
Commit 9cd5706

committed
Java: convert JexlInjection test to .qlref
1 parent eddff3d commit 9cd5706

9 files changed

+332
-42
lines changed


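--- a/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java
+++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java
@@ -11,21 +11,21 @@ private static void runJexlExpression(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
 Expression e = jexl.createExpression(jexlExpr);
 JexlContext jc = new MapContext();
-e.evaluate(jc); // $hasJexlInjection
+e.evaluate(jc); // $Alert
 }
 
 private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
 Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0));
 JexlContext jc = new MapContext();
-e.evaluate(jc); // $hasJexlInjection
+e.evaluate(jc); // $Alert
 }
 
 private static void runJexlScript(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
 Script script = jexl.createScript(jexlExpr);
 JexlContext jc = new MapContext();
-script.execute(jc); // $hasJexlInjection
+script.execute(jc); // $Alert
 }
 
 private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -34,45 +34,45 @@ private static void runJexlScriptViaCallable(String jexlExpr) {
 JexlContext jc = new MapContext();
 
 try {
-script.callable(jc).call(); // $hasJexlInjection
+script.callable(jc).call(); // $Alert
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
 }
 
 private static void runJexlExpressionViaGetProperty(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
-jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
+jexl.getProperty(new Object(), jexlExpr); // $Alert
 }
 
 private static void runJexlExpressionViaSetProperty(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
-jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
+jexl.setProperty(new Object(), jexlExpr, new Object()); // $Alert
 }
 
 private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
 UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
+unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $Alert
 }
 
 private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
 UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
+unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $Alert
 }
 
 private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
 JexlEngine jexl = new JexlEngine();
 UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
+unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $Alert
 }
 
 private static void testWithSocket(Consumer<String> action) throws Exception {
 try (ServerSocket serverSocket = new ServerSocket(0)) {
 try (Socket socket = serverSocket.accept()) {
 byte[] bytes = new byte[1024];
-int n = socket.getInputStream().read(bytes);
+int n = socket.getInputStream().read(bytes); // $Source
 String jexlExpr = new String(bytes, 0, n);
 action.accept(jexlExpr);
 }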
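Review bot: The line now tagged `$Source`, `int n = socket.getInputStream().read(bytes);`, returns -1 at end of stream, and the following `new String(bytes, 0, n)` would then throw `StringIndexOutOfBoundsException`; the conversion also relies on the platform default charset. This is a query-test fixture rather than production code, so the runtime path presumably never executes, but the fixture is meant to model a realistic remote source, and a guard such as `if (n < 0) return;` ahead of `String jexlExpr = new String(bytes, 0, n, StandardCharsets.UTF_8);` should leave the taint path the test expects intact. testWithSocket's body continues past the end of this hunk.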

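--- a/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java
+++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java
@@ -18,21 +18,21 @@ private static void runJexlExpression(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
 JexlExpression e = jexl.createExpression(jexlExpr);
 JexlContext jc = new MapContext();
-e.evaluate(jc); // $hasJexlInjection
+e.evaluate(jc); // $Alert
 }
 
 private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
 JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
 JexlContext jc = new MapContext();
-e.evaluate(jc); // $hasJexlInjection
+e.evaluate(jc); // $Alert
 }
 
 private static void runJexlScript(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
 JexlScript script = jexl.createScript(jexlExpr);
 JexlContext jc = new MapContext();
-script.execute(jc); // $hasJexlInjection
+script.execute(jc); // $Alert
 }
 
 private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -41,38 +41,38 @@ private static void runJexlScriptViaCallable(String jexlExpr) {
 JexlContext jc = new MapContext();
 
 try {
-script.callable(jc).call(); // $hasJexlInjection
+script.callable(jc).call(); // $Alert
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
 }
 
 private static void runJexlExpressionViaGetProperty(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
-jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
+jexl.getProperty(new Object(), jexlExpr); // $Alert
 }
 
 private static void runJexlExpressionViaSetProperty(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
-jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
+jexl.setProperty(new Object(), jexlExpr, new Object()); // $Alert
 }
 
 private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
 JxltEngine jxlt = jexl.createJxltEngine();
-jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
+jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $Alert
 }
 
 private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
 JxltEngine jxlt = jexl.createJxltEngine();
-jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
+jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $Alert
 }
 
 private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
 JexlEngine jexl = new JexlBuilder().create();
 JxltEngine jxlt = jexl.createJxltEngine();
-jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
+jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $Alert
 }
 
 private static void runJexlExpressionViaCallable(String jexlExpr) {
@@ -81,7 +81,7 @@ private static void runJexlExpressionViaCallable(String jexlExpr) {
 JexlContext jc = new MapContext();
 
 try {
-e.callable(jc).call(); // $hasJexlInjection
+e.callable(jc).call(); // $Alert
 } catch (Exception ex) {
 throw new RuntimeException(ex);
 }
@@ -91,7 +91,7 @@ private static void testWithSocket(Consumer<String> action) throws Exception {
 try (ServerSocket serverSocket = new ServerSocket(0)) {
 try (Socket socket = serverSocket.accept()) {
 byte[] bytes = new byte[1024];
-int n = socket.getInputStream().read(bytes);
+int n = socket.getInputStream().read(bytes); // $Source
 String jexlExpr = new String(bytes, 0, n);
 action.accept(jexlExpr);
 }
@@ -141,14 +141,14 @@ public static void testWithJexlExpressionCallable() throws Exception {
 }
 
 @PostMapping("/request")
-public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) {
+public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $Source
 
 runJexlExpression(expr);
 return ResponseEntity.ok(HttpStatus.OK);
 }
 
 @PostMapping("/request")
-public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) {
+public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $Source
 
 String expr = data.getExpr();
 runJexlExpression(expr);
@@ -158,7 +158,7 @@ public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@
 
 @PostMapping("/request")
 public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects(
-@RequestBody CustomRequest customRequest) {
+@RequestBody CustomRequest customRequest) { // $Source
 
 String expr = customRequest.getData().getExpr();
 runJexlExpression(expr);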
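Review bot: The three controller methods newly tagged `$Source` in the last two hunks all carry the same `@PostMapping("/request")`; if they live in one controller class, which the file layout suggests but the hunks do not show, Spring would reject the duplicate mapping at startup as ambiguous. Since this is a static-analysis fixture that is presumably never deployed, the test itself is unaffected, but distinct paths such as `@PostMapping("/request/path")`, `@PostMapping("/request/body")` and `@PostMapping("/request/nested")` would make the fixture realistic without touching the `$Source` or `$Alert` expectations. The `@PathVariable String expr` in the first of these is also bound to a path that declares no `{expr}` template, so the same tidy-up could give it `@PostMapping("/request/{expr}")`. The enclosing class starts and ends outside these hunks.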
