Merge pull request #13900 from atorralba/atorralba/java/jaxws-getaremotemethod-improv

Java: Improve `JaxWsEndpoint::getARemoteMethod`
2026-03-03 14:29:49 +01:00 · 2023-08-24 13:37:15 +02:00
parent 59de92ce64 3f9701cea7
commit 6b58d11eeb
4 changed files with 182 additions and 11 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -4,6 +4,8 @@
 */

 import java
+private import semmle.code.java.frameworks.Networking
+private import semmle.code.java.frameworks.Rmi
 private import semmle.code.java.security.XSS

 /**
@@ -23,16 +25,112 @@ string getAJaxRsPackage(string subpackage) { result = getAJaxRsPackage() + "." +
 */
 class JaxWsEndpoint extends Class {
  JaxWsEndpoint() {
-    exists(AnnotationType a | a = this.getAnAnnotation().getType() |
+    exists(AnnotationType a | a = this.getAnAncestor().getAnAnnotation().getType() |
      a.hasName(["WebService", "WebServiceProvider", "WebServiceClient"])
    )
  }

-  /** Gets a method annotated with `@WebMethod` or `@WebEndpoint`. */
-  Callable getARemoteMethod() {
+  /**
+   * Gets a method of this class that is not an excluded `@WebMethod`,
+   * and the parameters and return value of which are either of an acceptable type,
+   * or are annotated with `@XmlJavaTypeAdapter`.
+   */
+  Method getARemoteMethod() {
    result = this.getACallable() and
-    exists(AnnotationType a | a = result.getAnAnnotation().getType() |
-      a.hasName(["WebMethod", "WebEndpoint"])
+    result.isPublic() and
+    not result instanceof InitializerMethod and
+    not exists(Annotation a | a = result.getAnAnnotation() |
+      a.getType().hasQualifiedName(["javax", "jakarta"] + ".jws", "WebMethod") and
+      a.getValue("exclude").(BooleanLiteral).getBooleanValue() = true
+    ) and
+    forex(ParamOrReturn paramOrRet | paramOrRet = result.getAParameter() or paramOrRet = result |
+      exists(Type t | t = paramOrRet.getType() |
+        t instanceof JaxAcceptableType
+        or
+        t.(Annotatable).getAnAnnotation().getType() instanceof XmlJavaTypeAdapter
+        or
+        t instanceof VoidType
+      )
+      or
+      paramOrRet.getInheritedAnnotation().getType() instanceof XmlJavaTypeAdapter
+    )
+  }
+}
+
+/** The annotation type `@XmlJavaTypeAdapter`. */
+class XmlJavaTypeAdapter extends AnnotationType {
+  XmlJavaTypeAdapter() {
+    this.hasQualifiedName(["javax", "jakarta"] + ".xml.bind.annotation.adapters",
+      "XmlJavaTypeAdapter")
+  }
+}
+
+private class ParamOrReturn extends Annotatable {
+  ParamOrReturn() { this instanceof Parameter or this instanceof Method }
+
+  Type getType() {
+    result = this.(Parameter).getType()
+    or
+    result = this.(Method).getReturnType()
+  }
+
+  Annotation getInheritedAnnotation() {
+    result = this.getAnAnnotation()
+    or
+    result = this.(Method).getAnOverride*().getAnAnnotation()
+    or
+    result =
+      this.(Parameter)
+          .getCallable()
+          .(Method)
+          .getAnOverride*()
+          .getParameter(this.(Parameter).getPosition())
+          .getAnAnnotation()
+  }
+}
+
+// JAX-RPC 1.1, section 5
+private class JaxAcceptableType extends Type {
+  JaxAcceptableType() {
+    // JAX-RPC 1.1, section 5.1.1
+    this instanceof PrimitiveType
+    or
+    // JAX-RPC 1.1, section 5.1.2
+    this.(Array).getElementType() instanceof JaxAcceptableType
+    or
+    // JAX-RPC 1.1, section 5.1.3
+    this instanceof JaxAcceptableStandardClass
+    or
+    // JAX-RPC 1.1, section 5.1.4
+    this instanceof JaxValueType
+  }
+}
+
+private class JaxAcceptableStandardClass extends RefType {
+  JaxAcceptableStandardClass() {
+    this instanceof TypeString or
+    this.hasQualifiedName("java.util", "Date") or
+    this.hasQualifiedName("java.util", "Calendar") or
+    this.hasQualifiedName("java.math", "BigInteger") or
+    this.hasQualifiedName("java.math", "BigDecimal") or
+    this.hasQualifiedName("javax.xml.namespace", "QName") or
+    this instanceof TypeUri
+  }
+}
+
+// JAX-RPC 1.1, section 5.4
+private class JaxValueType extends RefType {
+  JaxValueType() {
+    not this instanceof Wildcard and
+    // Mutually exclusive with other `JaxAcceptableType`s
+    not this instanceof Array and
+    not this instanceof JaxAcceptableStandardClass and
+    not this.getPackage().getName().matches("java.%") and
+    // Must not implement (directly or indirectly) the java.rmi.Remote interface.
+    not this.getAnAncestor() instanceof TypeRemote and
+    // The Java type of a public field must be a supported JAX-RPC type as specified in the section 5.1.
+    forall(Field f | this.getAMember() = f and f.isPublic() |
+      f.getType() instanceof JaxAcceptableType
    )
  }
 }