mirror of
https://github.com/github/codeql.git
synced 2025-12-21 11:16:30 +01:00
Merge pull request #6042 from joefarebrother/spring-http
[Java] Model spring `http` package
This commit is contained in:
Anders Schack-Mulligen
@@ -105,6 +105,7 @@ private module Frameworks {
|
||||
private import semmle.code.java.frameworks.MyBatis
|
||||
private import semmle.code.java.frameworks.Hibernate
|
||||
private import semmle.code.java.frameworks.jOOQ
|
||||
private import semmle.code.java.frameworks.spring.SpringHttp
|
||||
}
|
||||
|
||||
private predicate sourceModelCsv(string row) {
|
||||
|
||||
@@ -209,22 +209,6 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
|
||||
// a custom InputStream that wraps a tainted data source is tainted
|
||||
inputStreamWrapper(sink.getConstructor(), argi)
|
||||
or
|
||||
// A SpringHttpEntity is a wrapper around a body and some headers
|
||||
// Track flow through iff body is a String
|
||||
exists(SpringHttpEntity she |
|
||||
sink.getConstructor() = she.getAConstructor() and
|
||||
argi = 0 and
|
||||
tracked.getType() instanceof TypeString
|
||||
)
|
||||
or
|
||||
// A SpringRequestEntity is a wrapper around a body and some headers
|
||||
// Track flow through iff body is a String
|
||||
exists(SpringResponseEntity sre |
|
||||
sink.getConstructor() = sre.getAConstructor() and
|
||||
argi = 0 and
|
||||
tracked.getType() instanceof TypeString
|
||||
)
|
||||
or
|
||||
sink.getConstructor().(TaintPreservingCallable).returnsTaintFrom(argToParam(sink, argi))
|
||||
)
|
||||
}
|
||||
@@ -277,19 +261,6 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
m.getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
|
||||
not m.getDeclaringType() instanceof TypeObject
|
||||
or
|
||||
m.getDeclaringType() instanceof SpringHttpEntity and
|
||||
m.getName().regexpMatch("getBody|getHeaders")
|
||||
or
|
||||
exists(SpringHttpHeaders headers | m = headers.getAMethod() |
|
||||
m.getReturnType() instanceof TypeString
|
||||
or
|
||||
exists(ParameterizedType stringlist |
|
||||
m.getReturnType().(RefType).getASupertype*() = stringlist and
|
||||
stringlist.getSourceDeclaration().hasQualifiedName("java.util", "List") and
|
||||
stringlist.getTypeArgument(0) instanceof TypeString
|
||||
)
|
||||
)
|
||||
or
|
||||
m.(TaintPreservingCallable).returnsTaintFrom(-1)
|
||||
or
|
||||
exists(JaxRsResourceMethod resourceMethod |
|
||||
|
||||
@@ -61,3 +61,82 @@ private class UrlOpenSink extends SinkModelCsv {
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
private class SpringHttpFlowStep extends SummaryModelCsv {
|
||||
override predicate row(string row) {
|
||||
row =
|
||||
[
|
||||
//"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
|
||||
"org.springframework.http;HttpEntity;true;HttpEntity;(Object);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpEntity;true;HttpEntity;(Object,MultiValueMap);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpEntity;true;HttpEntity;(Object,MultiValueMap);;MapKey of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;HttpEntity;true;HttpEntity;(Object,MultiValueMap);;Element of MapValue of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;HttpEntity;true;HttpEntity;(MultiValueMap);;MapKey of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpEntity;true;HttpEntity;(MultiValueMap);;Element of MapValue of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpEntity;true;getBody;;;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpEntity;true;getHeaders;;;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,HttpStatus);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,MultiValueMap,HttpStatus);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,MultiValueMap,HttpStatus);;MapKey of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,MultiValueMap,HttpStatus);;Element of MapValue of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(MultiValueMap,HttpStatus);;MapKey of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(MultiValueMap,HttpStatus);;Element of MapValue of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,MultiValueMap,int);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,MultiValueMap,int);;MapKey of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;ResponseEntity;(Object,MultiValueMap,int);;Element of MapValue of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity;true;of;(Optional);;Element of Argument[0];ReturnValue;taint",
|
||||
"org.springframework.http;ResponseEntity;true;ok;(Object);;Argument[0];ReturnValue;taint",
|
||||
"org.springframework.http;ResponseEntity;true;created;(URI);;Argument[0];ReturnValue;taint",
|
||||
"org.springframework.http;ResponseEntity$BodyBuilder;true;contentLength;(long);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$BodyBuilder;true;contentType;(MediaType);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$BodyBuilder;true;body;(Object);;Argument[-1..0];ReturnValue;taint",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;allow;(HttpMethod[]);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;eTag;(String);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;eTag;(String);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;header;(String,String[]);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;header;(String,String[]);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;header;(String,String[]);;ArrayElement of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;headers;(Consumer);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;headers;(HttpHeaders);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;headers;(HttpHeaders);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;location;(URI);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;location;(URI);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;varyBy;(String[]);;Argument[-1];ReturnValue;value",
|
||||
"org.springframework.http;ResponseEntity$HeadersBuilder;true;build;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;RequestEntity;true;getUrl;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;HttpHeaders;(MultiValueMap);;MapKey of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;HttpHeaders;(MultiValueMap);;Element of MapValue of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;get;(Object);;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getAccessControlAllowHeaders;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getAccessControlAllowOrigin;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getAccessControlExposeHeaders;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getAccessControlRequestHeaders;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getCacheControl;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getConnection;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getETag;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getETagValuesAsList;(String);;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getFieldValues;(String);;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getFirst;(String);;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getIfMatch;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getIfNoneMatch;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getHost;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getLocation;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getOrEmpty;(Object);;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getOrigin;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getPragma;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getUpgrade;();;Argument[-1];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getValuesAsList;(String);;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;getVary;();;Argument[-1];Element of ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;add;(String,String);;Argument[0..1];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;set;(String,String);;Argument[0..1];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;addAll;(MultiValueMap);;MapKey of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;addAll;(MultiValueMap);;Element of MapValue of Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;addAll;(String,List);;Argument[0];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;addAll;(String,List);;Element of Argument[1];Argument[-1];taint",
|
||||
"org.springframework.http;HttpHeaders;true;formatHeaders;(MultiValueMap);;MapKey of Argument[0];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;formatHeaders;(MultiValueMap);;Element of MapValue of Argument[0];ReturnValue;taint",
|
||||
"org.springframework.http;HttpHeaders;true;encodeBasicAuth;(String,String,Charset);;Argument[0..1];ReturnValue;taint"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user