Java: Add models for the Play Framework

2026-04-26 09:15:12 +02:00 · 2023-05-26 10:23:43 +02:00
parent 081c069b3c
commit 903fdb0cb8
10 changed files with 118 additions and 5 deletions
--- a/java/ql/test/library-tests/dataflow/taintsources/PlayMvc.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/PlayMvc.java
@@ -0,0 +1,25 @@
+import play.mvc.Http;
+
+public class PlayMvc {
+
+    private Http.Request request;
+    private Http.RequestHeader header;
+
+    private static void sink(Object o) {}
+
+    public void test() throws Exception {
+        sink(request.body()); // $ hasRemoteValueFlow
+        sink(header.cookie(null)); // $ hasRemoteValueFlow
+        sink(header.cookies()); // $ hasRemoteValueFlow
+        sink(header.getHeader(null)); // $ hasRemoteValueFlow
+        sink(header.getHeaders()); // $ hasRemoteValueFlow
+        sink(header.getQueryString(null)); // $ hasRemoteValueFlow
+        sink(header.header(null)); // $ hasRemoteValueFlow
+        sink(header.headers()); // $ hasRemoteValueFlow
+        sink(header.host()); // $ hasRemoteValueFlow
+        sink(header.path()); // $ hasRemoteValueFlow
+        sink(header.queryString()); // $ hasRemoteValueFlow
+        sink(header.remoteAddress()); // $ hasRemoteValueFlow
+        sink(header.uri()); // $ hasRemoteValueFlow
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-918/mad/Test.java
+++ b/java/ql/test/query-tests/security/CWE-918/mad/Test.java
@@ -9,6 +9,8 @@ import javafx.scene.web.WebEngine;
 import org.apache.commons.jelly.JellyContext;
 import org.codehaus.cargo.container.installer.ZipURLInstaller;
 import org.kohsuke.stapler.HttpResponses;
+import play.libs.ws.WSClient;
+import play.libs.ws.StandaloneWSClient;

 public class Test {

@@ -74,4 +76,14 @@ public class Test {
        r.staticResource((URL) source()); // $ SSRF
    }

+    public void test(WSClient c) {
+        // "play.libs.ws;WSClient;true;url;;;Argument[0];open-url;manual"
+        c.url((String) source()); // $ SSRF
+    }
+
+    public void test(StandaloneWSClient c) {
+        // "play.libs.ws;StandaloneWSClient;true;url;;;Argument[0];open-url;manual"
+        c.url((String) source()); // $ SSRF
+    }
+
 }
--- a/java/ql/test/query-tests/security/CWE-918/options
+++ b/java/ql/test/query-tests/security/CWE-918/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSClient.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSClient.java
@@ -0,0 +1,9 @@
+package play.libs.ws;
+
+public class StandaloneWSClient {
+
+    public StandaloneWSRequest url(String url) {
+        return null;
+    }
+
+}
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSRequest.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/StandaloneWSRequest.java
@@ -0,0 +1,5 @@
+package play.libs.ws;
+
+public class StandaloneWSRequest {
+    
+}
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSClient.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSClient.java
@@ -0,0 +1,9 @@
+package play.libs.ws;
+
+public class WSClient {
+
+    public WSRequest url(String url) {
+        return null;
+    }
+
+}
--- a/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSRequest.java
+++ b/java/ql/test/stubs/playframework-2.6.x/play/libs/ws/WSRequest.java
@@ -0,0 +1,5 @@
+package play.libs.ws;
+
+public class WSRequest {
+
+}