Java: add Spring MultipartFile as RemoteFlowSource

2026-05-02 12:15:17 +02:00 · 2020-04-28 15:46:37 +02:00
parent ae2bab7e9c
commit d7774788b3
1 changed files with 13 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -103,6 +103,19 @@ private class MessageBodyReaderParameterSource extends RemoteFlowSource {
  override string getSourceType() { result = "MessageBodyReader parameter" }
 }

+private class SpringMultipartFileSource extends RemoteFlowSource {
+  SpringMultipartFileSource() {
+    exists(MethodAccess ma, Method m |
+      ma = this.asExpr() and
+      m = ma.getMethod() and
+      m.getDeclaringType().hasQualifiedName("org.springframework.web.multipart", "MultipartFile") and
+      m.getName().matches("get%")
+    )
+  }
+
+  override string getSourceType() { result = "Spring MultipartFile getter" }
+}
+
 private class SpringServletInputParameterSource extends RemoteFlowSource {
  SpringServletInputParameterSource() {
    this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation