Java: Adjust stubs and unit test.

Author: aschackmull

java/ql/test/query-tests/security/CWE-090/LdapInjection.expected

@@ -27,6 +27,7 @@ edges
 | LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync : String | LdapInjection.java:131:19:131:19 | s |
 | LdapInjection.java:127:76:127:109 | uBadSRDNAsync : String | LdapInjection.java:131:19:131:19 | s |
 | LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT : String | LdapInjection.java:135:58:135:115 | createNOTFilter(...) |
+| LdapInjection.java:138:31:138:75 | uBadFilterCreateToString : String | LdapInjection.java:139:58:139:107 | toString(...) |
 | LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:145:58:145:69 | toString(...) |
 | LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate : String | LdapInjection.java:152:14:152:26 | duplicate(...) |
 | LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate : String | LdapInjection.java:159:14:159:26 | duplicate(...) |
@@ -47,18 +48,15 @@ edges
 | LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:232:24:232:57 | filter(...) |
 | LdapInjection.java:235:31:235:68 | sBadLdapQueryBase : String | LdapInjection.java:236:12:236:66 | base(...) |
 | LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex : String | LdapInjection.java:240:24:240:98 | is(...) |
+| LdapInjection.java:243:31:243:69 | sBadFilterToString : String | LdapInjection.java:244:18:244:83 | toString(...) |
 | LdapInjection.java:247:31:247:67 | sBadFilterEncode : String | LdapInjection.java:250:18:250:29 | toString(...) |
 | LdapInjection.java:266:30:266:54 | aBad : String | LdapInjection.java:268:36:268:55 | ... + ... |
 | LdapInjection.java:266:57:266:83 | aBadDN : String | LdapInjection.java:268:14:268:33 | ... + ... |
+| LdapInjection.java:271:30:271:54 | aBad : String | LdapInjection.java:273:65:273:84 | ... + ... |
+| LdapInjection.java:271:57:271:94 | aBadDNObjToString : String | LdapInjection.java:273:14:273:62 | getName(...) |
 | LdapInjection.java:276:30:276:67 | aBadSearchRequest : String | LdapInjection.java:280:14:280:14 | s |
 | LdapInjection.java:283:74:283:103 | aBadDNObj : String | LdapInjection.java:287:14:287:14 | s |
 | LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet : String | LdapInjection.java:294:14:294:24 | getBase(...) |
-| LdapInjection.java:312:23:312:58 | okEncodeForLDAP : String | LdapInjection.java:314:61:314:75 | okEncodeForLDAP : String |
-| LdapInjection.java:314:39:314:76 | encodeForLDAP(...) : String | LdapInjection.java:314:29:314:82 | ... + ... |
-| LdapInjection.java:314:61:314:75 | okEncodeForLDAP : String | LdapInjection.java:314:39:314:76 | encodeForLDAP(...) : String |
-| LdapInjection.java:318:23:318:57 | okFilterEncode : String | LdapInjection.java:319:64:319:77 | okFilterEncode : String |
-| LdapInjection.java:319:39:319:78 | filterEncode(...) : String | LdapInjection.java:319:29:319:84 | ... + ... |
-| LdapInjection.java:319:64:319:77 | okFilterEncode : String | LdapInjection.java:319:39:319:78 | filterEncode(...) : String |
 nodes
 | LdapInjection.java:41:28:41:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:41:55:41:81 | jBadDN : String | semmle.label | jBadDN : String |
@@ -112,6 +110,8 @@ nodes
 | LdapInjection.java:131:19:131:19 | s | semmle.label | s |
 | LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT : String | semmle.label | uBadFilterCreateNOT : String |
 | LdapInjection.java:135:58:135:115 | createNOTFilter(...) | semmle.label | createNOTFilter(...) |
+| LdapInjection.java:138:31:138:75 | uBadFilterCreateToString : String | semmle.label | uBadFilterCreateToString : String |
+| LdapInjection.java:139:58:139:107 | toString(...) | semmle.label | toString(...) |
 | LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer : String | semmle.label | uBadFilterCreateToStringBuffer : String |
 | LdapInjection.java:145:58:145:69 | toString(...) | semmle.label | toString(...) |
 | LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate : String | semmle.label | uBadSearchRequestDuplicate : String |
@@ -152,26 +152,24 @@ nodes
 | LdapInjection.java:236:12:236:66 | base(...) | semmle.label | base(...) |
 | LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex : String | semmle.label | sBadLdapQueryComplex : String |
 | LdapInjection.java:240:24:240:98 | is(...) | semmle.label | is(...) |
+| LdapInjection.java:243:31:243:69 | sBadFilterToString : String | semmle.label | sBadFilterToString : String |
+| LdapInjection.java:244:18:244:83 | toString(...) | semmle.label | toString(...) |
 | LdapInjection.java:247:31:247:67 | sBadFilterEncode : String | semmle.label | sBadFilterEncode : String |
 | LdapInjection.java:250:18:250:29 | toString(...) | semmle.label | toString(...) |
 | LdapInjection.java:266:30:266:54 | aBad : String | semmle.label | aBad : String |
 | LdapInjection.java:266:57:266:83 | aBadDN : String | semmle.label | aBadDN : String |
 | LdapInjection.java:268:14:268:33 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:268:36:268:55 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:271:30:271:54 | aBad : String | semmle.label | aBad : String |
+| LdapInjection.java:271:57:271:94 | aBadDNObjToString : String | semmle.label | aBadDNObjToString : String |
+| LdapInjection.java:273:14:273:62 | getName(...) | semmle.label | getName(...) |
+| LdapInjection.java:273:65:273:84 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:276:30:276:67 | aBadSearchRequest : String | semmle.label | aBadSearchRequest : String |
 | LdapInjection.java:280:14:280:14 | s | semmle.label | s |
 | LdapInjection.java:283:74:283:103 | aBadDNObj : String | semmle.label | aBadDNObj : String |
 | LdapInjection.java:287:14:287:14 | s | semmle.label | s |
 | LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet : String | semmle.label | aBadDNSearchRequestGet : String |
 | LdapInjection.java:294:14:294:24 | getBase(...) | semmle.label | getBase(...) |
-| LdapInjection.java:312:23:312:58 | okEncodeForLDAP : String | semmle.label | okEncodeForLDAP : String |
-| LdapInjection.java:314:29:314:82 | ... + ... | semmle.label | ... + ... |
-| LdapInjection.java:314:39:314:76 | encodeForLDAP(...) : String | semmle.label | encodeForLDAP(...) : String |
-| LdapInjection.java:314:61:314:75 | okEncodeForLDAP : String | semmle.label | okEncodeForLDAP : String |
-| LdapInjection.java:318:23:318:57 | okFilterEncode : String | semmle.label | okFilterEncode : String |
-| LdapInjection.java:319:29:319:84 | ... + ... | semmle.label | ... + ... |
-| LdapInjection.java:319:39:319:78 | filterEncode(...) : String | semmle.label | filterEncode(...) : String |
-| LdapInjection.java:319:64:319:77 | okFilterEncode : String | semmle.label | okFilterEncode : String |
 #select
 | LdapInjection.java:43:16:43:35 | ... + ... | LdapInjection.java:41:55:41:81 | jBadDN : String | LdapInjection.java:43:16:43:35 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:41:55:41:81 | jBadDN | this user input |
 | LdapInjection.java:43:38:43:57 | ... + ... | LdapInjection.java:41:28:41:52 | jBad : String | LdapInjection.java:43:38:43:57 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:41:28:41:52 | jBad | this user input |
@@ -201,6 +199,7 @@ nodes
 | LdapInjection.java:131:19:131:19 | s | LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync : String | LdapInjection.java:131:19:131:19 | s | LDAP query might include code from $@. | LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync | this user input |
 | LdapInjection.java:131:19:131:19 | s | LdapInjection.java:127:76:127:109 | uBadSRDNAsync : String | LdapInjection.java:131:19:131:19 | s | LDAP query might include code from $@. | LdapInjection.java:127:76:127:109 | uBadSRDNAsync | this user input |
 | LdapInjection.java:135:58:135:115 | createNOTFilter(...) | LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT : String | LdapInjection.java:135:58:135:115 | createNOTFilter(...) | LDAP query might include code from $@. | LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT | this user input |
+| LdapInjection.java:139:58:139:107 | toString(...) | LdapInjection.java:138:31:138:75 | uBadFilterCreateToString : String | LdapInjection.java:139:58:139:107 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:138:31:138:75 | uBadFilterCreateToString | this user input |
 | LdapInjection.java:145:58:145:69 | toString(...) | LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:145:58:145:69 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer | this user input |
 | LdapInjection.java:152:14:152:26 | duplicate(...) | LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate : String | LdapInjection.java:152:14:152:26 | duplicate(...) | LDAP query might include code from $@. | LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate | this user input |
 | LdapInjection.java:159:14:159:26 | duplicate(...) | LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate : String | LdapInjection.java:159:14:159:26 | duplicate(...) | LDAP query might include code from $@. | LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate | this user input |
@@ -221,11 +220,12 @@ nodes
 | LdapInjection.java:232:24:232:57 | filter(...) | LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:232:24:232:57 | filter(...) | LDAP query might include code from $@. | LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 | this user input |
 | LdapInjection.java:236:12:236:66 | base(...) | LdapInjection.java:235:31:235:68 | sBadLdapQueryBase : String | LdapInjection.java:236:12:236:66 | base(...) | LDAP query might include code from $@. | LdapInjection.java:235:31:235:68 | sBadLdapQueryBase | this user input |
 | LdapInjection.java:240:24:240:98 | is(...) | LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex : String | LdapInjection.java:240:24:240:98 | is(...) | LDAP query might include code from $@. | LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex | this user input |
+| LdapInjection.java:244:18:244:83 | toString(...) | LdapInjection.java:243:31:243:69 | sBadFilterToString : String | LdapInjection.java:244:18:244:83 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:243:31:243:69 | sBadFilterToString | this user input |
 | LdapInjection.java:250:18:250:29 | toString(...) | LdapInjection.java:247:31:247:67 | sBadFilterEncode : String | LdapInjection.java:250:18:250:29 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:247:31:247:67 | sBadFilterEncode | this user input |
 | LdapInjection.java:268:14:268:33 | ... + ... | LdapInjection.java:266:57:266:83 | aBadDN : String | LdapInjection.java:268:14:268:33 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:266:57:266:83 | aBadDN | this user input |
 | LdapInjection.java:268:36:268:55 | ... + ... | LdapInjection.java:266:30:266:54 | aBad : String | LdapInjection.java:268:36:268:55 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:266:30:266:54 | aBad | this user input |
+| LdapInjection.java:273:14:273:62 | getName(...) | LdapInjection.java:271:57:271:94 | aBadDNObjToString : String | LdapInjection.java:273:14:273:62 | getName(...) | LDAP query might include code from $@. | LdapInjection.java:271:57:271:94 | aBadDNObjToString | this user input |
+| LdapInjection.java:273:65:273:84 | ... + ... | LdapInjection.java:271:30:271:54 | aBad : String | LdapInjection.java:273:65:273:84 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:271:30:271:54 | aBad | this user input |
 | LdapInjection.java:280:14:280:14 | s | LdapInjection.java:276:30:276:67 | aBadSearchRequest : String | LdapInjection.java:280:14:280:14 | s | LDAP query might include code from $@. | LdapInjection.java:276:30:276:67 | aBadSearchRequest | this user input |
 | LdapInjection.java:287:14:287:14 | s | LdapInjection.java:283:74:283:103 | aBadDNObj : String | LdapInjection.java:287:14:287:14 | s | LDAP query might include code from $@. | LdapInjection.java:283:74:283:103 | aBadDNObj | this user input |
 | LdapInjection.java:294:14:294:24 | getBase(...) | LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet : String | LdapInjection.java:294:14:294:24 | getBase(...) | LDAP query might include code from $@. | LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet | this user input |
-| LdapInjection.java:314:29:314:82 | ... + ... | LdapInjection.java:312:23:312:58 | okEncodeForLDAP : String | LdapInjection.java:314:29:314:82 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:312:23:312:58 | okEncodeForLDAP | this user input |
-| LdapInjection.java:319:29:319:84 | ... + ... | LdapInjection.java:318:23:318:57 | okFilterEncode : String | LdapInjection.java:319:29:319:84 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:318:23:318:57 | okFilterEncode | this user input |

java/ql/test/query-tests/security/CWE-090/LdapInjection.java

@@ -136,7 +136,7 @@ public void testUnboundBad8(@RequestParam String uBadFilterCreateNOT, LDAPConnec
   }
 
   public void testUnboundBad9(@RequestParam String uBadFilterCreateToString, LDAPConnection c) throws LDAPException {
-    c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString()); // False Negative
+    c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString());
   }
 
   public void testUnboundBad10(@RequestParam String uBadFilterCreateToStringBuffer, LDAPConnection c) throws LDAPException {
@@ -241,7 +241,7 @@ public void testSpringBad11(@RequestParam String sBadLdapQueryComplex, LdapTempl
   }
 
   public void testSpringBad12(@RequestParam String sBadFilterToString, LdapTemplate c) {
-    c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null); // False Negative
+    c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null);
   }
 
   public void testSpringBad13(@RequestParam String sBadFilterEncode, LdapTemplate c) {
@@ -270,7 +270,7 @@ public void testApacheBad1(@RequestParam String aBad, @RequestParam String aBadD
 
   public void testApacheBad2(@RequestParam String aBad, @RequestParam String aBadDNObjToString, LdapNetworkConnection c)
       throws LdapException {
-    c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null); // False Negative
+    c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null);
   }
 
   public void testApacheBad3(@RequestParam String aBadSearchRequest, LdapConnection c)
@@ -311,12 +311,12 @@ public void testApacheOk2(@RequestParam String aOk, LdapConnection c)
   // ESAPI encoder sanitizer
   public void testOk3(@RequestParam String okEncodeForLDAP, DirContext ctx) throws NamingException {
     Encoder encoder = DefaultEncoder.getInstance();
-    ctx.search("ou=system", "(uid=" + encoder.encodeForLDAP(okEncodeForLDAP) + ")", new SearchControls()); // False Positive
+    ctx.search("ou=system", "(uid=" + encoder.encodeForLDAP(okEncodeForLDAP) + ")", new SearchControls());
   }
 
   // Spring LdapEncoder sanitizer
   public void testOk4(@RequestParam String okFilterEncode, DirContext ctx) throws NamingException {
-    ctx.search("ou=system", "(uid=" + LdapEncoder.filterEncode(okFilterEncode) + ")", new SearchControls()); // False Positive
+    ctx.search("ou=system", "(uid=" + LdapEncoder.filterEncode(okFilterEncode) + ")", new SearchControls());
   }
 
   // UnboundID Filter.encodeValue sanitizer

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/ldap/client/api/LdapNetworkConnection.java

@@ -2,8 +2,15 @@
 
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.api.ldap.model.cursor.EntryCursor;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.message.SearchRequest;
 import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.api.ldap.model.name.Dn;
+
+public class LdapNetworkConnection implements LdapConnection {
+  public SearchCursor search(SearchRequest searchRequest) throws LdapException { return null; }
 
-public class LdapNetworkConnection /*implements LdapConnection*/ {
   public EntryCursor search(String baseDn, String filter, SearchScope scope, String... attributes) throws LdapException { return null; }
+
+  public EntryCursor search(Dn baseDn, String filter, SearchScope scope, String... attributes) throws LdapException { return null; }
 }

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/reference/DefaultEncoder.java

@@ -4,5 +4,5 @@
 
 public class DefaultEncoder implements Encoder {
   public static Encoder getInstance() { return null; }
-  public String encodeForLDAP(String input) { return input; }
+  public String encodeForLDAP(String input) { return null; }
 }

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/HardcodedFilter.java

@@ -3,4 +3,5 @@
 public class HardcodedFilter implements Filter {
   public HardcodedFilter(String filter) { }
   public StringBuffer encode(StringBuffer buff) { return buff; }
+  public String toString() { return ""; }
 }

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapEncoder.java

@@ -1,5 +1,5 @@
 package org.springframework.ldap.support;
 
 public class LdapEncoder {
-  public static String filterEncode(String value) { return value; }
+  public static String filterEncode(String value) { return null; }
 }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/Filter.java

@@ -10,4 +10,6 @@ public class Filter {
   public static java.lang.String encodeValue(java.lang.String value) { return null; }
 
   public void toNormalizedString(java.lang.StringBuilder buffer) { }
+
+  public String toString() { return ""; }
 }