From e2cec582be9f632b7df2fcd5a9dc0f5bfd0b8208 Mon Sep 17 00:00:00 2001
From: "lcartey@github.com"
Date: Sun, 17 May 2020 21:45:42 +0100
Subject: [PATCH] Java: XSS - ignore Spring sinks when content-type is safe.

Methods annotated with a produces field which indicates a safe content-type should not be considered XSS sinks. For example:

@RequestMapping(..., produces = "application/json")
---
 java/ql/src/semmle/code/java/security/XSS.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index 522cb75986d..5d317efee3c 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -35,7 +35,9 @@ class XssSink extends DataFlow::ExprNode {
 or
 exists(SpringRequestMappingMethod requestMappingMethod, ReturnStmt rs |
 requestMappingMethod = rs.getEnclosingCallable() and
- this.asExpr() = rs.getResult() |
+ this.asExpr() = rs.getResult() and
+ (not exists(requestMappingMethod.getProduces()) or requestMappingMethod.getProduces().matches("text/%"))
+ |
 // If a Spring request mapping method is either annotated with @ResponseBody (or equivalent),
 // or returns a HttpEntity or sub-type, then the return value of the method is converted into
 // a HTTP reponse using a HttpMessageConverter implementation. The implementation is chosen
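Review bot: The `matches("text/%")` test on the second added line turns every media type outside `text/*` into a non-sink, yet browsers render `application/xhtml+xml`, `image/svg+xml`, `application/xml` and other `+xml` types as script-capable documents, and a wildcard such as `*/*` (which leaves the Accept header free to select `text/html`) is treated as safe as well. Because this is an exclusion rather than an allowlist, each missed type silently drops true positives; either widen it — `requestMappingMethod.getProduces().matches("text/%") or requestMappingMethod.getProduces().matches("%xml%") or requestMappingMethod.getProduces().matches("%/*")` — or invert it so the sink is kept unless `produces` names a known non-renderable type such as `application/json`. How `getProduces()` behaves for a multi-valued `produces`, for `MediaType` constants and for a class-level `@RequestMapping` is not visible here; presumably a handler declaring both `application/json` and `text/html` must still count as a sink, which is worth pinning with a test. The `exists` body and the enclosing `XssSink` class both continue outside the hunk.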