Add error-page check

java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp

@@ -10,7 +10,7 @@ Even though the signatures for methods in a servlet include <code>throws IOExcep
 
 <recommendation>
 <p>
-Handle method calls that throw IOExceptions and/or RuntimeExceptions and display custom error messages without stack traces and sensitive information.
+Handle method calls that throw IOExceptions and/or RuntimeExceptions and display custom error messages without stack traces and sensitive information, or configure an <code>error-page</code> in web.xml to display a generic user-friendly message for any uncaught exception.
 </p>
 </recommendation>
 

java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql

@@ -11,6 +11,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Servlets
+import semmle.code.xml.WebXML
 import DataFlow::PathGraph
 
 /** The type `java.io.IOException`. */
@@ -44,6 +45,11 @@ private predicate isServletMethod(Callable c) {
   )
 }
 
+/** Holds if `web.xml` has an error page configured. */
+private predicate hasErrorPage() {
+  exists(WebErrorPage wep | wep.getPageLocation().getValue() != "")
+}
+
 /** Sink of uncaught IO exceptions or runtime exceptions since other exception types must be explicitly caught. */
 class UncaughtServletExceptionSink extends DataFlow::ExprNode {
   UncaughtServletExceptionSink() {
@@ -74,6 +80,6 @@ class UncaughtServletExceptionConfiguration extends TaintTracking::Configuration
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UncaughtServletExceptionConfiguration c
-where c.hasFlowPath(source, sink)
+where c.hasFlowPath(source, sink) and not hasErrorPage()
 select sink.getNode(), source, sink, "$@ flows to here and can throw uncaught exception.",
   source.getNode(), "User-provided value"

java/ql/src/semmle/code/xml/WebXML.qll

@@ -130,3 +130,40 @@ class WebListenerClass extends WebXMLElement {
    */
   Class getClass() { result.getQualifiedName() = getValue() }
 }
+
+/**
+ * An `<error-page>` element in a `web.xml` file.
+ */
+class WebErrorPage extends WebXMLElement {
+  WebErrorPage() { this.getName() = "error-page" }
+
+  /**
+   * Gets the `<exception-type>` element of this `<error-page>`.
+   */
+  WebErrorPageType getPageType() { result = getAChild() }
+
+  /**
+   * Gets the `<location>` element of this `<error-page>`.
+   */
+  WebErrorPageLocation getPageLocation() { result = getAChild() }
+}
+
+/**
+ * An `<exception-type>` element in a `web.xml` file, nested under an `<error-page>` element.
+ */
+class WebErrorPageType extends WebXMLElement {
+  WebErrorPageType() {
+    getName() = "exception-type" and
+    getParent() instanceof WebErrorPage
+  }
+}
+
+/**
+ * A `<location>` element in a `web.xml` file, nested under an `<error-page>` element.
+ */
+class WebErrorPageLocation extends WebXMLElement {
+  WebErrorPageLocation() {
+    getName() = "location" and
+    getParent() instanceof WebErrorPage
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-600/web.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+	id="myapp" version="3.0">
+
+    <display-name>myapp</display-name>
+
+	<welcome-file-list>
+		<welcome-file>index.jsp</welcome-file>
+		<welcome-file>index.xhtml</welcome-file>
+	</welcome-file-list>
+    
+	<!-- error-page>
+		<location>/index.jsp</location>
+	</error-page -->
+</web-app>