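--- a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
@@ -15,7 +15,19 @@ import java
 import semmle.code.java.security.LogInjectionQuery
 import LogInjectionFlow::PathGraph
 
+/**
+* Holds if `m` is a test method annotated with a JUnit test annotation.
+*/
+private predicate isTestMethod(Method m) {
+m.getAnAnnotation().getType().hasQualifiedName("org.junit.jupiter.api",
+["Test", "ParameterizedTest", "RepeatedTest", "TestFactory"])
+or
+m.getAnAnnotation().getType().hasQualifiedName("org.junit", "Test")
+}
+
 from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
-where LogInjectionFlow::flowPath(source, sink)
+where
+LogInjectionFlow::flowPath(source, sink) and
+not isTestMethod(sink.getNode().getEnclosingCallable())
 select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
 "user-provided value"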
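Review bot: The exclusion in the new `where` clause keys only on `sink.getNode().getEnclosingCallable()`, so a log call placed in a lambda inside a test method, or in a helper the test calls, is still reported, and a sink in production code fed by a source in a test is still reported too; the Javadoc on `isTestMethod` should state that scope so nobody reads it as "test code is excluded", e.g. `Holds if `m` is directly annotated with a JUnit 4 or JUnit 5 test annotation; callables nested in or invoked from such a method are not covered.` The predicate also hand-rolls annotation matching that the Java library already models; if `TestMethod` from `semmle.code.java.UnitTests` covers the annotations needed here, reusing it keeps this query consistent with other queries that suppress test code and picks up frameworks such as TestNG without per-query lists. Excluding JUnit-only sinks is a precision trade-off rather than a security fix, so the query's metadata comment (outside this hunk) may deserve a sentence noting that log injection in annotated test methods is deliberately not reported.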
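--- /dev/null
+++ b/[new test file path not shown on page]
@@ -0,0 +1,32 @@
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+* Test that log injection results inside test methods are excluded.
+*/
+public class LogInjectionTestAnnotation {
+private static final Logger logger = LoggerFactory.getLogger(LogInjectionTestAnnotation.class);
+
+// GOOD: test methods should not be flagged for log injection
+@Test
+void testLogUserInput(HttpServletRequest request) {
+String userInput = request.getParameter("input");
+logger.info("Testing with input: " + userInput);
+}
+
+// GOOD: parameterized test should not be flagged
+@ParameterizedTest
+void testLogParameterized(HttpServletRequest request) {
+String userInput = request.getParameter("input");
+logger.warn("Param test: " + userInput);
+}
+
+// BAD: non-test method should still be flagged
+void handleRequest(HttpServletRequest request) {
+String userInput = request.getParameter("input");
+logger.info("Processing: " + userInput); // $ Alert
+}
+}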
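Review bot: The fixture only exercises `@Test` and `@ParameterizedTest` from `org.junit.jupiter.api`, while the predicate it is meant to test also matches `RepeatedTest`, `TestFactory` and JUnit 4's `org.junit.Test`; without a method for each of those, a regression in the annotation list would pass this test unnoticed. It also has no case pinning the boundary of the exclusion, such as a log call inside a lambda within an annotated method or inside a helper that an annotated method calls, so whether those are still reported is undocumented by the test. Adding one method per annotation plus one boundary case, each with the appropriate `// $ Alert` or no-alert marker, would make the expected behaviour explicit. The `// GOOD`/`// BAD` comments are fine as-is since the fixture is only extracted, not executed.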