Java: Track flow through HttpEntity and ResponseEntity

- Only track if the body is a String type, as that is the only type at risk of XSS.
2026-04-25 16:55:19 +02:00 · 2020-05-17 17:58:28 +01:00
parent 1d1234093f
commit 7d555a7467
1 changed files with 18 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -8,6 +8,8 @@ private import semmle.code.java.security.Validation
 private import semmle.code.java.frameworks.android.Intent
 private import semmle.code.java.frameworks.Guice
 private import semmle.code.java.frameworks.Protobuf
+private import semmle.code.java.frameworks.spring.SpringController
+private import semmle.code.java.frameworks.spring.SpringHttp
 private import semmle.code.java.Maps
 private import semmle.code.java.dataflow.internal.ContainerFlow
 private import semmle.code.java.frameworks.jackson.JacksonSerializability
@@ -252,6 +254,22 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
    or
    // a custom InputStream that wraps a tainted data source is tainted
    inputStreamWrapper(sink.getConstructor(), argi)
+    or
+    // A SpringHttpEntity is a wrapper around a body and some headers
+    // Track flow through iff body is a String
+    exists(SpringHttpEntity she |
+      sink.getConstructor() = she.getAConstructor() and
+      argi = 0 and
+      tracked.getType() instanceof TypeString
+    )
+    or
+    // A SpringRequestEntity is a wrapper around a body and some headers
+    // Track flow through iff body is a String
+    exists(SpringResponseEntity sre |
+      sink.getConstructor() = sre.getAConstructor() and
+      argi = 0 and
+      tracked.getType() instanceof TypeString
+    )
  )
 }