update inline tests

am0o0 · am0o0 · commit 3868b386f373 · 2024-07-13T10:47:42.000+02:00
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java
@@ -35,29 +35,29 @@
 public class CommonsCompressHandler {
 
     static void commonsCompressArchiveInputStream(InputStream inputStream) throws ArchiveException {
-        new ArArchiveInputStream(inputStream); // $bomb
-        new ArjArchiveInputStream(inputStream); // $bomb
-        new CpioArchiveInputStream(inputStream); // $bomb
-        new JarArchiveInputStream(inputStream); // $bomb
-        new ZipArchiveInputStream(inputStream); // $bomb
+        new ArArchiveInputStream(inputStream); // $ hasTaintFlow="inputStream"
+        new ArjArchiveInputStream(inputStream); // $ hasTaintFlow="inputStream"
+        new CpioArchiveInputStream(inputStream); // $ hasTaintFlow="inputStream"
+        new JarArchiveInputStream(inputStream); // $ hasTaintFlow="inputStream"
+        new ZipArchiveInputStream(inputStream); // $ hasTaintFlow="inputStream"
     }
 
     public static void commonsCompressorInputStream(InputStream inputStream) throws IOException {
         BufferedInputStream in = new BufferedInputStream(inputStream);
         OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
-        GzipCompressorInputStream gzIn = new GzipCompressorInputStream(in); // $bomb
+        GzipCompressorInputStream gzIn = new GzipCompressorInputStream(in); // $ hasTaintFlow="in"
         // for testing
-        new BrotliCompressorInputStream(in); // $bomb
-        new BZip2CompressorInputStream(in); // $bomb
-        new DeflateCompressorInputStream(in); // $bomb
-        new Deflate64CompressorInputStream(in); // $bomb
-        new BlockLZ4CompressorInputStream(in); // $bomb
-        new LZMACompressorInputStream(in); // $bomb
-        new Pack200CompressorInputStream(in); // $bomb
-        new SnappyCompressorInputStream(in); // $bomb
-        new XZCompressorInputStream(in); // $bomb
-        new ZCompressorInputStream(in); // $bomb
-        new ZstdCompressorInputStream(in); // $bomb
+        new BrotliCompressorInputStream(in); // $ hasTaintFlow="in"
+        new BZip2CompressorInputStream(in); // $ hasTaintFlow="in"
+        new DeflateCompressorInputStream(in); // $ hasTaintFlow="in"
+        new Deflate64CompressorInputStream(in); // $ hasTaintFlow="in"
+        new BlockLZ4CompressorInputStream(in); // $ hasTaintFlow="in"
+        new LZMACompressorInputStream(in); // $ hasTaintFlow="in"
+        new Pack200CompressorInputStream(in); // $ hasTaintFlow="in"
+        new SnappyCompressorInputStream(in); // $ hasTaintFlow="in"
+        new XZCompressorInputStream(in); // $ hasTaintFlow="in"
+        new ZCompressorInputStream(in); // $ hasTaintFlow="in"
+        new ZstdCompressorInputStream(in); // $ hasTaintFlow="in"
 
         int buffersize = 4096;
         final byte[] buffer = new byte[buffersize];
@@ -72,7 +72,7 @@ public static void commonsCompressorInputStream(InputStream inputStream) throws
     static void commonsCompressArchiveInputStream2(InputStream inputStream) {
         byte[] readBuffer = new byte[4096];
         try (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream zipInputStream =
-                     new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream)) { // $bomb
+                     new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
             ArchiveEntry entry = null;
             while ((entry = zipInputStream.getNextEntry()) != null) {
                 if (!zipInputStream.canReadEntryData(entry)) {
@@ -104,7 +104,7 @@ static void commonsCompressArchiveStreamFactory(InputStream inputStream)
             File f = new File("tmpfile");
             try (OutputStream outputStream = new FileOutputStream(f)) {
                 int readLen;
-                while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // $bomb
+                while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // $ hasTaintFlow="zipInputStream"
                     outputStream.write(readBuffer, 0, readLen);
                 }
             }
@@ -119,7 +119,7 @@ static void commonsCompressCompressorStreamFactory(InputStream inputStream)
         int buffersize = 4096;
         final byte[] buffer = new byte[buffersize];
         int n = 0;
-        while (-1 != (n = in.read(buffer))) { // $bomb
+        while (-1 != (n = in.read(buffer))) { // $ hasTaintFlow="in"
             out.write(buffer, 0, n);
         }
         out.close();
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java
@@ -10,7 +10,7 @@ public class SnappyHandler {
     public static void SnappyZipInputStream(InputStream inputStream) throws IOException {
         int readLen;
         byte[] readBuffer = new byte[4096];
-        try (SnappyInputStream zipInputStream = new SnappyInputStream(inputStream)) {  // $bomb
+        try (SnappyInputStream zipInputStream = new SnappyInputStream(inputStream)) {  // $ hasTaintFlow="inputStream"
             try (OutputStream outputStream = Files.newOutputStream(Paths.get("extractedFile"))) {
                 while ((readLen = zipInputStream.read(readBuffer)) != -1) {
                     outputStream.write(readBuffer, 0, readLen);
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java
@@ -12,7 +12,7 @@ public static void zip4jZipInputStream(InputStream inputStream) throws IOExcepti
         LocalFileHeader localFileHeader;
         int readLen;
         byte[] readBuffer = new byte[4096];
-        try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { // $bomb
+        try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
             while ((localFileHeader = zipInputStream.getNextEntry()) != null) {
                 File extractedFile = new File(localFileHeader.getFileName());
                 try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
@@ -28,7 +28,7 @@ public static void zip4jZipInputStreamSafe(InputStream inputStream) throws IOExc
         LocalFileHeader localFileHeader;
         int readLen;
         byte[] readBuffer = new byte[4096];
-        try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { // $bomb
+        try (ZipInputStream zipInputStream = new ZipInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
             while ((localFileHeader = zipInputStream.getNextEntry()) != null) {
                 File extractedFile = new File(localFileHeader.getFileName());
                 try (OutputStream outputStream = new FileOutputStream(extractedFile)) {
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java
@@ -24,7 +24,7 @@ public static void ZipInputStreamSafe(InputStream inputStream) throws IOExceptio
         // FileInputStream fis = new FileInputStream(filename);
         CRC32 checkSum = new CRC32();
         CheckedInputStream gzis = new CheckedInputStream(inputStream, checkSum);
-        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { // $bomb
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { // $ hasTaintFlow="new BufferedInputStream(...)"
             ZipEntry entry;
             int entries = 0;
             long total = 0;
@@ -38,7 +38,7 @@ public static void ZipInputStreamSafe(InputStream inputStream) throws IOExceptio
                 }
                 FileOutputStream fos = new FileOutputStream("/tmp/tmptmp");
                 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $bomb
+                while (total + BUFFER <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
                     dest.write(data, 0, count);
                     total += count;
                 }
@@ -63,7 +63,7 @@ public static void ZipInputStreamSafe2(InputStream inputStream) throws IOExcepti
         int BUFFER = 512;
         int TOOBIG = 100 * 1024 * 1024; // 100MB
         //        FileInputStream fis = new FileInputStream(filename);
-        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { // $bomb
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { // $ hasTaintFlow="new BufferedInputStream(...)"
             ZipEntry entry;
             while ((entry = zis.getNextEntry()) != null) {
                 System.out.println("Extracting: " + entry);
@@ -78,7 +78,7 @@ public static void ZipInputStreamSafe2(InputStream inputStream) throws IOExcepti
                 }
                 FileOutputStream fos = new FileOutputStream(entry.getName());
                 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $bomb
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
                     dest.write(data, 0, count);
                 }
                 dest.flush();
@@ -91,7 +91,7 @@ public static void ZipInputStreamSafe2(InputStream inputStream) throws IOExcepti
     public static void ZipInputStreamUnsafe(InputStream inputStream) throws IOException {
         int BUFFER = 512;
         //        FileInputStream fis = new FileInputStream(filename);
-        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { // $bomb
+        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(inputStream))) { // $ hasTaintFlow="new BufferedInputStream(...)"
             ZipEntry entry;
             while ((entry = zis.getNextEntry()) != null) {
                 System.out.println("Extracting: " + entry);
@@ -100,7 +100,7 @@ public static void ZipInputStreamUnsafe(InputStream inputStream) throws IOExcept
                 // Write the files to the disk
                 FileOutputStream fos = new FileOutputStream(entry.getName()); 
                 BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $bomb
+                while ((count = zis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="zis"
                     dest.write(data, 0, count);
                 }
                 dest.flush();
@@ -112,12 +112,12 @@ public static void ZipInputStreamUnsafe(InputStream inputStream) throws IOExcept
 
     public static void GZipInputStreamUnsafe(InputStream inputStream) throws IOException {
         int BUFFER = 512;
-        try (GZIPInputStream gzis = new GZIPInputStream(inputStream)) { // $bomb
+        try (GZIPInputStream gzis = new GZIPInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
             int count;
             byte[] data = new byte[BUFFER];
             FileOutputStream fos = new FileOutputStream("/tmp/tmp");
             BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-            while ((count = gzis.read(data, 0, BUFFER)) != -1) { // $bomb
+            while ((count = gzis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="gzis"
                 dest.write(data, 0, count);
             }
             dest.flush();
@@ -127,12 +127,12 @@ public static void GZipInputStreamUnsafe(InputStream inputStream) throws IOExcep
 
     public static void InflaterInputStreamUnsafe(InputStream inputStream) throws IOException {
         int BUFFER = 512;
-        try (InflaterInputStream Izis = new InflaterInputStream(inputStream)) { // $bomb
+        try (InflaterInputStream Izis = new InflaterInputStream(inputStream)) { // $ hasTaintFlow="inputStream"
             int count;
             byte[] data = new byte[BUFFER];
             FileOutputStream fos = new FileOutputStream("/tmp/tmp");
             BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
-            while ((count = Izis.read(data, 0, BUFFER)) != -1) { // $bomb
+            while ((count = Izis.read(data, 0, BUFFER)) != -1) { // $ hasTaintFlow="Izis"
                 dest.write(data, 0, count);
             }
             dest.flush();
@@ -142,7 +142,7 @@ public static void InflaterInputStreamUnsafe(InputStream inputStream) throws IOE
 
     public static void InflaterUnsafe(byte[] inputBytes) throws DataFormatException, IOException {
         Inflater inflater = new Inflater();
-        inflater.setInput(inputBytes); // $bomb
+        inflater.setInput(inputBytes); // $ hasTaintFlow="inputBytes"
         try (final ByteArrayOutputStream outputStream = new ByteArrayOutputStream(inputBytes.length)) {
             byte[] buffer = new byte[1024];
             while (!inflater.finished()) {
@@ -156,7 +156,7 @@ public static void InflaterUnsafe(byte[] inputBytes) throws DataFormatException,
     public static void ZipFile1(String zipFilePath) throws DataFormatException, IOException {
         try {
             System.out.println("zipFilePath = " + zipFilePath);
-            ZipFile zipFile = new ZipFile(zipFilePath); // $bomb
+            ZipFile zipFile = new ZipFile(zipFilePath); // $ hasTaintFlow="zipFilePath"
             Enumeration<? extends ZipEntry> entries = zipFile.entries();
             while (entries.hasMoreElements()) {
                 ZipEntry entry = entries.nextElement();
@@ -169,7 +169,7 @@ public static void ZipFile1(String zipFilePath) throws DataFormatException, IOEx
                 } else {
                     String destPath = "tmp" + File.separator + entry.getName();
 
-                    try (InputStream inputStream = zipFile.getInputStream(entry); // $bomb
+                    try (InputStream inputStream = zipFile.getInputStream(entry); // $ hasTaintFlow="zipFile"
                          FileOutputStream outputStream = new FileOutputStream(destPath);) {
                         int data = inputStream.read();
                         while (data != -1) {
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/test.expected b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/test.expected
@@ -1,2 +0,0 @@
-testFailures
-failures
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/test.ql b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/test.ql
@@ -1,18 +1,9 @@
 import java
 import experimental.semmle.code.java.security.DecompressionBombQuery
-import TestUtilities.InlineExpectationsTest
+import TestUtilities.InlineFlowTest
+import TaintFlowTestArgString<DecompressionBombsConfig, getArgString/2>
 
-module BombTest implements TestSig {
-  string getARelevantTag() { result = "bomb" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "bomb" and
-    exists(DataFlow::Node sink | DecompressionBombsFlow::flowTo(sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
+string getArgString(DataFlow::Node src, DataFlow::Node sink) {
+  exists(src) and
+  result = "\"" + sink.toString() + "\""
 }
-
-import MakeTest<BombTest>
