github
diff --git a/‎java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java renamed to ‎java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
Lines changed: 12 additions & 13 deletions b/‎java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java renamed to ‎java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
Lines changed: 12 additions & 13 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java renamed to ‎java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java
Lines changed: 18 additions & 18 deletions b/‎java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java renamed to ‎java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java
Lines changed: 18 additions & 18 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java renamed to ‎java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java
Lines changed: 10 additions & 11 deletions b/‎java/ql/test/query-tests/security/CWE-094/GroovyEvalTest.java renamed to ‎java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java
Lines changed: 10 additions & 11 deletions
@@ -14,42 +14,41 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            classLoader.parseClass(gcs); // $hasGroovyInjection
+            classLoader.parseClass(gcs); // $Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
             GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-            classLoader.parseClass(gcs, true); // $hasGroovyInjection
+            classLoader.parseClass(gcs, true); // $Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection
+            classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection
+            classLoader.parseClass(new StringReader(script), "test"); // $Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(script); // $hasGroovyInjection
+            classLoader.parseClass(script); // $Alert
         }
         // "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
+            String script = request.getParameter("script"); // $Source
             final GroovyClassLoader classLoader = new GroovyClassLoader();
-            classLoader.parseClass(script, "test"); // $hasGroovyInjection
+            classLoader.parseClass(script, "test"); // $Alert
         }
     }
 }
-
@@ -18,8 +18,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
         // "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual"
         {
             CompilationUnit cu = new CompilationUnit();
-            cu.addSource("test", request.getParameter("source"));
-            cu.compile(); // $hasGroovyInjection
+            cu.addSource("test", request.getParameter("source")); // $Source
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
@@ -29,20 +29,20 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
         {
             CompilationUnit cu = new CompilationUnit();
             cu.addSource("test",
-                    new ByteArrayInputStream(request.getParameter("source").getBytes()));
-            cu.compile(); // $hasGroovyInjection
+                    new ByteArrayInputStream(request.getParameter("source").getBytes())); // $Source
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            cu.addSource(new URL(request.getParameter("source")));
-            cu.compile(); // $hasGroovyInjection
+            cu.addSource(new URL(request.getParameter("source"))); // $Source
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
             SourceUnit su =
-                    new SourceUnit("test", request.getParameter("source"), null, null, null);
+                    new SourceUnit("test", request.getParameter("source"), null, null, null); // $Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
@@ -53,29 +53,29 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null);
+            StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $Source
             SourceUnit su = new SourceUnit("test", rs, null, null, null);
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
             SourceUnit su =
-                    new SourceUnit(new URL(request.getParameter("source")), null, null, null);
+                    new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            SourceUnit su = SourceUnit.create("test", request.getParameter("source"));
+            SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0);
+            SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $Source
             cu.addSource(su);
-            cu.compile(); // $hasGroovyInjection
+            cu.compile(); // $Alert
         }
         {
             CompilationUnit cu = new CompilationUnit();
@@ -85,8 +85,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
         }
         {
             JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit();
-            cu.addSource("test", request.getParameter("source"));
-            cu.compile(); // $hasGroovyInjection
+            cu.addSource("test", request.getParameter("source")); // $Source
+            cu.compile(); // $Alert
         }
         {
             JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null);
 
@@ -11,30 +11,29 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
         // "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.me(script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $Source
+            Eval.me(script); // $Alert
         }
         // "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.me("test", "result", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $Source
+            Eval.me("test", "result", script); // $Alert
         }
         // "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.x("result2", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $Source
+            Eval.x("result2", script); // $Alert
 
         }
         // "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.xy("result3", "result4", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $Source
+            Eval.xy("result3", "result4", script); // $Alert
         }
         // "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual",
         {
-            String script = request.getParameter("script");
-            Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection
+            String script = request.getParameter("script"); // $Source
+            Eval.xyz("result3", "result4", "aaa", script); // $Alert
         }
     }
 }
-
Original file line number	Diff line number	Diff line change
`@@ -14,42 +14,41 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)`
`14`	`14`	`throws ServletException, IOException {`
`15`	`15`	`// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",`
`16`	`16`	`{`
`17`		`- String script = request.getParameter("script");`
	`17`	`+ String script = request.getParameter("script"); // $Source`
`18`	`18`	`final GroovyClassLoader classLoader = new GroovyClassLoader();`
`19`	`19`	`GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");`
`20`		`- classLoader.parseClass(gcs); // $hasGroovyInjection`
	`20`	`+ classLoader.parseClass(gcs); // $Alert`
`21`	`21`	`}`
`22`	`22`	`// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",`
`23`	`23`	`{`
`24`		`- String script = request.getParameter("script");`
	`24`	`+ String script = request.getParameter("script"); // $Source`
`25`	`25`	`final GroovyClassLoader classLoader = new GroovyClassLoader();`
`26`	`26`	`GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");`
`27`		`- classLoader.parseClass(gcs, true); // $hasGroovyInjection`
	`27`	`+ classLoader.parseClass(gcs, true); // $Alert`
`28`	`28`	`}`
`29`	`29`	`// "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",`
`30`	`30`	`{`
`31`		`- String script = request.getParameter("script");`
	`31`	`+ String script = request.getParameter("script"); // $Source`
`32`	`32`	`final GroovyClassLoader classLoader = new GroovyClassLoader();`
`33`		`- classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection`
	`33`	`+ classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $Alert`
`34`	`34`	`}`
`35`	`35`	`// "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",`
`36`	`36`	`{`
`37`		`- String script = request.getParameter("script");`
	`37`	`+ String script = request.getParameter("script"); // $Source`
`38`	`38`	`final GroovyClassLoader classLoader = new GroovyClassLoader();`
`39`		`- classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection`
	`39`	`+ classLoader.parseClass(new StringReader(script), "test"); // $Alert`
`40`	`40`	`}`
`41`	`41`	`// "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",`
`42`	`42`	`{`
`43`		`- String script = request.getParameter("script");`
	`43`	`+ String script = request.getParameter("script"); // $Source`
`44`	`44`	`final GroovyClassLoader classLoader = new GroovyClassLoader();`
`45`		`- classLoader.parseClass(script); // $hasGroovyInjection`
	`45`	`+ classLoader.parseClass(script); // $Alert`
`46`	`46`	`}`
`47`	`47`	`// "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",`
`48`	`48`	`{`
`49`		`- String script = request.getParameter("script");`
	`49`	`+ String script = request.getParameter("script"); // $Source`
`50`	`50`	`final GroovyClassLoader classLoader = new GroovyClassLoader();`
`51`		`- classLoader.parseClass(script, "test"); // $hasGroovyInjection`
	`51`	`+ classLoader.parseClass(script, "test"); // $Alert`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`	`}`
`55`		`-`
Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)`
`18`	`18`	`// "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual"`
`19`	`19`	`{`
`20`	`20`	`CompilationUnit cu = new CompilationUnit();`
`21`		`- cu.addSource("test", request.getParameter("source"));`
`22`		`- cu.compile(); // $hasGroovyInjection`
	`21`	`+ cu.addSource("test", request.getParameter("source")); // $Source`
	`22`	`+ cu.compile(); // $Alert`
`23`	`23`	`}`
`24`	`24`	`{`
`25`	`25`	`CompilationUnit cu = new CompilationUnit();`
`@@ -29,20 +29,20 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)`
`29`	`29`	`{`
`30`	`30`	`CompilationUnit cu = new CompilationUnit();`
`31`	`31`	`cu.addSource("test",`
`32`		`- new ByteArrayInputStream(request.getParameter("source").getBytes()));`
`33`		`- cu.compile(); // $hasGroovyInjection`
	`32`	`+ new ByteArrayInputStream(request.getParameter("source").getBytes())); // $Source`
	`33`	`+ cu.compile(); // $Alert`
`34`	`34`	`}`
`35`	`35`	`{`
`36`	`36`	`CompilationUnit cu = new CompilationUnit();`
`37`		`- cu.addSource(new URL(request.getParameter("source")));`
`38`		`- cu.compile(); // $hasGroovyInjection`
	`37`	`+ cu.addSource(new URL(request.getParameter("source"))); // $Source`
	`38`	`+ cu.compile(); // $Alert`
`39`	`39`	`}`
`40`	`40`	`{`
`41`	`41`	`CompilationUnit cu = new CompilationUnit();`
`42`	`42`	`SourceUnit su =`
`43`		`- new SourceUnit("test", request.getParameter("source"), null, null, null);`
	`43`	`+ new SourceUnit("test", request.getParameter("source"), null, null, null); // $Source`
`44`	`44`	`cu.addSource(su);`
`45`		`- cu.compile(); // $hasGroovyInjection`
	`45`	`+ cu.compile(); // $Alert`
`46`	`46`	`}`
`47`	`47`	`{`
`48`	`48`	`CompilationUnit cu = new CompilationUnit();`
`@@ -53,29 +53,29 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)`
`53`	`53`	`}`
`54`	`54`	`{`
`55`	`55`	`CompilationUnit cu = new CompilationUnit();`
`56`		`- StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null);`
	`56`	`+ StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $Source`
`57`	`57`	`SourceUnit su = new SourceUnit("test", rs, null, null, null);`
`58`	`58`	`cu.addSource(su);`
`59`		`- cu.compile(); // $hasGroovyInjection`
	`59`	`+ cu.compile(); // $Alert`
`60`	`60`	`}`
`61`	`61`	`{`
`62`	`62`	`CompilationUnit cu = new CompilationUnit();`
`63`	`63`	`SourceUnit su =`
`64`		`- new SourceUnit(new URL(request.getParameter("source")), null, null, null);`
	`64`	`+ new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $Source`
`65`	`65`	`cu.addSource(su);`
`66`		`- cu.compile(); // $hasGroovyInjection`
	`66`	`+ cu.compile(); // $Alert`
`67`	`67`	`}`
`68`	`68`	`{`
`69`	`69`	`CompilationUnit cu = new CompilationUnit();`
`70`		`- SourceUnit su = SourceUnit.create("test", request.getParameter("source"));`
	`70`	`+ SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $Source`
`71`	`71`	`cu.addSource(su);`
`72`		`- cu.compile(); // $hasGroovyInjection`
	`72`	`+ cu.compile(); // $Alert`
`73`	`73`	`}`
`74`	`74`	`{`
`75`	`75`	`CompilationUnit cu = new CompilationUnit();`
`76`		`- SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0);`
	`76`	`+ SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $Source`
`77`	`77`	`cu.addSource(su);`
`78`		`- cu.compile(); // $hasGroovyInjection`
	`78`	`+ cu.compile(); // $Alert`
`79`	`79`	`}`
`80`	`80`	`{`
`81`	`81`	`CompilationUnit cu = new CompilationUnit();`
`@@ -85,8 +85,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)`
`85`	`85`	`}`
`86`	`86`	`{`
`87`	`87`	`JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit();`
`88`		`- cu.addSource("test", request.getParameter("source"));`
`89`		`- cu.compile(); // $hasGroovyInjection`
	`88`	`+ cu.addSource("test", request.getParameter("source")); // $Source`
	`89`	`+ cu.compile(); // $Alert`
`90`	`90`	`}`
`91`	`91`	`{`
`92`	`92`	`JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null);`
Original file line number	Diff line number	Diff line change
`@@ -11,30 +11,29 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)`
`11`	`11`	`throws ServletException, IOException {`
`12`	`12`	`// "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual",`
`13`	`13`	`{`
`14`		`- String script = request.getParameter("script");`
`15`		`- Eval.me(script); // $hasGroovyInjection`
	`14`	`+ String script = request.getParameter("script"); // $Source`
	`15`	`+ Eval.me(script); // $Alert`
`16`	`16`	`}`
`17`	`17`	`// "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual",`
`18`	`18`	`{`
`19`		`- String script = request.getParameter("script");`
`20`		`- Eval.me("test", "result", script); // $hasGroovyInjection`
	`19`	`+ String script = request.getParameter("script"); // $Source`
	`20`	`+ Eval.me("test", "result", script); // $Alert`
`21`	`21`	`}`
`22`	`22`	`// "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual",`
`23`	`23`	`{`
`24`		`- String script = request.getParameter("script");`
`25`		`- Eval.x("result2", script); // $hasGroovyInjection`
	`24`	`+ String script = request.getParameter("script"); // $Source`
	`25`	`+ Eval.x("result2", script); // $Alert`
`26`	`26`
`27`	`27`	`}`
`28`	`28`	`// "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual",`
`29`	`29`	`{`
`30`		`- String script = request.getParameter("script");`
`31`		`- Eval.xy("result3", "result4", script); // $hasGroovyInjection`
	`30`	`+ String script = request.getParameter("script"); // $Source`
	`31`	`+ Eval.xy("result3", "result4", script); // $Alert`
`32`	`32`	`}`
`33`	`33`	`// "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual",`
`34`	`34`	`{`
`35`		`- String script = request.getParameter("script");`
`36`		`- Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection`
	`35`	`+ String script = request.getParameter("script"); // $Source`
	`36`	`+ Eval.xyz("result3", "result4", "aaa", script); // $Alert`
`37`	`37`	`}`
`38`	`38`	`}`
`39`	`39`	`}`
`40`		`-`