Java: add remote user input and taint step for Guice framework

2026-02-28 21:03:50 +01:00 · 2019-02-05 20:58:22 -05:00
parent 5754eb666c
commit a436369846
3 changed files with 44 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -17,6 +17,7 @@ import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
+import semmle.code.java.frameworks.Guice

 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -69,6 +70,11 @@ class RemoteUserInput extends UserInput {
    )
    or
    this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation
+    or
+    exists(GuiceRequestParametersAnnotation a |
+      a = this.asParameter().getAnAnnotation() or
+      a = this.asExpr().(FieldRead).getField().getAnAnnotation()
+    )
  }

  /**
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -12,6 +12,7 @@ private import DefUse
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.Validation
 private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.Guice
 private import semmle.code.java.Maps

 module TaintTracking {
@@ -471,6 +472,8 @@ module TaintTracking {
    or
    m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
    m.hasName("get")
+    or
+    m = any(GuiceProvider gp).getAnOverridingGetMethod()
  }

  private class StringReplaceMethod extends Method {
--- a/java/ql/src/semmle/code/java/frameworks/Guice.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Guice.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes and predicates for working with the Guice framework.
+ */
+
+import java
+
+/**
+ * A `@com.google.inject.servlet.RequestParameters` annotation.
+ */
+class GuiceRequestParametersAnnotation extends Annotation {
+  GuiceRequestParametersAnnotation() {
+    this.getType().hasQualifiedName("com.google.inject.servlet", "RequestParameters")
+  }
+}
+
+/**
+ * The interface `com.google.inject.Provider`.
+ */
+class GuiceProvider extends Interface {
+  GuiceProvider() { this.hasQualifiedName("com.google.inject", "Provider") }
+
+  /**
+   * The method named `get` declared on the interface `com.google.inject.Provider`.
+   */
+  Method getGetMethod() {
+    result.getDeclaringType() = this and result.getName() = "get" and result.hasNoParameters()
+  }
+
+  /**
+   * A method that overrides the `get` method on the interface `com.google.inject.Provider`.
+   */
+  Method getAnOverridingGetMethod() {
+    exists(Method m | m.getSourceDeclaration() = getGetMethod() | result.overrides*(m))
+  }
+}