Java: Fix NashornScriptEngine detection in ScriptEngine query

[p0wn4j]

In case of creating ScriptEngine by this way:
NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(...);
engine.eval(input);
ScriptEngine.ql cannot detect this sink.

[smowton]

Can you add this example as a test under the query's corresponding ql/test/experimental directory? I note the original query didn't include tests; it would be good to add a basic non-Nashorn test at the same time.

[p0wn4j]

There is a problem with writing unit test because of Java 15.

[smowton]

What in particular? Nashorn is quite old, isn't it?

[p0wn4j]

Yes it's removed from JDK15. Also calls with ScriptEngine are not compiling

[smowton]

So you may have noticed we use stubs when dealing with third-party libraries so that the tests can be built without shipping the lib's entire jar (e.g. https://github.com/github/codeql/tree/main/java/ql/test/stubs/apache-commons-io-2.6)

Even though this is a first-party package, does it suffice to provide some stubs and ensure those are on the classpath as we do for third-party libs?

[p0wn4j]

Yeah, stubs helped, thanks.

[aschackmull]

Error:     ql/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref: Test failure (Expected output does not match)

[p0wn4j]

Where can I see test output?

[aschackmull]

CI logs are not currently public, but you can run it yourself with codeql test run java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref. The test output diff is rather long - it looks like most of the line numbers are off-by-one or something like that.

[p0wn4j]

I have created a new pull request #5349