hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add some models for the org.lastaflute.web library

Browse Source 
Methods annotated `@Execute` are handlers for URLs. Therefore, the
parameters of the methods annotated with the
`org.lastaflute.web.Execute` annotation are likely either URL parameters
or forms.
This commit is contained in:
Ed Minnix
2024-07-16 14:40:40 -04:00
parent 9a729144e8
commit 3bd330423d
3 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
java/ql/lib/ext/org.lastaflute.web.ruts.multipart.model.yml Normal file
View File

@@ -0,0 +1,9 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getContentType", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getFileData", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getFileName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getInputStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]

1
java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
View File

@@ -20,6 +20,7 @@ import semmle.code.java.frameworks.android.Android
import semmle.code.java.frameworks.android.ExternalStorage
import semmle.code.java.frameworks.android.OnActivityResultSource
import semmle.code.java.frameworks.android.Intent
private import semmle.code.java.frameworks.Lastaflute
import semmle.code.java.frameworks.play.Play
import semmle.code.java.frameworks.spring.SpringWeb
import semmle.code.java.frameworks.spring.SpringController

22
java/ql/lib/semmle/code/java/frameworks/Lastaflute.qll Normal file
View File

@@ -0,0 +1,22 @@
import java
import semmle.code.java.dataflow.FlowSources
/**
* The `org.lastaflute.web.Execute` annotation.
*/
class LastafluteExecuteAnnotation extends Annotation {
LastafluteExecuteAnnotation() { this.getType().hasQualifiedName("org.lastaflute.web", "Execute") }
}
/**
* The parameter of a method defining a URL handler using the Lastaflute framework.
*/
class LastafluteHandlerParameterSource extends RemoteFlowSource {
LastafluteHandlerParameterSource() {
exists(Parameter p | p.getCallable().getAnAnnotation() instanceof LastafluteExecuteAnnotation |
p = this.asParameter()
)
}
override string getSourceType() { result = "Lastaflute handler parameter" }
}