hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5953 from github/sauyon/java/spring-webutil

Browse Source 
Java: Add models for the Spring `web.util` package
This commit is contained in:
Chris Smowton
2021-08-18 15:07:28 +01:00
committed by GitHub
parent 27df2727e9 17cef3f498
commit cc4fe7375c
75 changed files with 4341 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -95,6 +95,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.spring.SpringWebClient
private import semmle.code.java.frameworks.spring.SpringBeans
private import semmle.code.java.frameworks.spring.SpringWebMultipart
private import semmle.code.java.frameworks.spring.SpringWebUtil
private import semmle.code.java.security.ResponseSplitting
private import semmle.code.java.security.InformationLeak
private import semmle.code.java.security.GroovyInjection

1
java/ql/src/semmle/code/java/frameworks/spring/Spring.qll
View File

@@ -39,6 +39,7 @@ import semmle.code.java.frameworks.spring.SpringUtil
import semmle.code.java.frameworks.spring.SpringValidation
import semmle.code.java.frameworks.spring.SpringValue
import semmle.code.java.frameworks.spring.SpringWebMultipart
import semmle.code.java.frameworks.spring.SpringWebUtil
import semmle.code.java.frameworks.spring.SpringXMLElement
import semmle.code.java.frameworks.spring.metrics.MetricSpringBean
import semmle.code.java.frameworks.spring.metrics.MetricSpringBeanFile

176
java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll Normal file
View File

@@ -0,0 +1,176 @@
/** Provides models of taint flow in `org.springframework.web.util` */
import java
private import semmle.code.java.dataflow.ExternalFlow
private class FlowSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"org.springframework.web.util;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriBuilder;true;build;(Map);;MapValue of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;fragment;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;host;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;path;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;pathSegment;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;pathSegment;;;ArrayElement of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;port;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;port;(java.lang.String);;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;query;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;query;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;queryParam;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParam;(String,Collection);;Element of Argument[1];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParam;(String,Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParamIfPresent;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;queryParamIfPresent;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParamIfPresent;;;Element of Argument[1];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParams;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;queryParams;;;MapKey of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;queryParams;;;Element of MapValue of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;replacePath;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;replaceQuery;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;replaceQueryParam;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replaceQueryParam;(String,Collection);;Element of Argument[1];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replaceQueryParam;(String,Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replaceQueryParams;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;replaceQueryParams;;;MapKey of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;replaceQueryParams;;;Element of MapValue of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;scheme;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriBuilder;true;userInfo;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriBuilderFactory;true;builder;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriBuilderFactory;true;uriString;;;Argument[-1..0];ReturnValue;taint",
"org.springframework.web.util;UriComponents$UriTemplateVariables;true;getValue;;;MapValue of Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriTemplateHandler;true;expand;;;Argument[-1..0];ReturnValue;taint",
"org.springframework.web.util;UriTemplateHandler;true;expand;(String,Map);;MapValue of Argument[1];ReturnValue;taint",
"org.springframework.web.util;UriTemplateHandler;true;expand;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
"org.springframework.web.util;AbstractUriTemplateHandler;true;getBaseUrl;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;AbstractUriTemplateHandler;true;setBaseUrl;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;AbstractUriTemplateHandler;true;setDefaultUriVariables;;;Argument[0];Argument[-1];taint",
// writing to a `Request` or `Response` currently doesn't propagate taint to the object itself.
"org.springframework.web.util;ContentCachingRequestWrapper;false;ContentCachingRequestWrapper;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;ContentCachingRequestWrapper;false;getContentAsByteArray;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;ContentCachingResponseWrapper;false;ContentCachingResponseWrapper;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;ContentCachingResponseWrapper;false;getContentAsByteArray;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;ContentCachingResponseWrapper;false;getContentInputStream;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;DefaultUriBuilderFactory;false;DefaultUriBuilderFactory;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;DefaultUriBuilderFactory;false;builder;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;DefaultUriBuilderFactory;false;getDefaultUriVariables;;;Argument[-1];MapValue of ReturnValue;taint",
"org.springframework.web.util;DefaultUriBuilderFactory;false;setDefaultUriVariables;;;MapValue of Argument[0];Argument[-1];taint",
"org.springframework.web.util;DefaultUriBuilderFactory;false;uriString;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;HtmlUtils;false;htmlEscape;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;HtmlUtils;false;htmlEscapeDecimal;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;HtmlUtils;false;htmlEscapeHex;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;HtmlUtils;false;htmlUnescape;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;ServletContextPropertyUtils;false;resolvePlaceholders;;;Argument[0..1];ReturnValue;taint",
"org.springframework.web.util;ServletRequestPathUtils;false;getCachedPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;ServletRequestPathUtils;false;getCachedPathValue;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;ServletRequestPathUtils;false;getParsedRequestPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;ServletRequestPathUtils;false;parseAndCache;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;ServletRequestPathUtils;false;setParsedRequestPath;;;Argument[0];Argument[1];taint",
"org.springframework.web.util;UriComponents;false;UriComponents;;;Argument[0..1];Argument[-1];taint",
"org.springframework.web.util;UriComponents;false;copyToUriComponentsBuilder;;;Argument[-1];Argument[0];taint",
"org.springframework.web.util;UriComponents;false;encode;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;expand;(Map);;MapValue of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;expand;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;expand;(UriTemplateVariables);;MapValue of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getFragment;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getHost;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getPath;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getPathSegments;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getQuery;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getQueryParams;;;Argument[-1];MapKey of ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getQueryParams;;;Argument[-1];Element of MapValue of ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getScheme;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getSchemeSpecificPart;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;getUserInfo;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;toUri;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;toUriString;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;toString;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponents;false;normalize;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;build;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;build;(Map);;MapValue of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;build;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;buildAndExpand;(Map);;MapValue of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;buildAndExpand;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;cloneBuilder;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriComponentsBuilder;false;encode;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriComponentsBuilder;false;fromHttpRequest;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;fromHttpUrl;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;fromOriginHeader;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;fromUriString;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;parseForwardedFor;;;Argument[0..1];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriComponentsBuilder;false;schemeSpecificPart;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriComponentsBuilder;false;toUriString;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriComponentsBuilder;false;uri;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriComponentsBuilder;false;uri;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriComponentsBuilder;false;uriComponents;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriComponentsBuilder;false;uriComponents;;;Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriComponentsBuilder;false;uriVariables;;;Argument[-1];ReturnValue;value",
"org.springframework.web.util;UriComponentsBuilder;false;uriVariables;;;MapValue of Argument[0];Argument[-1];taint",
"org.springframework.web.util;UriTemplate;false;expand;(Map);;MapValue of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriTemplate;false;expand;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriTemplate;false;getVariableNames;;;Argument[-1];Element of ReturnValue;taint",
"org.springframework.web.util;UriTemplate;false;match;;;Argument[0];MapValue of ReturnValue;taint",
"org.springframework.web.util;UriTemplate;false;toString;;;Argument[-1];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;decode;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encode;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeAuthority;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeFragment;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeHost;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodePath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodePathSegment;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodePort;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeQuery;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeQueryParam;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeQueryParams;;;MapKey of Argument[0];MapKey of ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeQueryParams;;;MapValue of Argument[0];MapValue of ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeScheme;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeUriVariables;(Map);;MapValue of Argument[0];MapValue of ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeUriVariables;(Map);;MapKey of Argument[0];MapKey of ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeUriVariables;(Object[]);;ArrayElement of Argument[0];ArrayElement of ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;encodeUserInfo;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UriUtils;false;extractFileExtension;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;decodeMatrixVariables;;;MapKey of Argument[1];MapKey of ReturnValue;value",
"org.springframework.web.util;UrlPathHelper;false;decodeMatrixVariables;;;MapValue of Argument[1];MapValue of ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;decodePathVariables;;;MapKey of Argument[1];MapKey of ReturnValue;value",
"org.springframework.web.util;UrlPathHelper;false;decodePathVariables;;;MapValue of Argument[1];MapValue of ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;decodeRequestString;;;Argument[1];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getContextPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getOriginatingContextPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getOriginatingQueryString;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getOriginatingRequestUri;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getPathWithinApplication;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getPathWithinServletMapping;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getRequestUri;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getResolvedLookupPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;getServletPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;removeSemicolonContent;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;UrlPathHelper;false;resolveAndCacheLookupPath;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;findParameterValue;(Map,String);;MapValue of Argument[0];ReturnValue;value",
"org.springframework.web.util;WebUtils;false;findParameterValue;(ServletRequest,String);;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getCookie;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getNativeRequest;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getNativeResponse;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getParametersStartingWith;;;Argument[0];MapKey of ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getParametersStartingWith;;;Argument[0];MapValue of ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getRealPath;;;Argument[0..1];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getRequiredSessionAttribute;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;getSessionAttribute;;;Argument[0];ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;parseMatrixVariables;;;Argument[0];MapKey of ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;parseMatrixVariables;;;Argument[0];MapValue of ReturnValue;taint",
"org.springframework.web.util;WebUtils;false;setSessionAttribute;;;Argument[2];Argument[0];taint"
]
}
}

5
java/ql/src/semmle/code/java/security/XSS.qll
View File

@@ -93,7 +93,10 @@ private class DefaultXssSink extends XssSink {
/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class DefaultXSSSanitizer extends XssSanitizer {
DefaultXSSSanitizer() {
this.getType() instanceof NumericType or this.getType() instanceof BooleanType
this.getType() instanceof NumericType or
this.getType() instanceof BooleanType or
// Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")
}
}