Add (failing) test for lambda

owen-mc · owen-mc · commit 1f0e26f0d6c8 · 2024-10-11T23:12:44.000+01:00
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java
@@ -14,6 +14,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.function.Consumer;
 
 class AllowListSanitizerWithJavaUtilList {
 	public static Connection connection;
@@ -51,6 +52,7 @@ public static void main(String[] args) throws IOException, SQLException {
 		var x = new AllowListSanitizerWithJavaUtilList();
 		x.testNonStaticFields(args);
 		testMultipleSources(args);
+		testEscape(args);
 	}
 
 	private static void testStaticFields(String[] args) throws IOException, SQLException {
@@ -229,11 +231,11 @@ private static void testLocal(String[] args) throws IOException, SQLException {
 				ResultSet results = connection.createStatement().executeQuery(query);
 			}
 		}
-		// BAD: an allowlist is used but it may contain a non-compile-time constant element
+		// BAD: an allowlist is used but it contains a non-compile-time constant element
 		{
 			List<String> allowlist = new ArrayList<String>();
 			allowlist.add("allowed1");
-			possiblyMutate(allowlist);
+			addNonConstantStringDirectly(allowlist);
 			if(allowlist.contains(tainted)){
 				String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
 						+ tainted + "' ORDER BY PRICE";
@@ -278,8 +280,27 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx
 		}
 	}
 
-	private static void possiblyMutate(List<String> list) {
+	private static void testEscape(String[] args) throws IOException, SQLException {
+		String tainted = args[1];
+		boolean b = args[2] == "True";
+		{
+			// BAD: an allowlist is used which contains constant strings
+			List<String> allowlist = new ArrayList<String>();
+			addNonConstantStringViaLambda(e -> allowlist.add(e));
+			if(allowlist.contains(tainted)){ // missing result
+				String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+						+ tainted + "' ORDER BY PRICE";
+				ResultSet results = connection.createStatement().executeQuery(query);
+			}
+		}
+	}
+
+	private static void addNonConstantStringDirectly(List<String> list) {
 		list.add(getNonConstantString());
 	}
 
+	private static void addNonConstantStringViaLambda(Consumer<String> adder) {
+		adder.accept(getNonConstantString());
+	}
+
 }
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java
@@ -13,6 +13,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
+import java.util.function.Consumer;
 
 class AllowListSanitizerWithJavaUtilSet {
 	public static Connection connection;
@@ -50,6 +51,7 @@ public static void main(String[] args) throws IOException, SQLException {
 		var x = new AllowListSanitizerWithJavaUtilSet();
 		x.testNonStaticFields(args);
 		testMultipleSources(args);
+		testEscape(args);
 	}
 
 	private static void testStaticFields(String[] args) throws IOException, SQLException {
@@ -228,11 +230,11 @@ private static void testLocal(String[] args) throws IOException, SQLException {
 				ResultSet results = connection.createStatement().executeQuery(query);
 			}
 		}
-		// BAD: an allowlist is used but it may contain a non-compile-time constant element
+		// BAD: an allowlist is used but it contains a non-compile-time constant element
 		{
 			Set<String> allowlist = new HashSet<String>();
 			allowlist.add("allowed1");
-			possiblyMutate(allowlist);
+			addNonConstantStringDirectly(allowlist);
 			if(allowlist.contains(tainted)){
 				String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
 						+ tainted + "' ORDER BY PRICE";
@@ -277,8 +279,27 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx
 		}
 	}
 
-	private static void possiblyMutate(Set<String> set) {
+	private static void testEscape(String[] args) throws IOException, SQLException {
+		String tainted = args[1];
+		boolean b = args[2] == "True";
+		{
+			// BAD: an allowlist is used which contains constant strings
+			Set<String> allowlist = new HashSet<String>();
+			addNonConstantStringViaLambda(e -> allowlist.add(e));
+			if(allowlist.contains(tainted)){ // missing result
+				String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+						+ tainted + "' ORDER BY PRICE";
+				ResultSet results = connection.createStatement().executeQuery(query);
+			}
+		}
+	}
+
+	private static void addNonConstantStringDirectly(Set<String> set) {
 		set.add(getNonConstantString());
 	}
 
+	private static void addNonConstantStringViaLambda(Consumer<String> adder) {
+		adder.accept(getNonConstantString());
+	}
+
 }
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
