
Commit b88ebd6

committed
Java: Fix OgnlInjection qltest
1 parent a4fe4f4 commit b88ebd6

2 files changed

+50
-43
lines changed

Lines changed: 43 additions & 43 deletions
@@ -1,48 +1,48 @@
11
edges
2-
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:13:19:13:22 | tree |
3-
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:14:19:14:22 | tree |
4-
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:16:17:16:27 | (...)... : Object |
5-
| OgnlInjection.java:16:17:16:27 | (...)... : Object | OgnlInjection.java:17:5:17:8 | node |
6-
| OgnlInjection.java:16:17:16:27 | (...)... : Object | OgnlInjection.java:18:5:18:8 | node |
7-
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:23:19:23:22 | tree |
8-
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:24:19:24:22 | tree |
9-
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:26:5:26:8 | tree |
10-
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:27:5:27:8 | tree |
11-
| OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:31:19:31:22 | expr |
12-
| OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:32:19:32:22 | expr |
13-
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
14-
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
15-
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:39:31:39:34 | expr |
2+
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree |
3+
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree |
4+
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:20:17:20:27 | (...)... : Object |
5+
| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:21:5:21:8 | node |
6+
| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:22:5:22:8 | node |
7+
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree |
8+
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree |
9+
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree |
10+
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree |
11+
| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
12+
| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
13+
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr |
14+
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr |
15+
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr |
1616
nodes
17-
| OgnlInjection.java:11:39:11:63 | expr : String | semmle.label | expr : String |
18-
| OgnlInjection.java:13:19:13:22 | tree | semmle.label | tree |
19-
| OgnlInjection.java:14:19:14:22 | tree | semmle.label | tree |
20-
| OgnlInjection.java:16:17:16:27 | (...)... : Object | semmle.label | (...)... : Object |
21-
| OgnlInjection.java:17:5:17:8 | node | semmle.label | node |
22-
| OgnlInjection.java:18:5:18:8 | node | semmle.label | node |
23-
| OgnlInjection.java:21:41:21:65 | expr : String | semmle.label | expr : String |
24-
| OgnlInjection.java:23:19:23:22 | tree | semmle.label | tree |
25-
| OgnlInjection.java:24:19:24:22 | tree | semmle.label | tree |
26-
| OgnlInjection.java:26:5:26:8 | tree | semmle.label | tree |
27-
| OgnlInjection.java:27:5:27:8 | tree | semmle.label | tree |
28-
| OgnlInjection.java:30:40:30:64 | expr : String | semmle.label | expr : String |
29-
| OgnlInjection.java:31:19:31:22 | expr | semmle.label | expr |
30-
| OgnlInjection.java:32:19:32:22 | expr | semmle.label | expr |
31-
| OgnlInjection.java:35:26:35:50 | expr : String | semmle.label | expr : String |
17+
| OgnlInjection.java:15:39:15:63 | expr : String | semmle.label | expr : String |
18+
| OgnlInjection.java:17:19:17:22 | tree | semmle.label | tree |
19+
| OgnlInjection.java:18:19:18:22 | tree | semmle.label | tree |
20+
| OgnlInjection.java:20:17:20:27 | (...)... : Object | semmle.label | (...)... : Object |
21+
| OgnlInjection.java:21:5:21:8 | node | semmle.label | node |
22+
| OgnlInjection.java:22:5:22:8 | node | semmle.label | node |
23+
| OgnlInjection.java:26:41:26:65 | expr : String | semmle.label | expr : String |
24+
| OgnlInjection.java:28:19:28:22 | tree | semmle.label | tree |
25+
| OgnlInjection.java:29:19:29:22 | tree | semmle.label | tree |
26+
| OgnlInjection.java:31:5:31:8 | tree | semmle.label | tree |
27+
| OgnlInjection.java:32:5:32:8 | tree | semmle.label | tree |
28+
| OgnlInjection.java:36:40:36:64 | expr : String | semmle.label | expr : String |
3229
| OgnlInjection.java:37:19:37:22 | expr | semmle.label | expr |
3330
| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
34-
| OgnlInjection.java:39:31:39:34 | expr | semmle.label | expr |
31+
| OgnlInjection.java:42:26:42:50 | expr : String | semmle.label | expr : String |
32+
| OgnlInjection.java:44:19:44:22 | expr | semmle.label | expr |
33+
| OgnlInjection.java:45:19:45:22 | expr | semmle.label | expr |
34+
| OgnlInjection.java:46:31:46:34 | expr | semmle.label | expr |
3535
#select
36-
| OgnlInjection.java:13:19:13:22 | tree | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:13:19:13:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
37-
| OgnlInjection.java:14:19:14:22 | tree | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:14:19:14:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
38-
| OgnlInjection.java:17:5:17:8 | node | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:17:5:17:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
39-
| OgnlInjection.java:18:5:18:8 | node | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:18:5:18:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
40-
| OgnlInjection.java:23:19:23:22 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:23:19:23:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
41-
| OgnlInjection.java:24:19:24:22 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:24:19:24:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
42-
| OgnlInjection.java:26:5:26:8 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:26:5:26:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
43-
| OgnlInjection.java:27:5:27:8 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:27:5:27:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
44-
| OgnlInjection.java:31:19:31:22 | expr | OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:31:19:31:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:30:40:30:64 | expr | this user input |
45-
| OgnlInjection.java:32:19:32:22 | expr | OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:32:19:32:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:30:40:30:64 | expr | this user input |
46-
| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
47-
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
48-
| OgnlInjection.java:39:31:39:34 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:39:31:39:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
36+
| OgnlInjection.java:17:19:17:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
37+
| OgnlInjection.java:18:19:18:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
38+
| OgnlInjection.java:21:5:21:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:21:5:21:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
39+
| OgnlInjection.java:22:5:22:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:22:5:22:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
40+
| OgnlInjection.java:28:19:28:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
41+
| OgnlInjection.java:29:19:29:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
42+
| OgnlInjection.java:31:5:31:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
43+
| OgnlInjection.java:32:5:32:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
44+
| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
45+
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
46+
| OgnlInjection.java:44:19:44:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
47+
| OgnlInjection.java:45:19:45:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
48+
| OgnlInjection.java:46:31:46:34 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |

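--- a/java/ql/test/experimental/query-tests/security/CWE-917/OgnlInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-917/OgnlInjection.java
@@ -5,9 +5,13 @@
 
 import com.opensymphony.xwork2.ognl.OgnlUtil;
 
+import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RequestMapping;
 
+@Controller
 public class OgnlInjection {
+@RequestMapping
 public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
 Object tree = Ognl.parseExpression(expr);
 Ognl.getValue(tree, new HashMap<>(), new Object());
@@ -18,6 +22,7 @@ public void testOgnlParseExpression(@RequestParam String expr) throws Exception
 node.setValue(null, new Object(), new Object());
 }
 
+@RequestMapping
 public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
 Node tree = Ognl.compileExpression(null, new Object(), expr);
 Ognl.getValue(tree, new HashMap<>(), new Object());
@@ -27,11 +32,13 @@ public void testOgnlCompileExpression(@RequestParam String expr) throws Exceptio
 tree.setValue(null, new Object(), new Object());
 }
 
+@RequestMapping
 public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
 Ognl.getValue(expr, new Object());
 Ognl.setValue(expr, new Object(), new Object());
 }
 
+@RequestMapping
 public void testStruts(@RequestParam String expr) throws Exception {
 OgnlUtil ognl = new OgnlUtil();
 ognl.getValue(expr, new HashMap<>(), new Object());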
