Skip to content

Commit b985ddb

Browse files
atorralbaatorralba
committed
Use InlineExpectationsTest
1 parent 079769e commit b985ddb

File tree

5 files changed

+41
-11
lines changed

5 files changed

+41
-11
lines changed

java/ql/src/semmle/code/java/security/SpelInjection.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ private class DefaultSpelExpressionInjectionAdditionalTaintStep extends SpelExpr
5656
/**
5757
* A configuration for safe evaluation context that may be used in expression evaluation.
5858
*/
59-
class SafeEvaluationContextFlowConfig extends DataFlow2::Configuration {
59+
private class SafeEvaluationContextFlowConfig extends DataFlow2::Configuration {
6060
SafeEvaluationContextFlowConfig() { this = "SpelInjection::SafeEvaluationContextFlowConfig" }
6161

6262
override predicate isSource(DataFlow::Node source) { source instanceof SafeContextSource }

java/ql/test/query-tests/security/CWE-094/SpelInjection.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.expected

Whitespace-only changes.

java/ql/test/query-tests/security/CWE-094/SpelInjection.java renamed to java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java

Lines changed: 8 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
import org.springframework.expression.spel.support.SimpleEvaluationContext;
88
import org.springframework.expression.spel.support.StandardEvaluationContext;
99

10-
public class SpelInjection {
10+
public class SpelInjectionTest {
1111

1212
private static final ExpressionParser PARSER = new SpelExpressionParser();
1313

@@ -20,7 +20,7 @@ public void testGetValue(Socket socket) throws IOException {
2020

2121
ExpressionParser parser = new SpelExpressionParser();
2222
Expression expression = parser.parseExpression(input);
23-
expression.getValue();
23+
expression.getValue(); // $hasSpelInjection
2424
}
2525

2626
public void testGetValueWithChainedCalls(Socket socket) throws IOException {
@@ -31,7 +31,7 @@ public void testGetValueWithChainedCalls(Socket socket) throws IOException {
3131
String input = new String(bytes, 0, n);
3232

3333
Expression expression = new SpelExpressionParser().parseExpression(input);
34-
expression.getValue();
34+
expression.getValue(); // $hasSpelInjection
3535
}
3636

3737
public void testSetValueWithRootObject(Socket socket) throws IOException {
@@ -45,7 +45,7 @@ public void testSetValueWithRootObject(Socket socket) throws IOException {
4545

4646
Object root = new Object();
4747
Object value = new Object();
48-
expression.setValue(root, value);
48+
expression.setValue(root, value); // $hasSpelInjection
4949
}
5050

5151
public void testGetValueWithStaticParser(Socket socket) throws IOException {
@@ -56,7 +56,7 @@ public void testGetValueWithStaticParser(Socket socket) throws IOException {
5656
String input = new String(bytes, 0, n);
5757

5858
Expression expression = PARSER.parseExpression(input);
59-
expression.getValue();
59+
expression.getValue(); // $hasSpelInjection
6060
}
6161

6262
public void testGetValueType(Socket socket) throws IOException {
@@ -67,7 +67,7 @@ public void testGetValueType(Socket socket) throws IOException {
6767
String input = new String(bytes, 0, n);
6868

6969
Expression expression = PARSER.parseExpression(input);
70-
expression.getValueType();
70+
expression.getValueType(); // $hasSpelInjection
7171
}
7272

7373
public void testWithStandardEvaluationContext(Socket socket) throws IOException {
@@ -80,7 +80,7 @@ public void testWithStandardEvaluationContext(Socket socket) throws IOException
8080
Expression expression = PARSER.parseExpression(input);
8181

8282
StandardEvaluationContext context = new StandardEvaluationContext();
83-
expression.getValue(context);
83+
expression.getValue(context); // $hasSpelInjection
8484
}
8585

8686
public void testWithSimpleEvaluationContext(Socket socket) throws IOException {
@@ -93,8 +93,7 @@ public void testWithSimpleEvaluationContext(Socket socket) throws IOException {
9393
Expression expression = PARSER.parseExpression(input);
9494
SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
9595

96-
// the expression is evaluated in a limited context
97-
expression.getValue(context);
96+
expression.getValue(context); // Safe - the expression is evaluated in a limited context
9897
}
9998

10099
}

java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
import java
2+
import semmle.code.java.dataflow.TaintTracking
3+
import semmle.code.java.dataflow.FlowSources
4+
import semmle.code.java.security.SpelInjection
5+
import TestUtilities.InlineExpectationsTest
6+
7+
class Conf extends TaintTracking::Configuration {
8+
Conf() { this = "test:cwe:spel-injection" }
9+
10+
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
11+
12+
override predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink }
13+
14+
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
15+
any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2)
16+
}
17+
}
18+
19+
class HasSpelInjectionTest extends InlineExpectationsTest {
20+
HasSpelInjectionTest() { this = "HasSpelInjectionTest" }
21+
22+
override string getARelevantTag() { result = "hasSpelInjection" }
23+
24+
override predicate hasActualResult(Location location, string element, string tag, string value) {
25+
tag = "hasSpelInjection" and
26+
exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
27+
sink.getLocation() = location and
28+
element = sink.toString() and
29+
value = ""
30+
)
31+
}
32+
}

0 commit comments

Comments
 (0)