetHttpSSRF.java:27:40:27:43 | sink : String | JavaNetHttpSSRF.java:28:32:28:35 | sink : String | provenance | | +| JavaNetHttpSSRF.java:28:24:28:36 | new URL(...) : URL | JavaNetHttpSSRF.java:30:32:30:35 | url1 | provenance | Sink:MaD:9 | +| JavaNetHttpSSRF.java:28:24:28:36 | new URL(...) : URL | JavaNetHttpSSRF.java:33:32:33:35 | url1 | provenance | Sink:MaD:9 | +| JavaNetHttpSSRF.java:28:24:28:36 | new URL(...) : URL | JavaNetHttpSSRF.java:34:30:34:33 | url1 | provenance | Sink:MaD:10 | +| JavaNetHttpSSRF.java:28:32:28:35 | sink : String | JavaNetHttpSSRF.java:28:24:28:36 | new URL(...) : URL | provenance | Config | +| JavaNetHttpSSRF.java:28:32:28:35 | sink : String | JavaNetHttpSSRF.java:28:24:28:36 | new URL(...) : URL | provenance | MaD:288 | +| JaxWsSSRF.java:14:22:14:48 | getParameter(...) : String | JaxWsSSRF.java:15:23:15:25 | url | provenance | Src:MaD:277 Sink:MaD:23 | +| JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:26:28:26:34 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:17 | +| JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:28:41:28:47 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:18 | +| JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:29:41:29:47 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:20 | +| JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:30:41:30:47 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:19 | +| JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | JdbcUrlSSRF.java:32:27:32:33 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:242 | +| JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | JdbcUrlSSRF.java:43:27:43:33 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:2 | +| JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | JdbcUrlSSRF.java:48:23:48:29 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:2 | +| JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | provenance | Src:MaD:277 | +| JdbcUrlSSRF.java:52:9:52:13 | props : Properties | JdbcUrlSSRF.java:54:49:54:53 | props | provenance | Sink:MaD:1 | +| JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [] : String | JdbcUrlSSRF.java:54:49:54:53 | props | provenance | Sink:MaD:1 | +| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props : Properties | provenance | Config | +| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [] : String | provenance | MaD:291 | +| JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:65:27:65:33 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:257 | +| JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:67:75:67:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:258 | +| JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:70:75:70:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:260 | +| JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:73:75:73:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:259 | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:82:21:82:27 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:235 | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:83:21:83:27 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:236 | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:84:21:84:27 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:237 | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:86:19:86:25 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:238 | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:87:19:87:25 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:239 | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:240 | +| ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:16:52:16:54 | url | provenance | Src:MaD:277 Sink:MaD:274 | +| ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:35:30:35:32 | url | provenance | Src:MaD:277 Sink:MaD:273 | +| SanitizationTests.java:19:23:19:58 | new URI(...) : URI | SanitizationTests.java:22:52:22:54 | uri | provenance | Sink:MaD:6 | +| SanitizationTests.java:19:23:19:58 | new URI(...) : URI | SanitizationTests.java:22:52:22:54 | uri : URI | provenance | | +| SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:19:23:19:58 | new URI(...) : URI | provenance | Src:MaD:277 Config | +| SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:19:23:19:58 | new URI(...) : URI | provenance | Src:MaD:277 MaD:285 | +| SanitizationTests.java:22:29:22:55 | newBuilder(...) : Builder | SanitizationTests.java:22:29:22:63 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:22:29:22:63 | build(...) : HttpRequest | SanitizationTests.java:23:25:23:25 | r | provenance | Sink:MaD:4 | +| SanitizationTests.java:22:52:22:54 | uri : URI | SanitizationTests.java:22:29:22:55 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:75:33:75:63 | getParameter(...) : String | SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | provenance | Src:MaD:277 | +| SanitizationTests.java:76:36:76:78 | newBuilder(...) : Builder | SanitizationTests.java:76:36:76:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:76:36:76:86 | build(...) : HttpRequest | SanitizationTests.java:77:25:77:32 | unsafer3 | provenance | Sink:MaD:4 | +| SanitizationTests.java:76:59:76:77 | new URI(...) : URI | SanitizationTests.java:76:36:76:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:79:49:79:79 | getParameter(...) : String | SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | provenance | Src:MaD:277 | +| SanitizationTests.java:80:36:80:78 | newBuilder(...) : Builder | SanitizationTests.java:80:36:80:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:80:36:80:86 | build(...) : HttpRequest | SanitizationTests.java:81:25:81:32 | unsafer4 | provenance | Sink:MaD:4 | +| SanitizationTests.java:80:59:80:77 | new URI(...) : URI | SanitizationTests.java:80:36:80:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:84:13:84:22 | unsafeUri5 [post update] : StringBuilder | SanitizationTests.java:85:67:85:76 | unsafeUri5 : StringBuilder | provenance | | +| SanitizationTests.java:84:31:84:61 | getParameter(...) : String | SanitizationTests.java:84:13:84:22 | unsafeUri5 [post update] : StringBuilder | provenance | Src:MaD:277 MaD:278 | +| SanitizationTests.java:85:36:85:89 | newBuilder(...) : Builder | SanitizationTests.java:85:36:85:97 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:85:36:85:97 | build(...) : HttpRequest | SanitizationTests.java:86:25:86:32 | unsafer5 | provenance | Sink:MaD:4 | +| SanitizationTests.java:85:59:85:88 | new URI(...) : URI | SanitizationTests.java:85:36:85:89 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:85:67:85:76 | unsafeUri5 : StringBuilder | SanitizationTests.java:85:67:85:87 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:88:40:88:87 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:90:68:90:77 | unafeUri5a : StringBuilder | provenance | | +| SanitizationTests.java:88:58:88:86 | getParameter(...) : String | SanitizationTests.java:88:40:88:87 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 | +| SanitizationTests.java:90:37:90:90 | newBuilder(...) : Builder | SanitizationTests.java:90:37:90:98 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:90:37:90:98 | build(...) : HttpRequest | SanitizationTests.java:91:25:91:33 | unsafer5a | provenance | Sink:MaD:4 | +| SanitizationTests.java:90:60:90:89 | new URI(...) : URI | SanitizationTests.java:90:37:90:90 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:90:68:90:77 | unafeUri5a : StringBuilder | SanitizationTests.java:90:68:90:88 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:93:41:93:105 | append(...) : StringBuilder | SanitizationTests.java:95:68:95:78 | unsafeUri5b : StringBuilder | provenance | | +| SanitizationTests.java:93:42:93:89 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:93:41:93:105 | append(...) : StringBuilder | provenance | MaD:279 | +| SanitizationTests.java:93:60:93:88 | getParameter(...) : String | SanitizationTests.java:93:42:93:89 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 | +| SanitizationTests.java:95:37:95:91 | newBuilder(...) : Builder | SanitizationTests.java:95:37:95:99 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:95:37:95:99 | build(...) : HttpRequest | SanitizationTests.java:96:25:96:33 | unsafer5b | provenance | Sink:MaD:4 | +| SanitizationTests.java:95:60:95:90 | new URI(...) : URI | SanitizationTests.java:95:37:95:91 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:95:68:95:78 | unsafeUri5b : StringBuilder | SanitizationTests.java:95:68:95:89 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:98:41:98:106 | append(...) : StringBuilder | SanitizationTests.java:100:68:100:78 | unsafeUri5c : StringBuilder | provenance | | +| SanitizationTests.java:98:77:98:105 | getParameter(...) : String | SanitizationTests.java:98:41:98:106 | append(...) : StringBuilder | provenance | Src:MaD:277 MaD:278+MaD:279 | +| SanitizationTests.java:100:37:100:91 | newBuilder(...) : Builder | SanitizationTests.java:100:37:100:99 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:100:37:100:99 | build(...) : HttpRequest | SanitizationTests.java:101:25:101:33 | unsafer5c | provenance | Sink:MaD:4 | +| SanitizationTests.java:100:60:100:90 | new URI(...) : URI | SanitizationTests.java:100:37:100:91 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:100:68:100:78 | unsafeUri5c : StringBuilder | SanitizationTests.java:100:68:100:89 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:103:33:103:104 | format(...) : String | SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | provenance | | +| SanitizationTests.java:103:33:103:104 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:103:33:103:104 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:103:73:103:103 | getParameter(...) : String | SanitizationTests.java:103:33:103:104 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:104:36:104:78 | newBuilder(...) : Builder | SanitizationTests.java:104:36:104:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:104:36:104:86 | build(...) : HttpRequest | SanitizationTests.java:105:25:105:32 | unsafer6 | provenance | Sink:MaD:4 | +| SanitizationTests.java:104:59:104:77 | new URI(...) : URI | SanitizationTests.java:104:36:104:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:107:33:107:110 | format(...) : String | SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | provenance | | +| SanitizationTests.java:107:33:107:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:107:33:107:110 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:107:56:107:86 | getParameter(...) : String | SanitizationTests.java:107:33:107:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:108:36:108:78 | newBuilder(...) : Builder | SanitizationTests.java:108:36:108:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:108:36:108:86 | build(...) : HttpRequest | SanitizationTests.java:109:25:109:32 | unsafer7 | provenance | Sink:MaD:4 | +| SanitizationTests.java:108:59:108:77 | new URI(...) : URI | SanitizationTests.java:108:36:108:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:111:33:111:110 | format(...) : String | SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | provenance | | +| SanitizationTests.java:111:33:111:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:111:33:111:110 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:111:55:111:85 | getParameter(...) : String | SanitizationTests.java:111:33:111:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:112:36:112:78 | newBuilder(...) : Builder | SanitizationTests.java:112:36:112:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:112:36:112:86 | build(...) : HttpRequest | SanitizationTests.java:113:25:113:32 | unsafer8 | provenance | Sink:MaD:4 | +| SanitizationTests.java:112:59:112:77 | new URI(...) : URI | SanitizationTests.java:112:36:112:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:115:33:115:63 | getParameter(...) : String | SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | provenance | Src:MaD:277 | +| SanitizationTests.java:116:36:116:78 | newBuilder(...) : Builder | SanitizationTests.java:116:36:116:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:116:36:116:86 | build(...) : HttpRequest | SanitizationTests.java:117:25:117:32 | unsafer9 | provenance | Sink:MaD:4 | +| SanitizationTests.java:116:59:116:77 | new URI(...) : URI | SanitizationTests.java:116:36:116:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:119:34:119:126 | format(...) : String | SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | provenance | | +| SanitizationTests.java:119:34:119:126 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:119:34:119:126 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:119:94:119:125 | getParameter(...) : String | SanitizationTests.java:119:34:119:126 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:120:37:120:80 | newBuilder(...) : Builder | SanitizationTests.java:120:37:120:88 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:120:37:120:88 | build(...) : HttpRequest | SanitizationTests.java:121:25:121:33 | unsafer10 | provenance | Sink:MaD:4 | +| SanitizationTests.java:120:60:120:79 | new URI(...) : URI | SanitizationTests.java:120:37:120:80 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) : URI | provenance | MaD:285 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | provenance | Src:MaD:277 Sink:MaD:264 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:35:33:48 | fooResourceUrl | provenance | Src:MaD:277 Sink:MaD:262 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:34:34:47 | fooResourceUrl | provenance | Src:MaD:277 Sink:MaD:263 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:35:39:35:52 | fooResourceUrl | provenance | Src:MaD:277 Sink:MaD:265 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:36:69:36:82 | fooResourceUrl | provenance | Src:MaD:277 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:37:73:37:86 | fooResourceUrl | provenance | Src:MaD:277 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:40:83:40:96 | fooResourceUrl : String | provenance | Src:MaD:277 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:42:105:42:118 | fooResourceUrl : String | provenance | Src:MaD:277 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:44:41:44:54 | fooResourceUrl | provenance | Src:MaD:277 Sink:MaD:268 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | provenance | Src:MaD:277 | +| SpringSSRF.java:40:83:40:96 | fooResourceUrl : String | SpringSSRF.java:40:69:40:97 | of(...) | provenance | MaD:289 | +| SpringSSRF.java:42:105:42:118 | fooResourceUrl : String | SpringSSRF.java:42:69:42:119 | of(...) | provenance | MaD:290 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:45:40:45:62 | new URI(...) | provenance | Config Sink:MaD:269 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:45:40:45:62 | new URI(...) | provenance | MaD:285 Sink:MaD:269 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:46:42:46:55 | fooResourceUrl | provenance | Sink:MaD:270 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:47:40:47:53 | fooResourceUrl | provenance | Sink:MaD:271 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:48:30:48:43 | fooResourceUrl | provenance | Sink:MaD:272 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:49:33:49:46 | fooResourceUrl | provenance | Sink:MaD:261 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:50:41:50:54 | fooResourceUrl | provenance | Sink:MaD:266 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:51:42:51:55 | fooResourceUrl | provenance | Sink:MaD:267 | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | SpringSSRF.java:54:35:54:48 | fooResourceUrl : String | provenance | | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:56:44:56:46 | uri | provenance | Sink:MaD:255 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:58:35:58:37 | uri | provenance | Sink:MaD:250 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:59:35:59:37 | uri | provenance | Sink:MaD:256 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:60:38:60:40 | uri | provenance | Sink:MaD:249 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:61:39:61:41 | uri | provenance | Sink:MaD:253 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:62:37:62:39 | uri | provenance | Sink:MaD:254 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:63:36:63:38 | uri | provenance | Sink:MaD:251 | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | SpringSSRF.java:64:44:64:46 | uri | provenance | Sink:MaD:252 | +| SpringSSRF.java:54:35:54:48 | fooResourceUrl : String | SpringSSRF.java:54:27:54:49 | new URI(...) : URI | provenance | Config | +| SpringSSRF.java:54:35:54:48 | fooResourceUrl : String | SpringSSRF.java:54:27:54:49 | new URI(...) : URI | provenance | MaD:285 | +| SpringSSRF.java:54:35:54:48 | fooResourceUrl : String | SpringSSRF.java:67:35:67:48 | fooResourceUrl : String | provenance | | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | SpringSSRF.java:70:49:70:51 | uri | provenance | Sink:MaD:243 | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | SpringSSRF.java:71:58:71:60 | uri | provenance | Sink:MaD:244 | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | SpringSSRF.java:72:57:72:59 | uri | provenance | Sink:MaD:245 | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | SpringSSRF.java:73:66:73:68 | uri | provenance | Sink:MaD:247 | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | SpringSSRF.java:74:57:74:59 | uri | provenance | Sink:MaD:246 | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | SpringSSRF.java:75:66:75:68 | uri | provenance | Sink:MaD:248 | +| SpringSSRF.java:67:35:67:48 | fooResourceUrl : String | SpringSSRF.java:67:27:67:49 | new URI(...) : URI | provenance | Config | +| SpringSSRF.java:67:35:67:48 | fooResourceUrl : String | SpringSSRF.java:67:27:67:49 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:16:26:16:52 | getParameter(...) : String | URLClassLoaderSSRF.java:17:31:17:33 | url : String | provenance | Src:MaD:277 | +| URLClassLoaderSSRF.java:17:23:17:34 | new URI(...) : URI | URLClassLoaderSSRF.java:18:74:18:76 | uri : URI | provenance | | +| URLClassLoaderSSRF.java:17:31:17:33 | url : String | URLClassLoaderSSRF.java:17:23:17:34 | new URI(...) : URI | provenance | Config | +| URLClassLoaderSSRF.java:17:31:17:33 | url : String | URLClassLoaderSSRF.java:17:23:17:34 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:18:64:18:85 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:18:64:18:85 | new URL[] | provenance | Sink:MaD:13 | +| URLClassLoaderSSRF.java:18:64:18:85 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:18:64:18:85 | new URL[] | provenance | Sink:MaD:13 | +| URLClassLoaderSSRF.java:18:74:18:76 | uri : URI | URLClassLoaderSSRF.java:18:74:18:84 | toURL(...) : URL | provenance | MaD:287 | +| URLClassLoaderSSRF.java:18:74:18:84 | toURL(...) : URL | URLClassLoaderSSRF.java:18:64:18:85 | {...} : URL[] [[]] : URL | provenance | | +| URLClassLoaderSSRF.java:28:26:28:52 | getParameter(...) : String | URLClassLoaderSSRF.java:29:31:29:33 | url : String | provenance | Src:MaD:277 | +| URLClassLoaderSSRF.java:29:23:29:34 | new URI(...) : URI | URLClassLoaderSSRF.java:30:74:30:76 | uri : URI | provenance | | +| URLClassLoaderSSRF.java:29:31:29:33 | url : String | URLClassLoaderSSRF.java:29:23:29:34 | new URI(...) : URI | provenance | Config | +| URLClassLoaderSSRF.java:29:31:29:33 | url : String | URLClassLoaderSSRF.java:29:23:29:34 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:30:64:30:85 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:30:64:30:85 | new URL[] | provenance | Sink:MaD:14 | +| URLClassLoaderSSRF.java:30:64:30:85 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:30:64:30:85 | new URL[] | provenance | Sink:MaD:14 | +| URLClassLoaderSSRF.java:30:74:30:76 | uri : URI | URLClassLoaderSSRF.java:30:74:30:84 | toURL(...) : URL | provenance | MaD:287 | +| URLClassLoaderSSRF.java:30:74:30:84 | toURL(...) : URL | URLClassLoaderSSRF.java:30:64:30:85 | {...} : URL[] [[]] : URL | provenance | | +| URLClassLoaderSSRF.java:40:26:40:52 | getParameter(...) : String | URLClassLoaderSSRF.java:41:31:41:33 | url : String | provenance | Src:MaD:277 | +| URLClassLoaderSSRF.java:41:23:41:34 | new URI(...) : URI | URLClassLoaderSSRF.java:44:74:44:76 | uri : URI | provenance | | +| URLClassLoaderSSRF.java:41:31:41:33 | url : String | URLClassLoaderSSRF.java:41:23:41:34 | new URI(...) : URI | provenance | Config | +| URLClassLoaderSSRF.java:41:31:41:33 | url : String | URLClassLoaderSSRF.java:41:23:41:34 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:44:64:44:85 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:44:64:44:85 | new URL[] | provenance | Sink:MaD:15 | +| URLClassLoaderSSRF.java:44:64:44:85 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:44:64:44:85 | new URL[] | provenance | Sink:MaD:15 | +| URLClassLoaderSSRF.java:44:74:44:76 | uri : URI | URLClassLoaderSSRF.java:44:74:44:84 | toURL(...) : URL | provenance | MaD:287 | +| URLClassLoaderSSRF.java:44:74:44:84 | toURL(...) : URL | URLClassLoaderSSRF.java:44:64:44:85 | {...} : URL[] [[]] : URL | provenance | | +| URLClassLoaderSSRF.java:54:26:54:52 | getParameter(...) : String | URLClassLoaderSSRF.java:55:31:55:33 | url : String | provenance | Src:MaD:277 | +| URLClassLoaderSSRF.java:55:23:55:34 | new URI(...) : URI | URLClassLoaderSSRF.java:56:82:56:84 | uri : URI | provenance | | +| URLClassLoaderSSRF.java:55:31:55:33 | url : String | URLClassLoaderSSRF.java:55:23:55:34 | new URI(...) : URI | provenance | Config | +| URLClassLoaderSSRF.java:55:31:55:33 | url : String | URLClassLoaderSSRF.java:55:23:55:34 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:56:72:56:93 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:56:72:56:93 | new URL[] | provenance | Sink:MaD:16 | +| URLClassLoaderSSRF.java:56:82:56:84 | uri : URI | URLClassLoaderSSRF.java:56:82:56:92 | toURL(...) : URL | provenance | MaD:287 | +| URLClassLoaderSSRF.java:56:82:56:92 | toURL(...) : URL | URLClassLoaderSSRF.java:56:72:56:93 | {...} : URL[] [[]] : URL | provenance | | +| URLClassLoaderSSRF.java:66:26:66:52 | getParameter(...) : String | URLClassLoaderSSRF.java:67:31:67:33 | url : String | provenance | Src:MaD:277 | +| URLClassLoaderSSRF.java:67:23:67:34 | new URI(...) : URI | URLClassLoaderSSRF.java:70:31:70:33 | uri : URI | provenance | | +| URLClassLoaderSSRF.java:67:31:67:33 | url : String | URLClassLoaderSSRF.java:67:23:67:34 | new URI(...) : URI | provenance | Config | +| URLClassLoaderSSRF.java:67:31:67:33 | url : String | URLClassLoaderSSRF.java:67:23:67:34 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:70:21:70:42 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:70:21:70:42 | new URL[] | provenance | Sink:MaD:11 | +| URLClassLoaderSSRF.java:70:21:70:42 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:70:21:70:42 | new URL[] | provenance | Sink:MaD:11 | +| URLClassLoaderSSRF.java:70:31:70:33 | uri : URI | URLClassLoaderSSRF.java:70:31:70:41 | toURL(...) : URL | provenance | MaD:287 | +| URLClassLoaderSSRF.java:70:31:70:41 | toURL(...) : URL | URLClassLoaderSSRF.java:70:21:70:42 | {...} : URL[] [[]] : URL | provenance | | +| URLClassLoaderSSRF.java:83:26:83:52 | getParameter(...) : String | URLClassLoaderSSRF.java:84:31:84:33 | url : String | provenance | Src:MaD:277 | +| URLClassLoaderSSRF.java:84:23:84:34 | new URI(...) : URI | URLClassLoaderSSRF.java:89:31:89:33 | uri : URI | provenance | | +| URLClassLoaderSSRF.java:84:31:84:33 | url : String | URLClassLoaderSSRF.java:84:23:84:34 | new URI(...) : URI | provenance | Config | +| URLClassLoaderSSRF.java:84:31:84:33 | url : String | URLClassLoaderSSRF.java:84:23:84:34 | new URI(...) : URI | provenance | MaD:285 | +| URLClassLoaderSSRF.java:89:21:89:42 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:89:21:89:42 | new URL[] | provenance | Sink:MaD:12 | +| URLClassLoaderSSRF.java:89:21:89:42 | {...} : URL[] [[]] : URL | URLClassLoaderSSRF.java:89:21:89:42 | new URL[] | provenance | Sink:MaD:12 | +| URLClassLoaderSSRF.java:89:31:89:33 | uri : URI | URLClassLoaderSSRF.java:89:31:89:41 | toURL(...) : URL | provenance | MaD:287 | +| URLClassLoaderSSRF.java:89:31:89:41 | toURL(...) : URL | URLClassLoaderSSRF.java:89:21:89:42 | {...} : URL[] [[]] : URL | provenance | | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:31:40:31:47 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:36:16:36:23 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:38:36:38:43 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:40:16:40:23 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:45:40:45:47 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:47:40:47:47 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:49:36:49:43 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:51:36:51:43 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:53:36:53:43 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:55:44:55:51 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:57:38:57:45 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:59:44:59:51 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:61:53:61:60 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:63:32:63:39 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:65:44:65:51 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:67:32:67:39 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:69:33:69:40 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:71:53:71:60 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:74:58:74:65 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:76:62:76:69 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:78:52:78:59 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:80:34:80:41 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:82:40:82:47 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:84:40:84:47 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:86:50:86:57 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:92:33:92:40 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:97:35:97:42 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:102:32:102:39 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:107:24:107:31 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | mad/Test.java:112:24:112:31 | source(...) : String | provenance | Src:MaD:277 | +| mad/Test.java:31:40:31:47 | source(...) : String | mad/Test.java:31:24:31:47 | (...)... | provenance | Sink:MaD:7 | +| mad/Test.java:36:16:36:23 | source(...) : String | mad/Test.java:36:10:36:23 | (...)... | provenance | Sink:MaD:9 | +| mad/Test.java:38:36:38:43 | source(...) : String | mad/Test.java:38:28:38:43 | (...)... | provenance | Sink:MaD:8 | +| mad/Test.java:40:16:40:23 | source(...) : String | mad/Test.java:40:10:40:23 | (...)... | provenance | Sink:MaD:10 | +| mad/Test.java:45:40:45:47 | source(...) : String | mad/Test.java:45:32:45:47 | (...)... | provenance | Sink:MaD:11 | +| mad/Test.java:45:40:45:47 | source(...) : String | mad/Test.java:45:32:45:47 | (...)... | provenance | Sink:MaD:11 | +| mad/Test.java:47:40:47:47 | source(...) : String | mad/Test.java:47:32:47:47 | (...)... | provenance | Sink:MaD:12 | +| mad/Test.java:47:40:47:47 | source(...) : String | mad/Test.java:47:32:47:47 | (...)... | provenance | Sink:MaD:12 | +| mad/Test.java:49:36:49:43 | source(...) : String | mad/Test.java:49:28:49:43 | (...)... | provenance | Sink:MaD:13 | +| mad/Test.java:49:36:49:43 | source(...) : String | mad/Test.java:49:28:49:43 | (...)... | provenance | Sink:MaD:13 | +| mad/Test.java:51:36:51:43 | source(...) : String | mad/Test.java:51:28:51:43 | (...)... | provenance | Sink:MaD:14 | +| mad/Test.java:51:36:51:43 | source(...) : String | mad/Test.java:51:28:51:43 | (...)... | provenance | Sink:MaD:14 | +| mad/Test.java:53:36:53:43 | source(...) : String | mad/Test.java:53:28:53:43 | (...)... | provenance | Sink:MaD:15 | +| mad/Test.java:53:36:53:43 | source(...) : String | mad/Test.java:53:28:53:43 | (...)... | provenance | Sink:MaD:15 | +| mad/Test.java:55:44:55:51 | source(...) : String | mad/Test.java:55:36:55:51 | (...)... | provenance | Sink:MaD:16 | +| mad/Test.java:57:38:57:45 | source(...) : String | mad/Test.java:57:32:57:45 | (...)... | provenance | Sink:MaD:25 | +| mad/Test.java:59:44:59:51 | source(...) : String | mad/Test.java:59:38:59:51 | (...)... | provenance | Sink:MaD:26 | +| mad/Test.java:61:53:61:60 | source(...) : String | mad/Test.java:61:47:61:60 | (...)... | provenance | Sink:MaD:24 | +| mad/Test.java:63:32:63:39 | source(...) : String | mad/Test.java:63:26:63:39 | (...)... | provenance | Sink:MaD:28 | +| mad/Test.java:65:44:65:51 | source(...) : String | mad/Test.java:65:38:65:51 | (...)... | provenance | Sink:MaD:29 | +| mad/Test.java:67:32:67:39 | source(...) : String | mad/Test.java:67:26:67:39 | (...)... | provenance | Sink:MaD:27 | +| mad/Test.java:69:33:69:40 | source(...) : String | mad/Test.java:69:27:69:40 | (...)... | provenance | Sink:MaD:22 | +| mad/Test.java:71:53:71:60 | source(...) : String | mad/Test.java:71:47:71:60 | (...)... | provenance | Sink:MaD:30 | +| mad/Test.java:74:58:74:65 | source(...) : String | mad/Test.java:74:50:74:65 | (...)... | provenance | Sink:MaD:32 | +| mad/Test.java:76:62:76:69 | source(...) : String | mad/Test.java:76:50:76:69 | (...)... | provenance | Sink:MaD:31 | +| mad/Test.java:78:52:78:59 | source(...) : String | mad/Test.java:78:43:78:59 | (...)... | provenance | Sink:MaD:33 | +| mad/Test.java:80:34:80:41 | source(...) : String | mad/Test.java:80:25:80:41 | (...)... | provenance | Sink:MaD:34 | +| mad/Test.java:82:40:82:47 | source(...) : String | mad/Test.java:82:31:82:47 | (...)... | provenance | Sink:MaD:35 | +| mad/Test.java:84:40:84:47 | source(...) : String | mad/Test.java:84:31:84:47 | (...)... | provenance | Sink:MaD:36 | +| mad/Test.java:86:50:86:57 | source(...) : String | mad/Test.java:86:41:86:57 | (...)... | provenance | Sink:MaD:37 | +| mad/Test.java:92:33:92:40 | source(...) : String | mad/Test.java:92:24:92:40 | (...)... | provenance | Sink:MaD:21 | +| mad/Test.java:97:35:97:42 | source(...) : String | mad/Test.java:97:29:97:42 | (...)... | provenance | Sink:MaD:234 | +| mad/Test.java:102:32:102:39 | source(...) : String | mad/Test.java:102:26:102:39 | (...)... | provenance | Sink:MaD:241 | +| mad/Test.java:107:24:107:31 | source(...) : String | mad/Test.java:107:15:107:31 | (...)... | provenance | Sink:MaD:276 | +| mad/Test.java:112:24:112:31 | source(...) : String | mad/Test.java:112:15:112:31 | (...)... | provenance | Sink:MaD:275 | +models +| 1 | Sink: com.zaxxer.hikari; HikariConfig; false; HikariConfig; (Properties); ; Argument[0]; request-forgery; manual | +| 2 | Sink: com.zaxxer.hikari; HikariConfig; false; setJdbcUrl; (String); ; Argument[0]; request-forgery; manual | +| 3 | Sink: jakarta.ws.rs.client; Client; true; target; ; ; Argument[0]; request-forgery; manual | +| 4 | Sink: java.net.http; HttpClient; true; send; (HttpRequest,HttpResponse$BodyHandler); ; Argument[0]; request-forgery; ai-manual | +| 5 | Sink: java.net.http; HttpRequest$Builder; false; uri; ; ; Argument[0]; request-forgery; manual | +| 6 | Sink: java.net.http; HttpRequest; false; newBuilder; ; ; Argument[0]; request-forgery; manual | +| 7 | Sink: java.net; DatagramSocket; true; connect; (SocketAddress); ; Argument[0]; request-forgery; ai-manual | +| 8 | Sink: java.net; URL; false; openConnection; (Proxy); ; Argument[0]; request-forgery; ai-manual | +| 9 | Sink: java.net; URL; false; openConnection; ; ; Argument[this]; request-forgery; manual | +| 10 | Sink: java.net; URL; false; openStream; ; ; Argument[this]; request-forgery; manual | +| 11 | Sink: java.net; URLClassLoader; false; URLClassLoader; (String,URL[],ClassLoader); ; Argument[1]; request-forgery; manual | +| 12 | Sink: java.net; URLClassLoader; false; URLClassLoader; (String,URL[],ClassLoader,URLStreamHandlerFactory); ; Argument[1]; request-forgery; manual | +| 13 | Sink: java.net; URLClassLoader; false; URLClassLoader; (URL[]); ; Argument[0]; request-forgery; manual | +| 14 | Sink: java.net; URLClassLoader; false; URLClassLoader; (URL[],ClassLoader); ; Argument[0]; request-forgery; manual | +| 15 | Sink: java.net; URLClassLoader; false; URLClassLoader; (URL[],ClassLoader,URLStreamHandlerFactory); ; Argument[0]; request-forgery; manual | +| 16 | Sink: java.net; URLClassLoader; false; newInstance; ; ; Argument[0]; request-forgery; manual | +| 17 | Sink: java.sql; Driver; false; connect; (String,Properties); ; Argument[0]; request-forgery; manual | +| 18 | Sink: java.sql; DriverManager; false; getConnection; (String); ; Argument[0]; request-forgery; manual | +| 19 | Sink: java.sql; DriverManager; false; getConnection; (String,Properties); ; Argument[0]; request-forgery; manual | +| 20 | Sink: java.sql; DriverManager; false; getConnection; (String,String,String); ; Argument[0]; request-forgery; manual | +| 21 | Sink: javafx.scene.web; WebEngine; false; load; (String); ; Argument[0]; request-forgery; ai-manual | +| 22 | Sink: javax.activation; URLDataSource; true; URLDataSource; ; ; Argument[0]; request-forgery; manual | +| 23 | Sink: javax.ws.rs.client; Client; true; target; ; ; Argument[0]; request-forgery; manual | +| 24 | Sink: org.apache.commons.jelly; JellyContext; true; JellyContext; (JellyContext,URL); ; Argument[1]; request-forgery; ai-manual | +| 25 | Sink: org.apache.commons.jelly; JellyContext; true; JellyContext; (JellyContext,URL,URL); ; Argument[1]; request-forgery; ai-manual | +| 26 | Sink: org.apache.commons.jelly; JellyContext; true; JellyContext; (JellyContext,URL,URL); ; Argument[2]; request-forgery; ai-manual | +| 27 | Sink: org.apache.commons.jelly; JellyContext; true; JellyContext; (URL); ; Argument[0]; request-forgery; ai-manual | +| 28 | Sink: org.apache.commons.jelly; JellyContext; true; JellyContext; (URL,URL); ; Argument[0]; request-forgery; ai-manual | +| 29 | Sink: org.apache.commons.jelly; JellyContext; true; JellyContext; (URL,URL); ; Argument[1]; request-forgery; ai-manual | +| 30 | Sink: org.apache.cxf.catalog; OASISCatalogManager; true; loadCatalog; (URL); ; Argument[0]; request-forgery; manual | +| 31 | Sink: org.apache.cxf.common.classloader; ClassLoaderUtils; true; getURLClassLoader; (List,ClassLoader); ; Argument[0]; request-forgery; manual | +| 32 | Sink: org.apache.cxf.common.classloader; ClassLoaderUtils; true; getURLClassLoader; (URL[],ClassLoader); ; Argument[0]; request-forgery; manual | +| 33 | Sink: org.apache.cxf.resource; ExtendedURIResolver; true; resolve; (String,String); ; Argument[0]; request-forgery; manual | +| 34 | Sink: org.apache.cxf.resource; URIResolver; true; URIResolver; (String); ; Argument[0]; request-forgery; manual | +| 35 | Sink: org.apache.cxf.resource; URIResolver; true; URIResolver; (String,String); ; Argument[1]; request-forgery; manual | +| 36 | Sink: org.apache.cxf.resource; URIResolver; true; URIResolver; (String,String,Class); ; Argument[1]; request-forgery; manual | +| 37 | Sink: org.apache.cxf.resource; URIResolver; true; resolve; (String,String,Class); ; Argument[1]; request-forgery; manual | +| 38 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; create; (Method,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 39 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; create; (Method,String); ; Argument[1]; request-forgery; hq-manual | +| 40 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; create; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 41 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; create; (String,String); ; Argument[1]; request-forgery; hq-manual | +| 42 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; create; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 43 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; delete; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 44 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; delete; (String); ; Argument[0]; request-forgery; hq-manual | +| 45 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; delete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 46 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; get; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 47 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; get; (String); ; Argument[0]; request-forgery; hq-manual | +| 48 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; get; (URI); ; Argument[0]; request-forgery; hq-manual | +| 49 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; head; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 50 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; head; (String); ; Argument[0]; request-forgery; hq-manual | +| 51 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; head; (URI); ; Argument[0]; request-forgery; hq-manual | +| 52 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; options; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 53 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; options; (String); ; Argument[0]; request-forgery; hq-manual | +| 54 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; options; (URI); ; Argument[0]; request-forgery; hq-manual | +| 55 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; patch; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 56 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; patch; (String); ; Argument[0]; request-forgery; hq-manual | +| 57 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; patch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 58 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; post; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 59 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; post; (String); ; Argument[0]; request-forgery; hq-manual | +| 60 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; post; (URI); ; Argument[0]; request-forgery; hq-manual | +| 61 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; put; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 62 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; put; (String); ; Argument[0]; request-forgery; hq-manual | +| 63 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; put; (URI); ; Argument[0]; request-forgery; hq-manual | +| 64 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; trace; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 65 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; trace; (String); ; Argument[0]; request-forgery; hq-manual | +| 66 | Sink: org.apache.hc.client5.http.async.methods; BasicHttpRequests; true; trace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 67 | Sink: org.apache.hc.client5.http.async.methods; ConfigurableHttpRequest; true; ConfigurableHttpRequest; (String,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 68 | Sink: org.apache.hc.client5.http.async.methods; ConfigurableHttpRequest; true; ConfigurableHttpRequest; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 69 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; SimpleHttpRequest; (Method,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 70 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; SimpleHttpRequest; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 71 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; SimpleHttpRequest; (String,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 72 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; SimpleHttpRequest; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 73 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; create; (Method,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 74 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; create; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 75 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; create; (String,String); ; Argument[1]; request-forgery; hq-manual | +| 76 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequest; true; create; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 77 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; create; (Method,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 78 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; create; (Method,String); ; Argument[1]; request-forgery; hq-manual | +| 79 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; create; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 80 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; create; (String,String); ; Argument[1]; request-forgery; hq-manual | +| 81 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; create; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 82 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; delete; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 83 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; delete; (String); ; Argument[0]; request-forgery; hq-manual | +| 84 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; delete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 85 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; get; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 86 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; get; (String); ; Argument[0]; request-forgery; hq-manual | +| 87 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; get; (URI); ; Argument[0]; request-forgery; hq-manual | +| 88 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; head; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 89 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; head; (String); ; Argument[0]; request-forgery; hq-manual | +| 90 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; head; (URI); ; Argument[0]; request-forgery; hq-manual | +| 91 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; options; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 92 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; options; (String); ; Argument[0]; request-forgery; hq-manual | +| 93 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; options; (URI); ; Argument[0]; request-forgery; hq-manual | +| 94 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; patch; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 95 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; patch; (String); ; Argument[0]; request-forgery; hq-manual | +| 96 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; patch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 97 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; post; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 98 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; post; (String); ; Argument[0]; request-forgery; hq-manual | +| 99 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; post; (URI); ; Argument[0]; request-forgery; hq-manual | +| 100 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; put; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 101 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; put; (String); ; Argument[0]; request-forgery; hq-manual | +| 102 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; put; (URI); ; Argument[0]; request-forgery; hq-manual | +| 103 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; trace; (HttpHost,String); ; Argument[0]; request-forgery; hq-manual | +| 104 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; trace; (String); ; Argument[0]; request-forgery; hq-manual | +| 105 | Sink: org.apache.hc.client5.http.async.methods; SimpleHttpRequests; true; trace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 106 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; delete; (String); ; Argument[0]; request-forgery; hq-manual | +| 107 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; delete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 108 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; get; (String); ; Argument[0]; request-forgery; hq-manual | +| 109 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; get; (URI); ; Argument[0]; request-forgery; hq-manual | +| 110 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; head; (String); ; Argument[0]; request-forgery; hq-manual | +| 111 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; head; (URI); ; Argument[0]; request-forgery; hq-manual | +| 112 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; options; (String); ; Argument[0]; request-forgery; hq-manual | +| 113 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; options; (URI); ; Argument[0]; request-forgery; hq-manual | +| 114 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; patch; (String); ; Argument[0]; request-forgery; hq-manual | +| 115 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; patch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 116 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; post; (String); ; Argument[0]; request-forgery; hq-manual | +| 117 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; post; (URI); ; Argument[0]; request-forgery; hq-manual | +| 118 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; put; (String); ; Argument[0]; request-forgery; hq-manual | +| 119 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; put; (URI); ; Argument[0]; request-forgery; hq-manual | +| 120 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; trace; (String); ; Argument[0]; request-forgery; hq-manual | +| 121 | Sink: org.apache.hc.client5.http.async.methods; SimpleRequestBuilder; true; trace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 122 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; create; (Method,String); ; Argument[1]; request-forgery; hq-manual | +| 123 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; create; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 124 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; create; (String,String); ; Argument[1]; request-forgery; hq-manual | +| 125 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; create; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 126 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; delete; (String); ; Argument[0]; request-forgery; hq-manual | +| 127 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; delete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 128 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; get; (String); ; Argument[0]; request-forgery; hq-manual | +| 129 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; get; (URI); ; Argument[0]; request-forgery; hq-manual | +| 130 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; head; (String); ; Argument[0]; request-forgery; hq-manual | +| 131 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; head; (URI); ; Argument[0]; request-forgery; hq-manual | +| 132 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; options; (String); ; Argument[0]; request-forgery; hq-manual | +| 133 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; options; (URI); ; Argument[0]; request-forgery; hq-manual | +| 134 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; patch; (String); ; Argument[0]; request-forgery; hq-manual | +| 135 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; patch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 136 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; post; (String); ; Argument[0]; request-forgery; hq-manual | +| 137 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; post; (URI); ; Argument[0]; request-forgery; hq-manual | +| 138 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; put; (String); ; Argument[0]; request-forgery; hq-manual | +| 139 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; put; (URI); ; Argument[0]; request-forgery; hq-manual | +| 140 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; trace; (String); ; Argument[0]; request-forgery; hq-manual | +| 141 | Sink: org.apache.hc.client5.http.classic.methods; ClassicHttpRequests; true; trace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 142 | Sink: org.apache.hc.client5.http.classic.methods; HttpDelete; true; HttpDelete; (String); ; Argument[0]; request-forgery; hq-manual | +| 143 | Sink: org.apache.hc.client5.http.classic.methods; HttpDelete; true; HttpDelete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 144 | Sink: org.apache.hc.client5.http.classic.methods; HttpGet; true; HttpGet; (String); ; Argument[0]; request-forgery; hq-manual | +| 145 | Sink: org.apache.hc.client5.http.classic.methods; HttpGet; true; HttpGet; (URI); ; Argument[0]; request-forgery; hq-manual | +| 146 | Sink: org.apache.hc.client5.http.classic.methods; HttpHead; true; HttpHead; (String); ; Argument[0]; request-forgery; hq-manual | +| 147 | Sink: org.apache.hc.client5.http.classic.methods; HttpHead; true; HttpHead; (URI); ; Argument[0]; request-forgery; hq-manual | +| 148 | Sink: org.apache.hc.client5.http.classic.methods; HttpOptions; true; HttpOptions; (String); ; Argument[0]; request-forgery; hq-manual | +| 149 | Sink: org.apache.hc.client5.http.classic.methods; HttpOptions; true; HttpOptions; (URI); ; Argument[0]; request-forgery; hq-manual | +| 150 | Sink: org.apache.hc.client5.http.classic.methods; HttpPatch; true; HttpPatch; (String); ; Argument[0]; request-forgery; hq-manual | +| 151 | Sink: org.apache.hc.client5.http.classic.methods; HttpPatch; true; HttpPatch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 152 | Sink: org.apache.hc.client5.http.classic.methods; HttpPost; true; HttpPost; (String); ; Argument[0]; request-forgery; hq-manual | +| 153 | Sink: org.apache.hc.client5.http.classic.methods; HttpPost; true; HttpPost; (URI); ; Argument[0]; request-forgery; hq-manual | +| 154 | Sink: org.apache.hc.client5.http.classic.methods; HttpPut; true; HttpPut; (String); ; Argument[0]; request-forgery; hq-manual | +| 155 | Sink: org.apache.hc.client5.http.classic.methods; HttpPut; true; HttpPut; (URI); ; Argument[0]; request-forgery; hq-manual | +| 156 | Sink: org.apache.hc.client5.http.classic.methods; HttpTrace; true; HttpTrace; (String); ; Argument[0]; request-forgery; hq-manual | +| 157 | Sink: org.apache.hc.client5.http.classic.methods; HttpTrace; true; HttpTrace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 158 | Sink: org.apache.hc.client5.http.classic.methods; HttpUriRequestBase; true; HttpUriRequestBase; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 159 | Sink: org.apache.hc.client5.http.fluent; Request; true; create; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 160 | Sink: org.apache.hc.client5.http.fluent; Request; true; create; (String,String); ; Argument[1]; request-forgery; hq-manual | +| 161 | Sink: org.apache.hc.client5.http.fluent; Request; true; create; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 162 | Sink: org.apache.hc.client5.http.fluent; Request; true; delete; (String); ; Argument[0]; request-forgery; hq-manual | +| 163 | Sink: org.apache.hc.client5.http.fluent; Request; true; delete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 164 | Sink: org.apache.hc.client5.http.fluent; Request; true; get; (String); ; Argument[0]; request-forgery; hq-manual | +| 165 | Sink: org.apache.hc.client5.http.fluent; Request; true; get; (URI); ; Argument[0]; request-forgery; hq-manual | +| 166 | Sink: org.apache.hc.client5.http.fluent; Request; true; head; (String); ; Argument[0]; request-forgery; hq-manual | +| 167 | Sink: org.apache.hc.client5.http.fluent; Request; true; head; (URI); ; Argument[0]; request-forgery; hq-manual | +| 168 | Sink: org.apache.hc.client5.http.fluent; Request; true; options; (String); ; Argument[0]; request-forgery; hq-manual | +| 169 | Sink: org.apache.hc.client5.http.fluent; Request; true; options; (URI); ; Argument[0]; request-forgery; hq-manual | +| 170 | Sink: org.apache.hc.client5.http.fluent; Request; true; patch; (String); ; Argument[0]; request-forgery; hq-manual | +| 171 | Sink: org.apache.hc.client5.http.fluent; Request; true; patch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 172 | Sink: org.apache.hc.client5.http.fluent; Request; true; post; (String); ; Argument[0]; request-forgery; hq-manual | +| 173 | Sink: org.apache.hc.client5.http.fluent; Request; true; post; (URI); ; Argument[0]; request-forgery; hq-manual | +| 174 | Sink: org.apache.hc.client5.http.fluent; Request; true; put; (String); ; Argument[0]; request-forgery; hq-manual | +| 175 | Sink: org.apache.hc.client5.http.fluent; Request; true; put; (URI); ; Argument[0]; request-forgery; hq-manual | +| 176 | Sink: org.apache.hc.client5.http.fluent; Request; true; trace; (String); ; Argument[0]; request-forgery; hq-manual | +| 177 | Sink: org.apache.hc.client5.http.fluent; Request; true; trace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 178 | Sink: org.apache.hc.core5.http.impl.bootstrap; HttpAsyncRequester; true; connect; (HttpHost,Timeout); ; Argument[0]; request-forgery; hq-manual | +| 179 | Sink: org.apache.hc.core5.http.impl.bootstrap; HttpAsyncRequester; true; connect; (HttpHost,Timeout,Object,FutureCallback); ; Argument[0]; request-forgery; hq-manual | +| 180 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; delete; (String); ; Argument[0]; request-forgery; hq-manual | +| 181 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; delete; (URI); ; Argument[0]; request-forgery; hq-manual | +| 182 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; get; (String); ; Argument[0]; request-forgery; hq-manual | +| 183 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; get; (URI); ; Argument[0]; request-forgery; hq-manual | +| 184 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; head; (String); ; Argument[0]; request-forgery; hq-manual | +| 185 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; head; (URI); ; Argument[0]; request-forgery; hq-manual | +| 186 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; options; (String); ; Argument[0]; request-forgery; hq-manual | +| 187 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; options; (URI); ; Argument[0]; request-forgery; hq-manual | +| 188 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; patch; (String); ; Argument[0]; request-forgery; hq-manual | +| 189 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; patch; (URI); ; Argument[0]; request-forgery; hq-manual | +| 190 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; post; (String); ; Argument[0]; request-forgery; hq-manual | +| 191 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; post; (URI); ; Argument[0]; request-forgery; hq-manual | +| 192 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; put; (String); ; Argument[0]; request-forgery; hq-manual | +| 193 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; put; (URI); ; Argument[0]; request-forgery; hq-manual | +| 194 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; trace; (String); ; Argument[0]; request-forgery; hq-manual | +| 195 | Sink: org.apache.hc.core5.http.io.support; ClassicRequestBuilder; true; trace; (URI); ; Argument[0]; request-forgery; hq-manual | +| 196 | Sink: org.apache.hc.core5.http.message; BasicClassicHttpRequest; true; BasicClassicHttpRequest; (Method,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 197 | Sink: org.apache.hc.core5.http.message; BasicClassicHttpRequest; true; BasicClassicHttpRequest; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 198 | Sink: org.apache.hc.core5.http.message; BasicClassicHttpRequest; true; BasicClassicHttpRequest; (String,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 199 | Sink: org.apache.hc.core5.http.message; BasicClassicHttpRequest; true; BasicClassicHttpRequest; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 200 | Sink: org.apache.hc.core5.http.message; BasicHttpRequest; true; BasicHttpRequest; (Method,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 201 | Sink: org.apache.hc.core5.http.message; BasicHttpRequest; true; BasicHttpRequest; (Method,URI); ; Argument[1]; request-forgery; hq-manual | +| 202 | Sink: org.apache.hc.core5.http.message; BasicHttpRequest; true; BasicHttpRequest; (String,HttpHost,String); ; Argument[1]; request-forgery; hq-manual | +| 203 | Sink: org.apache.hc.core5.http.message; BasicHttpRequest; true; BasicHttpRequest; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 204 | Sink: org.apache.hc.core5.http.support; AbstractRequestBuilder; true; setHttpHost; (HttpHost); ; Argument[0]; request-forgery; hq-manual | +| 205 | Sink: org.apache.hc.core5.http.support; AbstractRequestBuilder; true; setUri; (String); ; Argument[0]; request-forgery; hq-manual | +| 206 | Sink: org.apache.hc.core5.http.support; AbstractRequestBuilder; true; setUri; (URI); ; Argument[0]; request-forgery; hq-manual | +| 207 | Sink: org.apache.hc.core5.http; HttpRequest; true; setUri; (URI); ; Argument[0]; request-forgery; hq-manual | +| 208 | Sink: org.apache.hc.core5.http; HttpRequestFactory; true; newHttpRequest; (String,String); ; Argument[1]; request-forgery; hq-manual | +| 209 | Sink: org.apache.hc.core5.http; HttpRequestFactory; true; newHttpRequest; (String,URI); ; Argument[1]; request-forgery; hq-manual | +| 210 | Sink: org.apache.http.client.methods; HttpDelete; false; HttpDelete; ; ; Argument[0]; request-forgery; manual | +| 211 | Sink: org.apache.http.client.methods; HttpGet; false; HttpGet; ; ; Argument[0]; request-forgery; manual | +| 212 | Sink: org.apache.http.client.methods; HttpHead; false; HttpHead; ; ; Argument[0]; request-forgery; manual | +| 213 | Sink: org.apache.http.client.methods; HttpOptions; false; HttpOptions; ; ; Argument[0]; request-forgery; manual | +| 214 | Sink: org.apache.http.client.methods; HttpPatch; false; HttpPatch; ; ; Argument[0]; request-forgery; manual | +| 215 | Sink: org.apache.http.client.methods; HttpPost; false; HttpPost; ; ; Argument[0]; request-forgery; manual | +| 216 | Sink: org.apache.http.client.methods; HttpPut; false; HttpPut; ; ; Argument[0]; request-forgery; manual | +| 217 | Sink: org.apache.http.client.methods; HttpRequestBase; true; setURI; ; ; Argument[0]; request-forgery; manual | +| 218 | Sink: org.apache.http.client.methods; HttpTrace; false; HttpTrace; ; ; Argument[0]; request-forgery; manual | +| 219 | Sink: org.apache.http.client.methods; RequestBuilder; false; delete; ; ; Argument[0]; request-forgery; manual | +| 220 | Sink: org.apache.http.client.methods; RequestBuilder; false; get; ; ; Argument[0]; request-forgery; manual | +| 221 | Sink: org.apache.http.client.methods; RequestBuilder; false; head; ; ; Argument[0]; request-forgery; manual | +| 222 | Sink: org.apache.http.client.methods; RequestBuilder; false; options; ; ; Argument[0]; request-forgery; manual | +| 223 | Sink: org.apache.http.client.methods; RequestBuilder; false; patch; ; ; Argument[0]; request-forgery; manual | +| 224 | Sink: org.apache.http.client.methods; RequestBuilder; false; post; ; ; Argument[0]; request-forgery; manual | +| 225 | Sink: org.apache.http.client.methods; RequestBuilder; false; put; ; ; Argument[0]; request-forgery; manual | +| 226 | Sink: org.apache.http.client.methods; RequestBuilder; false; setUri; ; ; Argument[0]; request-forgery; manual | +| 227 | Sink: org.apache.http.client.methods; RequestBuilder; false; trace; ; ; Argument[0]; request-forgery; manual | +| 228 | Sink: org.apache.http.message; BasicHttpEntityEnclosingRequest; false; BasicHttpEntityEnclosingRequest; (RequestLine); ; Argument[0]; request-forgery; manual | +| 229 | Sink: org.apache.http.message; BasicHttpEntityEnclosingRequest; false; BasicHttpEntityEnclosingRequest; (String,String); ; Argument[1]; request-forgery; manual | +| 230 | Sink: org.apache.http.message; BasicHttpEntityEnclosingRequest; false; BasicHttpEntityEnclosingRequest; (String,String,ProtocolVersion); ; Argument[1]; request-forgery; manual | +| 231 | Sink: org.apache.http.message; BasicHttpRequest; false; BasicHttpRequest; (RequestLine); ; Argument[0]; request-forgery; manual | +| 232 | Sink: org.apache.http.message; BasicHttpRequest; false; BasicHttpRequest; (String,String); ; Argument[1]; request-forgery; manual | +| 233 | Sink: org.apache.http.message; BasicHttpRequest; false; BasicHttpRequest; (String,String,ProtocolVersion); ; Argument[1]; request-forgery; manual | +| 234 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[0]; request-forgery; ai-manual | +| 235 | Sink: org.jdbi.v3.core; Jdbi; false; create; (String); ; Argument[0]; request-forgery; manual | +| 236 | Sink: org.jdbi.v3.core; Jdbi; false; create; (String,Properties); ; Argument[0]; request-forgery; manual | +| 237 | Sink: org.jdbi.v3.core; Jdbi; false; create; (String,String,String); ; Argument[0]; request-forgery; manual | +| 238 | Sink: org.jdbi.v3.core; Jdbi; false; open; (String); ; Argument[0]; request-forgery; manual | +| 239 | Sink: org.jdbi.v3.core; Jdbi; false; open; (String,Properties); ; Argument[0]; request-forgery; manual | +| 240 | Sink: org.jdbi.v3.core; Jdbi; false; open; (String,String,String); ; Argument[0]; request-forgery; manual | +| 241 | Sink: org.kohsuke.stapler; HttpResponses; true; staticResource; (URL); ; Argument[0]; request-forgery; ai-manual | +| 242 | Sink: org.springframework.boot.jdbc; DataSourceBuilder; false; url; (String); ; Argument[0]; request-forgery; manual | +| 243 | Sink: org.springframework.http; RequestEntity; false; RequestEntity; (HttpMethod,URI); ; Argument[1]; request-forgery; manual | +| 244 | Sink: org.springframework.http; RequestEntity; false; RequestEntity; (MultiValueMap,HttpMethod,URI); ; Argument[2]; request-forgery; manual | +| 245 | Sink: org.springframework.http; RequestEntity; false; RequestEntity; (Object,HttpMethod,URI); ; Argument[2]; request-forgery; manual | +| 246 | Sink: org.springframework.http; RequestEntity; false; RequestEntity; (Object,HttpMethod,URI,Type); ; Argument[2]; request-forgery; manual | +| 247 | Sink: org.springframework.http; RequestEntity; false; RequestEntity; (Object,MultiValueMap,HttpMethod,URI); ; Argument[3]; request-forgery; manual | +| 248 | Sink: org.springframework.http; RequestEntity; false; RequestEntity; (Object,MultiValueMap,HttpMethod,URI,Type); ; Argument[3]; request-forgery; manual | +| 249 | Sink: org.springframework.http; RequestEntity; false; delete; ; ; Argument[0]; request-forgery; manual | +| 250 | Sink: org.springframework.http; RequestEntity; false; get; ; ; Argument[0]; request-forgery; manual | +| 251 | Sink: org.springframework.http; RequestEntity; false; head; ; ; Argument[0]; request-forgery; manual | +| 252 | Sink: org.springframework.http; RequestEntity; false; method; ; ; Argument[1]; request-forgery; manual | +| 253 | Sink: org.springframework.http; RequestEntity; false; options; ; ; Argument[0]; request-forgery; manual | +| 254 | Sink: org.springframework.http; RequestEntity; false; patch; ; ; Argument[0]; request-forgery; manual | +| 255 | Sink: org.springframework.http; RequestEntity; false; post; ; ; Argument[0]; request-forgery; manual | +| 256 | Sink: org.springframework.http; RequestEntity; false; put; ; ; Argument[0]; request-forgery; manual | +| 257 | Sink: org.springframework.jdbc.datasource; AbstractDriverBasedDataSource; false; setUrl; (String); ; Argument[0]; request-forgery; manual | +| 258 | Sink: org.springframework.jdbc.datasource; DriverManagerDataSource; false; DriverManagerDataSource; (String); ; Argument[0]; request-forgery; manual | +| 259 | Sink: org.springframework.jdbc.datasource; DriverManagerDataSource; false; DriverManagerDataSource; (String,Properties); ; Argument[0]; request-forgery; manual | +| 260 | Sink: org.springframework.jdbc.datasource; DriverManagerDataSource; false; DriverManagerDataSource; (String,String,String); ; Argument[0]; request-forgery; manual | +| 261 | Sink: org.springframework.web.client; RestTemplate; false; delete; ; ; Argument[0]; request-forgery; manual | +| 262 | Sink: org.springframework.web.client; RestTemplate; false; exchange; ; ; Argument[0]; request-forgery; manual | +| 263 | Sink: org.springframework.web.client; RestTemplate; false; execute; ; ; Argument[0]; request-forgery; manual | +| 264 | Sink: org.springframework.web.client; RestTemplate; false; getForEntity; ; ; Argument[0]; request-forgery; manual | +| 265 | Sink: org.springframework.web.client; RestTemplate; false; getForObject; ; ; Argument[0]; request-forgery; manual | +| 266 | Sink: org.springframework.web.client; RestTemplate; false; headForHeaders; ; ; Argument[0]; request-forgery; manual | +| 267 | Sink: org.springframework.web.client; RestTemplate; false; optionsForAllow; ; ; Argument[0]; request-forgery; manual | +| 268 | Sink: org.springframework.web.client; RestTemplate; false; patchForObject; ; ; Argument[0]; request-forgery; manual | +| 269 | Sink: org.springframework.web.client; RestTemplate; false; postForEntity; ; ; Argument[0]; request-forgery; manual | +| 270 | Sink: org.springframework.web.client; RestTemplate; false; postForLocation; ; ; Argument[0]; request-forgery; manual | +| 271 | Sink: org.springframework.web.client; RestTemplate; false; postForObject; ; ; Argument[0]; request-forgery; manual | +| 272 | Sink: org.springframework.web.client; RestTemplate; false; put; ; ; Argument[0]; request-forgery; manual | +| 273 | Sink: org.springframework.web.reactive.function.client; WebClient$Builder; false; baseUrl; ; ; Argument[0]; request-forgery; manual | +| 274 | Sink: org.springframework.web.reactive.function.client; WebClient; false; create; ; ; Argument[0]; request-forgery; manual | +| 275 | Sink: play.libs.ws; StandaloneWSClient; true; url; ; ; Argument[0]; request-forgery; manual | +| 276 | Sink: play.libs.ws; WSClient; true; url; ; ; Argument[0]; request-forgery; manual | +| 277 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual | +| 278 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual | +| 279 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[this]; ReturnValue; value; manual | +| 280 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual | +| 281 | Summary: java.lang; String; false; format; (String,Object[]); ; Argument[1].ArrayElement; ReturnValue; taint; manual | +| 282 | Summary: java.lang; StringBuilder; true; StringBuilder; ; ; Argument[0]; Argument[this]; taint; manual | +| 283 | Summary: java.net.http; HttpRequest$Builder; true; build; (); ; Argument[this]; ReturnValue; taint; df-generated | +| 284 | Summary: java.net.http; HttpRequest; true; newBuilder; (URI); ; Argument[0]; ReturnValue; taint; df-generated | +| 285 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual | +| 286 | Summary: java.net; URI; false; toString; ; ; Argument[this]; ReturnValue; taint; manual | +| 287 | Summary: java.net; URI; false; toURL; ; ; Argument[this]; ReturnValue; taint; manual | +| 288 | Summary: java.net; URL; false; URL; (String); ; Argument[0]; Argument[this]; taint; manual | +| 289 | Summary: java.util; Map; false; of; ; ; Argument[1]; ReturnValue.MapValue; value; manual | +| 290 | Summary: java.util; Map; false; of; ; ; Argument[3]; ReturnValue.MapValue; value; manual | +| 291 | Summary: java.util; Properties; true; setProperty; (String,String); ; Argument[1]; Argument[this].MapValue; value; manual | +| 292 | Summary: org.apache.hc.core5.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual | +| 293 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual | +nodes +| ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRF.java:28:31:28:34 | sink : String | semmle.label | sink : String | +| ApacheHttpSSRF.java:30:43:30:45 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:32:29:32:31 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:34:26:34:28 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:35:26:35:28 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:36:25:36:27 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:37:28:37:30 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:38:29:38:31 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:39:27:39:29 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:40:27:40:29 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | semmle.label | new BasicRequestLine(...) | +| ApacheHttpSSRF.java:42:62:42:64 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | semmle.label | toString(...) : String | +| ApacheHttpSSRF.java:43:41:43:43 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRF.java:43:41:43:54 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRF.java:44:41:44:43 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRF.java:44:41:44:54 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | semmle.label | new BasicRequestLine(...) | +| ApacheHttpSSRF.java:46:77:46:79 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | semmle.label | toString(...) : String | +| ApacheHttpSSRF.java:47:56:47:58 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRF.java:47:56:47:69 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRF.java:48:56:48:58 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRF.java:48:56:48:69 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRF.java:50:32:50:34 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:51:33:51:35 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:52:32:52:34 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:53:35:53:37 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:54:36:54:38 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:55:33:55:35 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:56:34:56:36 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:57:34:57:36 | uri | semmle.label | uri | +| ApacheHttpSSRF.java:58:43:58:45 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:42:23:42:38 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | semmle.label | uriSink : String | +| ApacheHttpSSRFVersion5.java:44:31:44:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost | +| ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | semmle.label | hostSink : String | +| ApacheHttpSSRFVersion5.java:48:54:48:57 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:49:54:49:56 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:49:54:49:67 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:50:54:50:56 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:51:48:51:50 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:51:48:51:61 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:52:48:52:50 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:54:38:54:41 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:55:38:55:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:55:38:55:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:56:38:56:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:58:35:58:38 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:59:35:59:37 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:59:35:59:48 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:60:35:60:37 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:62:36:62:39 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:63:36:63:38 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:63:36:63:49 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:64:36:64:38 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:66:39:66:42 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:67:39:67:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:67:39:67:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:68:39:68:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:70:37:70:40 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:71:37:71:39 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:71:37:71:50 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:72:37:72:39 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:74:36:74:39 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:75:36:75:38 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:75:36:75:49 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:76:36:76:38 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:78:35:78:38 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:79:35:79:37 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:79:35:79:48 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:80:35:80:37 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:82:37:82:40 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:83:37:83:39 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:83:37:83:50 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:84:37:84:39 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:87:51:87:54 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:88:51:88:53 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:91:51:91:54 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:92:51:92:53 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:93:45:93:48 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:94:45:94:47 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:96:54:96:57 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:97:54:97:56 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:98:48:98:50 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:98:48:98:61 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:99:48:99:50 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:102:55:102:58 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:103:55:103:57 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:103:55:103:68 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:104:55:104:57 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:105:49:105:51 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:105:49:105:62 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:106:49:106:51 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:108:39:108:42 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:109:39:109:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:109:39:109:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:110:39:110:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:112:36:112:39 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:113:36:113:38 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:113:36:113:49 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:114:36:114:38 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:116:37:116:40 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:117:37:117:39 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:117:37:117:50 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:118:37:118:39 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:120:40:120:43 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:121:40:121:42 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:121:40:121:53 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:122:40:122:42 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:124:38:124:41 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:125:38:125:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:125:38:125:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:126:38:126:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:128:37:128:40 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:129:37:129:39 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:129:37:129:50 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:130:37:130:39 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:132:36:132:39 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:133:36:133:38 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:133:36:133:49 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:134:36:134:38 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:136:38:136:41 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:137:38:137:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:137:38:137:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:138:38:138:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:141:41:141:43 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:141:41:141:54 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:142:41:142:43 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:144:38:144:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:144:38:144:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:145:38:145:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:147:39:147:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:147:39:147:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:148:39:148:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:150:42:150:44 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:150:42:150:55 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:151:42:151:44 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:153:40:153:42 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:153:40:153:53 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:154:40:154:42 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:156:39:156:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:156:39:156:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:157:39:157:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:159:38:159:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:159:38:159:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:160:38:160:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:162:52:162:55 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:164:47:164:49 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:164:47:164:60 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:165:47:165:49 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:167:40:167:42 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:167:40:167:53 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:168:40:168:42 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:180:30:180:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:181:23:181:38 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRFVersion5.java:181:31:181:37 | uriSink : String | semmle.label | uriSink : String | +| ApacheHttpSSRFVersion5.java:184:56:184:58 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:184:56:184:69 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:185:56:185:58 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:186:50:186:52 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:186:50:186:63 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:187:50:187:52 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:189:40:189:42 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:189:40:189:53 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:190:40:190:42 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:192:37:192:39 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:192:37:192:50 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:193:37:193:39 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:195:38:195:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:195:38:195:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:196:38:196:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:198:41:198:43 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:198:41:198:54 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:199:41:199:43 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:201:39:201:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:201:39:201:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:202:39:202:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:204:38:204:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:204:38:204:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:205:38:205:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:207:37:207:39 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:207:37:207:50 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:208:37:208:39 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:210:39:210:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:210:39:210:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:211:39:211:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:214:28:214:30 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:214:28:214:41 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:215:28:215:30 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:217:25:217:27 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:217:25:217:38 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:218:25:218:27 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:220:26:220:28 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:220:26:220:39 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:221:26:221:28 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:223:29:223:31 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:223:29:223:42 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:224:29:224:31 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:226:27:226:29 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:226:27:226:40 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:227:27:227:29 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:229:26:229:28 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:229:26:229:39 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:230:26:230:28 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:232:25:232:27 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:232:25:232:38 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:233:25:233:27 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:235:27:235:29 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:235:27:235:40 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:236:27:236:29 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:239:46:239:48 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:251:30:251:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:252:23:252:38 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRFVersion5.java:252:31:252:37 | uriSink : String | semmle.label | uriSink : String | +| ApacheHttpSSRFVersion5.java:255:44:255:46 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:256:38:256:40 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:256:38:256:51 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:257:38:257:40 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:259:28:259:30 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:259:28:259:41 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:260:28:260:30 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:262:25:262:27 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:262:25:262:38 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:263:25:263:27 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:265:26:265:28 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:265:26:265:39 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:266:26:266:28 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:268:29:268:31 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:268:29:268:42 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:269:29:269:31 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:271:27:271:29 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:271:27:271:40 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:272:27:272:29 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:274:26:274:28 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:274:26:274:39 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:275:26:275:28 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:277:25:277:27 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:277:25:277:38 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:278:25:278:27 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:280:27:280:29 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:280:27:280:40 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:281:27:281:29 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:295:30:295:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:296:23:296:38 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRFVersion5.java:296:31:296:37 | uriSink : String | semmle.label | uriSink : String | +| ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost | +| ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | semmle.label | hostSink : String | +| ApacheHttpSSRFVersion5.java:303:34:303:37 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:304:34:304:37 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:308:60:308:62 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:308:60:308:73 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:309:60:309:62 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:313:53:313:55 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:313:53:313:66 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:314:53:314:55 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | semmle.label | uriSink : String | +| ApacheHttpSSRFVersion5.java:329:31:329:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost | +| ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | semmle.label | hostSink : String | +| ApacheHttpSSRFVersion5.java:333:42:333:44 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:333:42:333:55 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:334:42:334:44 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:336:39:336:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:336:39:336:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:337:39:337:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:339:40:339:42 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:339:40:339:53 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:340:40:340:42 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:342:43:342:45 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:342:43:342:56 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:343:43:343:45 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:345:41:345:43 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:345:41:345:54 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:346:41:346:43 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:348:40:348:42 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:348:40:348:53 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:349:40:349:42 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:351:39:351:41 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:351:39:351:52 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:352:39:352:41 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:354:53:354:56 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:356:48:356:50 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:356:48:356:61 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:357:48:357:50 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:359:41:359:43 | uri : URI | semmle.label | uri : URI | +| ApacheHttpSSRFVersion5.java:359:41:359:54 | toString(...) | semmle.label | toString(...) | +| ApacheHttpSSRFVersion5.java:360:41:360:43 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:372:30:372:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:373:23:373:38 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| ApacheHttpSSRFVersion5.java:373:31:373:37 | uriSink : String | semmle.label | uriSink : String | +| ApacheHttpSSRFVersion5.java:375:31:375:58 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | semmle.label | new HttpHost(...) : HttpHost | +| ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | semmle.label | hostSink : String | +| ApacheHttpSSRFVersion5.java:379:57:379:60 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:380:57:380:59 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:381:51:381:54 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:382:51:382:53 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:385:50:385:53 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:386:50:386:52 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:387:44:387:47 | host | semmle.label | host | +| ApacheHttpSSRFVersion5.java:388:44:388:46 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:390:24:390:26 | uri | semmle.label | uri | +| ApacheHttpSSRFVersion5.java:394:24:394:26 | uri | semmle.label | uri | +| JakartaWsSSRF.java:14:22:14:48 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JakartaWsSSRF.java:15:23:15:25 | url | semmle.label | url | +| JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JavaNetHttpSSRF.java:26:23:26:35 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| JavaNetHttpSSRF.java:26:31:26:34 | sink : String | semmle.label | sink : String | +| JavaNetHttpSSRF.java:27:24:27:57 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| JavaNetHttpSSRF.java:27:40:27:43 | sink : String | semmle.label | sink : String | +| JavaNetHttpSSRF.java:28:24:28:36 | new URL(...) : URL | semmle.label | new URL(...) : URL | +| JavaNetHttpSSRF.java:28:32:28:35 | sink : String | semmle.label | sink : String | +| JavaNetHttpSSRF.java:30:32:30:35 | url1 | semmle.label | url1 | +| JavaNetHttpSSRF.java:33:32:33:35 | url1 | semmle.label | url1 | +| JavaNetHttpSSRF.java:34:30:34:33 | url1 | semmle.label | url1 | +| JavaNetHttpSSRF.java:38:65:38:68 | uri2 | semmle.label | uri2 | +| JavaNetHttpSSRF.java:39:59:39:61 | uri | semmle.label | uri | +| JaxWsSSRF.java:14:22:14:48 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JaxWsSSRF.java:15:23:15:25 | url | semmle.label | url | +| JdbcUrlSSRF.java:21:26:21:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JdbcUrlSSRF.java:26:28:26:34 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:28:41:28:47 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:29:41:29:47 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:30:41:30:47 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:32:27:32:33 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:40:26:40:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JdbcUrlSSRF.java:43:27:43:33 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:48:23:48:29 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:52:9:52:13 | props : Properties | semmle.label | props : Properties | +| JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [] : String | semmle.label | props [post update] : Properties [] : String | +| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | semmle.label | jdbcUrl : String | +| JdbcUrlSSRF.java:54:49:54:53 | props | semmle.label | props | +| JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JdbcUrlSSRF.java:65:27:65:33 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:67:75:67:81 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:70:75:70:81 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:73:75:73:81 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| JdbcUrlSSRF.java:82:21:82:27 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:83:21:83:27 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:84:21:84:27 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:86:19:86:25 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:87:19:87:25 | jdbcUrl | semmle.label | jdbcUrl | +| JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | semmle.label | jdbcUrl | +| ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ReactiveWebClientSSRF.java:16:52:16:54 | url | semmle.label | url | +| ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| ReactiveWebClientSSRF.java:35:30:35:32 | url | semmle.label | url | +| SanitizationTests.java:19:23:19:58 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:22:29:22:55 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:22:29:22:63 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:22:52:22:54 | uri | semmle.label | uri | +| SanitizationTests.java:22:52:22:54 | uri : URI | semmle.label | uri : URI | +| SanitizationTests.java:23:25:23:25 | r | semmle.label | r | +| SanitizationTests.java:75:33:75:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:76:36:76:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:76:36:76:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:76:59:76:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:76:59:76:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | semmle.label | unsafeUri3 : String | +| SanitizationTests.java:77:25:77:32 | unsafer3 | semmle.label | unsafer3 | +| SanitizationTests.java:79:49:79:79 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:80:36:80:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:80:36:80:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:80:59:80:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:80:59:80:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | semmle.label | unsafeUri4 : String | +| SanitizationTests.java:81:25:81:32 | unsafer4 | semmle.label | unsafer4 | +| SanitizationTests.java:84:13:84:22 | unsafeUri5 [post update] : StringBuilder | semmle.label | unsafeUri5 [post update] : StringBuilder | +| SanitizationTests.java:84:31:84:61 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:85:36:85:89 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:85:36:85:97 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:85:59:85:88 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:85:59:85:88 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:85:67:85:76 | unsafeUri5 : StringBuilder | semmle.label | unsafeUri5 : StringBuilder | +| SanitizationTests.java:85:67:85:87 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:86:25:86:32 | unsafer5 | semmle.label | unsafer5 | +| SanitizationTests.java:88:40:88:87 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder | +| SanitizationTests.java:88:58:88:86 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:90:37:90:90 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:90:37:90:98 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:90:60:90:89 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:90:60:90:89 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:90:68:90:77 | unafeUri5a : StringBuilder | semmle.label | unafeUri5a : StringBuilder | +| SanitizationTests.java:90:68:90:88 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:91:25:91:33 | unsafer5a | semmle.label | unsafer5a | +| SanitizationTests.java:93:41:93:105 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder | +| SanitizationTests.java:93:42:93:89 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder | +| SanitizationTests.java:93:60:93:88 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:95:37:95:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:95:37:95:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:95:60:95:90 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:95:60:95:90 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:95:68:95:78 | unsafeUri5b : StringBuilder | semmle.label | unsafeUri5b : StringBuilder | +| SanitizationTests.java:95:68:95:89 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:96:25:96:33 | unsafer5b | semmle.label | unsafer5b | +| SanitizationTests.java:98:41:98:106 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder | +| SanitizationTests.java:98:77:98:105 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:100:37:100:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:100:37:100:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:100:60:100:90 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:100:60:100:90 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:100:68:100:78 | unsafeUri5c : StringBuilder | semmle.label | unsafeUri5c : StringBuilder | +| SanitizationTests.java:100:68:100:89 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:101:25:101:33 | unsafer5c | semmle.label | unsafer5c | +| SanitizationTests.java:103:33:103:104 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:103:33:103:104 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:103:73:103:103 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:104:36:104:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:104:36:104:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:104:59:104:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:104:59:104:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | semmle.label | unsafeUri6 : String | +| SanitizationTests.java:105:25:105:32 | unsafer6 | semmle.label | unsafer6 | +| SanitizationTests.java:107:33:107:110 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:107:33:107:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:107:56:107:86 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:108:36:108:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:108:36:108:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:108:59:108:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:108:59:108:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | semmle.label | unsafeUri7 : String | +| SanitizationTests.java:109:25:109:32 | unsafer7 | semmle.label | unsafer7 | +| SanitizationTests.java:111:33:111:110 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:111:33:111:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:111:55:111:85 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:112:36:112:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:112:36:112:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:112:59:112:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:112:59:112:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | semmle.label | unsafeUri8 : String | +| SanitizationTests.java:113:25:113:32 | unsafer8 | semmle.label | unsafer8 | +| SanitizationTests.java:115:33:115:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:116:36:116:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:116:36:116:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:116:59:116:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:116:59:116:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | semmle.label | unsafeUri9 : String | +| SanitizationTests.java:117:25:117:32 | unsafer9 | semmle.label | unsafer9 | +| SanitizationTests.java:119:34:119:126 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:119:34:119:126 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:119:94:119:125 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:120:37:120:80 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:120:37:120:88 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:120:60:120:79 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:120:60:120:79 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String | +| SanitizationTests.java:121:25:121:33 | unsafer10 | semmle.label | unsafer10 | +| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SpringSSRF.java:32:39:32:59 | ... + ... | semmle.label | ... + ... | +| SpringSSRF.java:33:35:33:48 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:34:34:34:47 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:35:39:35:52 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:36:69:36:82 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:37:73:37:86 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:40:69:40:97 | of(...) | semmle.label | of(...) | +| SpringSSRF.java:40:83:40:96 | fooResourceUrl : String | semmle.label | fooResourceUrl : String | +| SpringSSRF.java:42:69:42:119 | of(...) | semmle.label | of(...) | +| SpringSSRF.java:42:105:42:118 | fooResourceUrl : String | semmle.label | fooResourceUrl : String | +| SpringSSRF.java:44:41:44:54 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:45:40:45:62 | new URI(...) | semmle.label | new URI(...) | +| SpringSSRF.java:45:48:45:61 | fooResourceUrl : String | semmle.label | fooResourceUrl : String | +| SpringSSRF.java:46:42:46:55 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:47:40:47:53 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:48:30:48:43 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:49:33:49:46 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:50:41:50:54 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:51:42:51:55 | fooResourceUrl | semmle.label | fooResourceUrl | +| SpringSSRF.java:54:27:54:49 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SpringSSRF.java:54:35:54:48 | fooResourceUrl : String | semmle.label | fooResourceUrl : String | +| SpringSSRF.java:56:44:56:46 | uri | semmle.label | uri | +| SpringSSRF.java:58:35:58:37 | uri | semmle.label | uri | +| SpringSSRF.java:59:35:59:37 | uri | semmle.label | uri | +| SpringSSRF.java:60:38:60:40 | uri | semmle.label | uri | +| SpringSSRF.java:61:39:61:41 | uri | semmle.label | uri | +| SpringSSRF.java:62:37:62:39 | uri | semmle.label | uri | +| SpringSSRF.java:63:36:63:38 | uri | semmle.label | uri | +| SpringSSRF.java:64:44:64:46 | uri | semmle.label | uri | +| SpringSSRF.java:67:27:67:49 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SpringSSRF.java:67:35:67:48 | fooResourceUrl : String | semmle.label | fooResourceUrl : String | +| SpringSSRF.java:70:49:70:51 | uri | semmle.label | uri | +| SpringSSRF.java:71:58:71:60 | uri | semmle.label | uri | +| SpringSSRF.java:72:57:72:59 | uri | semmle.label | uri | +| SpringSSRF.java:73:66:73:68 | uri | semmle.label | uri | +| SpringSSRF.java:74:57:74:59 | uri | semmle.label | uri | +| SpringSSRF.java:75:66:75:68 | uri | semmle.label | uri | +| URLClassLoaderSSRF.java:16:26:16:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| URLClassLoaderSSRF.java:17:23:17:34 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| URLClassLoaderSSRF.java:17:31:17:33 | url : String | semmle.label | url : String | +| URLClassLoaderSSRF.java:18:64:18:85 | new URL[] | semmle.label | new URL[] | +| URLClassLoaderSSRF.java:18:64:18:85 | {...} : URL[] [[]] : URL | semmle.label | {...} : URL[] [[]] : URL | +| URLClassLoaderSSRF.java:18:74:18:76 | uri : URI | semmle.label | uri : URI | +| URLClassLoaderSSRF.java:18:74:18:84 | toURL(...) : URL | semmle.label | toURL(...) : URL | +| URLClassLoaderSSRF.java:28:26:28:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| URLClassLoaderSSRF.java:29:23:29:34 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| URLClassLoaderSSRF.java:29:31:29:33 | url : String | semmle.label | url : String | +| URLClassLoaderSSRF.java:30:64:30:85 | new URL[] | semmle.label | new URL[] | +| URLClassLoaderSSRF.java:30:64:30:85 | {...} : URL[] [[]] : URL | semmle.label | {...} : URL[] [[]] : URL | +| URLClassLoaderSSRF.java:30:74:30:76 | uri : URI | semmle.label | uri : URI | +| URLClassLoaderSSRF.java:30:74:30:84 | toURL(...) : URL | semmle.label | toURL(...) : URL | +| URLClassLoaderSSRF.java:40:26:40:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| URLClassLoaderSSRF.java:41:23:41:34 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| URLClassLoaderSSRF.java:41:31:41:33 | url : String | semmle.label | url : String | +| URLClassLoaderSSRF.java:44:64:44:85 | new URL[] | semmle.label | new URL[] | +| URLClassLoaderSSRF.java:44:64:44:85 | {...} : URL[] [[]] : URL | semmle.label | {...} : URL[] [[]] : URL | +| URLClassLoaderSSRF.java:44:74:44:76 | uri : URI | semmle.label | uri : URI | +| URLClassLoaderSSRF.java:44:74:44:84 | toURL(...) : URL | semmle.label | toURL(...) : URL | +| URLClassLoaderSSRF.java:54:26:54:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| URLClassLoaderSSRF.java:55:23:55:34 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| URLClassLoaderSSRF.java:55:31:55:33 | url : String | semmle.label | url : String | +| URLClassLoaderSSRF.java:56:72:56:93 | new URL[] | semmle.label | new URL[] | +| URLClassLoaderSSRF.java:56:72:56:93 | {...} : URL[] [[]] : URL | semmle.label | {...} : URL[] [[]] : URL | +| URLClassLoaderSSRF.java:56:82:56:84 | uri : URI | semmle.label | uri : URI | +| URLClassLoaderSSRF.java:56:82:56:92 | toURL(...) : URL | semmle.label | toURL(...) : URL | +| URLClassLoaderSSRF.java:66:26:66:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| URLClassLoaderSSRF.java:67:23:67:34 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| URLClassLoaderSSRF.java:67:31:67:33 | url : String | semmle.label | url : String | +| URLClassLoaderSSRF.java:70:21:70:42 | new URL[] | semmle.label | new URL[] | +| URLClassLoaderSSRF.java:70:21:70:42 | {...} : URL[] [[]] : URL | semmle.label | {...} : URL[] [[]] : URL | +| URLClassLoaderSSRF.java:70:31:70:33 | uri : URI | semmle.label | uri : URI | +| URLClassLoaderSSRF.java:70:31:70:41 | toURL(...) : URL | semmle.label | toURL(...) : URL | +| URLClassLoaderSSRF.java:83:26:83:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| URLClassLoaderSSRF.java:84:23:84:34 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| URLClassLoaderSSRF.java:84:31:84:33 | url : String | semmle.label | url : String | +| URLClassLoaderSSRF.java:89:21:89:42 | new URL[] | semmle.label | new URL[] | +| URLClassLoaderSSRF.java:89:21:89:42 | {...} : URL[] [[]] : URL | semmle.label | {...} : URL[] [[]] : URL | +| URLClassLoaderSSRF.java:89:31:89:33 | uri : URI | semmle.label | uri : URI | +| URLClassLoaderSSRF.java:89:31:89:41 | toURL(...) : URL | semmle.label | toURL(...) : URL | +| mad/Test.java:26:16:26:41 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| mad/Test.java:31:24:31:47 | (...)... | semmle.label | (...)... | +| mad/Test.java:31:40:31:47 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:36:10:36:23 | (...)... | semmle.label | (...)... | +| mad/Test.java:36:16:36:23 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:38:28:38:43 | (...)... | semmle.label | (...)... | +| mad/Test.java:38:36:38:43 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:40:10:40:23 | (...)... | semmle.label | (...)... | +| mad/Test.java:40:16:40:23 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:45:32:45:47 | (...)... | semmle.label | (...)... | +| mad/Test.java:45:40:45:47 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:47:32:47:47 | (...)... | semmle.label | (...)... | +| mad/Test.java:47:40:47:47 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:49:28:49:43 | (...)... | semmle.label | (...)... | +| mad/Test.java:49:36:49:43 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:51:28:51:43 | (...)... | semmle.label | (...)... | +| mad/Test.java:51:36:51:43 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:53:28:53:43 | (...)... | semmle.label | (...)... | +| mad/Test.java:53:36:53:43 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:55:36:55:51 | (...)... | semmle.label | (...)... | +| mad/Test.java:55:44:55:51 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:57:32:57:45 | (...)... | semmle.label | (...)... | +| mad/Test.java:57:38:57:45 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:59:38:59:51 | (...)... | semmle.label | (...)... | +| mad/Test.java:59:44:59:51 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:61:47:61:60 | (...)... | semmle.label | (...)... | +| mad/Test.java:61:53:61:60 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:63:26:63:39 | (...)... | semmle.label | (...)... | +| mad/Test.java:63:32:63:39 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:65:38:65:51 | (...)... | semmle.label | (...)... | +| mad/Test.java:65:44:65:51 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:67:26:67:39 | (...)... | semmle.label | (...)... | +| mad/Test.java:67:32:67:39 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:69:27:69:40 | (...)... | semmle.label | (...)... | +| mad/Test.java:69:33:69:40 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:71:47:71:60 | (...)... | semmle.label | (...)... | +| mad/Test.java:71:53:71:60 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:74:50:74:65 | (...)... | semmle.label | (...)... | +| mad/Test.java:74:58:74:65 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:76:50:76:69 | (...)... | semmle.label | (...)... | +| mad/Test.java:76:62:76:69 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:78:43:78:59 | (...)... | semmle.label | (...)... | +| mad/Test.java:78:52:78:59 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:80:25:80:41 | (...)... | semmle.label | (...)... | +| mad/Test.java:80:34:80:41 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:82:31:82:47 | (...)... | semmle.label | (...)... | +| mad/Test.java:82:40:82:47 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:84:31:84:47 | (...)... | semmle.label | (...)... | +| mad/Test.java:84:40:84:47 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:86:41:86:57 | (...)... | semmle.label | (...)... | +| mad/Test.java:86:50:86:57 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:92:24:92:40 | (...)... | semmle.label | (...)... | +| mad/Test.java:92:33:92:40 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:97:29:97:42 | (...)... | semmle.label | (...)... | +| mad/Test.java:97:35:97:42 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:102:26:102:39 | (...)... | semmle.label | (...)... | +| mad/Test.java:102:32:102:39 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:107:15:107:31 | (...)... | semmle.label | (...)... | +| mad/Test.java:107:24:107:31 | source(...) : String | semmle.label | source(...) : String | +| mad/Test.java:112:15:112:31 | (...)... | semmle.label | (...)... | +| mad/Test.java:112:24:112:31 | source(...) : String | semmle.label | source(...) : String | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql b/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql deleted file mode 100644 index 971a9532bd6f..000000000000 --- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql +++ /dev/null @@ -1,19 +0,0 @@ -import java -import semmle.code.java.security.RequestForgeryConfig -import utils.test.InlineExpectationsTest - -module HasFlowTest implements TestSig { - string getARelevantTag() { result = "SSRF" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "SSRF" and - exists(DataFlow::Node sink | - RequestForgeryFlow::flowTo(sink) and - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.qlref b/java/ql/test/query-tests/security/CWE-918/RequestForgery.qlref new file mode 100644 index 000000000000..be2312049e7d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-918/RequestForgery.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java index 33df1a586308..03a61cfcf97d 100644 --- a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java +++ b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java @@ -16,11 +16,11 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - URI uri = new URI(request.getParameter("uri")); + URI uri = new URI(request.getParameter("uri")); // $ Source // BAD: a request parameter is incorporated without validation into a Http // request - HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF - client.send(r, null); // $ SSRF + HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ Alert + client.send(r, null); // $ Alert // GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host. // We test a few different ways of sanitisation: via string conctentation (perhaps nested), @@ -72,55 +72,55 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // BAD: cases where a string that would sanitise is used, but occurs in the wrong // place to sanitise user input: - String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/"; - HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build(); // $ SSRF - client.send(unsafer3, null); // $ SSRF + String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/"; // $ Source + HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build(); // $ Alert + client.send(unsafer3, null); // $ Alert - String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/"; - HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF - client.send(unsafer4, null); // $ SSRF + String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/"; // $ Source + HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ Alert + client.send(unsafer4, null); // $ Alert StringBuilder unsafeUri5 = new StringBuilder(); - unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/"); - HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF - client.send(unsafer5, null); // $ SSRF + unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/"); // $ Source + HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ Alert + client.send(unsafer5, null); // $ Alert - StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a")); + StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a")); // $ Source unafeUri5a.append("https://example.com/"); - HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF - client.send(unsafer5a, null); // $ SSRF + HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ Alert + client.send(unsafer5a, null); // $ Alert - StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/"); + StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/"); // $ Source unsafeUri5b.append("https://example.com/"); - HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF - client.send(unsafer5b, null); // $ SSRF + HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ Alert + client.send(unsafer5b, null); // $ Alert - StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c")); + StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c")); // $ Source unsafeUri5c.append("://example.com/dir/"); - HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF - client.send(unsafer5c, null); // $ SSRF + HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ Alert + client.send(unsafer5c, null); // $ Alert - String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6")); - HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF - client.send(unsafer6, null); // $ SSRF + String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6")); // $ Source + HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ Alert + client.send(unsafer6, null); // $ Alert - String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com"); - HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF - client.send(unsafer7, null); // $ SSRF + String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com"); // $ Source + HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ Alert + client.send(unsafer7, null); // $ Alert - String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/"); - HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF - client.send(unsafer8, null); // $ SSRF + String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/"); // $ Source + HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ Alert + client.send(unsafer8, null); // $ Alert - String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com"); - HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF - client.send(unsafer9, null); // $ SSRF + String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com"); // $ Source + HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ Alert + client.send(unsafer9, null); // $ Alert - String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10")); - HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ SSRF - client.send(unsafer10, null); // $ SSRF + String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10")); // $ Source + HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ Alert + client.send(unsafer10, null); // $ Alert } catch (Exception e) { // TODO: handle exception } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java index 895c68eda69a..446e774214dc 100644 --- a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java @@ -25,54 +25,54 @@ public class SpringSSRF extends HttpServlet { protected void doGet(HttpServletRequest request2, HttpServletResponse response2) throws ServletException, IOException { - String fooResourceUrl = request2.getParameter("uri");; + String fooResourceUrl = request2.getParameter("uri"); // $ Source RestTemplate restTemplate = new RestTemplate(); HttpEntity request = new HttpEntity<>(new String("bar")); try { - restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ SSRF - restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF - restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF - restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF - restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ SSRF - restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ SSRF + restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ Alert + restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ Alert + restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ Alert + restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ Alert + restTemplate.getForObject("http://{foo}", String.class, fooResourceUrl); // $ Alert + restTemplate.getForObject("http://{foo}/a/b", String.class, fooResourceUrl); // $ Alert restTemplate.getForObject("http://safe.com/{foo}", String.class, fooResourceUrl); // not bad - the tainted value does not affect the host restTemplate.getForObject("http://{foo}", String.class, "safe.com", fooResourceUrl); // not bad - the tainted value is unused - restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ SSRF + restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", fooResourceUrl)); // $ Alert restTemplate.getForObject("http://safe.com/{foo}", String.class, Map.of("foo", fooResourceUrl)); // not bad - the tainted value does not affect the host - restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: SSRF // not bad - the key for the tainted value is unused + restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", "unused", fooResourceUrl)); // $ SPURIOUS: Alert // not bad - the key for the tainted value is unused restTemplate.getForObject("http://{foo}", String.class, Map.of("foo", "safe.com", fooResourceUrl, "unused")); // not bad - the tainted value is in a map key - restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ SSRF - restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ SSRF - restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF - restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ SSRF - restTemplate.put(fooResourceUrl, new String("object")); // $ SSRF - restTemplate.delete(fooResourceUrl); // $ SSRF - restTemplate.headForHeaders(fooResourceUrl); // $ SSRF - restTemplate.optionsForAllow(fooResourceUrl); // $ SSRF + restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ Alert + restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ Alert + restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ Alert + restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ Alert + restTemplate.put(fooResourceUrl, new String("object")); // $ Alert + restTemplate.delete(fooResourceUrl); // $ Alert + restTemplate.headForHeaders(fooResourceUrl); // $ Alert + restTemplate.optionsForAllow(fooResourceUrl); // $ Alert { String body = new String("body"); URI uri = new URI(fooResourceUrl); RequestEntity requestEntity = - RequestEntity.post(uri).body(body); // $ SSRF + RequestEntity.post(uri).body(body); // $ Alert ResponseEntity response = restTemplate.exchange(requestEntity, String.class); - RequestEntity.get(uri); // $ SSRF - RequestEntity.put(uri); // $ SSRF - RequestEntity.delete(uri); // $ SSRF - RequestEntity.options(uri); // $ SSRF - RequestEntity.patch(uri); // $ SSRF - RequestEntity.head(uri); // $ SSRF - RequestEntity.method(null, uri); // $ SSRF + RequestEntity.get(uri); // $ Alert + RequestEntity.put(uri); // $ Alert + RequestEntity.delete(uri); // $ Alert + RequestEntity.options(uri); // $ Alert + RequestEntity.patch(uri); // $ Alert + RequestEntity.head(uri); // $ Alert + RequestEntity.method(null, uri); // $ Alert } { URI uri = new URI(fooResourceUrl); MultiValueMap headers = null; java.lang.reflect.Type type = null; - new RequestEntity(null, uri); // $ SSRF - new RequestEntity(headers, null, uri); // $ SSRF - new RequestEntity("body", null, uri); // $ SSRF - new RequestEntity("body", headers, null, uri); // $ SSRF - new RequestEntity("body", null, uri, type); // $ SSRF - new RequestEntity("body", headers, null, uri, type); // $ SSRF + new RequestEntity(null, uri); // $ Alert + new RequestEntity(headers, null, uri); // $ Alert + new RequestEntity("body", null, uri); // $ Alert + new RequestEntity("body", headers, null, uri); // $ Alert + new RequestEntity("body", null, uri, type); // $ Alert + new RequestEntity("body", headers, null, uri, type); // $ Alert } } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {} } diff --git a/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java b/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java index 84d53f797be5..64070c765980 100644 --- a/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java +++ b/java/ql/test/query-tests/security/CWE-918/URLClassLoaderSSRF.java @@ -13,9 +13,9 @@ public class URLClassLoaderSSRF extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source URI uri = new URI(url); - URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}); // $ SSRF + URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}); // $ Alert Class test = urlClassLoader.loadClass("test"); } catch (Exception e) { // Ignore @@ -25,9 +25,9 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source URI uri = new URI(url); - URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader()); // $ SSRF + URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader()); // $ Alert Class test = urlClassLoader.loadClass("test"); } catch (Exception e) { // Ignore @@ -37,11 +37,11 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source URI uri = new URI(url); URLStreamHandlerFactory urlStreamHandlerFactory = null; - URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory); // $ SSRF + URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{uri.toURL()}, URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory); // $ Alert urlClassLoader.findResource("test"); } catch (Exception e) { // Ignore @@ -51,9 +51,9 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response) protected void doDelete(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source URI uri = new URI(url); - URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{uri.toURL()}); // $ SSRF + URLClassLoader urlClassLoader = URLClassLoader.newInstance(new URL[]{uri.toURL()}); // $ Alert urlClassLoader.getResourceAsStream("test"); } catch (Exception e) { // Ignore @@ -63,11 +63,11 @@ protected void doDelete(HttpServletRequest request, HttpServletResponse response protected void doOptions(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source URI uri = new URI(url); URLClassLoader urlClassLoader = new URLClassLoader("testClassLoader", - new URL[]{uri.toURL()}, // $ SSRF + new URL[]{uri.toURL()}, // $ Alert URLClassLoaderSSRF.class.getClassLoader() ); @@ -80,13 +80,13 @@ protected void doOptions(HttpServletRequest request, HttpServletResponse respons protected void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String url = request.getParameter("uri"); + String url = request.getParameter("uri"); // $ Source URI uri = new URI(url); URLStreamHandlerFactory urlStreamHandlerFactory = null; URLClassLoader urlClassLoader = new URLClassLoader("testClassLoader", - new URL[]{uri.toURL()}, // $ SSRF + new URL[]{uri.toURL()}, // $ Alert URLClassLoaderSSRF.class.getClassLoader(), urlStreamHandlerFactory ); @@ -96,4 +96,4 @@ protected void doTrace(HttpServletRequest request, HttpServletResponse response) // Ignore } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-918/mad/Test.java b/java/ql/test/query-tests/security/CWE-918/mad/Test.java index 5bf070bbe507..c1bc4e12e08e 100644 --- a/java/ql/test/query-tests/security/CWE-918/mad/Test.java +++ b/java/ql/test/query-tests/security/CWE-918/mad/Test.java @@ -23,93 +23,93 @@ public class Test { private static HttpServletRequest request; public static Object source() { - return request.getParameter(null); + return request.getParameter(null); // $ Source } public void test(DatagramSocket socket) throws Exception { // "java.net;DatagramSocket;true;connect;(SocketAddress);;Argument[0];open-url;ai-generated" - socket.connect((SocketAddress) source()); // $ SSRF + socket.connect((SocketAddress) source()); // $ Alert } public void test(URL url) throws Exception { // "java.net;URL;false;openConnection;(Proxy);:Argument[this]:open-url;manual" - ((URL) source()).openConnection(); // $ SSRF + ((URL) source()).openConnection(); // $ Alert // "java.net;URL;false;openConnection;(Proxy);:Argument[0]:open-url;ai-generated" - url.openConnection((Proxy) source()); // $ SSRF + url.openConnection((Proxy) source()); // $ Alert // "java.net;URL;false;openStream;;:Argument[this]:open-url;manual" - ((URL) source()).openStream(); // $ SSRF + ((URL) source()).openStream(); // $ Alert } public void test() throws Exception { // "java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader);;Argument[1];open-url;manual" - new URLClassLoader("", (URL[]) source(), null); // $ SSRF + new URLClassLoader("", (URL[]) source(), null); // $ Alert // "java.net;URLClassLoader;false;URLClassLoader;(String,URL[],ClassLoader,URLStreamHandlerFactory);;Argument[1];open-url;manual" - new URLClassLoader("", (URL[]) source(), null, null); // $ SSRF + new URLClassLoader("", (URL[]) source(), null, null); // $ Alert // "java.net;URLClassLoader;false;URLClassLoader;(URL[]);;Argument[0];open-url;manual" - new URLClassLoader((URL[]) source()); // $ SSRF + new URLClassLoader((URL[]) source()); // $ Alert // "java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader);;Argument[0];open-url;manual" - new URLClassLoader((URL[]) source(), null); // $ SSRF + new URLClassLoader((URL[]) source(), null); // $ Alert // "java.net;URLClassLoader;false;URLClassLoader;(URL[],ClassLoader,URLStreamHandlerFactory);;Argument[0];open-url;manual" - new URLClassLoader((URL[]) source(), null, null); // $ SSRF + new URLClassLoader((URL[]) source(), null, null); // $ Alert // "java.net;URLClassLoader;false;newInstance;;;Argument[0];open-url;manual" - URLClassLoader.newInstance((URL[]) source()); // $ SSRF + URLClassLoader.newInstance((URL[]) source()); // $ Alert // "org.apache.commons.jelly;JellyContext;true;JellyContext;(JellyContext,URL,URL);;Argument[1];open-url;ai-generated" - new JellyContext(null, (URL) source(), null); // $ SSRF + new JellyContext(null, (URL) source(), null); // $ Alert // "org.apache.commons.jelly;JellyContext;true;JellyContext;(JellyContext,URL,URL);;Argument[2];open-url;ai-generated" - new JellyContext(null, null, (URL) source()); // $ SSRF + new JellyContext(null, null, (URL) source()); // $ Alert // "org.apache.commons.jelly;JellyContext;true;JellyContext;(JellyContext,URL);;Argument[1];open-url;ai-generated" - new JellyContext((JellyContext) null, (URL) source()); // $ SSRF + new JellyContext((JellyContext) null, (URL) source()); // $ Alert // "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL,URL);;Argument[0];open-url;ai-generated" - new JellyContext((URL) source(), null); // $ SSRF + new JellyContext((URL) source(), null); // $ Alert // "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL,URL);;Argument[1];open-url;ai-generated" - new JellyContext((URL) null, (URL) source()); // $ SSRF + new JellyContext((URL) null, (URL) source()); // $ Alert // "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL);;Argument[0];open-url;ai-generated" - new JellyContext((URL) source()); // $ SSRF + new JellyContext((URL) source()); // $ Alert // "javax.activation;URLDataSource;true;URLDataSource;(URL);;Argument[0];request-forgery;manual" - new URLDataSource((URL) source()); // $ SSRF + new URLDataSource((URL) source()); // $ Alert // "org.apache.cxf.catalog;OASISCatalogManager;true;loadCatalog;(URL);;Argument[0];request-forgery;manual" - new OASISCatalogManager().loadCatalog((URL) source()); // $ SSRF + new OASISCatalogManager().loadCatalog((URL) source()); // $ Alert // @formatter:off // "org.apache.cxf.common.classloader;ClassLoaderUtils;true;getURLClassLoader;(URL[],ClassLoader);;Argument[0];request-forgery;manual" - new ClassLoaderUtils().getURLClassLoader((URL[]) source(), null); // $ SSRF + new ClassLoaderUtils().getURLClassLoader((URL[]) source(), null); // $ Alert // "org.apache.cxf.common.classloader;ClassLoaderUtils;true;getURLClassLoader;(List,ClassLoader);;Argument[0];request-forgery;manual" - new ClassLoaderUtils().getURLClassLoader((List) source(), null); // $ SSRF + new ClassLoaderUtils().getURLClassLoader((List) source(), null); // $ Alert // "org.apache.cxf.resource;ExtendedURIResolver;true;resolve;(String,String);;Argument[0];request-forgery;manual"] - new ExtendedURIResolver().resolve((String) source(), null); // $ SSRF + new ExtendedURIResolver().resolve((String) source(), null); // $ Alert // "org.apache.cxf.resource;URIResolver;true;URIResolver;(String);;Argument[0];request-forgery;manual"] - new URIResolver((String) source()); // $ SSRF + new URIResolver((String) source()); // $ Alert // "org.apache.cxf.resource;URIResolver;true;URIResolver;(String,String);;Argument[1];request-forgery;manual"] - new URIResolver(null, (String) source()); // $ SSRF + new URIResolver(null, (String) source()); // $ Alert // "org.apache.cxf.resource;URIResolver;true;URIResolver;(String,String,Class);;Argument[1];request-forgery;manual"] - new URIResolver(null, (String) source(), null); // $ SSRF + new URIResolver(null, (String) source(), null); // $ Alert // "org.apache.cxf.resource;URIResolver;true;resolve;(String,String,Class);;Argument[1];request-forgery;manual" - new URIResolver().resolve(null, (String) source(), null); // $ SSRF + new URIResolver().resolve(null, (String) source(), null); // $ Alert // @formatter:on } public void test(WebEngine webEngine) { // "javafx.scene.web;WebEngine;false;load;(String);;Argument[0];open-url;ai-generated" - webEngine.load((String) source()); // $ SSRF + webEngine.load((String) source()); // $ Alert } public void test(ZipURLInstaller zui) { // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url:ai-generated" - new ZipURLInstaller((URL) source(), "", ""); // $ SSRF + new ZipURLInstaller((URL) source(), "", ""); // $ Alert } public void test(HttpResponses r) { // "org.kohsuke.stapler;HttpResponses;true;staticResource;(URL);;Argument[0];open-url;ai-generated" - r.staticResource((URL) source()); // $ SSRF + r.staticResource((URL) source()); // $ Alert } public void test(WSClient c) { // "play.libs.ws;WSClient;true;url;;;Argument[0];open-url;manual" - c.url((String) source()); // $ SSRF + c.url((String) source()); // $ Alert } public void test(StandaloneWSClient c) { // "play.libs.ws;StandaloneWSClient;true;url;;;Argument[0];open-url;manual" - c.url((String) source()); // $ SSRF + c.url((String) source()); // $ Alert } } diff --git a/java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java b/java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java index 3a9f84983966..af9ca5926d78 100644 --- a/java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java +++ b/java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java @@ -6,8 +6,8 @@ class BootReceiverXml extends BroadcastReceiver { void doStuff(Intent intent) {} - @Override - public void onReceive(Context ctx, Intent intent) { // $hasResult + @Override + public void onReceive(Context ctx, Intent intent) { // $ Alert doStuff(intent); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.expected b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.expected index e69de29bb2d1..862b9a736928 100644 --- a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.expected +++ b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.expected @@ -0,0 +1 @@ +| BootReceiverXml.java:10:17:10:25 | onReceive | This reciever doesn't verify intents it receives, and $@ to receive $@. | AndroidManifest.xml:3:9:7:20 | receiver | it is registered | AndroidManifest.xml:5:17:5:79 | action | the system action action | diff --git a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.ql b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.ql deleted file mode 100644 index 67da4ee9b297..000000000000 --- a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.ImproperIntentVerificationQuery -import utils.test.InlineExpectationsTest - -module HasFlowTest implements TestSig { - string getARelevantTag() { result = "hasResult" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasResult" and - exists(Method orm | unverifiedSystemReceiver(_, orm, _) | - orm.getLocation() = location and - element = orm.toString() and - value = "" - ) - } -} - -import MakeTest diff --git a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.qlref b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.qlref new file mode 100644 index 000000000000..1402eeee2a16 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-925/ImproperIntentVerification.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.expected b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.expected new file mode 100644 index 000000000000..c1c694c5fbd2 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.expected @@ -0,0 +1,341 @@ +#select +| ImplicitPendingIntentsTest.java:36:31:36:39 | fwdIntent | ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:36:31:36:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:38:31:38:39 | fwdIntent | ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:38:31:38:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:41:31:41:39 | fwdIntent | ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:41:31:41:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:52:31:52:39 | fwdIntent | ImplicitPendingIntentsTest.java:48:33:48:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:52:31:52:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:48:33:48:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:60:31:60:39 | fwdIntent | ImplicitPendingIntentsTest.java:56:33:56:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:60:31:60:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:56:33:56:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:69:31:69:39 | fwdIntent | ImplicitPendingIntentsTest.java:64:33:64:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:69:31:69:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:64:33:64:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:77:31:77:39 | fwdIntent | ImplicitPendingIntentsTest.java:73:33:73:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:77:31:77:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:73:33:73:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:85:31:85:39 | fwdIntent | ImplicitPendingIntentsTest.java:81:33:81:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:85:31:85:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:81:33:81:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:93:31:93:39 | fwdIntent | ImplicitPendingIntentsTest.java:89:33:89:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:93:31:93:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:89:33:89:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:101:31:101:39 | fwdIntent | ImplicitPendingIntentsTest.java:97:33:97:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:101:31:101:39 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:97:33:97:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:170:32:170:40 | fwdIntent | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:170:32:170:40 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:171:32:171:40 | fwdIntent | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:171:32:171:40 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:172:32:172:40 | fwdIntent | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:172:32:172:40 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:173:32:173:40 | fwdIntent | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:173:32:173:40 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:188:65:188:76 | notification | ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:188:65:188:76 | notification | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:189:32:189:43 | notification | ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:189:32:189:43 | notification | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:190:42:190:53 | notification | ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:190:42:190:53 | notification | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:229:32:229:43 | notification | ImplicitPendingIntentsTest.java:222:33:222:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:229:32:229:43 | notification | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:222:33:222:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:230:36:230:47 | notification | ImplicitPendingIntentsTest.java:222:33:222:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:230:36:230:47 | notification | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:222:33:222:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:239:32:239:33 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:239:32:239:33 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:240:42:240:43 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:240:42:240:43 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:241:49:241:50 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:241:49:241:50 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:242:37:242:38 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:242:37:242:38 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:243:54:243:55 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:243:54:243:55 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:244:51:244:52 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:244:51:244:52 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:245:44:245:45 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:245:44:245:45 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:246:41:246:42 | pi | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:246:41:246:42 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:258:59:258:60 | pi | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:258:59:258:60 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:259:65:259:66 | pi | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:259:65:259:66 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:260:69:260:70 | pi | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:260:69:260:70 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:261:57:261:58 | pi | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:261:57:261:58 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:262:74:262:75 | pi | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:262:74:262:75 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:273:26:273:34 | fwdIntent | ImplicitPendingIntentsTest.java:269:33:269:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:273:26:273:34 | fwdIntent | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:269:33:269:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:290:24:290:42 | build(...) | ImplicitPendingIntentsTest.java:284:37:284:48 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:290:24:290:42 | build(...) | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:284:37:284:48 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:317:24:317:42 | build(...) | ImplicitPendingIntentsTest.java:339:33:339:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:317:24:317:42 | build(...) | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:339:33:339:44 | new Intent(...) | An implicit Intent is created | +| ImplicitPendingIntentsTest.java:326:24:326:25 | pi | ImplicitPendingIntentsTest.java:324:37:324:48 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:326:24:326:25 | pi | $@ and sent to an unspecified third party through a PendingIntent. | ImplicitPendingIntentsTest.java:324:37:324:48 | new Intent(...) | An implicit Intent is created | +edges +| ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:32:66:32:75 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:32:32:32:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:34:45:34:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:32:66:32:75 | baseIntent : Intent | ImplicitPendingIntentsTest.java:32:32:32:79 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:34:13:34:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:36:31:36:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:34:13:34:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:38:31:38:39 | fwdIntent | provenance | Sink:MaD:17 Sink:MaD:17 | +| ImplicitPendingIntentsTest.java:34:13:34:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:41:31:41:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:34:45:34:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:34:13:34:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:48:33:48:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:49:72:49:81 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:49:32:49:97 | getActivityAsUser(...) : PendingIntent | ImplicitPendingIntentsTest.java:51:45:51:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:49:72:49:81 | baseIntent : Intent | ImplicitPendingIntentsTest.java:49:32:49:97 | getActivityAsUser(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:51:13:51:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:52:31:52:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:51:45:51:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:51:13:51:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:56:33:56:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:57:82:57:91 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:57:32:57:96 | getActivities(...) : PendingIntent | ImplicitPendingIntentsTest.java:59:45:59:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:57:68:57:92 | new Intent[] : Intent[] [[]] : Intent | ImplicitPendingIntentsTest.java:57:32:57:96 | getActivities(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:57:68:57:92 | {...} : Intent[] [[]] : Intent | ImplicitPendingIntentsTest.java:57:68:57:92 | new Intent[] : Intent[] [[]] : Intent | provenance | | +| ImplicitPendingIntentsTest.java:57:82:57:91 | baseIntent : Intent | ImplicitPendingIntentsTest.java:57:68:57:92 | {...} : Intent[] [[]] : Intent | provenance | | +| ImplicitPendingIntentsTest.java:59:13:59:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:60:31:60:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:59:45:59:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:59:13:59:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:64:33:64:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:65:88:65:97 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:65:32:66:34 | getActivitiesAsUser(...) : PendingIntent | ImplicitPendingIntentsTest.java:68:45:68:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:65:74:65:98 | new Intent[] : Intent[] [[]] : Intent | ImplicitPendingIntentsTest.java:65:32:66:34 | getActivitiesAsUser(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:65:74:65:98 | {...} : Intent[] [[]] : Intent | ImplicitPendingIntentsTest.java:65:74:65:98 | new Intent[] : Intent[] [[]] : Intent | provenance | | +| ImplicitPendingIntentsTest.java:65:88:65:97 | baseIntent : Intent | ImplicitPendingIntentsTest.java:65:74:65:98 | {...} : Intent[] [[]] : Intent | provenance | | +| ImplicitPendingIntentsTest.java:68:13:68:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:69:31:69:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:68:45:68:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:68:13:68:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:73:33:73:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:74:67:74:76 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:74:32:74:80 | getBroadcast(...) : PendingIntent | ImplicitPendingIntentsTest.java:76:45:76:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:74:67:74:76 | baseIntent : Intent | ImplicitPendingIntentsTest.java:74:32:74:80 | getBroadcast(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:76:13:76:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:77:31:77:39 | fwdIntent | provenance | Sink:MaD:17 Sink:MaD:17 | +| ImplicitPendingIntentsTest.java:76:45:76:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:76:13:76:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:81:33:81:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:82:73:82:82 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:82:32:82:92 | getBroadcastAsUser(...) : PendingIntent | ImplicitPendingIntentsTest.java:84:45:84:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:82:73:82:82 | baseIntent : Intent | ImplicitPendingIntentsTest.java:82:32:82:92 | getBroadcastAsUser(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:84:13:84:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:85:31:85:39 | fwdIntent | provenance | Sink:MaD:17 Sink:MaD:17 | +| ImplicitPendingIntentsTest.java:84:45:84:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:84:13:84:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:89:33:89:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:90:65:90:74 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:90:32:90:78 | getService(...) : PendingIntent | ImplicitPendingIntentsTest.java:92:45:92:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:90:65:90:74 | baseIntent : Intent | ImplicitPendingIntentsTest.java:90:32:90:78 | getService(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:92:13:92:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:93:31:93:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:92:45:92:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:92:13:92:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:97:33:97:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:98:75:98:84 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:98:32:98:88 | getForegroundService(...) : PendingIntent | ImplicitPendingIntentsTest.java:100:45:100:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:98:75:98:84 | baseIntent : Intent | ImplicitPendingIntentsTest.java:98:32:98:88 | getForegroundService(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:100:13:100:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:101:31:101:39 | fwdIntent | provenance | Sink:MaD:18 Sink:MaD:18 | +| ImplicitPendingIntentsTest.java:100:45:100:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:100:13:100:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:167:66:167:75 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:167:32:167:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:169:45:169:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:167:66:167:75 | baseIntent : Intent | ImplicitPendingIntentsTest.java:167:32:167:79 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:169:13:169:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:170:32:170:40 | fwdIntent | provenance | Sink:MaD:13 Sink:MaD:13 | +| ImplicitPendingIntentsTest.java:169:13:169:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:171:32:171:40 | fwdIntent | provenance | Sink:MaD:14 Sink:MaD:14 | +| ImplicitPendingIntentsTest.java:169:13:169:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:172:32:172:40 | fwdIntent | provenance | Sink:MaD:15 Sink:MaD:15 | +| ImplicitPendingIntentsTest.java:169:13:169:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:173:32:173:40 | fwdIntent | provenance | Sink:MaD:16 Sink:MaD:16 | +| ImplicitPendingIntentsTest.java:169:45:169:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:169:13:169:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:182:66:182:75 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:182:32:182:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:183:91:183:92 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:182:66:182:75 | baseIntent : Intent | ImplicitPendingIntentsTest.java:182:32:182:79 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:183:52:183:93 | new Builder(...) : Builder | ImplicitPendingIntentsTest.java:185:61:185:68 | aBuilder : Builder | provenance | | +| ImplicitPendingIntentsTest.java:183:91:183:92 | pi : PendingIntent | ImplicitPendingIntentsTest.java:183:52:183:93 | new Builder(...) : Builder | provenance | MaD:27 | +| ImplicitPendingIntentsTest.java:185:21:185:77 | addAction(...) : Builder | ImplicitPendingIntentsTest.java:186:41:186:48 | nBuilder : Builder | provenance | | +| ImplicitPendingIntentsTest.java:185:61:185:68 | aBuilder : Builder | ImplicitPendingIntentsTest.java:185:61:185:76 | build(...) : Action | provenance | MaD:28 | +| ImplicitPendingIntentsTest.java:185:61:185:76 | build(...) : Action | ImplicitPendingIntentsTest.java:185:21:185:77 | addAction(...) : Builder | provenance | MaD:29+MaD:30 | +| ImplicitPendingIntentsTest.java:186:41:186:48 | nBuilder : Builder | ImplicitPendingIntentsTest.java:186:41:186:56 | build(...) : Notification | provenance | MaD:31 | +| ImplicitPendingIntentsTest.java:186:41:186:56 | build(...) : Notification | ImplicitPendingIntentsTest.java:188:65:188:76 | notification | provenance | Sink:MaD:11 | +| ImplicitPendingIntentsTest.java:186:41:186:56 | build(...) : Notification | ImplicitPendingIntentsTest.java:189:32:189:43 | notification | provenance | Sink:MaD:10 | +| ImplicitPendingIntentsTest.java:186:41:186:56 | build(...) : Notification | ImplicitPendingIntentsTest.java:190:42:190:53 | notification | provenance | Sink:MaD:12 | +| ImplicitPendingIntentsTest.java:222:33:222:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:223:66:223:75 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:223:32:223:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:224:91:224:92 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:223:66:223:75 | baseIntent : Intent | ImplicitPendingIntentsTest.java:223:32:223:79 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:224:52:224:93 | new Builder(...) : Builder | ImplicitPendingIntentsTest.java:226:61:226:68 | aBuilder : Builder | provenance | | +| ImplicitPendingIntentsTest.java:224:91:224:92 | pi : PendingIntent | ImplicitPendingIntentsTest.java:224:52:224:93 | new Builder(...) : Builder | provenance | MaD:27 | +| ImplicitPendingIntentsTest.java:226:21:226:77 | addAction(...) : Builder | ImplicitPendingIntentsTest.java:227:41:227:48 | nBuilder : Builder | provenance | | +| ImplicitPendingIntentsTest.java:226:61:226:68 | aBuilder : Builder | ImplicitPendingIntentsTest.java:226:61:226:76 | build(...) : Action | provenance | MaD:28 | +| ImplicitPendingIntentsTest.java:226:61:226:76 | build(...) : Action | ImplicitPendingIntentsTest.java:226:21:226:77 | addAction(...) : Builder | provenance | MaD:29+MaD:30 | +| ImplicitPendingIntentsTest.java:227:41:227:48 | nBuilder : Builder | ImplicitPendingIntentsTest.java:227:41:227:56 | build(...) : Notification | provenance | MaD:31 | +| ImplicitPendingIntentsTest.java:227:41:227:56 | build(...) : Notification | ImplicitPendingIntentsTest.java:229:32:229:43 | notification | provenance | Sink:MaD:24 | +| ImplicitPendingIntentsTest.java:227:41:227:56 | build(...) : Notification | ImplicitPendingIntentsTest.java:230:36:230:47 | notification | provenance | Sink:MaD:23 | +| ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:238:66:238:75 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:239:32:239:33 | pi | provenance | Sink:MaD:2 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:240:42:240:43 | pi | provenance | Sink:MaD:3 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:241:49:241:50 | pi | provenance | Sink:MaD:4 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:242:37:242:38 | pi | provenance | Sink:MaD:5 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:243:54:243:55 | pi | provenance | Sink:MaD:6 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:244:51:244:52 | pi | provenance | Sink:MaD:7 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:245:44:245:45 | pi | provenance | Sink:MaD:8 | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:246:41:246:42 | pi | provenance | Sink:MaD:9 | +| ImplicitPendingIntentsTest.java:238:66:238:75 | baseIntent : Intent | ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:257:66:257:75 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:258:59:258:60 | pi | provenance | Sink:MaD:19 | +| ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:259:65:259:66 | pi | provenance | Sink:MaD:19 | +| ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:260:69:260:70 | pi | provenance | Sink:MaD:20 | +| ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:261:57:261:58 | pi | provenance | Sink:MaD:21 | +| ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:262:74:262:75 | pi | provenance | Sink:MaD:22 | +| ImplicitPendingIntentsTest.java:257:66:257:75 | baseIntent : Intent | ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:269:33:269:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:270:67:270:76 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:270:32:270:80 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:272:45:272:46 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:270:67:270:76 | baseIntent : Intent | ImplicitPendingIntentsTest.java:270:32:270:80 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:272:13:272:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | ImplicitPendingIntentsTest.java:273:26:273:34 | fwdIntent | provenance | Sink:MaD:1 Sink:MaD:1 | +| ImplicitPendingIntentsTest.java:272:45:272:46 | pi : PendingIntent | ImplicitPendingIntentsTest.java:272:13:272:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | provenance | MaD:32 | +| ImplicitPendingIntentsTest.java:282:22:282:32 | parameter this : TestSliceProvider [mPendingIntent] : PendingIntent | ImplicitPendingIntentsTest.java:314:65:314:78 | this <.field> : TestSliceProvider [mPendingIntent] : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:284:37:284:48 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:285:79:285:88 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:285:36:285:92 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:286:73:286:74 | pi : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:285:79:285:88 | baseIntent : Intent | ImplicitPendingIntentsTest.java:285:36:285:92 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:286:46:286:92 | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:289:43:289:56 | activityAction : SliceAction [androidx.slice.Slice.action] : Object | provenance | | +| ImplicitPendingIntentsTest.java:286:73:286:74 | pi : PendingIntent | ImplicitPendingIntentsTest.java:286:46:286:92 | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | provenance | MaD:37 | +| ImplicitPendingIntentsTest.java:288:17:288:27 | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:290:24:290:34 | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | provenance | | +| ImplicitPendingIntentsTest.java:288:36:289:57 | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:288:17:288:27 | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | provenance | MaD:35 | +| ImplicitPendingIntentsTest.java:289:43:289:56 | activityAction : SliceAction [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:288:36:289:57 | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | provenance | MaD:33+MaD:34 | +| ImplicitPendingIntentsTest.java:290:24:290:34 | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:290:24:290:42 | build(...) | provenance | MaD:36 Sink:MaD:25 | +| ImplicitPendingIntentsTest.java:314:38:314:92 | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:316:90:316:95 | action : SliceAction [androidx.slice.Slice.action] : Object | provenance | | +| ImplicitPendingIntentsTest.java:314:65:314:78 | mPendingIntent : PendingIntent | ImplicitPendingIntentsTest.java:314:38:314:92 | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | provenance | MaD:37 | +| ImplicitPendingIntentsTest.java:314:65:314:78 | this <.field> : TestSliceProvider [mPendingIntent] : PendingIntent | ImplicitPendingIntentsTest.java:314:65:314:78 | mPendingIntent : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:316:17:316:27 | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:317:24:317:34 | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | provenance | | +| ImplicitPendingIntentsTest.java:316:36:316:96 | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:316:17:316:27 | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | provenance | MaD:35 | +| ImplicitPendingIntentsTest.java:316:90:316:95 | action : SliceAction [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:316:36:316:96 | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | provenance | MaD:33+MaD:34 | +| ImplicitPendingIntentsTest.java:317:24:317:34 | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | ImplicitPendingIntentsTest.java:317:24:317:42 | build(...) | provenance | MaD:36 Sink:MaD:25 | +| ImplicitPendingIntentsTest.java:324:37:324:48 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:325:79:325:88 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:325:36:325:92 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:326:24:326:25 | pi | provenance | Sink:MaD:26 | +| ImplicitPendingIntentsTest.java:325:79:325:88 | baseIntent : Intent | ImplicitPendingIntentsTest.java:325:36:325:92 | getActivity(...) : PendingIntent | provenance | Config | +| ImplicitPendingIntentsTest.java:339:33:339:44 | new Intent(...) : Intent | ImplicitPendingIntentsTest.java:340:73:340:82 | baseIntent : Intent | provenance | | +| ImplicitPendingIntentsTest.java:340:13:340:26 | this <.field> [post update] : TestSliceProvider [mPendingIntent] : PendingIntent | ImplicitPendingIntentsTest.java:282:22:282:32 | parameter this : TestSliceProvider [mPendingIntent] : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:340:30:340:86 | getActivity(...) : PendingIntent | ImplicitPendingIntentsTest.java:340:13:340:26 | this <.field> [post update] : TestSliceProvider [mPendingIntent] : PendingIntent | provenance | | +| ImplicitPendingIntentsTest.java:340:73:340:82 | baseIntent : Intent | ImplicitPendingIntentsTest.java:340:30:340:86 | getActivity(...) : PendingIntent | provenance | Config | +models +| 1 | Sink: android.app; Activity; true; setResult; (int,Intent); ; Argument[1]; pending-intents; manual | +| 2 | Sink: android.app; AlarmManager; true; set; (int,long,PendingIntent); ; Argument[2]; pending-intents; manual | +| 3 | Sink: android.app; AlarmManager; true; setAlarmClock; ; ; Argument[1]; pending-intents; manual | +| 4 | Sink: android.app; AlarmManager; true; setAndAllowWhileIdle; ; ; Argument[2]; pending-intents; manual | +| 5 | Sink: android.app; AlarmManager; true; setExact; (int,long,PendingIntent); ; Argument[2]; pending-intents; manual | +| 6 | Sink: android.app; AlarmManager; true; setExactAndAllowWhileIdle; ; ; Argument[2]; pending-intents; manual | +| 7 | Sink: android.app; AlarmManager; true; setInexactRepeating; ; ; Argument[3]; pending-intents; manual | +| 8 | Sink: android.app; AlarmManager; true; setRepeating; ; ; Argument[3]; pending-intents; manual | +| 9 | Sink: android.app; AlarmManager; true; setWindow; (int,long,long,PendingIntent); ; Argument[3]; pending-intents; manual | +| 10 | Sink: android.app; NotificationManager; true; notify; (int,Notification); ; Argument[1]; pending-intents; manual | +| 11 | Sink: android.app; NotificationManager; true; notifyAsPackage; (String,String,int,Notification); ; Argument[3]; pending-intents; manual | +| 12 | Sink: android.app; NotificationManager; true; notifyAsUser; (String,int,Notification,UserHandle); ; Argument[2]; pending-intents; manual | +| 13 | Sink: android.app; PendingIntent; false; send; (Context,int,Intent); ; Argument[2]; pending-intents; manual | +| 14 | Sink: android.app; PendingIntent; false; send; (Context,int,Intent,PendingIntent$OnFinished,Handler); ; Argument[2]; pending-intents; manual | +| 15 | Sink: android.app; PendingIntent; false; send; (Context,int,Intent,PendingIntent$OnFinished,Handler,String); ; Argument[2]; pending-intents; manual | +| 16 | Sink: android.app; PendingIntent; false; send; (Context,int,Intent,PendingIntent$OnFinished,Handler,String,Bundle); ; Argument[2]; pending-intents; manual | +| 17 | Sink: android.content; Context; true; sendBroadcast; ; ; Argument[0]; intent-redirection; manual | +| 18 | Sink: android.content; Context; true; startActivity; ; ; Argument[0]; intent-redirection; manual | +| 19 | Sink: androidx.core.app; AlarmManagerCompat; true; setAlarmClock; ; ; Argument[2..3]; pending-intents; manual | +| 20 | Sink: androidx.core.app; AlarmManagerCompat; true; setAndAllowWhileIdle; ; ; Argument[3]; pending-intents; manual | +| 21 | Sink: androidx.core.app; AlarmManagerCompat; true; setExact; ; ; Argument[3]; pending-intents; manual | +| 22 | Sink: androidx.core.app; AlarmManagerCompat; true; setExactAndAllowWhileIdle; ; ; Argument[3]; pending-intents; manual | +| 23 | Sink: androidx.core.app; NotificationManagerCompat; true; notify; (String,int,Notification); ; Argument[2]; pending-intents; manual | +| 24 | Sink: androidx.core.app; NotificationManagerCompat; true; notify; (int,Notification); ; Argument[1]; pending-intents; manual | +| 25 | Sink: androidx.slice; SliceProvider; true; onBindSlice; ; ; ReturnValue; pending-intents; manual | +| 26 | Sink: androidx.slice; SliceProvider; true; onCreatePermissionRequest; ; ; ReturnValue; pending-intents; manual | +| 27 | Summary: android.app; Notification$Action$Builder; true; Builder; (int,CharSequence,PendingIntent); ; Argument[2]; Argument[this]; taint; manual | +| 28 | Summary: android.app; Notification$Action$Builder; true; build; ; ; Argument[this]; ReturnValue; taint; manual | +| 29 | Summary: android.app; Notification$Builder; true; addAction; (Notification$Action); ; Argument[0]; Argument[this]; taint; manual | +| 30 | Summary: android.app; Notification$Builder; true; addAction; ; ; Argument[this]; ReturnValue; value; manual | +| 31 | Summary: android.app; Notification$Builder; true; build; ; ; Argument[this]; ReturnValue; taint; manual | +| 32 | Summary: android.content; Intent; true; putExtra; ; ; Argument[1]; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; value; manual | +| 33 | Summary: androidx.slice.builders; ListBuilder$RowBuilder; true; setPrimaryAction; ; ; Argument[0].SyntheticField[androidx.slice.Slice.action]; Argument[this].SyntheticField[androidx.slice.Slice.action]; taint; manual | +| 34 | Summary: androidx.slice.builders; ListBuilder$RowBuilder; true; setPrimaryAction; ; ; Argument[this]; ReturnValue; value; manual | +| 35 | Summary: androidx.slice.builders; ListBuilder; true; addRow; ; ; Argument[0].SyntheticField[androidx.slice.Slice.action]; Argument[this].SyntheticField[androidx.slice.Slice.action]; taint; manual | +| 36 | Summary: androidx.slice.builders; ListBuilder; true; build; ; ; Argument[this].SyntheticField[androidx.slice.Slice.action]; ReturnValue; taint; manual | +| 37 | Summary: androidx.slice.builders; SliceAction; true; createDeeplink; (PendingIntent,IconCompat,int,CharSequence); ; Argument[0]; ReturnValue.SyntheticField[androidx.slice.Slice.action]; taint; manual | +nodes +| ImplicitPendingIntentsTest.java:31:33:31:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:32:32:32:79 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:32:66:32:75 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:34:13:34:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:34:45:34:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:36:31:36:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:38:31:38:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:41:31:41:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:48:33:48:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:49:32:49:97 | getActivityAsUser(...) : PendingIntent | semmle.label | getActivityAsUser(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:49:72:49:81 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:51:13:51:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:51:45:51:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:52:31:52:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:56:33:56:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:57:32:57:96 | getActivities(...) : PendingIntent | semmle.label | getActivities(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:57:68:57:92 | new Intent[] : Intent[] [[]] : Intent | semmle.label | new Intent[] : Intent[] [[]] : Intent | +| ImplicitPendingIntentsTest.java:57:68:57:92 | {...} : Intent[] [[]] : Intent | semmle.label | {...} : Intent[] [[]] : Intent | +| ImplicitPendingIntentsTest.java:57:82:57:91 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:59:13:59:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:59:45:59:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:60:31:60:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:64:33:64:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:65:32:66:34 | getActivitiesAsUser(...) : PendingIntent | semmle.label | getActivitiesAsUser(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:65:74:65:98 | new Intent[] : Intent[] [[]] : Intent | semmle.label | new Intent[] : Intent[] [[]] : Intent | +| ImplicitPendingIntentsTest.java:65:74:65:98 | {...} : Intent[] [[]] : Intent | semmle.label | {...} : Intent[] [[]] : Intent | +| ImplicitPendingIntentsTest.java:65:88:65:97 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:68:13:68:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:68:45:68:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:69:31:69:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:73:33:73:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:74:32:74:80 | getBroadcast(...) : PendingIntent | semmle.label | getBroadcast(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:74:67:74:76 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:76:13:76:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:76:45:76:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:77:31:77:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:81:33:81:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:82:32:82:92 | getBroadcastAsUser(...) : PendingIntent | semmle.label | getBroadcastAsUser(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:82:73:82:82 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:84:13:84:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:84:45:84:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:85:31:85:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:89:33:89:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:90:32:90:78 | getService(...) : PendingIntent | semmle.label | getService(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:90:65:90:74 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:92:13:92:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:92:45:92:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:93:31:93:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:97:33:97:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:98:32:98:88 | getForegroundService(...) : PendingIntent | semmle.label | getForegroundService(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:98:75:98:84 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:100:13:100:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:100:45:100:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:101:31:101:39 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:166:33:166:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:167:32:167:79 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:167:66:167:75 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:169:13:169:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:169:45:169:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:170:32:170:40 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:171:32:171:40 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:172:32:172:40 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:173:32:173:40 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:181:33:181:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:182:32:182:79 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:182:66:182:75 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:183:52:183:93 | new Builder(...) : Builder | semmle.label | new Builder(...) : Builder | +| ImplicitPendingIntentsTest.java:183:91:183:92 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:185:21:185:77 | addAction(...) : Builder | semmle.label | addAction(...) : Builder | +| ImplicitPendingIntentsTest.java:185:61:185:68 | aBuilder : Builder | semmle.label | aBuilder : Builder | +| ImplicitPendingIntentsTest.java:185:61:185:76 | build(...) : Action | semmle.label | build(...) : Action | +| ImplicitPendingIntentsTest.java:186:41:186:48 | nBuilder : Builder | semmle.label | nBuilder : Builder | +| ImplicitPendingIntentsTest.java:186:41:186:56 | build(...) : Notification | semmle.label | build(...) : Notification | +| ImplicitPendingIntentsTest.java:188:65:188:76 | notification | semmle.label | notification | +| ImplicitPendingIntentsTest.java:189:32:189:43 | notification | semmle.label | notification | +| ImplicitPendingIntentsTest.java:190:42:190:53 | notification | semmle.label | notification | +| ImplicitPendingIntentsTest.java:222:33:222:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:223:32:223:79 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:223:66:223:75 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:224:52:224:93 | new Builder(...) : Builder | semmle.label | new Builder(...) : Builder | +| ImplicitPendingIntentsTest.java:224:91:224:92 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:226:21:226:77 | addAction(...) : Builder | semmle.label | addAction(...) : Builder | +| ImplicitPendingIntentsTest.java:226:61:226:68 | aBuilder : Builder | semmle.label | aBuilder : Builder | +| ImplicitPendingIntentsTest.java:226:61:226:76 | build(...) : Action | semmle.label | build(...) : Action | +| ImplicitPendingIntentsTest.java:227:41:227:48 | nBuilder : Builder | semmle.label | nBuilder : Builder | +| ImplicitPendingIntentsTest.java:227:41:227:56 | build(...) : Notification | semmle.label | build(...) : Notification | +| ImplicitPendingIntentsTest.java:229:32:229:43 | notification | semmle.label | notification | +| ImplicitPendingIntentsTest.java:230:36:230:47 | notification | semmle.label | notification | +| ImplicitPendingIntentsTest.java:237:33:237:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:238:32:238:79 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:238:66:238:75 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:239:32:239:33 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:240:42:240:43 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:241:49:241:50 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:242:37:242:38 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:243:54:243:55 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:244:51:244:52 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:245:44:245:45 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:246:41:246:42 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:256:33:256:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:257:32:257:79 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:257:66:257:75 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:258:59:258:60 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:259:65:259:66 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:260:69:260:70 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:261:57:261:58 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:262:74:262:75 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:269:33:269:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:270:32:270:80 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:270:67:270:76 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:272:13:272:21 | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | semmle.label | fwdIntent [post update] : Intent [android.content.Intent.extras, ] : PendingIntent | +| ImplicitPendingIntentsTest.java:272:45:272:46 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:273:26:273:34 | fwdIntent | semmle.label | fwdIntent | +| ImplicitPendingIntentsTest.java:282:22:282:32 | parameter this : TestSliceProvider [mPendingIntent] : PendingIntent | semmle.label | parameter this : TestSliceProvider [mPendingIntent] : PendingIntent | +| ImplicitPendingIntentsTest.java:284:37:284:48 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:285:36:285:92 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:285:79:285:88 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:286:46:286:92 | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | semmle.label | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:286:73:286:74 | pi : PendingIntent | semmle.label | pi : PendingIntent | +| ImplicitPendingIntentsTest.java:288:17:288:27 | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | semmle.label | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:288:36:289:57 | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | semmle.label | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:289:43:289:56 | activityAction : SliceAction [androidx.slice.Slice.action] : Object | semmle.label | activityAction : SliceAction [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:290:24:290:34 | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | semmle.label | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:290:24:290:42 | build(...) | semmle.label | build(...) | +| ImplicitPendingIntentsTest.java:314:38:314:92 | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | semmle.label | createDeeplink(...) : SliceAction [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:314:65:314:78 | mPendingIntent : PendingIntent | semmle.label | mPendingIntent : PendingIntent | +| ImplicitPendingIntentsTest.java:314:65:314:78 | this <.field> : TestSliceProvider [mPendingIntent] : PendingIntent | semmle.label | this <.field> : TestSliceProvider [mPendingIntent] : PendingIntent | +| ImplicitPendingIntentsTest.java:316:17:316:27 | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | semmle.label | listBuilder [post update] : ListBuilder [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:316:36:316:96 | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | semmle.label | setPrimaryAction(...) : RowBuilder [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:316:90:316:95 | action : SliceAction [androidx.slice.Slice.action] : Object | semmle.label | action : SliceAction [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:317:24:317:34 | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | semmle.label | listBuilder : ListBuilder [androidx.slice.Slice.action] : Object | +| ImplicitPendingIntentsTest.java:317:24:317:42 | build(...) | semmle.label | build(...) | +| ImplicitPendingIntentsTest.java:324:37:324:48 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:325:36:325:92 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:325:79:325:88 | baseIntent : Intent | semmle.label | baseIntent : Intent | +| ImplicitPendingIntentsTest.java:326:24:326:25 | pi | semmle.label | pi | +| ImplicitPendingIntentsTest.java:339:33:339:44 | new Intent(...) : Intent | semmle.label | new Intent(...) : Intent | +| ImplicitPendingIntentsTest.java:340:13:340:26 | this <.field> [post update] : TestSliceProvider [mPendingIntent] : PendingIntent | semmle.label | this <.field> [post update] : TestSliceProvider [mPendingIntent] : PendingIntent | +| ImplicitPendingIntentsTest.java:340:30:340:86 | getActivity(...) : PendingIntent | semmle.label | getActivity(...) : PendingIntent | +| ImplicitPendingIntentsTest.java:340:73:340:82 | baseIntent : Intent | semmle.label | baseIntent : Intent | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.java similarity index 80% rename from java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java rename to java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.java index 80f661492211..5bada3e77369 100644 --- a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java +++ b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.java @@ -28,77 +28,77 @@ public class ImplicitPendingIntentsTest { public static void testPendingIntentAsAnExtra(Context ctx) throws PendingIntent.CanceledException { { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.startActivities(new Intent[] {fwdIntent}); // $ MISSING: hasImplicitPendingIntent - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivities(new Intent[] {fwdIntent}); // $ MISSING: Alert + ctx.startActivity(fwdIntent); // $ Alert ctx.startService(fwdIntent); // Safe - ctx.sendBroadcast(fwdIntent); // $hasImplicitPendingIntent + ctx.sendBroadcast(fwdIntent); // $ Alert fwdIntent.setComponent(null); // Not a sanitizer - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivity(fwdIntent); // $ Alert fwdIntent.setPackage("a.safe.package"); // Sanitizer ctx.startActivity(fwdIntent); // Safe } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivityAsUser(ctx, 0, baseIntent, 0, null, null); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivity(fwdIntent); // $ Alert } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivities(ctx, 0, new Intent[] {baseIntent}, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivity(fwdIntent); // $ Alert } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivitiesAsUser(ctx, 0, new Intent[] {baseIntent}, 0, null, null); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivity(fwdIntent); // $ Alert } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getBroadcast(ctx, 0, baseIntent, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.sendBroadcast(fwdIntent); // $hasImplicitPendingIntent + ctx.sendBroadcast(fwdIntent); // $ Alert } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getBroadcastAsUser(ctx, 0, baseIntent, 0, null); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.sendBroadcast(fwdIntent); // $hasImplicitPendingIntent + ctx.sendBroadcast(fwdIntent); // $ Alert } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getService(ctx, 0, baseIntent, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivity(fwdIntent); // $ Alert } { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getForegroundService(ctx, 0, baseIntent, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - ctx.startActivity(fwdIntent); // $hasImplicitPendingIntent + ctx.startActivity(fwdIntent); // $ Alert } { @@ -163,14 +163,14 @@ public static void testPendingIntentAsAnExtra(Context ctx) public static void testPendingIntentWrappedInAnotherPendingIntent(Context ctx, PendingIntent other) throws PendingIntent.CanceledException { { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - other.send(ctx, 0, fwdIntent); // $hasImplicitPendingIntent - other.send(ctx, 0, fwdIntent, null, null); // $hasImplicitPendingIntent - other.send(ctx, 0, fwdIntent, null, null, null); // $hasImplicitPendingIntent - other.send(ctx, 0, fwdIntent, null, null, null, null); // $hasImplicitPendingIntent + other.send(ctx, 0, fwdIntent); // $ Alert + other.send(ctx, 0, fwdIntent, null, null); // $ Alert + other.send(ctx, 0, fwdIntent, null, null, null); // $ Alert + other.send(ctx, 0, fwdIntent, null, null, null, null); // $ Alert } } @@ -178,16 +178,16 @@ public static void testPendingIntentInANotification(Context ctx) throws PendingIntent.CanceledException { { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0); Notification.Action.Builder aBuilder = new Notification.Action.Builder(0, "", pi); Notification.Builder nBuilder = new Notification.Builder(ctx).addAction(aBuilder.build()); Notification notification = nBuilder.build(); NotificationManager nManager = null; - nManager.notifyAsPackage("targetPackage", "tag", 0, notification); // $hasImplicitPendingIntent - nManager.notify(0, notification); // $hasImplicitPendingIntent - nManager.notifyAsUser("", 0, notification, null); // $hasImplicitPendingIntent + nManager.notifyAsPackage("targetPackage", "tag", 0, notification); // $ Alert + nManager.notify(0, notification); // $ Alert + nManager.notifyAsUser("", 0, notification, null); // $ Alert } { Intent baseIntent = new Intent(); @@ -219,31 +219,31 @@ public static void testPendingIntentInANotification(Context ctx) } // Compat sinks { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0); Notification.Action.Builder aBuilder = new Notification.Action.Builder(0, "", pi); Notification.Builder nBuilder = new Notification.Builder(ctx).addAction(aBuilder.build()); Notification notification = nBuilder.build(); NotificationManagerCompat nManager = null; - nManager.notify(0, notification); // $hasImplicitPendingIntent - nManager.notify("", 0, notification); // $hasImplicitPendingIntent + nManager.notify(0, notification); // $ Alert + nManager.notify("", 0, notification); // $ Alert } } public static void testPendingIntentInAnAlarm(Context ctx) { AlarmManager aManager = (AlarmManager) ctx.getSystemService(Context.ALARM_SERVICE); { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0); - aManager.set(0, 0, pi); // $hasImplicitPendingIntent - aManager.setAlarmClock(null, pi); // $hasImplicitPendingIntent - aManager.setAndAllowWhileIdle(0, 0, pi); // $hasImplicitPendingIntent - aManager.setExact(0, 0, pi); // $hasImplicitPendingIntent - aManager.setExactAndAllowWhileIdle(0, 0, pi); // $hasImplicitPendingIntent - aManager.setInexactRepeating(0, 0, 0, pi); // $hasImplicitPendingIntent - aManager.setRepeating(0, 0, 0, pi); // $hasImplicitPendingIntent - aManager.setWindow(0, 0, 0, pi); // $hasImplicitPendingIntent + aManager.set(0, 0, pi); // $ Alert + aManager.setAlarmClock(null, pi); // $ Alert + aManager.setAndAllowWhileIdle(0, 0, pi); // $ Alert + aManager.setExact(0, 0, pi); // $ Alert + aManager.setExactAndAllowWhileIdle(0, 0, pi); // $ Alert + aManager.setInexactRepeating(0, 0, 0, pi); // $ Alert + aManager.setRepeating(0, 0, 0, pi); // $ Alert + aManager.setWindow(0, 0, 0, pi); // $ Alert } { Intent baseIntent = new Intent(); @@ -253,24 +253,24 @@ public static void testPendingIntentInAnAlarm(Context ctx) { } // Compat sinks { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0); - AlarmManagerCompat.setAlarmClock(aManager, 0, pi, null); // $hasImplicitPendingIntent - AlarmManagerCompat.setAlarmClock(aManager, 0, null, pi); // $hasImplicitPendingIntent - AlarmManagerCompat.setAndAllowWhileIdle(aManager, 0, 0, pi); // $hasImplicitPendingIntent - AlarmManagerCompat.setExact(aManager, 0, 0, pi); // $hasImplicitPendingIntent - AlarmManagerCompat.setExactAndAllowWhileIdle(aManager, 0, 0, pi); // $hasImplicitPendingIntent + AlarmManagerCompat.setAlarmClock(aManager, 0, pi, null); // $ Alert + AlarmManagerCompat.setAlarmClock(aManager, 0, null, pi); // $ Alert + AlarmManagerCompat.setAndAllowWhileIdle(aManager, 0, 0, pi); // $ Alert + AlarmManagerCompat.setExact(aManager, 0, 0, pi); // $ Alert + AlarmManagerCompat.setExactAndAllowWhileIdle(aManager, 0, 0, pi); // $ Alert } } static class TestActivity extends Activity { @Override public void onCreate(Bundle bundle) { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(null, 0, baseIntent, 0); Intent fwdIntent = new Intent(); fwdIntent.putExtra("fwdIntent", pi); - setResult(0, fwdIntent); // $hasImplicitPendingIntent + setResult(0, fwdIntent); // $ Alert } } @@ -281,13 +281,13 @@ static class TestSliceProvider extends SliceProvider { @Override public Slice onBindSlice(Uri sliceUri) { if (sliceUri.getAuthority().equals("1")) { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, 0); SliceAction activityAction = SliceAction.createDeeplink(pi, null, 0, "Test"); ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, null); listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title") .setPrimaryAction(activityAction)); - return listBuilder.build(); // $hasImplicitPendingIntent + return listBuilder.build(); // $ Alert } else if (sliceUri.getAuthority().equals("2")) { Intent baseIntent = new Intent(getContext(), Activity.class); // Sanitizer @@ -314,16 +314,16 @@ public Slice onBindSlice(Uri sliceUri) { SliceAction action = SliceAction.createDeeplink(mPendingIntent, null, 0, ""); ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, 0); listBuilder.addRow(new ListBuilder.RowBuilder(sliceUri).setPrimaryAction(action)); - return listBuilder.build(); // $hasImplicitPendingIntent + return listBuilder.build(); // $ Alert } } @Override public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPackage) { if (sliceUri.getAuthority().equals("1")) { - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, 0); - return pi; // $hasImplicitPendingIntent + return pi; // $ Alert } else { Intent baseIntent = new Intent(); PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent, @@ -336,7 +336,7 @@ public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPacka public boolean onCreateSliceProvider() { // Testing implicit field read flows: // mPendingIntent is used in onBindSlice - Intent baseIntent = new Intent(); + Intent baseIntent = new Intent(); // $ Source mPendingIntent = PendingIntent.getActivity(getContext(), 0, baseIntent, 0); return true; } diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.qlref b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.qlref new file mode 100644 index 000000000000..beeff5417fcd --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/ImplicitPendingIntentsTest.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-927/ImplicitPendingIntents.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/options b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/options new file mode 100644 index 000000000000..43e25f608b67 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntents/options @@ -0,0 +1 @@ +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0 diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.expected b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql deleted file mode 100644 index b474a32b52c7..000000000000 --- a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.ImplicitPendingIntentsQuery -import utils.test.InlineExpectationsTest - -module ImplicitPendingIntentsTest implements TestSig { - string getARelevantTag() { result = "hasImplicitPendingIntent" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "hasImplicitPendingIntent" and - exists(DataFlow::Node sink | ImplicitPendingIntentStartFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest