Convert existing spring http steps to csv

Joe Farebrother
2021-03-30 17:09:17 +01:00
parent d34e748c83
commit 9b6213dbf0
3 changed files with 39 additions and 29 deletions


@@ -104,6 +104,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.MyBatis
private import semmle.code.java.frameworks.Hibernate
private import semmle.code.java.frameworks.jOOQ
private import semmle.code.java.frameworks.spring.SpringHttp
}
private predicate sourceModelCsv(string row) {


@@ -209,22 +209,6 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
// a custom InputStream that wraps a tainted data source is tainted
inputStreamWrapper(sink.getConstructor(), argi)
or
// A SpringHttpEntity is a wrapper around a body and some headers
// Track flow through iff body is a String
exists(SpringHttpEntity she |
sink.getConstructor() = she.getAConstructor() and
argi = 0 and
tracked.getType() instanceof TypeString
)
or
// A SpringRequestEntity is a wrapper around a body and some headers
// Track flow through iff body is a String
exists(SpringResponseEntity sre |
sink.getConstructor() = sre.getAConstructor() and
argi = 0 and
tracked.getType() instanceof TypeString
)
or
sink.getConstructor().(TaintPreservingCallable).returnsTaintFrom(argToParam(sink, argi))
)
}
@@ -277,19 +261,6 @@ private predicate taintPreservingQualifierToMethod(Method m) {
m.getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
not m.getDeclaringType() instanceof TypeObject
or
m.getDeclaringType() instanceof SpringHttpEntity and
m.getName().regexpMatch("getBody|getHeaders")
or
exists(SpringHttpHeaders headers | m = headers.getAMethod() |
m.getReturnType() instanceof TypeString
or
exists(ParameterizedType stringlist |
m.getReturnType().(RefType).getASupertype*() = stringlist and
stringlist.getSourceDeclaration().hasQualifiedName("java.util", "List") and
stringlist.getTypeArgument(0) instanceof TypeString
)
)
or
m.(TaintPreservingCallable).returnsTaintFrom(-1)
or
exists(JaxRsResourceMethod resourceMethod |


@@ -61,3 +61,41 @@ private class UrlOpenSink extends SinkModelCsv {
]
}
}
private class SpringHttpFlowStep extends SinkModelCsv {
override predicate row(string row) {
row =
[
//"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
"org.springframework.http;HttpEntity;false;HttpEntity;(T);;Argument[0];Argument[-1];taint",
"org.springframework.http;HttpEntity;false;HttpEntity;(T,MultiValueMap<String,String>);;Argument[0];Argument[-1];taint",
"org.springframework.http;HttpEntity;false;getBody;;;Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpEntity;false;HttpEntity;getHeaders;;Argument[-1];ReturnValue;taint",
// Constructor with signature (MultiValueMap<String,String>) dependant on collection flow
"org.springframework.http;ResponseEntity;false;ResponseEntity;(T,HttpStatus);;Argument[0];Argument[-1];taint",
"org.springframework.http;ResponseEntity;false;ResponseEntity;(T,MultiValueMap<String,String>,HttpStatus);;Argument[0];Argument[-1];taint",
"org.springframework.http;ResponseEntity;false;ResponseEntity;(T,MultiValueMap<String,String>,int);;Argument[0];Argument[-1];taint",
"org.springframework.http;HttpHeaders;false;get;(Object);Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getAccessControlAllowHeaders;();Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getAccessControlAllowOrigin;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getAccessControlExposeHeaders;();Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getAccessControlRequestHeaders;();Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getCacheControl;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getConnection;();Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getETag;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getETagValuesAsList;(String);Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getFieldValues;(String);Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getFirst;(String);Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getIfMatch;();Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getIfNoneMatch;();Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getLocation;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getOrEmpty;(Object);Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getOrigin;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getPragma;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getUpgrade;();Argument[-1];ReturnValue;taint",
"org.springframework.http;HttpHeaders;false;getValuesAsList;(String);Argument[-1];ReturnValue;taint", // Returns List<String>
"org.springframework.http;HttpHeaders;false;getVary;();Argument[-1];ReturnValue;taint", // Returns List<String>
""
]
}
}
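Review bot: Several rows in the new `SpringHttpFlowStep` class do not match the nine-column summary format given in its own header comment, and the class extends `SinkModelCsv` although every row describes a taint step from an input spec to an output spec; it presumably should extend `SummaryModelCsv`. The `getHeaders` row has `HttpEntity` in the name column and `getHeaders` in the signature column, every `HttpHeaders` row omits the empty `ext` column and so has only eight fields, and the list ends with an empty `""` row. The second file of this commit deletes the hand-written `SpringHttpEntity`/`SpringHttpHeaders` steps, so any row that fails to parse or lands in the wrong model would likely drop taint flow through these types without any error, which means false negatives in the security queries that depend on it. A regression test covering `getBody`, `getHeaders` and at least one `HttpHeaders` getter would confirm the conversion preserves the old behaviour.

```ql
private class SpringHttpFlowStep extends SummaryModelCsv {
  // … unchanged: row predicate header, HttpEntity/ResponseEntity constructor rows, getBody row …
        "org.springframework.http;HttpEntity;false;getHeaders;;;Argument[-1];ReturnValue;taint",
        "org.springframework.http;HttpHeaders;false;get;(Object);;Argument[-1];ReturnValue;taint", // Returns List<String>
        "org.springframework.http;HttpHeaders;false;getAccessControlAllowHeaders;();;Argument[-1];ReturnValue;taint", // Returns List<String>
  // … same empty `ext` column (`;;` after the signature) added to every remaining HttpHeaders row …
        "org.springframework.http;HttpHeaders;false;getVary;();;Argument[-1];ReturnValue;taint" // Returns List<String>
  // … trailing "" row dropped …
```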