From 17cef3f4986147e3793d406af15dba0a0554e045 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Tue, 17 Aug 2021 12:45:47 -0700
Subject: [PATCH] Address review comments
---
 .../java/frameworks/spring/SpringWebUtil.qll | 9 +++-
 .../frameworks/spring/webutil/Test.java | 52 ++++++++++++++++---
 2 files changed, 51 insertions(+), 10 deletions(-)
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll
index 89def3a3e61..78f6bfb281c 100644
--- a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll
+++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll
@@ -94,6 +94,8 @@ private class FlowSummaries extends SummaryModelCsv {
 "org.springframework.web.util;UriComponents;false;getUserInfo;;;Argument[-1];ReturnValue;taint",
 "org.springframework.web.util;UriComponents;false;toUri;;;Argument[-1];ReturnValue;taint",
 "org.springframework.web.util;UriComponents;false;toUriString;;;Argument[-1];ReturnValue;taint",
+ "org.springframework.web.util;UriComponents;false;toString;;;Argument[-1];ReturnValue;taint",
+ "org.springframework.web.util;UriComponents;false;normalize;;;Argument[-1];ReturnValue;taint",
 "org.springframework.web.util;UriComponentsBuilder;false;build;;;Argument[-1];ReturnValue;taint",
 "org.springframework.web.util;UriComponentsBuilder;false;build;(Map);;MapValue of Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UriComponentsBuilder;false;build;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
@@ -121,6 +123,7 @@ private class FlowSummaries extends SummaryModelCsv {
 "org.springframework.web.util;UriTemplate;false;expand;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UriTemplate;false;getVariableNames;;;Argument[-1];Element of ReturnValue;taint",
 "org.springframework.web.util;UriTemplate;false;match;;;Argument[0];MapValue of ReturnValue;taint",
+ "org.springframework.web.util;UriTemplate;false;toString;;;Argument[-1];ReturnValue;taint",
 "org.springframework.web.util;UriUtils;false;decode;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UriUtils;false;encode;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UriUtils;false;encodeAuthority;;;Argument[0];ReturnValue;taint",
@@ -148,7 +151,8 @@ private class FlowSummaries extends SummaryModelCsv {
 "org.springframework.web.util;UrlPathHelper;false;getOriginatingContextPath;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UrlPathHelper;false;getOriginatingQueryString;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UrlPathHelper;false;getOriginatingRequestUri;;;Argument[0];ReturnValue;taint",
- "org.springframework.web.util;UrlPathHelper;false;getOriginatingServletPath;;;Argument[0];ReturnValue;taint",
+ "org.springframework.web.util;UrlPathHelper;false;getPathWithinApplication;;;Argument[0];ReturnValue;taint",
+ "org.springframework.web.util;UrlPathHelper;false;getPathWithinServletMapping;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UrlPathHelper;false;getRequestUri;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UrlPathHelper;false;getResolvedLookupPath;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;UrlPathHelper;false;getServletPath;;;Argument[0];ReturnValue;taint",
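Review bot: Dropping the `getOriginatingServletPath` row in the `-148,7 +151,8` hunk leaves the two servlet-path getters modelled differently, because the `getServletPath` row stays in the context lines just below with the same `Argument[0]` to `ReturnValue` taint step, and nothing in the hunk says why. If the row was removed because the servlet path is not considered attacker-controlled, the same reasoning would seem to apply to `getServletPath`; if not, the removal risks a missed flow in taint queries that consume this model. A short comment above the two new rows would record the decision, e.g. `// getOriginatingServletPath is intentionally not modelled: <reason>`. The string list starts and ends outside the hunk.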
@@ -165,7 +169,8 @@ private class FlowSummaries extends SummaryModelCsv {
 "org.springframework.web.util;WebUtils;false;getRequiredSessionAttribute;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;WebUtils;false;getSessionAttribute;;;Argument[0];ReturnValue;taint",
 "org.springframework.web.util;WebUtils;false;parseMatrixVariables;;;Argument[0];MapKey of ReturnValue;taint",
- "org.springframework.web.util;WebUtils;false;parseMatrixVariables;;;Argument[0];MapValue of ReturnValue;taint"
+ "org.springframework.web.util;WebUtils;false;parseMatrixVariables;;;Argument[0];MapValue of ReturnValue;taint",
+ "org.springframework.web.util;WebUtils;false;setSessionAttribute;;;Argument[2];Argument[0];taint"
 ]
 }
 }
diff --git a/java/ql/test/library-tests/frameworks/spring/webutil/Test.java b/java/ql/test/library-tests/frameworks/spring/webutil/Test.java
index e37426ea4a6..1e93454fbd7 100644
--- a/java/ql/test/library-tests/frameworks/spring/webutil/Test.java
+++ b/java/ql/test/library-tests/frameworks/spring/webutil/Test.java
@@ -2441,14 +2441,6 @@ public class Test {
 out = instance.getOriginatingRequestUri(in);
 sink(out); // $hasTaintFlow
 }
- {
- // "org.springframework.web.util;UrlPathHelper;false;getOriginatingServletPath;;;Argument[0];ReturnValue;taint"
- String out = null;
- HttpServletRequest in = (HttpServletRequest)source();
- UrlPathHelper instance = null;
- out = instance.getOriginatingServletPath(in);
- sink(out); // $hasTaintFlow
- }
 {
 // "org.springframework.web.util;UrlPathHelper;false;getRequestUri;;;Argument[0];ReturnValue;taint"
 String out = null;
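Review bot: The new `setSessionAttribute` row in the `-165,7 +169,8` hunk maps `Argument[2]` to `Argument[0]`, so storing one tainted value marks the whole `HttpServletRequest` as tainted, whatever attribute name is passed in `Argument[1]`. That appears to be what lets the existing `getSessionAttribute` row (`Argument[0]` to `ReturnValue`) carry the value back out, but it presumably also makes every other request-derived summary in this list report flow from that request afterwards. The over-approximation is worth stating next to the row, for example `// session state is approximated by tainting the request; attribute names are not tracked`.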
@@ -2621,6 +2613,50 @@ public class Test {
 out = HtmlUtils.htmlEscapeHex(in);
 sink(out); // $ hasTaintFlow
 }
+ {
+ // "org.springframework.web.util;UriComponents;false;normalize;;;Argument[-1];ReturnValue;taint"
+ UriComponents out = null;
+ UriComponents in = (UriComponents)source();
+ out = in.normalize();
+ sink(out); // $ hasTaintFlow
+ }
+ {
+ // "org.springframework.web.util;UriComponents;false;toString;;;Argument[-1];ReturnValue;taint"
+ String out = null;
+ UriComponents in = (UriComponents)source();
+ out = in.toString();
+ sink(out); // $ hasTaintFlow
+ }
+ {
+ // "org.springframework.web.util;UriTemplate;false;toString;;;Argument[-1];ReturnValue;taint"
+ String out = null;
+ UriTemplate in = (UriTemplate)source();
+ out = in.toString();
+ sink(out); // $ hasTaintFlow
+ }
+ {
+ // "org.springframework.web.util;UrlPathHelper;false;getPathWithinApplication;;;Argument[0];ReturnValue;taint"
+ String out = null;
+ HttpServletRequest in = (HttpServletRequest)source();
+ UrlPathHelper instance = null;
+ out = instance.getPathWithinApplication(in);
+ sink(out); // $ hasTaintFlow
+ }
+ {
+ // "org.springframework.web.util;UrlPathHelper;false;getPathWithinServletMapping;;;Argument[0];ReturnValue;taint"
+ String out = null;
+ HttpServletRequest in = (HttpServletRequest)source();
+ UrlPathHelper instance = null;
+ out = instance.getPathWithinServletMapping(in);
+ sink(out); // $ hasTaintFlow
+ }
+ {
+ // "org.springframework.web.util;WebUtils;false;setSessionAttribute;;;Argument[2];Argument[0];taint"
+ HttpServletRequest out = null;
+ Object in = (Object)source();
+ WebUtils.setSessionAttribute(out, null, in);
+ sink(out); // $ hasTaintFlow
+ }
 }
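Review bot: The `setSessionAttribute` case at the end of this hunk only pins the positive direction, value in `Argument[2]` reaching the request; nothing checks that a tainted attribute name in `Argument[1]` does not reach it. Because that summary writes to an argument rather than the return value, a negative case would guard against the row being widened by accident, assuming the harness treats an unannotated `sink` as expecting no flow. Separately, the new cases spell the expectation `// $ hasTaintFlow` while the case removed in the previous hunk used `// $hasTaintFlow`; presumably both are accepted, but one spelling is easier to search for. The enclosing test method starts and ends outside the hunk.

```java
{
    // negative case: the attribute name (Argument[1]) has no summary row
    HttpServletRequest out = null;
    String in = (String)source();
    WebUtils.setSessionAttribute(out, in, null);
    sink(out); // no flow expected
}
```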