diff --git a/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll b/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
index d073868b0f5f..be7f12920914 100644
--- a/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
@@ -104,6 +104,17 @@ private predicate constantBooleanExpr(Expr e, boolean val) {
 CalcConstants::calculateBooleanValue(e) = val
 }
+pragma[nomagic]
+private predicate constantStringExpr(Expr e, string val) {
+ e.(CompileTimeConstantExpr).getStringValue() = val
+ or
+ exists(SsaExplicitUpdate v, Expr src |
+ e = v.getAUse() and
+ src = v.getDefiningExpr().(VariableAssign).getSource() and
+ constantStringExpr(src, val)
+ )
+}
+
 private boolean getBoolValue(Expr e) { constantBooleanExpr(e, result) }
 private int getIntValue(Expr e) { constantIntegerExpr(e, result) }
@@ -126,6 +137,14 @@ class ConstantBooleanExpr extends Expr {
 boolean getBooleanValue() { constantBooleanExpr(this, result) }
 }
+/** An expression that always has the same string value. */
+class ConstantStringExpr extends Expr {
+ ConstantStringExpr() { constantStringExpr(this, _) }
+
+ /** Get the string value of this expression. */
+ string getStringValue() { constantStringExpr(this, result) }
+}
+
 /**
 * Gets an expression that equals `v - d`.
 */
diff --git a/java/ql/lib/semmle/code/java/frameworks/apache/CommonsXml.qll b/java/ql/lib/semmle/code/java/frameworks/apache/CommonsXml.qll
new file mode 100644
index 000000000000..42ecc946e504
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/frameworks/apache/CommonsXml.qll
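Review bot: The QLDoc on `getStringValue` in the second hunk, `/** Get the string value of this expression. */`, does not follow the CodeQL convention that a predicate summary begins with "Gets" or "Holds if"; it was moved verbatim from XmlParsers.qll, but now that `ConstantStringExpr` is a public class in a shared dataflow library it should read `/** Gets the string value of this expression. */`. The class comment could also say how the value is derived, since the SSA case is not obvious from the name: `An expression that always has the same string value: a compile-time constant string, or a use of an SSA variable whose defining assignment has such a value.` Both hunks are otherwise a straight move from XmlParsers.qll, with `pragma[nomagic]` added on the now-recursive predicate.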
@@ -0,0 +1,90 @@
+/** Provides XML definitions related to the `org.apache.commons` package. */
+
+import java
+private import semmle.code.java.dataflow.RangeUtils
+private import semmle.code.java.security.XmlParsers
+
+/**
+ * The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
+ */
+private class Digester extends RefType {
+ Digester() {
+ this.hasQualifiedName([
+ "org.apache.commons.digester3", "org.apache.commons.digester",
+ "org.apache.tomcat.util.digester"
+ ], "Digester")
+ }
+}
+
+/** A call to `Digester.parse`. */
+private class DigesterParse extends XmlParserCall {
+ DigesterParse() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.getDeclaringType() instanceof Digester and
+ m.hasName("parse")
+ )
+ }
+
+ override Expr getSink() { result = this.getArgument(0) }
+
+ override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
+}
+
+/** A `ParserConfig` that is specific to `Digester`. */
+private class DigesterConfig extends ParserConfig {
+ DigesterConfig() {
+ exists(Method m |
+ m = this.getMethod() and
+ m.getDeclaringType() instanceof Digester and
+ m.hasName("setFeature")
+ )
+ }
+}
+
+/**
+ * A safely configured `Digester`. 
+ */
+private class SafeDigester extends VarAccess {
+ SafeDigester() {
+ exists(Variable v | v = this.getVariable() |
+ exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
+ config.enables(singleSafeConfig())
+ )
+ or
+ exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
+ config
+ .disables(any(ConstantStringExpr s |
+ s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
+ ))
+ ) and
+ exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
+ config
+ .disables(any(ConstantStringExpr s |
+ s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
+ ))
+ ) and
+ exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
+ config
+ .disables(any(ConstantStringExpr s |
+ s.getStringValue() =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ ))
+ )
+ )
+ }
+}
+
+private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
+
+ predicate isSink(DataFlow::Node sink) {
+ exists(MethodAccess ma |
+ sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
+ )
+ }
+
+ int fieldFlowBranchLimit() { result = 0 }
+}
+
+private module SafeDigesterFlow = DataFlow::Global;
diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
new file mode 100644
index 000000000000..590b172bffa8
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll
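Review bot: `SafeDigester`'s QLDoc, `A safely configured `Digester`.`, does not say which configurations are accepted, although its constructor encodes two distinct alternatives: one `setFeature` call that enables `singleSafeConfig()`, or three `setFeature` calls that disable `external-general-entities`, `external-parameter-entities` and `nonvalidating/load-external-dtd`. Suggest spelling that out, e.g. `A `Digester` variable on which either `singleSafeConfig()` is enabled, or all three external-entity and external-DTD features are disabled via `setFeature`.` The comment should also note that the match is flow-insensitive — each `exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() | ...)` accepts a `setFeature` on any access of the variable, whether or not it executes before `parse` — since that is the precision trade-off a reader of `isSafe()` needs to know. The same two observations apply to `SafeValidator` in the Xml.qll hunk, which requires both `configAccessExternalDtd()` and `configAccessExternalSchema()` to be disabled.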
@@ -0,0 +1,64 @@
+/** Provides definitions related to the `javax.xml` package. */
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/** A call to `Validator.validate`. */
+private class ValidatorValidate extends XmlParserCall {
+ ValidatorValidate() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.getDeclaringType() instanceof Validator and
+ m.hasName("validate")
+ )
+ }
+
+ override Expr getSink() { result = this.getArgument(0) }
+
+ override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
+}
+
+/** A `TransformerConfig` specific to `Validator`. */
+private class ValidatorConfig extends TransformerConfig {
+ ValidatorConfig() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.getDeclaringType() instanceof Validator and
+ m.hasName("setProperty")
+ )
+ }
+}
+
+/** The class `javax.xml.validation.Validator`. */
+private class Validator extends RefType {
+ Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
+}
+
+/** A safely configured `Validator`. */
+private class SafeValidator extends VarAccess {
+ SafeValidator() {
+ exists(Variable v | v = this.getVariable() |
+ exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
+ config.disables(configAccessExternalDtd())
+ ) and
+ exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
+ config.disables(configAccessExternalSchema())
+ )
+ )
+ }
+}
+
+private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
+
+ predicate isSink(DataFlow::Node sink) {
+ exists(MethodAccess ma |
+ sink.asExpr() = ma.getQualifier() and
+ ma.getMethod().getDeclaringType() instanceof Validator
+ )
+ }
+
+ int fieldFlowBranchLimit() { result = 0 }
+}
+
+private module SafeValidatorFlow = DataFlow::Global;
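Review bot: The module comment `/** Provides definitions related to the `javax.xml` package. */` overstates the file's scope, since every class in this hunk models only `javax.xml.validation.Validator`; `/** Provides definitions related to the `javax.xml.validation` package. */` would be accurate. As a point of style, `Validator` is declared after its two uses in `ValidatorValidate` and `ValidatorConfig`; QL does not mind, but moving the type declaration above its uses matches the order used in Beans.qll and CommonsXml.qll in this same commit.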
diff --git a/java/ql/lib/semmle/code/java/frameworks/javase/Beans.qll b/java/ql/lib/semmle/code/java/frameworks/javase/Beans.qll
new file mode 100644
index 000000000000..dbdaf6960f31
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/frameworks/javase/Beans.qll
@@ -0,0 +1,24 @@
+/** Provides definitions related to the `java.beans` package. */
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/** The class `java.beans.XMLDecoder`. */
+private class XmlDecoder extends RefType {
+ XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
+}
+
+/** A call to `XMLDecoder.readObject`. */
+private class XmlDecoderReadObject extends XmlParserCall {
+ XmlDecoderReadObject() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.getDeclaringType() instanceof XmlDecoder and
+ m.hasName("readObject")
+ )
+ }
+
+ override Expr getSink() { result = this.getQualifier() }
+
+ override predicate isSafe() { none() }
+}
diff --git a/java/ql/lib/semmle/code/java/frameworks/rundeck/RundeckXml.qll b/java/ql/lib/semmle/code/java/frameworks/rundeck/RundeckXml.qll
new file mode 100644
index 000000000000..0f271e073e6e
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/frameworks/rundeck/RundeckXml.qll
@@ -0,0 +1,19 @@
+/** Provides definitions related to XML parsing in Rundeck. */
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/** A call to `ParserHelper.loadDocument`. */
+private class ParserHelperLoadDocument extends XmlParserCall {
+ ParserHelperLoadDocument() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.getDeclaringType().hasQualifiedName("org.rundeck.api.parser", "ParserHelper") and
+ m.hasName("loadDocument")
+ )
+ }
+
+ override Expr getSink() { result = this.getArgument(0) }
+
+ override predicate isSafe() { none() }
+}
diff --git a/java/ql/lib/semmle/code/java/security/XmlParsers.qll b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
index 230b102bd5ee..a079267b131a 100644
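Review bot: `override predicate isSafe() { none() }` in `XmlDecoderReadObject` carries no explanation of why no call can ever be considered safe, and the same bare `none()` appears in `ParserHelperLoadDocument` in the RundeckXml.qll hunk. For `XMLDecoder` the reason, as far as I can tell, is that the class exposes no API for configuring its underlying parser, so a comment such as `// XMLDecoder offers no way to restrict entity resolution on its parser, so no call is treated as safe.` would save the next reader a trip to the JDK docs. `getSink()` returning the qualifier rather than an argument also deserves a line — the test removed by this commit shows the untrusted stream being passed to the `XMLDecoder` constructor while `readObject()` takes no argument — e.g. `// The input stream is supplied to the constructor, so the decoder itself is the sink.`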
--- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
@@ -2,15 +2,15 @@
 import java
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.dataflow.DataFlow3
-import semmle.code.java.dataflow.DataFlow4
-import semmle.code.java.dataflow.DataFlow5
-private import semmle.code.java.dataflow.SSA
+private import semmle.code.java.dataflow.RangeUtils
-/*
- * Various XML parsers in Java.
- */
+private module Frameworks {
+ private import semmle.code.java.frameworks.apache.CommonsXml
+ private import semmle.code.java.frameworks.javaee.Xml
+ private import semmle.code.java.frameworks.javase.Beans
+ private import semmle.code.java.frameworks.rundeck.RundeckXml
+}
 /**
 * An abstract type representing a call to parse XML files.
@@ -130,26 +130,6 @@ class DocumentBuilderFactoryConfig extends ParserConfig {
 }
 }
-private predicate constantStringExpr(Expr e, string val) {
- e.(CompileTimeConstantExpr).getStringValue() = val
- or
- exists(SsaExplicitUpdate v, Expr src |
- e = v.getAUse() and
- src = v.getDefiningExpr().(VariableAssign).getSource() and
- constantStringExpr(src, val)
- )
-}
-
-/** An expression that always has the same string value. */
-private class ConstantStringExpr extends Expr {
- string value;
-
- ConstantStringExpr() { constantStringExpr(this, value) }
-
- /** Get the string value of this expression. */
- string getStringValue() { result = value }
-}
-
 /**
 * A general configuration that is safe when enabled.
 */
@@ -973,7 +953,7 @@ class TransformerFactorySource extends XmlParserCall {
 exists(Method m |
 this.getMethod() = m and
 m.getDeclaringType() instanceof TransformerFactory and
- m.hasName("newTransformer")
+ m.hasName(["newTransformer", "newTransformerHandler"])
 )
 }
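Review bot: In the third hunk, `m.hasName(["newTransformer", "newTransformerHandler"])` only picks up the new name if `TransformerFactory` (a class defined outside this hunk) also matches `javax.xml.transform.sax.SAXTransformerFactory`, because `newTransformerHandler` is declared on that subclass rather than on `javax.xml.transform.TransformerFactory`; the `m.getDeclaringType() instanceof TransformerFactory` conjunct on the line above would otherwise exclude every such call. The experimental `SaxTransformerFactoryNewTransformerHandler` class that this replaces matched the declaring type by that qualified name explicitly, so it is worth confirming the `TransformerFactory` class covers it, ideally with a `newTransformerHandler(Source)` case in the `java/xxe` tests. `TransformerFactorySource`'s constructor and its `getSink()` lie outside this hunk.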
diff --git a/java/ql/src/change-notes/2023-04-26-xxe-sinks-promotion.md b/java/ql/src/change-notes/2023-04-26-xxe-sinks-promotion.md
new file mode 100644
index 000000000000..01bbfe267bd1
--- /dev/null
+++ b/java/ql/src/change-notes/2023-04-26-xxe-sinks-promotion.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Experimental sinks for the query "Resolving XML external entity in user-controlled data" (`java/xxe`) have been promoted to the main query pack. These sinks were originally [submitted as part of an experimental query by @haby0](https://github.com/github/codeql/pull/6564).
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.java b/java/ql/src/experimental/Security/CWE/CWE-611/XXE.java
deleted file mode 100644
index b56914235a72..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.java
+++ /dev/null
@@ -1,85 +0,0 @@
-import java.beans.XMLDecoder;
-import java.io.BufferedReader;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
-import javax.xml.validation.Validator;
-import org.apache.commons.digester3.Digester;
-import org.dom4j.Document;
-import org.dom4j.DocumentHelper;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.PostMapping;
-
-@Controller
-public class XxeController {
-
- @PostMapping(value = "xxe1")
- public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
- ServletInputStream servletInputStream = request.getInputStream();
- Digester digester = new Digester();
- digester.parse(servletInputStream);
- }
-
- @PostMapping(value = "xxe2")
- public void bad2(HttpServletRequest request) throws Exception {
- BufferedReader br = request.getReader();
- String str = "";
- StringBuilder listString = new StringBuilder();
- while ((str = br.readLine()) != null) {
- listString.append(str).append("\n");
- }
- Document document = DocumentHelper.parseText(listString.toString());
- }
-
- @PostMapping(value = "xxe3")
- public void bad3(HttpServletRequest request) throws Exception {
- ServletInputStream servletInputStream = request.getInputStream();
- SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- Schema schema = factory.newSchema();
- Validator validator = schema.newValidator();
- StreamSource source = new StreamSource(servletInputStream);
- validator.validate(source);
- }
-
- @PostMapping(value = "xxe4")
- public void bad4(HttpServletRequest request) throws Exception {
- ServletInputStream servletInputStream = request.getInputStream();
- XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
- xmlDecoder.readObject();
- }
-
- @PostMapping(value = "good1")
- public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
- BufferedReader br = request.getReader();
- String str = "";
- StringBuilder listString = new StringBuilder();
- while ((str = br.readLine()) != null) {
- listString.append(str);
- }
- Digester digester = new Digester();
- digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
- digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- digester.parse(listString.toString());
- }
-
- @PostMapping(value = "good2")
- public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
- BufferedReader br = request.getReader();
- String str = "";
- StringBuilder listString = new StringBuilder();
- while ((str = br.readLine()) != null) {
- listString.append(str).append("\n");
- }
- SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- Schema schema = factory.newSchema();
- Validator validator = schema.newValidator();
- validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
- validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
- StreamSource source = new StreamSource(listString.toString());
- validator.validate(source);
- }
-}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.qhelp b/java/ql/src/experimental/Security/CWE/CWE-611/XXE.qhelp
deleted file mode 100644
index c3cc04fdacb7..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.qhelp
+++ /dev/null
@@ -1,67 +0,0 @@ - - - - -

-Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack -uses external entity references to access arbitrary files on a system, carry out denial of service, or server side -request forgery. Even when the result of parsing is not returned to the user, out-of-band -data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be -carried out in this situation. -

-

-There are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of -external entities. This query currently identifies vulnerable XML parsing from the following parsers: javax.xml.validation.Validator, -org.dom4j.DocumentHelper, org.rundeck.api.parser.ParserHelper, org.apache.commons.digester3.Digester, -org.apache.commons.digester.Digester, org.apache.tomcat.util.digester.Digester, java.beans.XMLDecoder. -

-
- - -

-The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. -If this is not possible you should disable the parsing of external general entities and external parameter entities. -This improves security but the code will still be at risk of denial of service and server side request forgery attacks. -Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done -by default in recent JDK and JRE implementations. -

-
- - -

-The following bad examples parses the xml data entered by the user under an unsafe configuration, which is inherently insecure and may cause xml entity injection. -In good examples, the security configuration is carried out, for example: Disable DTD to protect the program from XXE attacks. -

- -
- - - -
  • -OWASP vulnerability description: -XML External Entity (XXE) Processing. -
  • -
  • -OWASP guidance on parsing xml files: -XXE Prevention Cheat Sheet. -
  • -
  • -Paper by Timothy Morgen: -XML Schema, DTD, and Entity Attacks -
  • -
  • -Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: -XML Out-Of-Band Data Retrieval. -
  • -
  • -Denial of service attack (Billion laughs): -Billion Laughs. -
  • -
  • -The Java Tutorials: -Processing Limit Definitions. -
  • - -
    - -
    
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql b/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql
deleted file mode 100644
index 118fbd5dcaaa..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * @name Resolving XML external entity in user-controlled data (experimental sinks)
- * @description Parsing user-controlled XML documents and allowing expansion of external entity
- * references may lead to disclosure of confidential data or denial of service.
- * (note this version differs from query `java/xxe` by including support for additional possibly-vulnerable XML parsers)
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/xxe-with-experimental-sinks
- * @tags security - experimental - external/cwe/cwe-611
- */
-
-import java
-import XXELib
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import XxeFlow::PathGraph
-
-module XxeConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
-}
-
-module XxeFlow = TaintTracking::Global;
-
-from XxeFlow::PathNode source, XxeFlow::PathNode sink
-where XxeFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
- "user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXELib.qll b/java/ql/src/experimental/Security/CWE/CWE-611/XXELib.qll
deleted file mode 100644
index eb3cb3d269b8..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXELib.qll
+++ /dev/null
@@ -1,246 +0,0 @@
-import java
-import semmle.code.java.dataflow.DataFlow3
-import semmle.code.java.dataflow.DataFlow4
-import semmle.code.java.dataflow.DataFlow5
-import semmle.code.java.security.XmlParsers
-private import semmle.code.java.dataflow.SSA
-
-/** A data flow sink for untrusted user input used to insecure xml parse. */
-class UnsafeXxeSink extends DataFlow::ExprNode {
- UnsafeXxeSink() {
- exists(XmlParserCall parse |
- parse.getSink() = this.getExpr() and
- not parse.isSafe()
- )
- }
-}
-
-/** The class `org.rundeck.api.parser.ParserHelper`. */
-class ParserHelper extends RefType {
- ParserHelper() { this.hasQualifiedName("org.rundeck.api.parser", "ParserHelper") }
-}
-
-/** A call to `ParserHelper.loadDocument`. */
-class ParserHelperLoadDocument extends XmlParserCall {
- ParserHelperLoadDocument() {
- exists(Method m |
- this.getMethod() = m and
- m.getDeclaringType() instanceof ParserHelper and
- m.hasName("loadDocument")
- )
- }
-
- override Expr getSink() { result = this.getArgument(0) }
-
- override predicate isSafe() { none() }
-}
-
-/** The class `javax.xml.validation.Validator`. */
-class Validator extends RefType {
- Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
-}
-
-/** A call to `Validator.validate`. */
-class ValidatorValidate extends XmlParserCall {
- ValidatorValidate() {
- exists(Method m |
- this.getMethod() = m and
- m.getDeclaringType() instanceof Validator and
- m.hasName("validate")
- )
- }
-
- override Expr getSink() { result = this.getArgument(0) }
-
- override predicate isSafe() { SafeValidatorFlow::flowToExpr(this.getQualifier()) }
-}
-
-/** A `ParserConfig` specific to `Validator`. */
-class ValidatorConfig extends TransformerConfig {
- ValidatorConfig() {
- exists(Method m |
- this.getMethod() = m and
- m.getDeclaringType() instanceof Validator and
- m.hasName("setProperty")
- )
- }
-}
-
-/** A safely configured `Validator`. 
 */
-class SafeValidator extends VarAccess {
- SafeValidator() {
- exists(Variable v | v = this.getVariable() |
- exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
- config.disables(configAccessExternalDtd())
- ) and
- exists(ValidatorConfig config | config.getQualifier() = v.getAnAccess() |
- config.disables(configAccessExternalSchema())
- )
- )
- }
-}
-
-private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
-
- predicate isSink(DataFlow::Node sink) {
- exists(MethodAccess ma |
- sink.asExpr() = ma.getQualifier() and
- ma.getMethod().getDeclaringType() instanceof Validator
- )
- }
-
- int fieldFlowBranchLimit() { result = 0 }
-}
-
-private module SafeValidatorFlow = DataFlow::Global;
-
-/**
- * The classes `org.apache.commons.digester3.Digester`, `org.apache.commons.digester.Digester` or `org.apache.tomcat.util.digester.Digester`.
- */
-class Digester extends RefType {
- Digester() {
- this.hasQualifiedName([
- "org.apache.commons.digester3", "org.apache.commons.digester",
- "org.apache.tomcat.util.digester"
- ], "Digester")
- }
-}
-
-/** A call to `Digester.parse`. */
-class DigesterParse extends XmlParserCall {
- DigesterParse() {
- exists(Method m |
- this.getMethod() = m and
- m.getDeclaringType() instanceof Digester and
- m.hasName("parse")
- )
- }
-
- override Expr getSink() { result = this.getArgument(0) }
-
- override predicate isSafe() { SafeDigesterFlow::flowToExpr(this.getQualifier()) }
-}
-
-/** A `ParserConfig` that is specific to `Digester`. */
-class DigesterConfig extends ParserConfig {
- DigesterConfig() {
- exists(Method m |
- m = this.getMethod() and
- m.getDeclaringType() instanceof Digester and
- m.hasName("setFeature")
- )
- }
-}
-
-/**
- * A safely configured `Digester`. 
- */
-class SafeDigester extends VarAccess {
- SafeDigester() {
- exists(Variable v | v = this.getVariable() |
- exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
- config.enables(singleSafeConfig())
- )
- or
- exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
- config
- .disables(any(ConstantStringExpr s |
- s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
- ))
- ) and
- exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
- config
- .disables(any(ConstantStringExpr s |
- s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
- ))
- ) and
- exists(DigesterConfig config | config.getQualifier() = v.getAnAccess() |
- config
- .disables(any(ConstantStringExpr s |
- s.getStringValue() =
- "http://apache.org/xml/features/nonvalidating/load-external-dtd"
- ))
- )
- )
- }
-}
-
-private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
-
- predicate isSink(DataFlow::Node sink) {
- exists(MethodAccess ma |
- sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
- )
- }
-
- int fieldFlowBranchLimit() { result = 0 }
-}
-
-private module SafeDigesterFlow = DataFlow::Global;
-
-/** The class `java.beans.XMLDecoder`. */
-class XmlDecoder extends RefType {
- XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
-}
-
-/** DEPRECATED: Alias for XmlDecoder */
-deprecated class XMLDecoder = XmlDecoder;
-
-/** A call to `XMLDecoder.readObject`. 
 */
-class XmlDecoderReadObject extends XmlParserCall {
- XmlDecoderReadObject() {
- exists(Method m |
- this.getMethod() = m and
- m.getDeclaringType() instanceof XmlDecoder and
- m.hasName("readObject")
- )
- }
-
- override Expr getSink() { result = this.getQualifier() }
-
- override predicate isSafe() { none() }
-}
-
-/** DEPRECATED: Alias for XmlDecoderReadObject */
-deprecated class XMLDecoderReadObject = XmlDecoderReadObject;
-
-private predicate constantStringExpr(Expr e, string val) {
- e.(CompileTimeConstantExpr).getStringValue() = val
- or
- exists(SsaExplicitUpdate v, Expr src |
- e = v.getAUse() and
- src = v.getDefiningExpr().(VariableAssign).getSource() and
- constantStringExpr(src, val)
- )
-}
-
-/** A call to `SAXTransformerFactory.newTransformerHandler`. */
-class SaxTransformerFactoryNewTransformerHandler extends XmlParserCall {
- SaxTransformerFactoryNewTransformerHandler() {
- exists(Method m |
- this.getMethod() = m and
- m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and
- m.hasName("newTransformerHandler")
- )
- }
-
- override Expr getSink() { result = this.getArgument(0) }
-
- override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) }
-}
-
-/** DEPRECATED: Alias for SaxTransformerFactoryNewTransformerHandler */
-deprecated class SAXTransformerFactoryNewTransformerHandler =
- SaxTransformerFactoryNewTransformerHandler;
-
-/** An expression that always has the same string value. */
-private class ConstantStringExpr extends Expr {
- string value;
-
- ConstantStringExpr() { constantStringExpr(this, value) }
-
- /** Get the string value of this expression. */
- string getStringValue() { result = value }
-}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.qhelp b/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.qhelp
deleted file mode 100644
index 4dc505dec6aa..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.qhelp
+++ /dev/null
@@ -1,5 +0,0 @@ - - - \ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql b/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql
deleted file mode 100644
index 99e65fa99e81..000000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * @name Resolving XML external entity from a local source (experimental sinks)
- * @description Parsing user-controlled XML documents and allowing expansion of external entity
- * references may lead to disclosure of confidential data or denial of service.
- * (note this version differs from query `java/xxe` by including support for additional possibly-vulnerable XML parsers,
- * and by considering local information sources dangerous (e.g. environment variables) in addition to the remote sources
- * considered by the normal `java/xxe` query)
- * @kind path-problem
- * @problem.severity recommendation
- * @precision medium
- * @id java/xxe-local-experimental-sinks
- * @tags security - experimental - external/cwe/cwe-611
- */
-
-import java
-import XXELib
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import XxeLocalFlow::PathGraph
-
-module XxeLocalConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
-}
-
-module XxeLocalFlow = TaintTracking::Global;
-
-from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
-where XxeLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
- "user input"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.expected b/java/ql/test/experimental/query-tests/security/CWE-611/XXE.expected
deleted file mode 100644
index b99edb2122d6..000000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.expected
+++ /dev/null
@@ -1,26 +0,0 @@ -edges -| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream | -| XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | -| XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | XXE.java:34:22:34:27 | source | -| XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | -| XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | -| XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | XXE.java:41:3:41:12 | xmlDecoder | -| XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | -nodes -| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream | -| XXE.java:24:18:24:35 | servletInputStream | semmle.label | servletInputStream | -| XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream | -| XXE.java:33:25:33:60 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource | -| XXE.java:33:42:33:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream | -| XXE.java:34:22:34:27 | source | semmle.label | source | -| XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream | -| XXE.java:40:27:40:60 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder | -| XXE.java:40:42:40:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream | -| XXE.java:41:3:41:12 | xmlDecoder | semmle.label | xmlDecoder | -| XXE.java:46:49:46:72 | getInputStream(...) 
| semmle.label | getInputStream(...) | -subpaths -#select -| XXE.java:24:18:24:35 | servletInputStream | XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream | Unsafe parsing of XML file from $@. | XXE.java:22:43:22:66 | getInputStream(...) | user input | -| XXE.java:34:22:34:27 | source | XXE.java:29:43:29:66 | getInputStream(...) : ServletInputStream | XXE.java:34:22:34:27 | source | Unsafe parsing of XML file from $@. | XXE.java:29:43:29:66 | getInputStream(...) | user input | -| XXE.java:41:3:41:12 | xmlDecoder | XXE.java:39:43:39:66 | getInputStream(...) : ServletInputStream | XXE.java:41:3:41:12 | xmlDecoder | Unsafe parsing of XML file from $@. | XXE.java:39:43:39:66 | getInputStream(...) | user input | -| XXE.java:46:49:46:72 | getInputStream(...) | XXE.java:46:49:46:72 | getInputStream(...) | XXE.java:46:49:46:72 | getInputStream(...) | Unsafe parsing of XML file from $@. | XXE.java:46:49:46:72 | getInputStream(...) | user input | diff --git a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.java b/java/ql/test/experimental/query-tests/security/CWE-611/XXE.java deleted file mode 100644 index 92a669acdc0d..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.java +++ /dev/null 
@@ -1,92 +0,0 @@
-import java.beans.XMLDecoder;
-import java.io.BufferedReader;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
-import javax.xml.validation.Validator;
-import org.rundeck.api.parser.ParserHelper;
-import org.apache.commons.digester3.Digester;
-import org.dom4j.Document;
-import org.dom4j.DocumentHelper;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.PostMapping;
-
-@Controller
-public class XXE {
-
- @PostMapping(value = "bad1")
- public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
- ServletInputStream servletInputStream = request.getInputStream();
- Digester digester = new Digester();
- digester.parse(servletInputStream); // bad
- }
-
- @PostMapping(value = "bad2")
- public void bad2(HttpServletRequest request) throws Exception {
- ServletInputStream servletInputStream = request.getInputStream();
- SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- Schema schema = factory.newSchema();
- Validator validator = schema.newValidator();
- StreamSource source = new StreamSource(servletInputStream);
- validator.validate(source); // bad
- }
-
- @PostMapping(value = "bad3")
- public void bad3(HttpServletRequest request) throws Exception {
- ServletInputStream servletInputStream = request.getInputStream();
- XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
- xmlDecoder.readObject(); // bad
- }
-
- @PostMapping(value = "bad4")
- public void bad4(HttpServletRequest request) throws Exception {
- Document document = ParserHelper.loadDocument(request.getInputStream()); // bad
- }
-
- @PostMapping(value = "good1")
- public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
- BufferedReader br = request.getReader();
- String str = "";
- StringBuilder listString = new StringBuilder();
- while ((str = br.readLine()) != null) {
- listString.append(str);
- }
- Digester digester = new Digester();
- digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
- digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- digester.parse(listString.toString());
- }
-
- @PostMapping(value = "good2")
- public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
- BufferedReader br = request.getReader();
- String str = "";
- StringBuilder listString = new StringBuilder();
- while ((str = br.readLine()) != null) {
- listString.append(str).append("\n");
- }
- SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- Schema schema = factory.newSchema();
- Validator validator = schema.newValidator();
- validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
- validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
- StreamSource source = new StreamSource(listString.toString());
- validator.validate(source);
- }
-
- @PostMapping(value = "good3")
- public void good3(HttpServletRequest request) throws Exception {
- BufferedReader br = request.getReader();
- String str = "";
- StringBuilder listString = new StringBuilder();
- while ((str = br.readLine()) != null) {
- listString.append(str).append("\n");
- }
- // parseText falls back to a default SAXReader, which is safe
- Document document = DocumentHelper.parseText(listString.toString()); // Safe
- }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.qlref b/java/ql/test/experimental/query-tests/security/CWE-611/XXE.qlref
deleted file mode 100644
index 0675e245daa1..000000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-611/XXE.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-611/options b/java/ql/test/experimental/query-tests/security/CWE-611/options
deleted file mode 100644
index 9aea8cdbe505..000000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-611/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4/:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../../stubs/jaxen-1.2.0/:${testdir}/../../../../stubs/rundeck-api-java-client-13.2
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-611/DigesterTests.java b/java/ql/test/query-tests/security/CWE-611/DigesterTests.java
new file mode 100644
index 000000000000..bace07a9b303
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/DigesterTests.java
@@ -0,0 +1,33 @@
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.digester3.Digester;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class DigesterTests {
+
+ @PostMapping(value = "bad")
+ public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
+ ServletInputStream servletInputStream = request.getInputStream();
+ Digester digester = new Digester();
+ digester.parse(servletInputStream); // $ hasTaintFlow
+ }
+
+ @PostMapping(value = "good")
+ public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
+ BufferedReader br = request.getReader();
+ String str = "";
+ StringBuilder listString = new StringBuilder();
+ while ((str = br.readLine()) != null) {
+ listString.append(str);
+ }
+ Digester digester = new Digester();
+ digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ digester.parse(listString.toString());
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java b/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java
index 0018e41346a6..98d95686301c 100644
--- a/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java
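Review bot: The safe sink in `good1`, `digester.parse(listString.toString());`, carries no marker, whereas every other safe parse in this commit's test files is tagged `// safe` (DocumentBuilderTests, SAXBuilderTests, SAXParserTests, SchemaTests); tagging it `digester.parse(listString.toString()); // safe` keeps the fixtures uniform and tells a reader that the absence of `$ hasTaintFlow` is deliberate. The good and bad cases also differ in more than configuration: `bad1` parses the `ServletInputStream`, while `good1` reads the body through `request.getReader()` into a `String` and hands that to `parse`, so if the reader path ever stopped being recognised as a source the test would still pass for the wrong reason. A third case that parses `servletInputStream` on a `Digester` configured with the same three `setFeature` calls would isolate the sanitizer from the source kind.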
@@ -11,42 +11,44 @@ class DocumentBuilderTests {
 public void unconfiguredParse(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void disableDTD(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //safe
+ builder.parse(sock.getInputStream()); // safe
 }

 public void enableSecurityFeature(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
+ // insufficient
 }

 public void enableSecurityFeature2(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow -- secure-processing by itself is
+ // insufficient
 }

 public void enableDTD(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+
builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void disableSecurityFeature(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void disableExternalEntities(Socket sock) throws Exception {
@@ -54,21 +56,21 @@ public void disableExternalEntities(Socket sock) throws Exception {
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //safe
+ builder.parse(sock.getInputStream()); // safe
 }

 public void partialDisableExternalEntities(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void partialDisableExternalEntities2(Socket sock) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void misConfigureExternalEntities1(Socket sock) throws Exception {
@@ -76,7 +78,7 @@ public void misConfigureExternalEntities1(Socket sock) throws Exception {
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void misConfigureExternalEntities2(Socket sock) throws Exception {
@@ -84,22 +86,22 @@ public void misConfigureExternalEntities2(Socket sock) throws Exception {
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
- builder.parse(sock.getInputStream()); //unsafe
+ builder.parse(sock.getInputStream()); // $ hasTaintFlow
 }

 public void taintedSAXInputSource1(Socket sock) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
- SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
- builder.parse(source.getInputSource()); //unsafe
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
+ builder.parse(source.getInputSource()); // $ hasTaintFlow
 }

 public void taintedSAXInputSource2(Socket sock) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
- StreamSource source = new StreamSource(sock.getInputStream());
- builder.parse(SAXSource.sourceToInputSource(source)); //unsafe
- builder.parse(source.getInputStream()); //unsafe
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ StreamSource source = new StreamSource(sock.getInputStream());
+ builder.parse(SAXSource.sourceToInputSource(source)); // $ hasTaintFlow
+ builder.parse(source.getInputStream()); // $ hasTaintFlow
 }

 private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {
@@ -112,21 +114,22 @@ private static DocumentBuilderFactory getDocumentBuilderFactory() throws Excepti
 return factory;
 }

- private static final ThreadLocal XML_DOCUMENT_BUILDER = new ThreadLocal() {
- @Override
- protected DocumentBuilder initialValue() {
- try {
- DocumentBuilderFactory factory = getDocumentBuilderFactory();
- return factory.newDocumentBuilder();
- } catch (Exception ex) {
- throw new RuntimeException(ex);
- }
- }
- };
+ private static final ThreadLocal XML_DOCUMENT_BUILDER =
+ new ThreadLocal() {
+ @Override
+ protected DocumentBuilder initialValue() {
+ try {
+ DocumentBuilderFactory factory = getDocumentBuilderFactory();
+ return factory.newDocumentBuilder();
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ }
+ };

 public void disableExternalEntities2(Socket sock) throws Exception {
 DocumentBuilder builder = XML_DOCUMENT_BUILDER.get();
- builder.parse(sock.getInputStream()); //safe
+ builder.parse(sock.getInputStream()); // safe
 }
 }

diff --git a/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java b/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java
new file mode 100644
index 000000000000..6b43c224d94f
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/ParserHelperTests.java
@@ -0,0 +1,14 @@
+import javax.servlet.http.HttpServletRequest;
+import org.dom4j.Document;
+import org.rundeck.api.parser.ParserHelper;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class ParserHelperTests {
+
+ @PostMapping(value = "bad4")
+ public void bad4(HttpServletRequest request) throws Exception {
+ Document document = ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java b/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java
index c0a58bfc18d0..2b25540b85b6 100644
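Review bot: The reformatted field still declares a raw `ThreadLocal`, so `XML_DOCUMENT_BUILDER.get()` is typed `Object` and the assignment `DocumentBuilder builder = XML_DOCUMENT_BUILDER.get();` in `disableExternalEntities2` does not type-check under plain `javac` without a cast; the test extractor may tolerate that, but these lines are being rewritten anyway. `private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER =` followed by `new ThreadLocal<>() {` fixes the raw type, and the `// safe` case then exercises the configured-factory-through-`ThreadLocal` path with correct types rather than relying on lenient compilation.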
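Review bot: `bad4` and `@PostMapping(value = "bad4")` are the numbering carried over from the deleted experimental `XXE.java`, where this was the fourth bad case; in a single-method fixture the number points at nothing, and `DigesterTests.java` added in the same commit uses `"bad"`/`"good"` for its mappings with `bad1`/`good1` methods. `@PostMapping(value = "bad")` with `public void bad1(HttpServletRequest request) throws Exception` would keep the two new fixtures consistent. The `Document document` local is never read and can become a bare `ParserHelper.loadDocument(request.getInputStream()); // $ hasTaintFlow` call, which also makes the sink line shorter.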
--- a/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SAXBuilderTests.java
@@ -5,18 +5,18 @@ public class SAXBuilderTests {

 public void unconfiguredSAXBuilder(Socket sock) throws Exception {
 SAXBuilder builder = new SAXBuilder();
- builder.build(sock.getInputStream()); //unsafe
+ builder.build(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void safeBuilder(Socket sock) throws Exception {
 SAXBuilder builder = new SAXBuilder();
- builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
- builder.build(sock.getInputStream()); //safe
+ builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ builder.build(sock.getInputStream()); // safe
 }

 public void misConfiguredBuilder(Socket sock) throws Exception {
 SAXBuilder builder = new SAXBuilder();
- builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",false);
- builder.build(sock.getInputStream()); //unsafe
+ builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+ builder.build(sock.getInputStream()); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java b/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java
index f8079dd1bc80..a6de7709aed8 100644
--- a/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java
@@ -6,78 +6,78 @@ import org.xml.sax.helpers.DefaultHandler;

 public class SAXParserTests {

-
+
 public void unconfiguredParser(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }
-
+
 public void safeParser(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
 }
-
+
 public void partialConfiguredParser1(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }
-
+
 public void partialConfiguredParser2(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }
-
+
 public void
partialConfiguredParser3(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredParser1(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", true);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredParser2(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredParser3(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // $ hasTaintFlow
 }

 public void safeParser2(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 SAXParser parser = factory.newSAXParser();
- parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
+ parser.parse(sock.getInputStream(), new DefaultHandler()); // safe
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java b/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java
index ba0bfac5a29b..f436074f65f5 100644
--- a/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SAXReaderTests.java
@@ -5,59 +5,59 @@ public class SAXReaderTests {

 public void unconfiguredReader(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
- reader.read(sock.getInputStream()); //unsafe
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void safeReader(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.read(sock.getInputStream()); //safe
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.read(sock.getInputStream()); // safe
 }
-
+
 public void partialConfiguredReader1(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.read(sock.getInputStream()); //unsafe
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void partialConfiguredReader2(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.read(sock.getInputStream()); //unsafe
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void partialConfiguredReader3(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.read(sock.getInputStream()); //unsafe
+
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredReader1(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.read(sock.getInputStream()); //unsafe
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredReader2(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.read(sock.getInputStream()); //unsafe
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredReader3(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
- reader.read(sock.getInputStream()); //unsafe
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
+ reader.read(sock.getInputStream()); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
index 06a4b5a43f3b..721f596457de 100644
--- a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
@@ -17,14 +17,14 @@ public void unsafeSource(Socket sock) throws Exception {
 SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
 JAXBContext jc = JAXBContext.newInstance(Object.class);
 Unmarshaller um = jc.createUnmarshaller();
- um.unmarshal(source); // BAD
+ um.unmarshal(source); // $ hasTaintFlow
 }

 public void explicitlySafeSource1(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
 }

diff --git a/java/ql/test/query-tests/security/CWE-611/SchemaTests.java b/java/ql/test/query-tests/security/CWE-611/SchemaTests.java
index f41e0017af19..d98aeb4a3bac 100644
--- a/java/ql/test/query-tests/security/CWE-611/SchemaTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SchemaTests.java
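Review bot: The `// GOOD` marker on `SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD` is left in the old annotation style, while the same hunk converts `// BAD` to `// $ hasTaintFlow` and the other test files touched by this commit mark negative cases with `// safe`. Changing it to `// safe` keeps the inline markers uniform across the CWE-611 tests, so a reader can tell at a glance which lines are expected results and which are explanatory.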
@@ -9,39 +9,39 @@ public class SchemaTests {

 public void unconfiguredSchemaFactory(Socket sock) throws Exception {
 SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
- Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
+ Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }

 public void safeSchemaFactory(Socket sock) throws Exception {
 SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //safe
+ Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // safe
 }

 public void partialConfiguredSchemaFactory1(Socket sock) throws Exception {
 SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
+ Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }

 public void partialConfiguredSchemaFactory2(Socket sock) throws Exception {
 SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
+ Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }

 public void misConfiguredSchemaFactory1(Socket sock) throws Exception {
 SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "ab");
- Schema schema = factory.newSchema(new
StreamSource(sock.getInputStream())); //unsafe
+ Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }

 public void misConfiguredSchemaFactory2(Socket sock) throws Exception {
 SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "cd");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); //unsafe
+ Schema schema = factory.newSchema(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java b/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java
index baefeadfbe6e..65c759acbf4a 100644
--- a/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SimpleXMLTests.java
@@ -11,145 +11,145 @@ public class SimpleXMLTests {
 public void persisterValidate1(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.validate(this.getClass(), sock.getInputStream());
+ persister.validate(this.getClass(), sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void persisterValidate2(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.validate(this.getClass(), sock.getInputStream(), true);
+ persister.validate(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow
 }
 public void persisterValidate3(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()));
+ persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
 }
 public void persisterValidate4(Socket sock) throws Exception {
 Persister persister = new Persister();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- persister.validate(this.getClass(), new String(b));
+ persister.validate(this.getClass(), new String(b)); // $ hasTaintFlow
 }
 public void persisterValidate5(Socket sock) throws Exception {
 Persister persister = new Persister();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- persister.validate(this.getClass(), new String(b), true);
+ persister.validate(this.getClass(), new String(b), true); // $ hasTaintFlow
 }
 public void persisterValidate6(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true);
+ persister.validate(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
 }
 public void persisterRead1(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this.getClass(), sock.getInputStream());
+ persister.read(this.getClass(),
sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void persisterRead2(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this.getClass(), sock.getInputStream(), true);
+ persister.read(this.getClass(), sock.getInputStream(), true); // $ hasTaintFlow
 }
-
+
 public void persisterRead3(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this, sock.getInputStream());
+ persister.read(this, sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void persisterRead4(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this, sock.getInputStream(), true);
+ persister.read(this, sock.getInputStream(), true); // $ hasTaintFlow
 }
-
+
 public void persisterRead5(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()));
+ persister.read(this.getClass(), new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
 }
 public void persisterRead6(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true);
+ persister.read(this.getClass(), new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
 }
 public void persisterRead7(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this, new InputStreamReader(sock.getInputStream()));
+ persister.read(this, new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
 }
 public void persisterRead8(Socket sock) throws Exception {
 Persister persister = new Persister();
- persister.read(this, new InputStreamReader(sock.getInputStream()), true);
+ persister.read(this, new InputStreamReader(sock.getInputStream()), true); // $ hasTaintFlow
 }
-
+
 public void persisterRead9(Socket sock) throws Exception {
 Persister persister = new Persister();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- persister.read(this.getClass(), new String(b));
+ persister.read(this.getClass(), new String(b)); // $ hasTaintFlow
 }
-
+
 public void persisterRead10(Socket sock) throws Exception {
 Persister persister = new Persister();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- persister.read(this.getClass(), new String(b), true);
+ persister.read(this.getClass(), new String(b), true); // $ hasTaintFlow
 }
-
+
 public void persisterRead11(Socket sock) throws Exception {
 Persister persister = new Persister();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- persister.read(this, new String(b));
+ persister.read(this, new String(b)); // $ hasTaintFlow
 }
-
+
 public void persisterRead12(Socket sock) throws Exception {
 Persister persister = new Persister();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- persister.read(this, new String(b), true);
+ persister.read(this, new String(b), true); // $ hasTaintFlow
 }
-
+
 public void nodeBuilderRead1(Socket sock) throws Exception {
- NodeBuilder.read(sock.getInputStream());
+ NodeBuilder.read(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void nodeBuilderRead2(Socket sock) throws Exception {
- NodeBuilder.read(new InputStreamReader(sock.getInputStream()));
+ NodeBuilder.read(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
 }
-
+
 public void documentProviderProvide1(Socket sock) throws Exception {
 DocumentProvider provider = new DocumentProvider();
- provider.provide(sock.getInputStream());
+ provider.provide(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void documentProviderProvide2(Socket sock) throws Exception {
 DocumentProvider provider = new DocumentProvider();
- provider.provide(new InputStreamReader(sock.getInputStream()));
+ provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
 }
 public void streamProviderProvide1(Socket
sock) throws Exception {
 StreamProvider provider = new StreamProvider();
- provider.provide(sock.getInputStream());
+ provider.provide(sock.getInputStream()); // $ hasTaintFlow
 }
 public void streamProviderProvide2(Socket sock) throws Exception {
 StreamProvider provider = new StreamProvider();
- provider.provide(new InputStreamReader(sock.getInputStream()));
+ provider.provide(new InputStreamReader(sock.getInputStream())); // $ hasTaintFlow
 }
 public void formatterFormat1(Socket sock) throws Exception {
 Formatter formatter = new Formatter();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- formatter.format(new String(b), null);
+ formatter.format(new String(b), null); // $ hasTaintFlow
 }
-
+
 public void formatterFormat2(Socket sock) throws Exception {
 Formatter formatter = new Formatter();
- byte[] b = new byte[]{};
+ byte[] b = new byte[] {};
 sock.getInputStream().read(b);
- formatter.format(new String(b));
+ formatter.format(new String(b)); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/TransformerTests.java b/java/ql/test/query-tests/security/CWE-611/TransformerTests.java
index 696d00c3fcf4..afba1790f0cd 100644
--- a/java/ql/test/query-tests/security/CWE-611/TransformerTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/TransformerTests.java
@@ -17,8 +17,8 @@ public class TransformerTests {
 public void unconfiguredTransformerFactory(Socket sock) throws Exception {
 TransformerFactory tf = TransformerFactory.newInstance();
 Transformer transformer = tf.newTransformer();
- transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void safeTransformerFactory1(Socket sock) throws Exception {
@@ -26,8 +26,8 @@ public void safeTransformerFactory1(Socket sock) throws Exception {
 tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
 tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
 Transformer transformer = tf.newTransformer();
- transformer.transform(new StreamSource(sock.getInputStream()), null); //safe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //safe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // safe
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // safe
 }
 public void safeTransformerFactory2(Socket sock) throws Exception {
@@ -35,49 +35,49 @@ public void safeTransformerFactory2(Socket sock) throws Exception {
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = tf.newTransformer();
- transformer.transform(new StreamSource(sock.getInputStream()), null); //safe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //safe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // safe
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // safe
 }
 public void safeTransformerFactory3(Socket sock) throws Exception {
- TransformerFactory tf = TransformerFactory.newInstance();
- Transformer transformer = tf.newTransformer();
+ TransformerFactory tf = TransformerFactory.newInstance();
+ Transformer transformer = tf.newTransformer();
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
- SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
- transformer.transform(source, null); //safe
- tf.newTransformer(source); //safe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // safe
+ transformer.transform(source, null); // safe
+ tf.newTransformer(source); // safe
 }
 public void safeTransformerFactory4(Socket sock) throws Exception {
- TransformerFactory tf = TransformerFactory.newInstance();
- Transformer transformer = tf.newTransformer();
+ TransformerFactory tf = TransformerFactory.newInstance();
+ Transformer transformer = tf.newTransformer();
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXSource source = new SAXSource(new InputSource(sock.getInputStream()));
 source.setXMLReader(reader);
- transformer.transform(source, null); //safe
- tf.newTransformer(source); //safe
+ transformer.transform(source, null); // safe
+ tf.newTransformer(source); // safe
 }
 public void partialConfiguredTransformerFactory1(Socket sock) throws Exception {
 TransformerFactory tf = TransformerFactory.newInstance();
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 Transformer transformer = tf.newTransformer();
- transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void partialConfiguredTransformerFactory2(Socket sock) throws Exception {
 TransformerFactory tf = TransformerFactory.newInstance();
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = tf.newTransformer();
- transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredTransformerFactory1(Socket sock) throws Exception {
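Review bot: In `safeTransformerFactory3` and `safeTransformerFactory4` the `// safe` marker on `tf.newTransformer(source)` and `transformer.transform(source, null)` rests only on the three features set on `reader`; `tf` itself keeps its default attributes and nothing sets `ACCESS_EXTERNAL_STYLESHEET` or `ACCESS_EXTERNAL_DTD` on it, so `xsl:import`/`xsl:include` and `document()` in a caller-supplied stylesheet passed to `newTransformer` would still be resolved. That is presumably outside what this query models, since it tracks entity expansion while the source is parsed, but the marker should say so, e.g. `// safe: entity expansion is blocked on reader; tf's ACCESS_EXTERNAL_STYLESHEET is left at its default, which this query does not cover`. The first method in the hunk, `safeTransformerFactory2`, begins outside it.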
@@ -85,8 +85,8 @@ public void misConfiguredTransformerFactory1(Socket sock) throws Exception {
 Transformer transformer = tf.newTransformer();
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab");
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
- transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredTransformerFactory2(Socket sock) throws Exception {
@@ -94,50 +94,50 @@ public void misConfiguredTransformerFactory2(Socket sock) throws Exception {
 Transformer transformer = tf.newTransformer();
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd");
- transformer.transform(new StreamSource(sock.getInputStream()), null); //unsafe
- tf.newTransformer(new StreamSource(sock.getInputStream())); //unsafe
+ transformer.transform(new StreamSource(sock.getInputStream()), null); // $ hasTaintFlow
+ tf.newTransformer(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void unconfiguredSAXTransformerFactory(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
- sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
+ sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void safeSAXTransformerFactory(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
- sf.newXMLFilter(new StreamSource(sock.getInputStream())); //safe
+ sf.newXMLFilter(new StreamSource(sock.getInputStream())); // safe
 }
 public void partialConfiguredSAXTransformerFactory1(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
+ sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void
partialConfiguredSAXTransformerFactory2(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
- sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
+ sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredSAXTransformerFactory1(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "ab");
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
- sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
+ sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredSAXTransformerFactory2(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "cd");
- sf.newXMLFilter(new StreamSource(sock.getInputStream())); //unsafe
+ sf.newXMLFilter(new StreamSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void taintedSAXSource(Socket sock) throws Exception {
- SAXTransformerFactory sf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
- sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); //unsafe
+ SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
+ sf.newXMLFilter(new SAXSource(new InputSource(sock.getInputStream()))); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java b/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java
index f29018d599a7..54efa567aa3b 100644
--- a/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java
@@ -16,15 +16,16 @@ public void safeUnmarshal(Socket sock) throws Exception {
 spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 JAXBContext jc = JAXBContext.newInstance(Object.class);
- Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
+ Source xmlSource =
+ new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
 Unmarshaller um = jc.createUnmarshaller();
- um.unmarshal(xmlSource); //safe
+ um.unmarshal(xmlSource); // safe
 }
 public void unsafeUnmarshal(Socket sock) throws Exception {
 SAXParserFactory spf = SAXParserFactory.newInstance();
 JAXBContext jc = JAXBContext.newInstance(Object.class);
 Unmarshaller um = jc.createUnmarshaller();
- um.unmarshal(sock.getInputStream()); //unsafe
+ um.unmarshal(sock.getInputStream()); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java b/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java
new file mode 100644
index 000000000000..091be21676aa
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/ValidatorTests.java
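Review bot: `unsafeUnmarshal` still declares `SAXParserFactory spf = SAXParserFactory.newInstance();` and never uses it, so the negative case reads as if a parser configuration were involved when `um.unmarshal(sock.getInputStream())` builds its own parser. Either drop that line or, if an unconfigured-and-unused factory is the intended contrast with `safeUnmarshal`, say so inline: `SAXParserFactory spf = SAXParserFactory.newInstance(); // deliberately unused: unmarshal(InputStream) does not go through it`. The enclosing `safeUnmarshal` method starts outside this hunk.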
@@ -0,0 +1,41 @@
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class ValidatorTests {
+
+ @PostMapping(value = "bad")
+ public void bad2(HttpServletRequest request) throws Exception {
+ ServletInputStream servletInputStream = request.getInputStream();
+ SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+ Schema schema = factory.newSchema();
+ Validator validator = schema.newValidator();
+ StreamSource source = new StreamSource(servletInputStream);
+ validator.validate(source); // $ hasTaintFlow
+ }
+
+ @PostMapping(value = "good")
+ public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
+ BufferedReader br = request.getReader();
+ String str = "";
+ StringBuilder listString = new StringBuilder();
+ while ((str = br.readLine()) != null) {
+ listString.append(str).append("\n");
+ }
+ SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+ Schema schema = factory.newSchema();
+ Validator validator = schema.newValidator();
+ validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
+ validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
+ StreamSource source = new StreamSource(listString.toString());
+ validator.validate(source);
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java b/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java
new file mode 100644
index 000000000000..8e75ebc14017
--- /dev/null
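Review bot: `new StreamSource(listString.toString())` in `good2` selects the `StreamSource(String systemId)` constructor, so the request body is used as a URI to fetch rather than as the XML document; the "good" case therefore never validates attacker-supplied XML and does not exercise the two `setProperty` calls on the path it claims to. Feed the text in as a `Reader` — `StreamSource source = new StreamSource(new StringReader(listString.toString())); // safe` (importing `java.io.StringReader`) — which also restores the `// safe` marker the other test files use on negative cases. Nothing here covers a `Validator` with only one of `accessExternalDTD`/`accessExternalSchema` cleared, unlike the `partialConfigured*` cases in `SchemaTests`, so a model that accepted a single property would still pass; one mirrored case would pin the both-properties requirement. `good2` also takes an unused `HttpServletResponse response` parameter.
```java
  // … unchanged: bad2, good2 …

  @PostMapping(value = "partial")
  public void partial2(HttpServletRequest request) throws Exception {
    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    Validator validator = factory.newSchema().newValidator();
    // only the DTD side is locked down; external schema fetches are still allowed
    validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
    StreamSource source = new StreamSource(request.getInputStream());
    validator.validate(source); // $ hasTaintFlow
  }
```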
+++ b/java/ql/test/query-tests/security/CWE-611/XMLDecoderTests.java
@@ -0,0 +1,32 @@
+import java.beans.XMLDecoder;
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.dom4j.Document;
+import org.dom4j.DocumentHelper;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class XMLDecoderTests {
+
+ @PostMapping(value = "bad")
+ public void bad3(HttpServletRequest request) throws Exception {
+ ServletInputStream servletInputStream = request.getInputStream();
+ XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
+ xmlDecoder.readObject(); // $ hasTaintFlow
+ }
+
+ @PostMapping(value = "good")
+ public void good3(HttpServletRequest request) throws Exception {
+ BufferedReader br = request.getReader();
+ String str = "";
+ StringBuilder listString = new StringBuilder();
+ while ((str = br.readLine()) != null) {
+ listString.append(str).append("\n");
+ }
+ // parseText falls back to a default SAXReader, which is safe
+ Document document = DocumentHelper.parseText(listString.toString()); // Safe
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java b/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java
index 9f63e64d0c96..15536b766b72 100644
--- a/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/XMLReaderTests.java
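Review bot: The comment above `DocumentHelper.parseText` in `good3` asserts that a default dom4j `SAXReader` is safe without saying which dom4j version that assumes; in older dom4j releases a default `SAXReader` still resolves external entities, so the claim should be tied to the version the test stubs model, e.g. `// parseText uses a default SAXReader; treated as safe because the dom4j version modelled here disables external entities by default — verify against the stub`. `bad3` would also benefit from a line noting that `XMLDecoder.readObject()` on request input is first and foremost a deserialization/code-execution sink with nothing on `XMLDecoder`'s public API that makes it safe, so readers arriving from the XXE query do not go looking for a parser feature to set. The `HttpServletResponse` import and the `document` local are unused.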
@@ -13,23 +13,23 @@ public class XMLReaderTests {
 public void unconfiguredReader(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void safeReaderFromConfig1(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
- reader.parse(new InputSource(sock.getInputStream())); //safe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.parse(new InputSource(sock.getInputStream())); // safe
 }
 public void safeReaderFromConfig2(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- reader.parse(new InputSource(sock.getInputStream())); //safe
+ reader.parse(new InputSource(sock.getInputStream())); // safe
 }
-
+
 public void safeReaderFromSAXParser(Socket sock) throws Exception {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -37,66 +37,66 @@ public void safeReaderFromSAXParser(Socket sock) throws Exception {
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 SAXParser parser = factory.newSAXParser();
 XMLReader reader = parser.getXMLReader();
- reader.parse(new InputSource(sock.getInputStream())); //safe
+ reader.parse(new InputSource(sock.getInputStream())); // safe
 }
 public void safeReaderFromSAXReader(Socket sock) throws Exception {
 SAXReader reader = new SAXReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 XMLReader xmlReader = reader.getXMLReader();
- xmlReader.parse(new InputSource(sock.getInputStream())); //safe
+ xmlReader.parse(new InputSource(sock.getInputStream())); // safe
 }
 public void partialConfiguredXMLReader1(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void partialConfiguredXMLReader2(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public
void partilaConfiguredXMLReader3(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredXMLReader1(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", true);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredXMLReader2(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void misConfiguredXMLReader3(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
 reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
-
+
 public void misConfiguredXMLReader4(Socket sock) throws Exception {
 XMLReader reader = XMLReaderFactory.createXMLReader();
 reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- reader.parse(new InputSource(sock.getInputStream())); //unsafe
+ reader.parse(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java b/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java
index e15c28e41e2e..088fdb9afd6e 100644
--- a/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/XPathExpressionTests.java
@@ -24,7 +24,7 @@ public void unsafeExpressionTests(Socket sock) throws Exception {
 XPathFactory xFactory = XPathFactory.newInstance();
 XPath path = xFactory.newXPath();
 XPathExpression expr = path.compile("");
- expr.evaluate(new InputSource(sock.getInputStream())); // unsafe
+ expr.evaluate(new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 public void safeXPathEvaluateTest(Socket sock) throws Exception {
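Review bot: `partilaConfiguredXMLReader3` keeps its misspelled name through the reformat; renaming it to `partialConfiguredXMLReader3` would match `partialConfiguredXMLReader1` and `partialConfiguredXMLReader2` and keep the three partial-configuration cases greppable as a group. Nothing in the inline expectations depends on the method name, so this is a pure naming fix. The first method in the hunk, `safeReaderFromSAXParser`, begins outside it.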
@@ -33,12 +33,12 @@ public void safeXPathEvaluateTest(Socket sock) throws Exception {
 DocumentBuilder builder = factory.newDocumentBuilder();
 XPathFactory xFactory = XPathFactory.newInstance();
 XPath path = xFactory.newXPath();
- path.evaluate("", builder.parse(sock.getInputStream()));
+ path.evaluate("", builder.parse(sock.getInputStream())); // safe
 }
 public void unsafeXPathEvaluateTest(Socket sock) throws Exception {
 XPathFactory xFactory = XPathFactory.newInstance();
 XPath path = xFactory.newXPath();
- path.evaluate("", new InputSource(sock.getInputStream())); // unsafe
+ path.evaluate("", new InputSource(sock.getInputStream())); // $ hasTaintFlow
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected
index bfc1eca96c0c..e69de29bb2d1 100644
--- a/java/ql/test/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -1,355 +0,0 @@ -edges -| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | -| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | -| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | -| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | -| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | -| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | -| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | -| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | -| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | -| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | SAXSourceTests.java:20:18:20:23 | source | -| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | -| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | -| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | -| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) 
| -| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | -| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) | -| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) | -| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | -| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | -| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | SimpleXMLTests.java:31:52:31:52 | b : byte[] | -| SimpleXMLTests.java:31:52:31:52 | b : byte[] | SimpleXMLTests.java:31:41:31:53 | new String(...) | -| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | -| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | SimpleXMLTests.java:38:52:38:52 | b : byte[] | -| SimpleXMLTests.java:38:52:38:52 | b : byte[] | SimpleXMLTests.java:38:41:38:53 | new String(...) | -| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | -| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | -| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | -| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | -| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | -| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) 
: InputStream | SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | -| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | SimpleXMLTests.java:90:48:90:48 | b : byte[] | -| SimpleXMLTests.java:90:48:90:48 | b : byte[] | SimpleXMLTests.java:90:37:90:49 | new String(...) | -| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | -| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | SimpleXMLTests.java:97:48:97:48 | b : byte[] | -| SimpleXMLTests.java:97:48:97:48 | b : byte[] | SimpleXMLTests.java:97:37:97:49 | new String(...) | -| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | -| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | SimpleXMLTests.java:104:37:104:37 | b : byte[] | -| SimpleXMLTests.java:104:37:104:37 | b : byte[] | SimpleXMLTests.java:104:26:104:38 | new String(...) | -| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | -| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | SimpleXMLTests.java:111:37:111:37 | b : byte[] | -| SimpleXMLTests.java:111:37:111:37 | b : byte[] | SimpleXMLTests.java:111:26:111:38 | new String(...) | -| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | -| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | -| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | -| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) 
: InputStream | SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | -| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | SimpleXMLTests.java:146:33:146:33 | b : byte[] | -| SimpleXMLTests.java:146:33:146:33 | b : byte[] | SimpleXMLTests.java:146:22:146:34 | new String(...) | -| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | -| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | SimpleXMLTests.java:153:33:153:33 | b : byte[] | -| SimpleXMLTests.java:153:33:153:33 | b : byte[] | SimpleXMLTests.java:153:22:153:34 | new String(...) | -| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) | -| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) | -| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) | -| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) | -| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) | -| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) | -| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) | -| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) | -| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) | -| TransformerTests.java:98:40:98:60 | getInputStream(...) 
: InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) | -| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) | -| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) | -| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) | -| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | -| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | -| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | TransformerTests.java:141:18:141:70 | new SAXSource(...) | -| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | -| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | -| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | -| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | -| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | -| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | -| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | -| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) 
| -| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | -| XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | -| XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | -nodes -| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource | -| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | -| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | semmle.label | source : SAXSource | -| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | semmle.label | getInputSource(...) | -| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) 
: StreamSource | semmle.label | new StreamSource(...) : StreamSource | -| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | semmle.label | sourceToInputSource(...) | -| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | semmle.label | source : StreamSource | -| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | semmle.label | source : StreamSource | -| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:13:18:13:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:30:18:30:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:38:18:38:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:46:18:46:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:55:18:55:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:64:18:64:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXParserTests.java:73:18:73:38 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) 
| -| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) | -| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource | -| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | -| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source | -| SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SchemaTests.java:31:39:31:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SchemaTests.java:38:39:38:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SchemaTests.java:45:39:45:77 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) 
| semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:31:41:31:53 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:31:52:31:52 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:38:41:38:53 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:38:52:38:52 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) 
: InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:90:37:90:49 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:90:48:90:48 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:97:37:97:49 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:97:48:97:48 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:104:26:104:38 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:104:37:104:37 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) 
: InputStream | -| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:111:26:111:38 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:111:37:111:37 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | semmle.label | getInputStream(...) | -| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) | -| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:146:22:146:34 | new String(...) | semmle.label | new String(...) | -| SimpleXMLTests.java:146:33:146:33 | b : byte[] | semmle.label | b : byte[] | -| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] | -| SimpleXMLTests.java:153:22:153:34 | new String(...) 
| semmle.label | new String(...) | -| SimpleXMLTests.java:153:33:153:33 | b : byte[] | semmle.label | b : byte[] | -| TransformerTests.java:20:27:20:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:21:23:21:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:71:27:71:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:72:23:72:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:79:27:79:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:79:44:79:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:80:23:80:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:88:27:88:65 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:89:23:89:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:97:27:97:65 | new StreamSource(...) 
| semmle.label | new StreamSource(...) | -| TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:98:23:98:61 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:103:21:103:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:116:21:116:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:122:21:122:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:129:21:129:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:136:21:136:59 | new StreamSource(...) | semmle.label | new StreamSource(...) | -| TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) | -| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource | -| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) 
| semmle.label | getInputStream(...) | -| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | semmle.label | new InputSource(...) | -| XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | semmle.label | new InputSource(...) | -| XPathExpressionTests.java:27:35:27:55 | getInputStream(...) 
: InputStream | semmle.label | getInputStream(...) : InputStream | -| XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | semmle.label | new InputSource(...) | -| XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | semmle.label | getInputStream(...) | -| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | semmle.label | getInputStream(...) | -subpaths -#select -| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) 
| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. 
| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user-provided value | -| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user-provided value | -| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) 
| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | user-provided value | -| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | user-provided value | -| SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:13:18:13:38 | getInputStream(...) | user-provided value | -| SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:30:18:30:38 | getInputStream(...) | user-provided value | -| SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:38:18:38:38 | getInputStream(...) | user-provided value | -| SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:46:18:46:38 | getInputStream(...) | user-provided value | -| SAXParserTests.java:55:18:55:38 | getInputStream(...) 
| SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user-provided value | -| SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user-provided value | -| SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:37:17:37:37 | getInputStream(...) 
| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user-provided value | -| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user-provided value | -| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | XML parsing depends on a $@ without guarding against external entity expansion. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user-provided value | -| SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user-provided value | -| SchemaTests.java:25:39:25:77 | new StreamSource(...) 
| SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user-provided value | -| SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user-provided value | -| SchemaTests.java:38:39:38:77 | new StreamSource(...) | SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:38:56:38:76 | getInputStream(...) | user-provided value | -| SchemaTests.java:45:39:45:77 | new StreamSource(...) | SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SchemaTests.java:45:56:45:76 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) 
| user-provided value | -| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:31:41:31:53 | new String(...) | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:31:41:31:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:38:41:38:53 | new String(...) | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:38:41:38:53 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. 
| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) 
: InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:90:37:90:49 | new String(...) | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:90:37:90:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:97:37:97:49 | new String(...) | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:97:37:97:49 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:104:26:104:38 | new String(...) | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:104:26:104:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:111:26:111:38 | new String(...) | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:111:26:111:38 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) 
| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:146:22:146:34 | new String(...) | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:146:22:146:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. 
| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) | user-provided value | -| SimpleXMLTests.java:153:22:153:34 | new String(...) | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:153:22:153:34 | new String(...) | XML parsing depends on a $@ without guarding against external entity expansion. | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) | user-provided value | -| TransformerTests.java:20:27:20:65 | new StreamSource(...) | TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:20:44:20:64 | getInputStream(...) | user-provided value | -| TransformerTests.java:21:23:21:61 | new StreamSource(...) | TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:21:40:21:60 | getInputStream(...) | user-provided value | -| TransformerTests.java:71:27:71:65 | new StreamSource(...) | TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:71:44:71:64 | getInputStream(...) | user-provided value | -| TransformerTests.java:72:23:72:61 | new StreamSource(...) | TransformerTests.java:72:40:72:60 | getInputStream(...) : InputStream | TransformerTests.java:72:23:72:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:72:40:72:60 | getInputStream(...) | user-provided value | -| TransformerTests.java:79:27:79:65 | new StreamSource(...) | TransformerTests.java:79:44:79:64 | getInputStream(...) 
: InputStream | TransformerTests.java:79:27:79:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:79:44:79:64 | getInputStream(...) | user-provided value | -| TransformerTests.java:80:23:80:61 | new StreamSource(...) | TransformerTests.java:80:40:80:60 | getInputStream(...) : InputStream | TransformerTests.java:80:23:80:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:80:40:80:60 | getInputStream(...) | user-provided value | -| TransformerTests.java:88:27:88:65 | new StreamSource(...) | TransformerTests.java:88:44:88:64 | getInputStream(...) : InputStream | TransformerTests.java:88:27:88:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:88:44:88:64 | getInputStream(...) | user-provided value | -| TransformerTests.java:89:23:89:61 | new StreamSource(...) | TransformerTests.java:89:40:89:60 | getInputStream(...) : InputStream | TransformerTests.java:89:23:89:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:89:40:89:60 | getInputStream(...) | user-provided value | -| TransformerTests.java:97:27:97:65 | new StreamSource(...) | TransformerTests.java:97:44:97:64 | getInputStream(...) : InputStream | TransformerTests.java:97:27:97:65 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:97:44:97:64 | getInputStream(...) | user-provided value | -| TransformerTests.java:98:23:98:61 | new StreamSource(...) | TransformerTests.java:98:40:98:60 | getInputStream(...) : InputStream | TransformerTests.java:98:23:98:61 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:98:40:98:60 | getInputStream(...) 
| user-provided value | -| TransformerTests.java:103:21:103:59 | new StreamSource(...) | TransformerTests.java:103:38:103:58 | getInputStream(...) : InputStream | TransformerTests.java:103:21:103:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:103:38:103:58 | getInputStream(...) | user-provided value | -| TransformerTests.java:116:21:116:59 | new StreamSource(...) | TransformerTests.java:116:38:116:58 | getInputStream(...) : InputStream | TransformerTests.java:116:21:116:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:116:38:116:58 | getInputStream(...) | user-provided value | -| TransformerTests.java:122:21:122:59 | new StreamSource(...) | TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:122:38:122:58 | getInputStream(...) | user-provided value | -| TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user-provided value | -| TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user-provided value | -| TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) 
: InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user-provided value | -| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XMLReaderTests.java:70:34:70:54 | getInputStream(...) : InputStream | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:70:34:70:54 | getInputStream(...) 
| user-provided value | -| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XMLReaderTests.java:78:34:78:54 | getInputStream(...) : InputStream | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:78:34:78:54 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XMLReaderTests.java:86:34:86:54 | getInputStream(...) : InputStream | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:86:34:86:54 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XMLReaderTests.java:94:34:94:54 | getInputStream(...) : InputStream | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:94:34:94:54 | getInputStream(...) | user-provided value | -| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XMLReaderTests.java:100:34:100:54 | getInputStream(...) : InputStream | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:100:34:100:54 | getInputStream(...) | user-provided value | -| XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | XPathExpressionTests.java:27:35:27:55 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:19:27:56 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:27:35:27:55 | getInputStream(...) | user-provided value | -| XPathExpressionTests.java:42:23:42:60 | new InputSource(...) | XPathExpressionTests.java:42:39:42:59 | getInputStream(...) : InputStream | XPathExpressionTests.java:42:23:42:60 | new InputSource(...) 
| XML parsing depends on a $@ without guarding against external entity expansion. | XPathExpressionTests.java:42:39:42:59 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) 
| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. 
| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | user-provided value | -| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.ql b/java/ql/test/query-tests/security/CWE-611/XXE.ql
new file mode 100644
index 000000000000..f1463f561f3d
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.ql
@@ -0,0 +1,11 @@
+import java
+import TestUtilities.InlineFlowTest
+import semmle.code.java.security.XxeRemoteQuery
+
+class HasFlowTest extends InlineFlowTest {
+ override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+ XxeFlow::flow(src, sink)
+ }
+
+ override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.qlref b/java/ql/test/query-tests/security/CWE-611/XXE.qlref
deleted file mode 100644
index dc71ddf9ddbf..000000000000
--- a/java/ql/test/query-tests/security/CWE-611/XXE.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-611/XXE.ql
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java b/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java
index ce0f9c43e197..a75bcde8c1fe 100644
--- a/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/XmlInputFactoryTests.java
@@ -6,53 +6,53 @@ public class XmlInputFactoryTests {
 public void unconfigureFactory(Socket sock) throws Exception {
 XMLInputFactory factory = XMLInputFactory.newFactory();
- factory.createXMLStreamReader(sock.getInputStream()); //unsafe
- factory.createXMLEventReader(sock.getInputStream()); //unsafe
+ factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
+ factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void safeFactory(Socket sock) throws Exception {
 XMLInputFactory factory = XMLInputFactory.newFactory();
 factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
- factory.createXMLStreamReader(sock.getInputStream()); //safe
- factory.createXMLEventReader(sock.getInputStream()); //safe
+ factory.createXMLStreamReader(sock.getInputStream()); // safe
+ factory.createXMLEventReader(sock.getInputStream()); // safe
 }
-
+
 public void misConfiguredFactory(Socket sock) throws Exception {
 XMLInputFactory factory = XMLInputFactory.newFactory();
 factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
- factory.createXMLStreamReader(sock.getInputStream()); //unsafe
- factory.createXMLEventReader(sock.getInputStream()); //unsafe
+ factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
+ factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredFactory2(Socket sock) throws Exception {
 XMLInputFactory factory = XMLInputFactory.newFactory();
 factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
- factory.createXMLStreamReader(sock.getInputStream()); //unsafe
- factory.createXMLEventReader(sock.getInputStream()); //unsafe
+ factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
+ factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredFactory3(Socket sock) throws Exception {
 XMLInputFactory factory = 
XMLInputFactory.newFactory();
 factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
 factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
- factory.createXMLStreamReader(sock.getInputStream()); //unsafe
- factory.createXMLEventReader(sock.getInputStream()); //unsafe
+ factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
+ factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredFactory4(Socket sock) throws Exception {
 XMLInputFactory factory = XMLInputFactory.newFactory();
 factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
 factory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
- factory.createXMLStreamReader(sock.getInputStream()); //unsafe
- factory.createXMLEventReader(sock.getInputStream()); //unsafe
+ factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
+ factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
 }
-
+
 public void misConfiguredFactory5(Socket sock) throws Exception {
 XMLInputFactory factory = XMLInputFactory.newFactory();
 factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
 factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
- factory.createXMLStreamReader(sock.getInputStream()); //unsafe
- factory.createXMLEventReader(sock.getInputStream()); //unsafe
- }
+ factory.createXMLStreamReader(sock.getInputStream()); // $ hasTaintFlow
+ factory.createXMLEventReader(sock.getInputStream()); // $ hasTaintFlow
+ }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/options b/java/ql/test/query-tests/security/CWE-611/options
index c3935792c6be..bec95f191631 100644
--- a/java/ql/test/query-tests/security/CWE-611/options
+++ b/java/ql/test/query-tests/security/CWE-611/options
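Review bot: `safeFactory` is the only no-flow case in this hunk and it spells each property one way only — the `XMLInputFactory.SUPPORT_DTD` constant for DTDs and the bare literal `"javax.xml.stream.isSupportingExternalEntities"` for external entities — so a safe-configuration check that happened to recognise only the constant for one property and only the literal for the other would still pass this test. A twin case using the opposite spellings (`"javax.xml.stream.supportDTD"` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`, the JDK constant for that literal) would pin that both forms are treated as equivalent; if the query is not meant to match both, that is worth knowing too. The `misConfiguredFactory`..`misConfiguredFactory5` methods also carry no comment naming which property is left unset or set to `true`, so a one-line header on each, e.g. `// DTD support left at its default: external entities still resolvable`, would make the `$ hasTaintFlow` expectations self-explanatory. The enclosing class `XmlInputFactoryTests` starts before the hunk.
```java
    public void safeFactory2(Socket sock) throws Exception {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Same configuration as safeFactory, with the property names spelled the other way round.
        factory.setProperty("javax.xml.stream.supportDTD", false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        factory.createXMLStreamReader(sock.getInputStream()); // safe
        factory.createXMLEventReader(sock.getInputStream()); // safe
    }
    // … unchanged: misConfiguredFactory .. misConfiguredFactory5 …
```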
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.3.8/