Merge pull request diffblue#484 from diffblue/testy/DSpace

Make DSpace pass stage 1

Author: NathanJPhillips

benchmarks/GENUINE/DSpace.sh

@@ -49,10 +49,11 @@ cd $SECURITY_SCANNER_HOME
 python3 $SCRIPT_DIR/../../driver/run.py \
 -C $SCRIPT_DIR/DSpace_rules.json \
 -I $DEPLOY_DIR/webapps/jspui \
+-L $SCRIPT_DIR/DSpace_files/DI/target \
 -R $OUTPUT_DIR/DSpace/results \
 -T $OUTPUT_DIR/DSpace/temp \
 --name DSpace-jspui-BrowseServlet \
---use-models-library --use-apache-tomcat --use-spring-framework \
+--use-models-library \
 --timeout 10000000 --verbosity 9 --rebuild \
 --do-not-use-precise-access-paths \
 --entry-point org.dspace.app.webui.servlet.BrowserServlet.doDSGet

benchmarks/GENUINE/DSpace_files/DI/src/main/java/com/diffblue/IgnoredMethodImplementation.class

@@ -0,0 +1,4 @@
+package com.diffblue;
+
+public @interface IgnoredMethodImplementation {
+}

benchmarks/GENUINE/DSpace_files/DI/src/main/java/com/diffblue/IgnoredMethodImplementation.java

@@ -0,0 +1,4 @@
+package com.diffblue;
+
+public @interface OverlayClassImplementation {
+}

benchmarks/GENUINE/DSpace_files/DI/src/main/java/com/diffblue/OverlayClassImplementation.class

@@ -0,0 +1,4 @@
+package com.diffblue;
+
+public @interface OverlayMethodImplementation {
+}

benchmarks/GENUINE/DSpace_files/DI/src/main/java/com/diffblue/OverlayClassImplementation.java

@@ -0,0 +1,22 @@
+package org.dspace.browse;
+
+import com.diffblue.IgnoredMethodImplementation;
+import com.diffblue.OverlayClassImplementation;
+import com.diffblue.OverlayMethodImplementation;
+import org.dspace.core.Context;
+
+@OverlayClassImplementation
+public class BrowseDAOFactory
+{
+    @IgnoredMethodImplementation
+    BrowseDAOFactory()
+    {
+    }
+
+    @OverlayMethodImplementation
+    public static BrowseDAO getInstance(Context context)
+        throws BrowseException
+    {
+        return new BrowseDAOOracle(context);
+    }
+}

benchmarks/GENUINE/DSpace_files/DI/src/main/java/com/diffblue/OverlayMethodImplementation.class

@@ -0,0 +1,142 @@
+org.dspace.app.webui.servlet.BrowserServlet.doGet [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/BrowserServlet.java]
+    - This should be the entry point, but since 'doGet' is not overriden in 'BrowserServlet', we need to pass to the command line:
+        --function org.dspace.app.webui.servlet.DSpaceServlet.doGet
+      implemented in file DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/DSpaceServlet.java
+    - the class hierarchy is:
+        org.dspace.app.webui.servlet.BrowserServlet             [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/BrowserServlet.java]
+        org.dspace.app.webui.servlet.AbstractBrowserServlet     [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/AbstractBrowserServlet.java]
+        org.dspace.app.webui.servlet.DSpaceServlet              [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/DSpaceServlet.java]
+
+The error-trace:
+
+org.dspace.app.webui.servlet.DSpaceServlet.doGet [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/DSpaceServlet.java]
+LINE 67: Calling org.dspace.app.webui.servlet.DSpaceServlet.processRequest [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/DSpaceServlet.java]
+    LINE 94: Calling org.dspace.app.webui.util.UIUtil.storeOriginalURL [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/util/UIUtil.java]
+        LINE 209: RULE APPLICATION: Obtaining 'tainted object' by calling HttpServletRequest.getAttribute (but this one is not of interest)
+        LINE 211: Take ELSE
+        RETURN
+    LINE 100: Calling org.dspace.app.webui.util.UIUtil.obtainContext [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/util/UIUtil.java]
+        LINE 99: RULE APPLICATION: Obtaining 'tainted object' by calling ServletRequest.getAttribute (but this one is not of interest)
+        LINE 102: Take IF
+        LINE 105: Calling org.dspace.core.Context.Context [DSpace/dspace-api/src/main/java/org/dspace/core/Context.java]
+            LINE 95: Calling org.dspace.core.Context.init [DSpace/dspace-api/src/main/java/org/dspace/core/Context.java]
+                LINE 121: Calling org.dspace.storage.rdbms.DatabaseManager.getConnection [DSpace/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java]
+                    LINE 629: Calling org.dspace.storage.rdbms.DatabaseManager.getDataSource [DSpace/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java]
+                        LINE 646: Take IF
+                        LINE 650: Calling org.dspace.storage.rdbms.DatabaseManager.initialize [DSpace/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java]
+                            LINE 1325: Take ELSE
+                            LINE 1333: Calling org.dspace.storage.rdbms.DatabaseManager.initDataSource [DSpace/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java]
+                                LINE 1409: Taking JNDI name
+                                LINE 1410: Take IF
+                                LINE 1414: Initialise JNDI Context
+                                LINE 1415: Lookup for the root of servlet data
+                                LINE 1416: Obtain the DataSource instance
+                                LINE 1433: Take ELSE
+                                RETURN
+                            LINE 1344: Take ELSE
+                            LINE 1348: Take IF
+                            RETURN
+                        RETURN
+                    LINE 633: Take IF
+                    RETURN
+                RETURN
+            RETURN
+        LINE 109: RULE APPLICATION: Obtaining 'tainted object' by calling ServletRequest.getAttribute (but this one is not of interest)
+        LINE 112: Take ELSE
+        LINE 140: Take ELSE
+        LINE 143: RULE APPLICATION: Obtaining 'tainted request header' by calling ServletRequest.getHeader (but this one is not of interest)
+        LINE 143: Take ELSE
+        LINE 157: RULE APPLICATION: Storing 'tainted object' to request by calling ServletRequest.getAttribute (but the stored object is actually not tainted)
+        RETURN
+    LINE 104: Calling org.dspace.app.webui.util.Authenticate.getRealRequest [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/util/Authenticate.java]
+        LINE 59: Take ELSE (We do not want to wrap the request due to redirection from successful authentication)
+        RETURN
+    LINE 106: Take ELSE
+    LINE 113: Take ELSE
+    LINE 119: Calling org.dspace.app.webui.servlet.BrowserServlet.doDSGet [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/BrowserServlet.java]
+
+
+        LINE 66: Calling org.dspace.app.webui.servlet.AbstractBrowserServlet.getBrowserScopeForRequest [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/AbstractBrowserServlet.java]
+            LINE 86: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 87: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 88: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 89: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 90: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter
+            LINE 91: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter
+            LINE 92: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter
+            LINE 92: Assign returned tainted string to startsWith
+
+            - ONLY IN THE VERSION WITH THE XSS ISSUE FIXED:
+                LINE 96: RULE APPLICATION: Sanitised 'tainted string' (exception is thrown, if the string is not a number; then HttpServletResponse.SC_BAD_REQUEST is set to the response and the servlet terminates)
+                LINE 99: RULE APPLICATION: Sanitised 'tainted string' (exception is thrown, if the string is not a number; then HttpServletResponse.SC_BAD_REQUEST is set to the response and the servlet terminates)
+                LINE 102: Calling org.dspace.core.Utils.addEntities [DSpace/dspace-api/src/main/java/org/dspace/core/Utils.java]
+                    LINE 283: RULE APPLICATION: Sanitising 'tainted string' by calling com.coverity.security.Escape.html
+                    RETURN
+
+            LINE 112: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 113: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 114: RULE APPLICATION: Obtaining 'tainted string' by calling ServletRequest.getParameter (but this one is not of interest)
+            LINE 127: Take ANY
+            LINE 134: Take ANY
+            LINE 141: Take ANY
+            LINE 154: Take ANY
+            LINE 163: Take ANY
+            LINE 182: Take ANY
+            LINE 188: Take ANY
+            LINE 194: Take ANY
+            LINE 201: Take ELSE
+            LINE 230: Take ANY
+            LINE 236: Take ANY
+            LINE 242: Take ANY
+            LINE 260: Take ANY
+            LINE 265: Take ANY
+            LINE 281: Create new BrowserScope and assign to scope
+            LINE 282: Call scope.setBrowseIndex(bi)
+            LINE 287: Calling org.dspace.browse.BrowserScope.setStartsWith on scope passing tainted string startsWith [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowserScope.java]
+                LINE 471: Putting the 'tainted string' into the startsWith field of scope.
+                RETURN
+            LINE 296: Take ANY
+            LINE 300: Take ANY
+            LINE 306: Take ANY
+            LINE 313: Return scope
+        LINE 66: Assign return value to scope of type BrowserScope
+        LINE 68: Take ELSE
+        LINE 81: Take ELSE
+        LINE 88: Calling org.dspace.app.webui.servlet.AbstractBrowserServlet.processBrowse, passing tainted scope as second argument [DSpace/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/AbstractBrowserServlet.java]
+            LINE 338: Calling org.dspace.browse.BrowseEngine.BrowseEngine [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseEngine.java]
+                LINE 64: Calling org.dspace.browse.BrowseDAOFactory.getInstance [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseDAOFactory.java]
+                    LINE 34: Take ELSE
+                    LINE 41: Resolve the construction
+                    RETURN
+                LINE 64: Assign to member dao
+            LINE 338: Assign newly constructed BrowseEngine to local variable be
+            LINE 339: Calling org.dspace.browse.BrowseEngine.browse on be passing scope as first argument [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseEngine.java]
+                LINE 77: Tainted scope assigned to parameter bs
+                LINE 83: Assign bs to member scope
+                LINE 90: Take IF
+                LINE 94: Calling org.dspace.browse.BrowseEngine.browseByValue on this passing bs as first argument [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseEngine.java]
+                    LINE 399: Tainted scope assigned to parameter bs
+                    !! TODO !! Some missing control flow here
+                    LINE 462: Take IF
+                    LINE 470: Calling org.dspace.browse.BrowseEngine.normalizeJumpToValue [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseEngine.java]
+                        LINE 693: Take ELSE
+                        LINE 698: Take IF
+                        LINE 701: Call scope.getStartsWith() on member scope [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowserScope.java]
+                            LINE 463: Return the tainted string startsWith
+                        LINE 701: Call OrderFormat.makeSortString with the tainted string as parameter 1 [DSpace/dspace-api/src/main/java/org/dspace/sort/OrderFormat.java]
+                            LINE 57: Tainted string assigned to parameter value
+                            LINE 62: Don't take IF
+                            LINE 68: Don't take IF
+                            LINE 104: Return value (the tainted string)
+                        LINE 701: Return the tainted string
+                    LINE 470: Assign the returned tainted string to focusValue
+                    LINE 472: Calling org.dspace.browse.BrowseEngine.getOffsetForDistinctValue passing focusValue as first argument [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseEngine.java]
+                        LINE 667: Assign tainted string to parameter value
+                        LINE 670: Don't take IF
+                        LINE 678: Calling org.dspace.browse.BrowseDAO.doDistinctOffsetQuery passing value as argument 2 ; This is an interface, so possible callee can be e.g. org.dspace.browse.BrowseDAOOracle [DSpace/dspace-api/src/main/java/org/dspace/browse/BrowseDAOOracle.java]
+                            LINE 282: Assign tainted string to parameter value
+                            LINE 295: Take ANY
+                            LINE 298/303: RULE APPLICATION: 'Tainted list' from inserted 'Tainted string'
+                            LINE 306: Take ANY
+                            LINE 312: RULE APPLICATION: 'tainted list of strings' -> 'tainted array of strings'.
+                            LINE 312: Call DatabaseManager.query - SINK: 'tainted array of strings' used in a query to database.

benchmarks/GENUINE/DSpace_files/DI/src/main/java/com/diffblue/OverlayMethodImplementation.java

@@ -12,7 +12,7 @@
         }
       },
       {
-        "comment": "Obtained ServletRequest's poarameter with potentially tainted data.",
+        "comment": "Obtained ServletRequest's parameter with potentially tainted data.",
         "class": "javax.servlet.http.HttpServletRequest",
         "method": "getParameter:(Ljava/lang/String;)Ljava/lang/String;",
         "result": {
@@ -50,6 +50,15 @@
           "taint": "Tainted string"
         }
       },
+      {
+        "comment": "Passing tainted array to DatabaseManager.query is a sink",
+        "class": "org.dspace.storage.rdbms.DatabaseManager",
+        "method": "query:(Lorg/dspace/core/Context;Ljava/lang/String;[Ljava/lang/Object;)Lorg/dspace/storage/rdbms/TableRowIterator;",
+        "sinkTarget": {
+          "location": "arg2",
+          "taint": "Tainted array"
+        }
+      },
       {
         "comment": "Writing content of a tainted stream to disk is a sink.",
         "class": "java.nio.file.Files",