Added missing "GOOD" and "BAD" to some examples

Author: fabienpe

java/ql/src/Security/CWE/CWE-020/ExternalAPITaintStepExample.java

@@ -4,6 +4,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
 		StringBuilder sqlQueryBuilder = new StringBuilder();
 		sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
+		// BAD: a request parameter is concatenated directly into a SQL query
 		sqlQueryBuilder.append(request.getParameter("user_id"));
 		sqlQueryBuilder.append("'");
 

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java

@@ -1,6 +1,6 @@
 public class PartialPathTraversalBad {
     public void example(File dir, File parent) throws IOException {
-        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
+        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) { // BAD: dir.getCanonicalPath() not slash-terminated
             throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
         }
     }

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java

@@ -2,7 +2,7 @@
 
 public class PartialPathTraversalGood {
     public void example(File dir, File parent) throws IOException {
-        if (!dir.toPath().normalize().startsWith(parent.toPath())) {
+        if (!dir.toPath().normalize().startsWith(parent.toPath())) {  // GOOD: Check if dir.Path() is normalised
             throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
         }
     }

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java

@@ -20,4 +20,4 @@ public String studentEmail(String studentName) {
 webview.loadData("", "text/html", null);
 
 String name = "Robert'; DROP TABLE students; --";
-webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");
+webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))"); // BAD: Untrusted input loaded into WebView

java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java

@@ -1,2 +1,2 @@
 WebSettings settings = webview.getSettings();
-settings.setJavaScriptEnabled(false);
+settings.setJavaScriptEnabled(false); // GOOD: webview has JavaScript disabled

java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java

@@ -1,2 +1,2 @@
 WebSettings settings = webview.getSettings();
-settings.setJavaScriptEnabled(true);
+settings.setJavaScriptEnabled(true); // BAD: webview has JavaScript enabled

java/ql/src/Security/CWE/CWE-094/GroovyInjectionBad.java

@@ -2,26 +2,26 @@ public class GroovyInjection {
     void injectionViaClassLoader(HttpServletRequest request) {    
         String script = request.getParameter("script");
         final GroovyClassLoader classLoader = new GroovyClassLoader();
-        Class groovy = classLoader.parseClass(script);
+        Class groovy = classLoader.parseClass(script); // BAD: Groovy code injection
         GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
     }
 
     void injectionViaEval(HttpServletRequest request) {
         String script = request.getParameter("script");
-        Eval.me(script);
+        Eval.me(script); // BAD: Groovy code injection
     }
 
     void injectionViaGroovyShell(HttpServletRequest request) {
         GroovyShell shell = new GroovyShell();
         String script = request.getParameter("script");
-        shell.evaluate(script);
+        shell.evaluate(script); // BAD: Groovy code injection
     }
 
     void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {
         GroovyShell shell = new GroovyShell();
         String script = request.getParameter("script");
         GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-        shell.evaluate(gcs);
+        shell.evaluate(gcs); // BAD: Groovy code injection
     }
 }
 

java/ql/src/Security/CWE/CWE-094/InstallApkWithFile.java

@@ -9,6 +9,6 @@
 File file = new File(Environment.getExternalStorageDirectory(), "myapp.apk");
 Intent intent = new Intent(Intent.ACTION_VIEW);
 /* Set the mimetype to APK */
-intent.setDataAndType(Uri.fromFile(file), "application/vnd.android.package-archive");
+intent.setDataAndType(Uri.fromFile(file), "application/vnd.android.package-archive"); // BAD: The file may be altered by another app
 
 startActivity(intent);

java/ql/src/Security/CWE/CWE-094/InstallApkWithFileProvider.java

@@ -21,7 +21,7 @@
 
 /* Expose temporary file with FileProvider */
 File toInstall = new File(this.getFilesDir(), tempFilename);
-Uri applicationUri = FileProvider.getUriForFile(this, "com.example.apkprovider", toInstall);
+Uri applicationUri = FileProvider.getUriForFile(this, "com.example.apkprovider", toInstall); // GOOD: The file is protected by FileProvider
 
 /* Create Intent and set data to APK file. */
 Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE);

java/ql/src/Security/CWE/CWE-094/InstallApkWithPackageInstaller.java

@@ -1,3 +1,4 @@
+// GOOD: Package installed using PackageInstaller
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.PackageInstaller;