First pass converting qlref tests to inline expectation with postprocess

Author: owen-mc

java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref

@@ -1,2 +1,4 @@
 query: experimental/quantum/Examples/ReusedNonce.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/Test.java

@@ -16,7 +16,7 @@ public static SecretKey generateAESKey() throws Exception {
 
     private static byte[] getRandomWrapper1() throws Exception {
         byte[] val = new byte[16];
-        new SecureRandom().nextBytes(val);
+        new SecureRandom().nextBytes(val); // $ Source
         return val;
     }
 
@@ -37,7 +37,7 @@ private static void funcA1(byte[] iv) throws Exception {
         IvParameterSpec ivSpec = new IvParameterSpec(iv);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key = generateAESKey();
-        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcB1
+        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcB1
         byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
     }
 
@@ -46,7 +46,7 @@ private static void funcB1() throws Exception {
         IvParameterSpec ivSpec = new IvParameterSpec(iv);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key = generateAESKey();
-        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcA1
+        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcA1
         byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
     }
 
@@ -73,13 +73,13 @@ private static void funcA3() throws Exception {
         IvParameterSpec ivSpec1 = new IvParameterSpec(iv);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key1 = generateAESKey();
-        cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // BAD: reuse of `iv` below
+        cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // $ Alert // BAD: reuse of `iv` below
         byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
 
         IvParameterSpec ivSpec2 = new IvParameterSpec(iv);
         Cipher cipher2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key2 = generateAESKey();
-        cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // BAD: Reuse of `iv` above
+        cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // $ Alert // BAD: Reuse of `iv` above
         byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
     }
 

java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/experimental/query-tests/security/CWE-020/Log4jJndiInjectionTest.java

@@ -18,12 +18,12 @@ public class FilePathInjection extends Controller {
 
 	// BAD: Upload file to user specified path without validation
 	public void uploadFile() throws IOException {
-		String savePath = getPara("dir");
+		String savePath = getPara("dir"); // $ Source
 		File file = getFile("fileParam").getFile();
 		String finalFilePath = BASE_PATH + savePath;
 
 		FileInputStream fis = new FileInputStream(file);
-		FileOutputStream fos = new FileOutputStream(finalFilePath);
+		FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
 		int i = 0;
 
 		do {
@@ -61,15 +61,15 @@ public void uploadFile2() throws IOException {
 
 	// BAD: Upload file to user specified path without validation through session attribute
 	public void uploadFile3() throws IOException {
-		String savePath = getPara("dir");
+		String savePath = getPara("dir"); // $ Source
 		setSessionAttr("uploadDir", savePath);
 		String sessionUploadDir = getSessionAttr("uploadDir");
 
 		File file = getFile("fileParam").getFile();
 		String finalFilePath = BASE_PATH + sessionUploadDir;
 
 		FileInputStream fis = new FileInputStream(file);
-		FileOutputStream fos = new FileOutputStream(finalFilePath);
+		FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
 		int i = 0;
 
 		do {
@@ -84,15 +84,15 @@ public void uploadFile3() throws IOException {
 
 	// BAD: Upload file to user specified path without validation through request attribute
 	public void uploadFile4() throws IOException {
-		String savePath = getPara("dir");
+		String savePath = getPara("dir"); // $ Source
 		setAttr("uploadDir2", savePath);
 		String requestUploadDir = getAttr("uploadDir2");
 
 		File file = getFile("fileParam").getFile();
 		String finalFilePath = BASE_PATH + requestUploadDir;
 
 		FileInputStream fis = new FileInputStream(file);
-		FileOutputStream fos = new FileOutputStream(finalFilePath);
+		FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
 		int i = 0;
 
 		do {
@@ -179,7 +179,7 @@ private void readFile(HttpServletResponse resp, File file) {
 		FileInputStream fis = null;
 		try {
 			os = resp.getOutputStream();
-			fis = new FileInputStream(file);
+			fis = new FileInputStream(file); // $ Alert
 			byte fileContent[] = new byte[(int) file.length()];
 			fis.read(fileContent);
 			os.write(fileContent);
@@ -202,12 +202,12 @@ private void readFile(HttpServletResponse resp, File file) {
 	// BAD: Download file to user specified path without validation
 	public void downloadFile() throws FileNotFoundException, IOException {
 		HttpServletRequest request = getRequest();
-		String path = request.getParameter("path");
+		String path = request.getParameter("path"); // $ Source
 		String filePath = BASE_PATH + path;
 
 		HttpServletResponse resp = getResponse();
 		File file = new File(filePath);
-		if (path != null && file.exists()) {
+		if (path != null && file.exists()) { // $ Alert
 			resp.setHeader("Content-type", "application/force-download");
 			resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
 			resp.setHeader("Content-Transfer-Encoding", "Binary");

java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.java

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-073/FilePathInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.qlref

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-078/ExecTainted.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref

@@ -11,7 +11,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             String host = "sshHost";
             String user = "user";
             String password = "password";
-            String command = request.getParameter("command");
+            String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
 
             java.util.Properties config = new java.util.Properties();
             config.put("StrictHostKeyChecking", "no");
@@ -24,7 +24,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 session.connect();
 
                 Channel channel = session.openChannel("exec");
-                ((ChannelExec) channel).setCommand("ping " + command);
+                ((ChannelExec) channel).setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
                 channel.setInputStream(null);
                 ((ChannelExec) channel).setErrStream(System.err);
 
@@ -37,7 +37,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             String host = "sshHost";
             String user = "user";
             String password = "password";
-            String command = request.getParameter("command");
+            String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
 
             java.util.Properties config = new java.util.Properties();
             config.put("StrictHostKeyChecking", "no");
@@ -50,7 +50,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
                 session.connect();
 
                 ChannelExec channel = (ChannelExec)session.openChannel("exec");
-                channel.setCommand("ping " + command);
+                channel.setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
                 channel.setInputStream(null);
                 channel.setErrStream(System.err);
 

java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java

@@ -14,29 +14,29 @@ public class RuntimeExecTest {
     public static void test() {
         System.out.println("Command injection test");
 
-        String script = System.getenv("SCRIPTNAME");
+        String script = System.getenv("SCRIPTNAME"); // $ Source[java/command-line-injection-extra-local]
 
         if (script != null) {
             try {
                 // 1. array literal in the args
-                Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
+                Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); // $ Alert[java/command-line-injection-extra-local]
 
                 // 2. array literal with dataflow
                 String[] commandArray1 = new String[]{"/bin/sh", script};
-                Runtime.getRuntime().exec(commandArray1);
+                Runtime.getRuntime().exec(commandArray1); // $ Alert[java/command-line-injection-extra-local]
 
                 // 3. array assignment after it is created
                 String[] commandArray2 = new String[4];
                 commandArray2[0] = "/bin/sh";
                 commandArray2[1] = script;
-                Runtime.getRuntime().exec(commandArray2);
+                Runtime.getRuntime().exec(commandArray2); // $ Alert[java/command-line-injection-extra-local]
 
                 // 4. Stream concatenation
                 Runtime.getRuntime().exec(
-                    Stream.concat(
+                    Stream.concat( // $
                         Arrays.stream(new String[]{"/bin/sh"}),
                         Arrays.stream(new String[]{script})
-                    ).toArray(String[]::new)
+                    ).toArray(String[]::new) // $ Alert[java/command-line-injection-extra-local]
                 );
 
             } catch (Exception e) {