Add tests for HttpServletResponse.setContentType

Author: owen-mc

java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java

@@ -12,7 +12,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 public class XSS extends HttpServlet {
-	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+	protected void doGet(HttpServletRequest request, HttpServletResponse response, boolean safeContentType, boolean getWriter)
 			throws ServletException, IOException {
 		// BAD: a request parameter is written directly to the Servlet response stream
 		response.getWriter()
@@ -38,6 +38,31 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
 		// GOOD: sanitizer
 		response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe
+
+		if(safeContentType) {
+			if(getWriter) {
+				// GOOD: set content-type to something safe
+				response.setContentType("text/plain");
+				response.getWriter().print(request.getPathInfo()); // $ SPURIOUS: xss
+			}
+			else {
+				// GOOD: set content-type to something safe
+				response.setContentType("text/plain");
+				response.getOutputStream().write(request.getPathInfo()); // $ SPURIOUS: xss
+			}
+		}
+		else {
+			if(getWriter) {
+				// BAD: set content-type to something that is not safe
+				response.setContentType("text/html");
+				response.getWriter().print(request.getPathInfo()); // $ xss
+			}
+			else {
+				// BAD: set content-type to something that is not safe
+				response.setContentType("text/html");
+				response.getOutputStream().write(request.getPathInfo()); // $ xss
+			}
+		}
 	}
 
 	/**