Merge pull request #8639 from atorralba/atorralba/spring-beans-improvements

Java: Improve Spring models

Author: atorralba

java/ql/lib/change-notes/2022-04-01-spring-models-improvements.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added data-flow models for the Spring Framework component `spring-beans`.

java/ql/lib/semmle/code/java/frameworks/spring/SpringBeans.qll

@@ -22,6 +22,10 @@ private class FlowSummaries extends SummaryModelCsv {
         "org.springframework.beans;PropertyValue;false;getValue;;;Argument[-1].MapValue;ReturnValue;value",
         "org.springframework.beans;PropertyValues;true;getPropertyValue;;;Argument[-1].Element;ReturnValue;value",
         "org.springframework.beans;PropertyValues;true;getPropertyValues;;;Argument[-1].Element;ReturnValue.ArrayElement;value",
+        "org.springframework.beans;MutablePropertyValues;true;MutablePropertyValues;(List);;Argument[0].Element;Argument[-1].Element;value",
+        "org.springframework.beans;MutablePropertyValues;true;MutablePropertyValues;(Map);;Argument[0].MapKey;Argument[-1].Element.MapKey;value",
+        "org.springframework.beans;MutablePropertyValues;true;MutablePropertyValues;(Map);;Argument[0].MapValue;Argument[-1].Element.MapValue;value",
+        "org.springframework.beans;MutablePropertyValues;true;MutablePropertyValues;(PropertyValues);;Argument[0].Element;Argument[-1].Element;value",
         "org.springframework.beans;MutablePropertyValues;true;add;(String,Object);;Argument[0];Argument[-1].Element.MapKey;value",
         "org.springframework.beans;MutablePropertyValues;true;add;(String,Object);;Argument[-1];ReturnValue;value",
         "org.springframework.beans;MutablePropertyValues;true;add;(String,Object);;Argument[1];Argument[-1].Element.MapValue;value",

java/ql/lib/semmle/code/java/frameworks/spring/SpringWeb.qll

@@ -5,14 +5,14 @@
 import java
 
 /** An interface for web requests in the Spring framework. */
-class SpringWebRequest extends Class {
+class SpringWebRequest extends Interface {
   SpringWebRequest() {
     this.hasQualifiedName("org.springframework.web.context.request", "WebRequest")
   }
 }
 
 /** An interface for web requests in the Spring framework. */
-class SpringNativeWebRequest extends Class {
+class SpringNativeWebRequest extends Interface {
   SpringNativeWebRequest() {
     this.hasQualifiedName("org.springframework.web.context.request", "NativeWebRequest")
   }

java/ql/test/library-tests/frameworks/spring/beans/Test.java

@@ -0,0 +1,203 @@
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.io.Writer;
+import java.security.Principal;
+import java.time.ZoneId;
+import java.util.Locale;
+import java.util.TimeZone;
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.PushBuilder;
+import javax.servlet.ServletRequest;
+import org.springframework.data.domain.Pageable;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpMethod;
+import org.springframework.stereotype.Controller;
+import org.springframework.validation.Errors;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.util.UriComponentsBuilder;
+import org.springframework.web.context.request.WebRequest;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.servlet.mvc.support.RedirectAttributes;
+import org.springframework.web.bind.support.SessionStatus;
+import org.springframework.web.bind.annotation.MatrixVariable;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.RequestPart;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestAttribute;
+import org.springframework.web.bind.annotation.SessionAttribute;
+
+public class Test {
+
+    static void sink(Object o) {}
+
+    @Controller
+    static class NotTaintedTest {
+        @RequestMapping("/")
+        public void get(WebRequest src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(NativeWebRequest src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(ServletRequest src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(HttpSession src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(PushBuilder src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(Principal src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(HttpMethod src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(Locale src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(TimeZone src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(ZoneId src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(OutputStream src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(Writer src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(RedirectAttributes src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(Errors src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(SessionStatus src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(UriComponentsBuilder src) {
+            sink(src);
+        }
+
+        @RequestMapping("/")
+        public void get(Pageable src) {
+            sink(src);
+        }
+    }
+
+    @Controller
+    static class ExplicitlyTaintedTest {
+        @RequestMapping("/")
+        public void get(InputStream src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void get(Reader src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void matrixVariable(@MatrixVariable Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void requestParam(@RequestParam Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void requestHeader(@RequestHeader Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void cookieValue(@CookieValue Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void requestPart(@RequestPart Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void pathVariable(@PathVariable Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void requestBody(@RequestBody Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void get(HttpEntity src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void requestAttribute(@RequestAttribute Object src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void sessionAttribute(@SessionAttribute Object src) {
+            sink(src); // $hasValueFlow
+        }
+    }
+
+    @Controller
+    static class ImplicitlyTaintedTest {
+        static class Pojo {
+        }
+
+        @RequestMapping("/")
+        public void get(String src) {
+            sink(src); // $hasValueFlow
+        }
+
+        @RequestMapping("/")
+        public void get1(Pojo src) {
+            sink(src); // $hasValueFlow
+        }
+    }
+}

java/ql/test/library-tests/frameworks/spring/controller/Test.java

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/javax-servlet-2.5

java/ql/test/library-tests/frameworks/spring/controller/options

@@ -0,0 +1,17 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineFlowTest
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "ValueFlowConf" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class Test extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { result = any(ValueFlowConf config) }
+}