Simple Test

Author: Kwstubbs

java/ql/test/library-tests/dataflow/taintsources/App.java

@@ -0,0 +1,22 @@
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.Part;
+
+public class App {
+
+    private HttpServletRequest request;
+    private HttpServletResponse response;
+    private Part filePart;
+
+    private static void sink(Object o) {}
+
+    public void test() throws Exception {
+        sink(filePart.getContentType());  // $hasRemoteValueFlow
+        sink(filePart.getHeader("test")); // $hasRemoteValueFlow
+        sink(filePart.getInputStream()); // $hasRemoteValueFlow
+        sink(filePart.getHeaders("test")); // $hasRemoteValueFlow
+        //sink(filePart.getHeaderNames()); // $hasRemoteValueFlow
+        sink(filePart.getSubmittedFileName()); // $hasRemoteValueFlow
+        sink(filePart.getName()); // $hasRemoteValueFlow
+    }
+}

java/ql/test/library-tests/dataflow/taintsources/FileUpload/App.java

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/test

java/ql/test/library-tests/dataflow/taintsources/FileUpload/options

@@ -0,0 +1,2 @@
+failures
+testFailures

java/ql/test/library-tests/dataflow/taintsources/FileUpload/remote.expected

@@ -0,0 +1,47 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
+
+predicate isTestSink(DataFlow::Node n) {
+  exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+}
+
+module RemoteValueConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node n) { isTestSink(n) }
+}
+
+module RemoteValueFlow = DataFlow::Global<RemoteValueConfig>;
+
+module RemoteTaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node n) { isTestSink(n) }
+}
+
+module RemoteTaintFlow = TaintTracking::Global<RemoteTaintConfig>;
+
+module RemoteFlowTest implements TestSig {
+  string getARelevantTag() { result = ["hasRemoteValueFlow", "hasRemoteTaintFlow"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasRemoteValueFlow" and
+    exists(DataFlow::Node sink | RemoteValueFlow::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasRemoteTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      RemoteTaintFlow::flow(src, sink) and not RemoteValueFlow::flow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<RemoteFlowTest>

java/ql/test/library-tests/dataflow/taintsources/FileUpload/remote.ql

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/test
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263