update tests, is not completed yet :)

am0o0 · am0o0 · commit 7df59ffe6cd3 · 2024-07-01T18:22:27.000+02:00
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java
@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Path;
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/DecompressionBombs.qlref b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/DecompressionBombs.qlref
@@ -1 +1 @@
-experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBombFlowState.ql
+experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/HelloServlet.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/HelloServlet.java
@@ -0,0 +1,59 @@
+import org.apache.commons.compress.archivers.ArchiveException;
+import org.apache.commons.compress.compressors.CompressorException;
+import org.apache.commons.io.IOUtils;
+
+import java.io.*;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.zip.DataFormatException;
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class Bombs extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws IOException, ServletException, ServletException, IOException {
+        response.setContentType("text/html");
+        Part remoteFile = request.getPart("zipFile");
+        // Zip
+        ZipHandler.ZipInputStreamSafe2(remoteFile.getInputStream());
+        ZipHandler.ZipInputStreamSafe(request.getPart("zipFile").getInputStream());
+        ZipHandler.ZipInputStreamUnsafe(remoteFile.getInputStream());
+        ZipHandler.GZipInputStreamUnsafe(request.getPart("zipFile").getInputStream());
+        ZipHandler.InflaterInputStreamUnsafe(request.getPart("zipFile").getInputStream());
+        try {
+            ZipHandler.InflaterUnsafe(request.getParameter("data").getBytes(StandardCharsets.UTF_8));
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+           ZipHandler. ZipFile1(request.getParameter("zipFileName"));
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+
+        // Zip4j
+        Zip4jHandler.zip4jZipInputStream(remoteFile.getInputStream());
+        Zip4jHandler.zip4jZipInputStreamSafe(remoteFile.getInputStream());
+        // SnappyZip
+        SnappyHandler.SnappyZipInputStream(remoteFile.getInputStream());
+        // apache Commons
+        commonsCompressArchiveInputStream2(remoteFile.getInputStream());
+        CommonsCompressHandler.commonsCompressorInputStream(remoteFile.getInputStream());
+        try {
+            CommonsCompressHandler.commonsCompressArchiveInputStream(remoteFile.getInputStream());
+            CommonsCompressHandler.commonsCompressArchiveStreamFactory(remoteFile.getInputStream());
+        } catch (ArchiveException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+            CommonsCompressHandler.commonsCompressCompressorStreamFactory(remoteFile.getInputStream());
+        } catch (CompressorException e) {
+            throw new RuntimeException(e);
+        }
+
+        PrintWriter out = response.getWriter();
+        out.println("<html><body>end</body></html>");
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/SnappyHandler.java
@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import java.io.*;
 import java.nio.file.Files;
 import java.nio.file.Paths;
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Zip4jHandler.java
@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import net.lingala.zip4j.model.LocalFileHeader;
 import net.lingala.zip4j.io.inputstream.ZipInputStream;
 import java.io.*;
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/ZipHandler.java
@@ -1,5 +1,3 @@
-package com.Bombs;
-
 import java.io.*;
 import java.io.FileOutputStream;
 import java.nio.ByteBuffer;
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/options b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/stubs
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/pom.xml b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/pom.xml
@@ -1,5 +1,6 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.example</groupId>
     <artifactId>BombsRemoteSourceMavenJavax2</artifactId>
@@ -76,4 +77,4 @@
             <version>1.23.0</version>
         </dependency>
     </dependencies>
-</project>
+</project>
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/java/com/Bombs/HelloServlet.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/java/com/Bombs/HelloServlet.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/webapp/WEB-INF/web.xml b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/webapp/WEB-INF/web.xml
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/webapp/index.jsp b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/webapp/index.jsp

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-package com.Bombs;`
`2`		`-`
`3`	`1`	`import java.io.*;`
`4`	`2`	`import java.nio.file.Files;`
`5`	`3`	`import java.nio.file.Path;`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBombFlowState.ql`
	`1`	`+experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-package com.Bombs;`
`2`		`-`
`3`	`1`	`import net.lingala.zip4j.model.LocalFileHeader;`
`4`	`2`	`import net.lingala.zip4j.io.inputstream.ZipInputStream;`
`5`	`3`	`import java.io.*;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/stubs`