Java: Model flow source for apache http requests,

Model flow steps for associated getters Fix rebase conflict
2026-04-30 19:26:02 +02:00 · 2021-02-02 16:21:07 +00:00
parent 4184ebd091
commit 561679611e
2 changed files with 62 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -17,6 +17,7 @@ module Frameworks {
  private import semmle.code.java.frameworks.Protobuf
  private import semmle.code.java.frameworks.guava.Guava
  private import semmle.code.java.frameworks.apache.Lang
+  private import semmle.code.java.frameworks.ApacheHttp
 }

 /**
--- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -3,6 +3,7 @@
 */

 import java
+private import semmle.code.java.dataflow.FlowSteps

 class ApacheHttpGetParams extends Method {
  ApacheHttpGetParams() {
@@ -53,3 +54,63 @@ class ApacheHttpRequestHandlerParameter extends Parameter {
    )
  }
 }
+
+private class ApacheHttpGetter extends TaintPreservingCallable {
+  ApacheHttpGetter() {
+    exists(string pkg, string ty, string mtd, Method m |
+      this.(Method).overrides*(m) and
+      m.getDeclaringType().hasQualifiedName(pkg, ty) and
+      m.hasName(mtd)
+    |
+      pkg = "org.apache.http" and
+      (
+        ty = "HttpMessage" and
+        mtd =
+          [
+            "getAllHeaders", "getFirstHeader", "getHeaders", "getLastHeader", "getParams",
+            "headerIterator"
+          ]
+        or
+        ty = "HttpRequest" and
+        mtd = "getRequestLine"
+        or
+        ty = "HttpEntityEnclosingRequest" and
+        mtd = "getEntity"
+        or
+        ty = "Header" and
+        mtd = "getElements"
+        or
+        ty = "HeaderElement" and
+        mtd = ["getName", "getParameter", "getParameterByName", "getParameters", "getValue"]
+        or
+        ty = "NameValuePair" and
+        mtd = ["getName", "getValue"]
+        or
+        ty = "HeaderIterator" and
+        mtd = "nextHeader"
+        or
+        ty = "HttpEntity" and
+        mtd = ["getContent", "getContentEncoding", "getContentType"]
+        or
+        ty = "RequestLine" and
+        mtd = ["getMethod", "getUri"]
+      )
+      or
+      pkg = "org.apache.http.params" and
+      ty = "HttpParams" and
+      mtd.matches("get%Parameter")
+    )
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
+}
+
+private class EntityUtilMethod extends TaintPreservingCallable {
+  EntityUtilMethod() {
+    this.getDeclaringType().hasQualifiedName("org.apache.http.util", "EntityUtils") and
+    this.isStatic() and
+    this.hasName(["toString", "toByteArray"])
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
+}