Java: Add tests

joefarebrother · joefarebrother · commit 9495c5e800e6 · 2020-10-30T12:41:55.000Z
diff --git a/java/ql/src/Security/CWE/CWE-789/UnboundedAllocationBad.java b/java/ql/src/Security/CWE/CWE-789/UnboundedAllocationBad.java
@@ -1,10 +1,9 @@
 public void processData(Socket sock) {
-    InputStream iStream = sock.getInputStream();
-    ObjectInpuStream oiStream = new ObjectInputStream(iStream);
+    ObjectInputStream stream = new ObjectInputStream(sock.getInputStream());
 
-    int size = oiStream.readInt();
+    int size = stream.readInt();
     // BAD: A user-controlled amount of memory is alocated
     byte[] buffer = new byte[size];
 
-    oiStream.readFully(buffer);
+    // ...
 }
diff --git a/java/ql/src/Security/CWE/CWE-789/UnboundedAllocationDeserializationBad.java b/java/ql/src/Security/CWE/CWE-789/UnboundedAllocationDeserializationBad.java
@@ -16,7 +16,7 @@ private void readObject(java.io.ObjectInputStream in) throws IOException, ClassN
         data = new Object[length];
 
         for (int i = 0; i < length; i++) {
-            data[i] = in.readObject()
+            data[i] = in.readObject();
         }
     }
 }
diff --git a/java/ql/src/Security/CWE/CWE-789/UnboundedAllocationGood.java b/java/ql/src/Security/CWE/CWE-789/UnboundedAllocationGood.java
@@ -1,15 +1,14 @@
 public void processData(Socket sock) {
-    InputStream iStream = sock.getInputStream();
-    ObjectInpuStream oiStream = new ObjectInputStream(iStream);
+    ObjectInputStream stream = new ObjectInputStream(sock.getInputStream());
 
-    int size = oiStream.readInt();
+    int size = stream.readInt();
 
     if (size > 4096) {
-        throw new IllegalArgumentException("Size too large");
+        throw new IOException("Size too large");
     }
 
     // GOOD: There is an upper bound on memory consumption.
     byte[] buffer = new byte[size];
 
-    oiStream.readFully(buffer);
+    // ...
 }
diff --git a/java/ql/src/Security/CWE/CWE-789/UnbounedAllocationDeserializationGood.java b/java/ql/src/Security/CWE/CWE-789/UnbounedAllocationDeserializationGood.java
@@ -5,7 +5,7 @@ private void writeObject(java.io.ObjectOutputStream out) throws IOException {
         out.writeInt(data.length);
 
         for (int i = 0; i < data.length; i++) {
-            out.writeLong(data[i]);
+            out.writeObject(data[i]);
         }
     }
 
diff --git a/java/ql/src/Security/CWE/CWE-789/UndoundedAllocationDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-789/UndoundedAllocationDeserialization.qhelp
@@ -29,7 +29,7 @@ The following example allocates an array of a size provided by the input stream,
 <sample src="UnboundedAllocationDeserializationBad.java" />
 
 <p>
-The following example uses an <code>ArrayList</code> to only allocate as much memory as needed, within a constanat factor:
+The following example uses an <code>ArrayList</code> to only allocate as much memory as needed, within a constant factor:
 </p>
 
 <sample src="UnboundedAllocationDeserializationGood.java" />
diff --git a/java/ql/test/query-tests/security/CWE-789/Test.java b/java/ql/test/query-tests/security/CWE-789/Test.java
@@ -0,0 +1,81 @@
+import java.io.*;
+import java.lang.ClassNotFoundException;
+import java.net.Socket;
+import java.util.ArrayList;
+
+class Test {
+
+    class A implements Serializable{
+        transient Object[] data;
+
+        private void writeObject(java.io.ObjectOutputStream out) throws IOException {
+            out.writeInt(data.length);
+
+            for (int i = 0; i < data.length; i++) {
+                out.writeObject(data[i]);
+            }
+        }
+
+        private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException {
+            int length = in.readInt();
+
+            // BAD: An array is allocated whose size could be controlled by an attacker.
+            data = new Object[length];
+
+            for (int i = 0; i < length; i++) {
+                data[i] = in.readObject();
+            }
+        }
+    }
+
+    class B implements Serializable{
+        transient Object[] data;
+
+        private void writeObject(java.io.ObjectOutputStream out) throws IOException {
+            out.writeInt(data.length);
+
+            for (int i = 0; i < data.length; i++) {
+                out.writeObject(data[i]);
+            }
+        }
+
+        private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException {
+            int length = in.readInt();
+
+            // GOOD: An ArrayList is used, which dynamically allocates memory as needed.
+            ArrayList<Object> dataList = new ArrayList<Object>();
+
+            for (int i = 0; i < length; i++) {
+                dataList.add(in.readObject());
+            }
+
+            data = dataList.toArray();
+        }
+    }
+
+
+    public void processData1(Socket sock) throws IOException {
+        ObjectInputStream stream = new ObjectInputStream(sock.getInputStream());
+
+        int size = stream.readInt();
+        // BAD: A user-controlled amount of memory is alocated
+        byte[] buffer = new byte[size];
+
+        // ...
+    }
+
+    public void processData2(Socket sock) throws IOException {
+        ObjectInputStream stream = new ObjectInputStream(sock.getInputStream());
+
+        int size = stream.readInt();
+
+        if (size > 4096) {
+            throw new IOException("Size too large");
+        }
+
+        // GOOD: There is an upper bound on memory consumption.
+        byte[] buffer = new byte[size];
+
+        // ...
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-789/UnboundedAllocation.expected b/java/ql/test/query-tests/security/CWE-789/UnboundedAllocation.expected
@@ -0,0 +1,7 @@
+edges
+| Test.java:58:58:58:78 | getInputStream(...) : InputStream | Test.java:62:34:62:37 | size |
+nodes
+| Test.java:58:58:58:78 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:62:34:62:37 | size | semmle.label | size |
+#select
+| Test.java:62:34:62:37 | size | Test.java:58:58:58:78 | getInputStream(...) : InputStream | Test.java:62:34:62:37 | size | Unbounded memory allocation |
diff --git a/java/ql/test/query-tests/security/CWE-789/UnboundedAllocation.qlref b/java/ql/test/query-tests/security/CWE-789/UnboundedAllocation.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-789/UnboundedAllocation.ql
diff --git a/java/ql/test/query-tests/security/CWE-789/UnboundedAllocationDeserialization.expected b/java/ql/test/query-tests/security/CWE-789/UnboundedAllocationDeserialization.expected
@@ -0,0 +1,7 @@
+edges
+| Test.java:19:33:19:60 | in : ObjectInputStream | Test.java:23:31:23:36 | length |
+nodes
+| Test.java:19:33:19:60 | in : ObjectInputStream | semmle.label | in : ObjectInputStream |
+| Test.java:23:31:23:36 | length | semmle.label | length |
+#select
+| Test.java:23:31:23:36 | length | Test.java:19:33:19:60 | in : ObjectInputStream | Test.java:23:31:23:36 | length | Unbounded memory allocation from deserialization |
diff --git a/java/ql/test/query-tests/security/CWE-789/UnboundedAllocationDeserialization.qlref b/java/ql/test/query-tests/security/CWE-789/UnboundedAllocationDeserialization.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-789/UnboundedAllocationDeserialization.ql

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ private void readObject(java.io.ObjectInputStream in) throws IOException, ClassN`
`16`	`16`	`data = new Object[length];`
`17`	`17`
`18`	`18`	`for (int i = 0; i < length; i++) {`
`19`		`- data[i] = in.readObject()`
	`19`	`+ data[i] = in.readObject();`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ private void writeObject(java.io.ObjectOutputStream out) throws IOException {`
`5`	`5`	`out.writeInt(data.length);`
`6`	`6`
`7`	`7`	`for (int i = 0; i < data.length; i++) {`
`8`		`- out.writeLong(data[i]);`
	`8`	`+ out.writeObject(data[i]);`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-789/UnboundedAllocation.ql`