Add unit tests for utility methods
1 parent e5d624d commit cf58a90

9 files changed

Lines changed: 426 additions & 25 deletions


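--- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -48,7 +48,7 @@ class ApacheHttpRequestHandlerParameter extends Parameter {
 ApacheHttpRequestHandlerParameter() {
 exists(Method m, Interface i |
 i.hasQualifiedName(["org.apache.http.protocol", "org.apache.hc.core5.http.io"],
-"HttpRequestHandler") and
+["HttpRequestHandler", "HttpServerRequestHandler"]) and
 m.getDeclaringType().extendsOrImplements+(i) and
 m.hasName("handle") and
 this = m.getParameter(0)
@@ -264,7 +264,7 @@ private class BufferMethod extends TaintPreservingCallable {
 .hasQualifiedName(["org.apache.http.util", "org.apache.hc.core5.util"],
 ["ByteArrayBuffer", "CharArrayBuffer"]) and
 m.hasName([
-"append", "buffer", "subSequence", "substring", "substringTrimmed", "toByteAray",
+"append", "buffer", "subSequence", "substring", "substringTrimmed", "toByteArray",
 "toCharArray", "toString"
 ])
 )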
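Review bot: The corrected `toByteAray` in `m.hasName([...])` shows how a typo in this hand-maintained name list silently drops a taint-preserving step with no compile-time signal; the new A.java test now pins `toByteArray`, but a comment tying the list to that test would help future edits, e.g. `// Keep in sync with library-tests/frameworks/apache-http/A.java test2(), which exercises every name listed here.` In the first hunk the two-package × two-name cross product also admits `org.apache.http.protocol.HttpServerRequestHandler`, which is harmless if, as the package names suggest, that interface exists only in the core5 package, but a comment such as `// HttpServerRequestHandler is the HttpCore 5 name of the interface` would make the intent explicit. Both enclosing definitions (`ApacheHttpRequestHandlerParameter` and `BufferMethod`) start and end outside the hunks.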

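--- a/java/ql/test/library-tests/frameworks/apache-http/A.java
+++ b/java/ql/test/library-tests/frameworks/apache-http/A.java
@@ -1,5 +1,6 @@
 import org.apache.http.*;
 import org.apache.http.protocol.*;
+import org.apache.http.message.BasicHeader;
 import org.apache.http.util.*;
 import org.apache.http.entity.*;
 
@@ -36,6 +37,28 @@ public void handle(HttpRequest req, HttpResponse res, HttpContext ctx) {
 A.sink(EntityUtils.getContentMimeType(ent));
 res.setEntity(new StringEntity("<a href='" + req.getRequestLine().getUri() + "'>a</a>"));
 EntityUtils.updateEntity(res, new ByteArrayEntity(EntityUtils.toByteArray(ent)));
+res.setHeader("Location", req.getRequestLine().getUri());
+res.setHeader(new BasicHeader("Location", req.getRequestLine().getUri()));
 }
 }
+
+void test2() {
+ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
+bbuf.append((byte[]) taint(), 0, 3);
+sink(bbuf.buffer());
+sink(bbuf.toByteArray());
+
+CharArrayBuffer cbuf = new CharArrayBuffer(42);
+cbuf.append(bbuf.toByteArray(), 0, 3);
+sink(cbuf.toCharArray());
+sink(cbuf.toString());
+sink(cbuf.subSequence(0, 3));
+sink(cbuf.substring(0, 3));
+sink(cbuf.substringTrimmed(0, 3));
+
+sink(Args.notNull(taint(), "x"));
+sink(Args.notEmpty((String) taint(), "x"));
+sink(Args.notBlank((String) taint(), "x"));
+sink(Args.notNull("x", (String) taint())); // Good
+}
 }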
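Review bot: test2 exercises only the CharSequence overloads of Args at `sink(Args.notNull(taint(), "x"))`, `notEmpty` and `notBlank`, while the Args stub added in this commit also declares `containsNoBlanks` and a `Collection` overload of `notEmpty`; if those are modeled as taint-preserving, nothing in the expected output pins them. Adding e.g. `sink(Args.containsNoBlanks((String) taint(), "x"));` beside the existing calls would close that gap, and a negative case for the `Collection` overload's name argument would mirror the existing `// Good` line. Whether those methods are modeled is not visible in this diff. The `handle` method touched by the second hunk starts outside the hunk.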
Lines changed: 35 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,23 +1,35 @@
1-
| A.java:12:28:12:42 | req | A.java:13:20:13:39 | getRequestLine(...) |
2-
| A.java:12:28:12:42 | req | A.java:14:20:14:48 | getUri(...) |
3-
| A.java:12:28:12:42 | req | A.java:15:20:15:51 | getMethod(...) |
4-
| A.java:12:28:12:42 | req | A.java:16:20:16:38 | getAllHeaders(...) |
5-
| A.java:12:28:12:42 | req | A.java:18:20:18:28 | next(...) |
6-
| A.java:12:28:12:42 | req | A.java:19:20:19:34 | nextHeader(...) |
7-
| A.java:12:28:12:42 | req | A.java:21:20:21:30 | getName(...) |
8-
| A.java:12:28:12:42 | req | A.java:22:20:22:31 | getValue(...) |
9-
| A.java:12:28:12:42 | req | A.java:24:20:24:31 | getName(...) |
10-
| A.java:12:28:12:42 | req | A.java:25:20:25:32 | getValue(...) |
11-
| A.java:12:28:12:42 | req | A.java:26:20:26:37 | getParameters(...) |
12-
| A.java:12:28:12:42 | req | A.java:27:20:27:58 | getValue(...) |
13-
| A.java:12:28:12:42 | req | A.java:28:20:28:47 | getName(...) |
14-
| A.java:12:28:12:42 | req | A.java:30:20:30:35 | getContent(...) |
15-
| A.java:12:28:12:42 | req | A.java:31:20:31:43 | getContentEncoding(...) |
16-
| A.java:12:28:12:42 | req | A.java:32:20:32:39 | getContentType(...) |
17-
| A.java:12:28:12:42 | req | A.java:33:20:33:44 | toString(...) |
18-
| A.java:12:28:12:42 | req | A.java:34:20:34:47 | toByteArray(...) |
19-
| A.java:12:28:12:42 | req | A.java:35:20:35:53 | getContentCharSet(...) |
20-
| A.java:12:28:12:42 | req | A.java:36:20:36:54 | getContentMimeType(...) |
21-
| A.java:12:28:12:42 | req | A.java:37:27:37:99 | new StringEntity(...) |
22-
| A.java:12:28:12:42 | req | A.java:38:43:38:91 | new ByteArrayEntity(...) |
23-
| A.java:30:20:30:35 | getContent(...) | A.java:30:20:30:35 | getContent(...) |
1+
| A.java:13:28:13:42 | req | A.java:14:20:14:39 | getRequestLine(...) |
2+
| A.java:13:28:13:42 | req | A.java:15:20:15:48 | getUri(...) |
3+
| A.java:13:28:13:42 | req | A.java:16:20:16:51 | getMethod(...) |
4+
| A.java:13:28:13:42 | req | A.java:17:20:17:38 | getAllHeaders(...) |
5+
| A.java:13:28:13:42 | req | A.java:19:20:19:28 | next(...) |
6+
| A.java:13:28:13:42 | req | A.java:20:20:20:34 | nextHeader(...) |
7+
| A.java:13:28:13:42 | req | A.java:22:20:22:30 | getName(...) |
8+
| A.java:13:28:13:42 | req | A.java:23:20:23:31 | getValue(...) |
9+
| A.java:13:28:13:42 | req | A.java:25:20:25:31 | getName(...) |
10+
| A.java:13:28:13:42 | req | A.java:26:20:26:32 | getValue(...) |
11+
| A.java:13:28:13:42 | req | A.java:27:20:27:37 | getParameters(...) |
12+
| A.java:13:28:13:42 | req | A.java:28:20:28:58 | getValue(...) |
13+
| A.java:13:28:13:42 | req | A.java:29:20:29:47 | getName(...) |
14+
| A.java:13:28:13:42 | req | A.java:31:20:31:35 | getContent(...) |
15+
| A.java:13:28:13:42 | req | A.java:32:20:32:43 | getContentEncoding(...) |
16+
| A.java:13:28:13:42 | req | A.java:33:20:33:39 | getContentType(...) |
17+
| A.java:13:28:13:42 | req | A.java:34:20:34:44 | toString(...) |
18+
| A.java:13:28:13:42 | req | A.java:35:20:35:47 | toByteArray(...) |
19+
| A.java:13:28:13:42 | req | A.java:36:20:36:53 | getContentCharSet(...) |
20+
| A.java:13:28:13:42 | req | A.java:37:20:37:54 | getContentMimeType(...) |
21+
| A.java:13:28:13:42 | req | A.java:38:27:38:99 | new StringEntity(...) |
22+
| A.java:13:28:13:42 | req | A.java:39:43:39:91 | new ByteArrayEntity(...) |
23+
| A.java:13:28:13:42 | req | A.java:40:39:40:67 | getUri(...) |
24+
| A.java:13:28:13:42 | req | A.java:41:55:41:83 | getUri(...) |
25+
| A.java:31:20:31:35 | getContent(...) | A.java:31:20:31:35 | getContent(...) |
26+
| A.java:47:30:47:36 | taint(...) | A.java:48:14:48:26 | buffer(...) |
27+
| A.java:47:30:47:36 | taint(...) | A.java:49:14:49:31 | toByteArray(...) |
28+
| A.java:47:30:47:36 | taint(...) | A.java:53:14:53:31 | toCharArray(...) |
29+
| A.java:47:30:47:36 | taint(...) | A.java:54:14:54:28 | toString(...) |
30+
| A.java:47:30:47:36 | taint(...) | A.java:55:14:55:35 | subSequence(...) |
31+
| A.java:47:30:47:36 | taint(...) | A.java:56:14:56:33 | substring(...) |
32+
| A.java:47:30:47:36 | taint(...) | A.java:57:14:57:40 | substringTrimmed(...) |
33+
| A.java:59:27:59:33 | taint(...) | A.java:59:14:59:39 | notNull(...) |
34+
| A.java:60:37:60:43 | taint(...) | A.java:60:14:60:49 | notEmpty(...) |
35+
| A.java:61:37:61:43 | taint(...) | A.java:61:14:61:49 | notBlank(...) |

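--- a/java/ql/test/library-tests/frameworks/apache-http/flow.ql
+++ b/java/ql/test/library-tests/frameworks/apache-http/flow.ql
@@ -2,6 +2,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XSS
+import semmle.code.java.security.UrlRedirect
 
 class Conf extends TaintTracking::Configuration {
 Conf() { this = "qltest:frameworks:apache-http" }
@@ -16,6 +17,8 @@ class Conf extends TaintTracking::Configuration {
 exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
 or
 n instanceof XssSink
+or
+n instanceof UrlRedirectSink
 }
 }
 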
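Review bot: The sink predicate now ORs three unrelated sink kinds (explicit `sink(...)` arguments, `XssSink`, `UrlRedirectSink`) with nothing saying why a library test folds security-query sinks into its configuration; a comment above the first disjunct such as `// Besides the explicit sink(...) helper, check that the framework's response-writing APIs are recognized by the XSS and URL-redirect sink definitions.` would explain it. Because the expected file records only source and sink expressions, a flow into a `Location` header cannot be told apart from one into an explicit `sink(...)` call, which is presumably acceptable for a library test but worth stating. The enclosing predicate's signature lies outside the hunk.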
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
/*
2+
* ====================================================================
3+
* Licensed to the Apache Software Foundation (ASF) under one
4+
* or more contributor license agreements. See the NOTICE file
5+
* distributed with this work for additional information
6+
* regarding copyright ownership. The ASF licenses this file
7+
* to you under the Apache License, Version 2.0 (the
8+
* "License"); you may not use this file except in compliance
9+
* with the License. You may obtain a copy of the License at
10+
*
11+
* http://www.apache.org/licenses/LICENSE-2.0
12+
*
13+
* Unless required by applicable law or agreed to in writing,
14+
* software distributed under the License is distributed on an
15+
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16+
* KIND, either express or implied. See the License for the
17+
* specific language governing permissions and limitations
18+
* under the License.
19+
* ====================================================================
20+
*
21+
* This software consists of voluntary contributions made by many
22+
* individuals on behalf of the Apache Software Foundation. For more
23+
* information on the Apache Software Foundation, please see
24+
* <http://www.apache.org/>.
25+
*
26+
*/
27+
28+
package org.apache.http.message;
29+
30+
import java.io.Serializable;
31+
32+
import org.apache.http.Header;
33+
import org.apache.http.HeaderElement;
34+
import org.apache.http.ParseException;
35+
36+
public class BasicHeader implements Header, Cloneable, Serializable {
37+
public BasicHeader(final String name, final String value) {
38+
}
39+
40+
@Override
41+
public Object clone() throws CloneNotSupportedException {
42+
return null;
43+
}
44+
45+
@Override
46+
public HeaderElement[] getElements() throws ParseException {
47+
return null;
48+
}
49+
50+
@Override
51+
public String getName() {
52+
return null;
53+
}
54+
55+
@Override
56+
public String getValue() {
57+
return null;
58+
}
59+
60+
@Override
61+
public String toString() {
62+
return null;
63+
}
64+
65+
}
Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
/*
2+
* ====================================================================
3+
* Licensed to the Apache Software Foundation (ASF) under one
4+
* or more contributor license agreements. See the NOTICE file
5+
* distributed with this work for additional information
6+
* regarding copyright ownership. The ASF licenses this file
7+
* to you under the Apache License, Version 2.0 (the
8+
* "License"); you may not use this file except in compliance
9+
* with the License. You may obtain a copy of the License at
10+
*
11+
* http://www.apache.org/licenses/LICENSE-2.0
12+
*
13+
* Unless required by applicable law or agreed to in writing,
14+
* software distributed under the License is distributed on an
15+
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16+
* KIND, either express or implied. See the License for the
17+
* specific language governing permissions and limitations
18+
* under the License.
19+
* ====================================================================
20+
*
21+
* This software consists of voluntary contributions made by many
22+
* individuals on behalf of the Apache Software Foundation. For more
23+
* information on the Apache Software Foundation, please see
24+
* <http://www.apache.org/>.
25+
*
26+
*/
27+
28+
package org.apache.http.util;
29+
30+
import java.util.Collection;
31+
32+
public class Args {
33+
public static void check(final boolean expression, final String message) {
34+
}
35+
36+
public static void check(final boolean expression, final String message, final Object... args) {
37+
}
38+
39+
public static void check(final boolean expression, final String message, final Object arg) {
40+
}
41+
42+
public static <T> T notNull(final T argument, final String name) {
43+
return null;
44+
}
45+
46+
public static <T extends CharSequence> T notEmpty(final T argument, final String name) {
47+
return null;
48+
}
49+
50+
public static <T extends CharSequence> T notBlank(final T argument, final String name) {
51+
return null;
52+
}
53+
54+
public static <T extends CharSequence> T containsNoBlanks(final T argument, final String name) {
55+
return null;
56+
}
57+
58+
public static <E, T extends Collection<E>> T notEmpty(final T argument, final String name) {
59+
return null;
60+
}
61+
62+
public static int positive(final int n, final String name) {
63+
return 0;
64+
}
65+
66+
public static long positive(final long n, final String name) {
67+
return 0;
68+
}
69+
70+
public static int notNegative(final int n, final String name) {
71+
return 0;
72+
}
73+
74+
public static long notNegative(final long n, final String name) {
75+
return 0;
76+
}
77+
78+
}
Lines changed: 93 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,93 @@
1+
/*
2+
* ====================================================================
3+
* Licensed to the Apache Software Foundation (ASF) under one
4+
* or more contributor license agreements. See the NOTICE file
5+
* distributed with this work for additional information
6+
* regarding copyright ownership. The ASF licenses this file
7+
* to you under the Apache License, Version 2.0 (the
8+
* "License"); you may not use this file except in compliance
9+
* with the License. You may obtain a copy of the License at
10+
*
11+
* http://www.apache.org/licenses/LICENSE-2.0
12+
*
13+
* Unless required by applicable law or agreed to in writing,
14+
* software distributed under the License is distributed on an
15+
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16+
* KIND, either express or implied. See the License for the
17+
* specific language governing permissions and limitations
18+
* under the License.
19+
* ====================================================================
20+
*
21+
* This software consists of voluntary contributions made by many
22+
* individuals on behalf of the Apache Software Foundation. For more
23+
* information on the Apache Software Foundation, please see
24+
* <http://www.apache.org/>.
25+
*
26+
*/
27+
28+
package org.apache.http.util;
29+
30+
import java.io.Serializable;
31+
32+
public final class ByteArrayBuffer implements Serializable {
33+
public ByteArrayBuffer(final int capacity) {
34+
}
35+
36+
public void append(final byte[] b, final int off, final int len) {
37+
}
38+
39+
public void append(final int b) {
40+
}
41+
42+
public void append(final char[] b, final int off, final int len) {
43+
}
44+
45+
public void append(final CharArrayBuffer b, final int off, final int len) {
46+
}
47+
48+
public void clear() {
49+
}
50+
51+
public byte[] toByteArray() {
52+
return null;
53+
}
54+
55+
public int byteAt(final int i) {
56+
return 0;
57+
}
58+
59+
public int capacity() {
60+
return 0;
61+
}
62+
63+
public int length() {
64+
return 0;
65+
}
66+
67+
public void ensureCapacity(final int required) {
68+
}
69+
70+
public byte[] buffer() {
71+
return null;
72+
}
73+
74+
public void setLength(final int len) {
75+
}
76+
77+
public boolean isEmpty() {
78+
return false;
79+
}
80+
81+
public boolean isFull() {
82+
return false;
83+
}
84+
85+
public int indexOf(final byte b, final int from, final int to) {
86+
return 0;
87+
}
88+
89+
public int indexOf(final byte b) {
90+
return 0;
91+
}
92+
93+
}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/util/ByteBuffer.java

Whitespace-only changes.
