Merge pull request #1262 from sb-semmle/more-spring-sources

Parameters annotated with Spring's @RequestBody and @PathVariable are remote input sources.

change-notes/1.21/analysis-java.md

@@ -22,5 +22,6 @@
   methods. This means that more guards are recognized yielding precision
   improvements in a number of queries including `java/index-out-of-bounds`,
   `java/dereferenced-value-may-be-null`, and `java/useless-null-check`.
-
-
+* Spring framework support is enhanced by taking into account additional
+  annotations that indicate remote user input. This affects all security
+  queries, which may yield additional results.

java/ql/src/semmle/code/java/frameworks/SpringWeb.qll

@@ -11,7 +11,9 @@ class SpringServletInputAnnotation extends Annotation {
       a.hasName("RequestParam") or
       a.hasName("RequestHeader") or
       a.hasName("CookieValue") or
-      a.hasName("RequestPart")
+      a.hasName("RequestPart") or
+      a.hasName("PathVariable") or
+      a.hasName("RequestBody")
     )
   }
 }