Generate stubs, adapt tests

Author: atorralba

java/ql/test/query-tests/security/CWE-094/FreemarkerSSTI.java

@@ -11,7 +11,7 @@
 import freemarker.template.Template;
 import freemarker.template.Configuration;
 import freemarker.cache.StringTemplateLoader;
-import freemarker.template.ParserConfiguration;
+import freemarker.core.ParserConfiguration;
 
 @Controller
 public class FreemarkerSSTI {
@@ -121,7 +121,7 @@ public void bad9(HttpServletRequest request) {
 
 	@GetMapping(value = "bad10")
 	public void bad10(HttpServletRequest request) {
-		HashMap root = new HashMap();
+		HashMap<Object,Object> root = new HashMap();
 		String code = request.getParameter("code");
         root.put("code", code);
 		Configuration cfg = new Configuration();

java/ql/test/query-tests/security/CWE-094/TemplateInjection.expected

@@ -36,11 +36,19 @@ edges
 | VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:62:42:62:45 | code : String |
 | VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader | VelocitySSTI.java:63:25:63:30 | reader |
 | VelocitySSTI.java:62:42:62:45 | code : String | VelocitySSTI.java:62:25:62:46 | new StringReader(...) : StringReader |
-| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context |
-| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:89:60:89:66 | context |
-| VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | VelocitySSTI.java:102:11:102:17 | context |
-| VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | VelocitySSTI.java:115:11:115:17 | context |
-| VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | VelocitySSTI.java:123:37:123:40 | code |
+| VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:72:23:72:26 | code : String |
+| VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | VelocitySSTI.java:77:21:77:27 | context |
+| VelocitySSTI.java:72:23:72:26 | code : String | VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext |
+| VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:86:23:86:26 | code : String |
+| VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | VelocitySSTI.java:90:52:90:58 | context |
+| VelocitySSTI.java:86:23:86:26 | code : String | VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext |
+| VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | VelocitySSTI.java:99:23:99:26 | code : String |
+| VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | VelocitySSTI.java:103:11:103:17 | context |
+| VelocitySSTI.java:99:23:99:26 | code : String | VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext |
+| VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | VelocitySSTI.java:112:23:112:26 | code : String |
+| VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | VelocitySSTI.java:116:11:116:17 | context |
+| VelocitySSTI.java:112:23:112:26 | code : String | VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext |
+| VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | VelocitySSTI.java:124:37:124:40 | code |
 nodes
 | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | FreemarkerSSTI.java:24:19:24:40 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
@@ -99,15 +107,23 @@ nodes
 | VelocitySSTI.java:62:42:62:45 | code : String | semmle.label | code : String |
 | VelocitySSTI.java:63:25:63:30 | reader | semmle.label | reader |
 | VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:72:3:72:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
+| VelocitySSTI.java:72:23:72:26 | code : String | semmle.label | code : String |
 | VelocitySSTI.java:77:21:77:27 | context | semmle.label | context |
 | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| VelocitySSTI.java:89:60:89:66 | context | semmle.label | context |
-| VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| VelocitySSTI.java:102:11:102:17 | context | semmle.label | context |
-| VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| VelocitySSTI.java:115:11:115:17 | context | semmle.label | context |
-| VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| VelocitySSTI.java:123:37:123:40 | code | semmle.label | code |
+| VelocitySSTI.java:86:3:86:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
+| VelocitySSTI.java:86:23:86:26 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:90:52:90:58 | context | semmle.label | context |
+| VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:99:3:99:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
+| VelocitySSTI.java:99:23:99:26 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:103:11:103:17 | context | semmle.label | context |
+| VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:112:3:112:9 | context [post update] : AbstractContext | semmle.label | context [post update] : AbstractContext |
+| VelocitySSTI.java:112:23:112:26 | code : String | semmle.label | code : String |
+| VelocitySSTI.java:116:11:116:17 | context | semmle.label | context |
+| VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| VelocitySSTI.java:124:37:124:40 | code | semmle.label | code |
 subpaths
 #select
 | FreemarkerSSTI.java:27:35:27:40 | reader | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) : String | FreemarkerSSTI.java:27:35:27:40 | reader | Potential arbitrary code execution due to $@. | FreemarkerSSTI.java:23:17:23:44 | getParameter(...) | a template value loaded from a remote source. |
@@ -130,7 +146,7 @@ subpaths
 | VelocitySSTI.java:53:45:53:50 | reader | VelocitySSTI.java:44:17:44:44 | getParameter(...) : String | VelocitySSTI.java:53:45:53:50 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:44:17:44:44 | getParameter(...) | a template value loaded from a remote source. |
 | VelocitySSTI.java:63:25:63:30 | reader | VelocitySSTI.java:59:17:59:44 | getParameter(...) : String | VelocitySSTI.java:63:25:63:30 | reader | Potential arbitrary code execution due to $@. | VelocitySSTI.java:59:17:59:44 | getParameter(...) | a template value loaded from a remote source. |
 | VelocitySSTI.java:77:21:77:27 | context | VelocitySSTI.java:69:17:69:44 | getParameter(...) : String | VelocitySSTI.java:77:21:77:27 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:69:17:69:44 | getParameter(...) | a template value loaded from a remote source. |
-| VelocitySSTI.java:89:60:89:66 | context | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:89:60:89:66 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:83:17:83:44 | getParameter(...) | a template value loaded from a remote source. |
-| VelocitySSTI.java:102:11:102:17 | context | VelocitySSTI.java:95:17:95:44 | getParameter(...) : String | VelocitySSTI.java:102:11:102:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:95:17:95:44 | getParameter(...) | a template value loaded from a remote source. |
-| VelocitySSTI.java:115:11:115:17 | context | VelocitySSTI.java:108:17:108:44 | getParameter(...) : String | VelocitySSTI.java:115:11:115:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:108:17:108:44 | getParameter(...) | a template value loaded from a remote source. |
-| VelocitySSTI.java:123:37:123:40 | code | VelocitySSTI.java:120:17:120:44 | getParameter(...) : String | VelocitySSTI.java:123:37:123:40 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:120:17:120:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:90:52:90:58 | context | VelocitySSTI.java:83:17:83:44 | getParameter(...) : String | VelocitySSTI.java:90:52:90:58 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:83:17:83:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:103:11:103:17 | context | VelocitySSTI.java:96:17:96:44 | getParameter(...) : String | VelocitySSTI.java:103:11:103:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:96:17:96:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:116:11:116:17 | context | VelocitySSTI.java:109:17:109:44 | getParameter(...) : String | VelocitySSTI.java:116:11:116:17 | context | Potential arbitrary code execution due to $@. | VelocitySSTI.java:109:17:109:44 | getParameter(...) | a template value loaded from a remote source. |
+| VelocitySSTI.java:124:37:124:40 | code | VelocitySSTI.java:121:17:121:44 | getParameter(...) : String | VelocitySSTI.java:124:37:124:40 | code | Potential arbitrary code execution due to $@. | VelocitySSTI.java:121:17:121:44 | getParameter(...) | a template value loaded from a remote source. |

java/ql/test/query-tests/security/CWE-094/VelocitySSTI.java

@@ -58,7 +58,7 @@ public void bad3(HttpServletRequest request) {
 		String name = "ttemplate";
 		String code = request.getParameter("code");
 
-		RuntimeServices runtimeServices = new RuntimeServices();
+		RuntimeServices runtimeServices = null;
 		StringReader reader = new StringReader(code);
 		runtimeServices.parse(reader, new Template());
 	}
@@ -86,7 +86,8 @@ public void bad5(HttpServletRequest request) {
 		context.put("code", code);
 
 		StringWriter w = new StringWriter();
-		VelocityEngine.mergeTemplate("testtemplate.vm", "UTF-8", context, w);
+		VelocityEngine engine = null;
+		engine.mergeTemplate("testtemplate.vm", "UTF-8", context, w);
 	}
 
 	@GetMapping(value = "bad6")

java/ql/test/query-tests/security/CWE-094/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api:${testdir}/../../../experimental/stubs/apache-freemarker-2.3.31:${testdir}/../../../experimental/stubs/jinjava-2.6.0:${testdir}/../../../experimental/stubs/pebble-3.1.5:${testdir}/../../../experimental/stubs/thymeleaf-3.0.14:${testdir}/../../../experimental/stubs/apache-velocity-2.3
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api:${testdir}/../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../stubs/jinjava-2.6.0:${testdir}/../../../stubs/pebble-3.1.5:${testdir}/../../../stubs/thymeleaf-3.0.14:${testdir}/../../../stubs/apache-velocity-2.3