Merge pull request #14913 from jcogs33/jcogs33/unsafe-url-forward_path-inj-related_cve-2019-3799

Java: add Spring models

java/ql/lib/change-notes/2023-11-29-new-spring-models.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
+* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.

java/ql/lib/ext/org.springframework.core.io.model.yml

@@ -3,5 +3,6 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["org.springframework.core.io", "Resource", True, "createRelative", "(String)", "", "Argument[0]", "path-injection", "manual"]
       - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "request-forgery", "manual"]

java/ql/lib/ext/org.springframework.web.util.model.yml

@@ -1,4 +1,18 @@
 extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getLookupPathForRequest", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getOriginatingQueryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getOriginatingRequestUri", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getPathWithinApplication", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getPathWithinServletMapping", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getRequestUri", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getResolvedLookupPath", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "getServletPath", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.springframework.web.util", "UrlPathHelper", False, "resolveAndCacheLookupPath", "", "", "ReturnValue", "remote", "manual"]
+
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
@@ -147,15 +161,7 @@ extensions:
       - ["org.springframework.web.util", "UrlPathHelper", False, "decodeRequestString", "", "", "Argument[1]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.web.util", "UrlPathHelper", False, "getContextPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.web.util", "UrlPathHelper", False, "getOriginatingContextPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getOriginatingQueryString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getOriginatingRequestUri", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getPathWithinApplication", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getPathWithinServletMapping", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getRequestUri", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getResolvedLookupPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "getServletPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.web.util", "UrlPathHelper", False, "removeSemicolonContent", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.web.util", "UrlPathHelper", False, "resolveAndCacheLookupPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.web.util", "WebUtils", False, "findParameterValue", "(Map,String)", "", "Argument[0].MapValue", "ReturnValue", "value", "manual"]
       - ["org.springframework.web.util", "WebUtils", False, "findParameterValue", "(ServletRequest,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.web.util", "WebUtils", False, "getCookie", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

java/ql/test/library-tests/frameworks/spring/webutil/Test.java

@@ -2396,45 +2396,6 @@ public class Test {
 			out = instance.getOriginatingContextPath(in);
 			sink(out); // $hasTaintFlow
 		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getOriginatingQueryString;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.getOriginatingQueryString(in);
-			sink(out); // $hasTaintFlow
-		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getOriginatingRequestUri;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.getOriginatingRequestUri(in);
-			sink(out); // $hasTaintFlow
-		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getRequestUri;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.getRequestUri(in);
-			sink(out); // $hasTaintFlow
-		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getResolvedLookupPath;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			ServletRequest in = (ServletRequest)source();
-			out = UrlPathHelper.getResolvedLookupPath(in);
-			sink(out); // $hasTaintFlow
-		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getServletPath;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.getServletPath(in);
-			sink(out); // $hasTaintFlow
-		}
 		{
 			// "org.springframework.web.util;UrlPathHelper;false;removeSemicolonContent;;;Argument[0];ReturnValue;taint;manual"
 			String out = null;
@@ -2443,14 +2404,6 @@ public class Test {
 			out = instance.removeSemicolonContent(in);
 			sink(out); // $hasTaintFlow
 		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;resolveAndCacheLookupPath;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.resolveAndCacheLookupPath(in);
-			sink(out); // $hasTaintFlow
-		}
 		{
 			// "org.springframework.web.util;WebUtils;false;findParameterValue;(Map,String);;MapValue of Argument[0];ReturnValue;value;manual"
 			String out = null;
@@ -2605,22 +2558,6 @@ public class Test {
 			out = in.toString();
 			sink(out); // $ hasTaintFlow
 		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getPathWithinApplication;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.getPathWithinApplication(in);
-			sink(out); // $ hasTaintFlow
-		}
-		{
-			// "org.springframework.web.util;UrlPathHelper;false;getPathWithinServletMapping;;;Argument[0];ReturnValue;taint;manual"
-			String out = null;
-			HttpServletRequest in = (HttpServletRequest)source();
-			UrlPathHelper instance = null;
-			out = instance.getPathWithinServletMapping(in);
-			sink(out); // $ hasTaintFlow
-		}
 		{
 			// "org.springframework.web.util;WebUtils;false;setSessionAttribute;;;Argument[2];Argument[0];taint;manual"
 			HttpServletRequest out = null;