hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Convert model to QL

Browse Source
This commit is contained in:
Owen Mansel-Chan
2024-11-28 13:44:55 +00:00
parent b5fbf2e944
commit ba3f9d6134
2 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/lib/ext/org.springframework.web.client.model.yml
View File

@@ -16,9 +16,6 @@ extensions:
- ["org.springframework.web.client", "RestTemplate", False, "execute", "", "", "Argument[0]", "request-forgery", "manual"]
- ["org.springframework.web.client", "RestTemplate", False, "getForEntity", "", "", "Argument[0]", "request-forgery", "manual"]
- ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[0]", "request-forgery", "manual"]
- ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2]", "request-forgery", "manual"] # This is a workaround for the fact that sink model can't currently have access paths
# - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].ArrayElement", "request-forgery", "manual"]
# - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].MapValue", "request-forgery", "manual"]
- ["org.springframework.web.client", "RestTemplate", False, "headForHeaders", "", "", "Argument[0]", "request-forgery", "manual"]
- ["org.springframework.web.client", "RestTemplate", False, "optionsForAllow", "", "", "Argument[0]", "request-forgery", "manual"]
- ["org.springframework.web.client", "RestTemplate", False, "patchForObject", "", "", "Argument[0]", "request-forgery", "manual"]

18
java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
View File

@@ -27,3 +27,21 @@ class SpringWebClient extends Interface {
this.hasQualifiedName("org.springframework.web.reactive.function.client", "WebClient")
}
}
private import semmle.code.java.security.RequestForgery
private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink {
SpringWebClientRestTemplateGetForObject() {
exists(Method m, MethodCall mc, int i |
m.getDeclaringType() instanceof SpringRestTemplate and
m.hasName("getForObject") and
mc.getMethod() = m
|
// Deal with two overloads, with third parameter type `Object...` and
// `Map<String, ?>`. We cannot deal with mapvalue content easily but
// there is a default implicit taint read at sinks that will catch it.
this.asExpr() = mc.getArgument(i) and
i >= 2
)
}
}