Java: Add models for the Play Framework

2026-04-30 03:05:15 +02:00 · 2023-05-26 10:23:43 +02:00
parent 081c069b3c
commit 903fdb0cb8
10 changed files with 118 additions and 5 deletions
--- a/java/ql/lib/change-notes/2023-05-26-play-framework-models.md
+++ b/java/ql/lib/change-notes/2023-05-26-play-framework-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models for the Play Framework.
--- a/java/ql/lib/ext/play.libs.ws.model.yml
+++ b/java/ql/lib/ext/play.libs.ws.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["play.libs.ws", "WSClient", True, "url", "", "", "Argument[0]", "open-url", "manual"]
+      - ["play.libs.ws", "StandaloneWSClient", True, "url", "", "", "Argument[0]", "open-url", "manual"]
--- a/java/ql/lib/ext/play.mvc.model.yml
+++ b/java/ql/lib/ext/play.mvc.model.yml
@@ -3,7 +3,44 @@ extensions:
      pack: codeql/java-all
      extensible: sourceModel
    data:
-      - ["play.mvc", "Http$RequestHeader", False, "getHeader", "", "", "ReturnValue", "remote", "manual"]
-      - ["play.mvc", "Http$RequestHeader", False, "getQueryString", "", "", "ReturnValue", "remote", "manual"]
-      - ["play.mvc", "Http$RequestHeader", False, "header", "", "", "ReturnValue", "remote", "manual"]
-      - ["play.mvc", "Http$RequestHeader", False, "queryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$Request", True, "body", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "cookie", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "cookies", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "getHeader", "", "", "ReturnValue", "remote", "manual"] # v2.4.x
+      - ["play.mvc", "Http$RequestHeader", True, "getHeaders", "", "", "ReturnValue", "remote", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RequestHeader", True, "getQueryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "header", "", "", "ReturnValue", "remote", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RequestHeader", True, "headers", "", "", "ReturnValue", "remote", "manual"] # v2.4.x
+      - ["play.mvc", "Http$RequestHeader", True, "host", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "path", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "queryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "remoteAddress", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "uri", "", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["play.mvc", "Http$RequestBody", True, "as", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RequestBody", True, "asFormUrlEncoded", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asJson", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asMultipartFormData", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asRaw", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asText", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asXml", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "parseJson", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$MultipartFormData", True, "asFormUrlEncoded", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData", True, "getFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData", True, "getFiles", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getContentType", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getDispositionType", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.4.x
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getFilename", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getKey", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getRef", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RawBuffer", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RawBuffer", True, "asFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookie", True, "name", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookie", True, "value", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookies", True, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookies", True, "getCookie", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
--- a/java/ql/test/library-tests/dataflow/taintsources/PlayMvc.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/PlayMvc.java
@@ -0,0 +1,25 @@
+import play.mvc.Http;
+
+public class PlayMvc {
+
+    private Http.Request request;
+    private Http.RequestHeader header;
+
+    private static void sink(Object o) {}
+
+    public void test() throws Exception {
+        sink(request.body()); // $ hasRemoteValueFlow
+        sink(header.cookie(null)); // $ hasRemoteValueFlow
+        sink(header.cookies()); // $ hasRemoteValueFlow
+        sink(header.getHeader(null)); // $ hasRemoteValueFlow
+        sink(header.getHeaders()); // $ hasRemoteValueFlow
+        sink(header.getQueryString(null)); // $ hasRemoteValueFlow
+        sink(header.header(null)); // $ hasRemoteValueFlow
+        sink(header.headers()); // $ hasRemoteValueFlow
+        sink(header.host()); // $ hasRemoteValueFlow
+        sink(header.path()); // $ hasRemoteValueFlow
+        sink(header.queryString()); // $ hasRemoteValueFlow
+        sink(header.remoteAddress()); // $ hasRemoteValueFlow
+        sink(header.uri()); // $ hasRemoteValueFlow
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-918/mad/Test.java
+++ b/java/ql/test/query-tests/security/CWE-918/mad/Test.java
@@ -9,6 +9,8 @@ import javafx.scene.web.WebEngine;
 import org.apache.commons.jelly.JellyContext;
 import org.codehaus.cargo.container.installer.ZipURLInstaller;
 import org.kohsuke.stapler.HttpResponses;
+import play.libs.ws.WSClient;
+import play.libs.ws.StandaloneWSClient;

 public class Test {

@@ -74,4 +76,14 @@ public class Test {
        r.staticResource((URL) source()); // $ SSRF
    }

+    public void test(WSClient c) {
+        // "play.libs.ws;WSClient;true;url;;;Argument[0];open-url;manual"
+        c.url((String) source()); // $ SSRF
+    }
+
+    public void test(StandaloneWSClient c) {
+        // "play.libs.ws;StandaloneWSClient;true;url;;;Argument[0];open-url;manual"
+        c.url((String) source()); // $ SSRF
+    }
+
 }
--- a/java/ql/test/query-tests/security/CWE-918/options
+++ b/java/ql/test/query-tests/security/CWE-918/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSClient.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSClient.java
@@ -0,0 +1,9 @@
+package play.libs.ws;
+
+public class StandaloneWSClient {
+
+    public StandaloneWSRequest url(String url) {
+        return null;
+    }
+
+}
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSRequest.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSRequest.java
@@ -0,0 +1,5 @@
+package play.libs.ws;
+
+public class StandaloneWSRequest {
+    
+}
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSClient.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSClient.java
@@ -0,0 +1,9 @@
+package play.libs.ws;
+
+public class WSClient {
+
+    public WSRequest url(String url) {
+        return null;
+    }
+
+}
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSRequest.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSRequest.java
@@ -0,0 +1,5 @@
+package play.libs.ws;
+
+public class WSRequest {
+
+}