Merge pull request #7548 from zbazztian/spring-taint-summaries

Java: Add Spring and Apache Common Langs taint flow steps

Author: aschackmull

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -103,6 +103,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ratpack.Ratpack
   private import semmle.code.java.frameworks.ratpack.RatpackExec
   private import semmle.code.java.frameworks.spring.SpringCache
+  private import semmle.code.java.frameworks.spring.SpringContext
   private import semmle.code.java.frameworks.spring.SpringHttp
   private import semmle.code.java.frameworks.spring.SpringUtil
   private import semmle.code.java.frameworks.spring.SpringUi

java/ql/lib/semmle/code/java/frameworks/apache/Lang.qll

@@ -73,6 +73,15 @@ private class ApacheArrayUtilsModel extends SummaryModelCsv {
   }
 }
 
+private class ApacheStringEscapeUtilsModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.lang3;StringEscapeUtils;false;escapeJson;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
 private class ApacheStringUtilsModel extends SummaryModelCsv {
   override predicate row(string row) {
     row =

java/ql/lib/semmle/code/java/frameworks/spring/Spring.qll

@@ -9,6 +9,7 @@ import semmle.code.java.frameworks.spring.SpringBeanFile
 import semmle.code.java.frameworks.spring.SpringBeans
 import semmle.code.java.frameworks.spring.SpringBeanRefType
 import semmle.code.java.frameworks.spring.SpringCache
+import semmle.code.java.frameworks.spring.SpringContext
 import semmle.code.java.frameworks.spring.SpringComponentScan
 import semmle.code.java.frameworks.spring.SpringConstructorArg
 import semmle.code.java.frameworks.spring.SpringController

java/ql/lib/semmle/code/java/frameworks/spring/SpringContext.qll

@@ -0,0 +1,18 @@
+/**
+ * Provides models for the `org.springframework.context` package.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class StringSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "org.springframework.context;MessageSource;true;getMessage;(String,Object[],String,Locale);;ArrayElement of Argument[1];ReturnValue;taint",
+        "org.springframework.context;MessageSource;true;getMessage;(String,Object[],String,Locale);;Argument[2];ReturnValue;taint",
+        "org.springframework.context;MessageSource;true;getMessage;(String,Object[],Locale);;ArrayElement of Argument[1];ReturnValue;taint"
+      ]
+  }
+}

java/ql/test/library-tests/frameworks/apache-commons-lang3/StringEscapeUtilsTest.java

@@ -0,0 +1,11 @@
+import org.apache.commons.lang3.StringEscapeUtils;
+
+public class StringEscapeUtilsTest {
+  String taint() { return "tainted"; }
+
+  void sink(Object o) {}
+
+  void test() throws Exception {
+    sink(StringEscapeUtils.escapeJson(taint())); // $hasTaintFlow
+  }
+}

java/ql/test/library-tests/frameworks/spring/context/Test.java

@@ -0,0 +1,20 @@
+import org.springframework.context.support.StaticMessageSource;
+import java.util.Locale;
+
+public class Test {
+
+	public static String code = "mycode";
+	public static Locale locale = Locale.US;
+
+	String taint() { return "tainted"; }
+
+	void sink(Object o) {}
+
+	public void test() {
+		StaticMessageSource sms = new StaticMessageSource();
+		sms.addMessage(code, locale, "hello {0}");
+		sink(sms.getMessage(code, new String[]{ taint() }, locale)); // $hasTaintFlow
+		sink(sms.getMessage(code, new String[]{ taint() }, "", locale)); // $hasTaintFlow
+		sink(sms.getMessage(code, null, taint(), locale)); // $hasTaintFlow
+	}
+}

java/ql/test/library-tests/frameworks/spring/context/flow.expected

@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest

java/ql/test/library-tests/frameworks/spring/context/flow.ql

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/apache-commons-logging-1.2/