From 89546cbc83806a69e4f13619e421e48d77f419ce Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 01:09:07 +0000
Subject: [PATCH] Fix qldoc inaccuracies

---
 .../frameworks/spring/SpringWebClient.qll | 23 +++++++++++--------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
index 42661ce9183..6f10cf3bad4 100644
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
@@ -72,10 +72,14 @@ private class SpringRestTemplateMethodWithUriVariablesParameter extends Method {
 int getUriVariablesPosition() { result = pos }
 }
 
-/** Gets the first argument, if it is a compile time constant. */
+/** Gets the first argument of `mc`, if it is a compile-time constant. */
 pragma[inline]
 private CompileTimeConstantExpr getConstantUrl(MethodCall mc) { result = mc.getArgument(0) }
 
+/**
+ * Holds if the first argument of `mc` is a compile-time constant URL template
+ * which has its `idx`-th placeholder at the offset `offset`.
+ */
 pragma[inline]
 private predicate urlHasPlaceholderAtOffset(MethodCall mc, int idx, int offset) {
 exists(
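Review bot: The new QLDoc on `urlHasPlaceholderAtOffset` does not say whether `idx` counts placeholders from zero or what `offset` is measured in, and both matter to anyone pairing a placeholder with a URI-variable argument. The predicate body begins in this hunk and continues outside it, so neither can be confirmed from here; if `idx` is zero-based, as the `i >= 0` bound in the sink class of the next hunk suggests, the second doc line could read `which has its zero-based idx-th placeholder at character offset offset in the constant's string value`. Stating this explicitly guards the request forgery model against an off-by-one that would attach the sink to the wrong argument.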
@@ -87,15 +91,16 @@ private predicate urlHasPlaceholderAtOffset(MethodCall mc, int idx, int offset)
 )
 }
 
-private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink {
- SpringWebClientRestTemplateGetForObject() {
+private class SpringWebClientRestTemplateUriVariable extends RequestForgerySink {
+ SpringWebClientRestTemplateUriVariable() {
 exists(SpringRestTemplateMethodWithUriVariablesParameter m, MethodCall mc, int i |
- // Note that the first argument is modeled as a request forgery sink
- // separately. This model is for arguments beyond the first two. There
- // are two relevant overloads, one with third parameter type `Object...`
- // and one with third parameter type `Map`. For the latter we
- // cannot deal with MapValue content easily but there is a default
- // implicit taint read at sinks that will catch it.
+ // Note that the first argument of `m` is modeled as a request forgery
+ // sink separately. This model is for arguments corresponding to the
+ // `uriVariables` parameter. There are always two relevant overloads, one
+ // with parameter type `Object...` and one with parameter type
+ // `Map`. For the latter we cannot deal with MapValue content
+ // easily but there is a default implicit taint read at sinks that will
+ // catch it.
 mc.getMethod() = m and
 i >= 0 and
 this.asExpr() = mc.getArgument(m.getUriVariablesPosition() + i)
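Review bot: The rewritten comment never says what `i` stands for, although the two lines right below it depend on it: `i >= 0` and `mc.getArgument(m.getUriVariablesPosition() + i)`. I would add one line such as `// i is the zero-based index into the uriVariables arguments; for the Map overload only i = 0 yields an argument`. The second half of that sentence assumes `uriVariables` is the last parameter, which is not visible here, so confirm it first. The word "always" in "There are always two relevant overloads" is also a strong claim that should be checked against `SpringRestTemplateMethodWithUriVariablesParameter`, whose definition lies outside this hunk. The characteristic predicate continues past the end of the hunk.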