Add test cases and reduce FPs

2025-12-21 19:26:31 +01:00 · 2022-07-01 23:03:29 +00:00
parent 251f67dcf3
commit e33d786745
4 changed files with 36 additions and 71 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -87,6 +87,8 @@ private class GetResourceSink extends UnsafeUrlForwardSink {
  GetResourceSink() {
    sinkNode(this, "open-url")
    or
+    sinkNode(this, "get-resource")
+    or
    exists(MethodAccess ma |
      (
        ma.getMethod() instanceof GetServletResourceAsStreamMethod or
@@ -104,12 +106,6 @@ private class GetResourceSink extends UnsafeUrlForwardSink {
 private class SpringResourceSink extends UnsafeUrlForwardSink {
  SpringResourceSink() {
    exists(MethodAccess ma |
-      (
-        ma.getMethod() instanceof GetClassPathResourceInputStreamMethod or
-        ma.getMethod() instanceof GetResourceMethod
-      ) and
-      ma.getQualifier() = this.asExpr()
-      or
      ma.getMethod() instanceof GetResourceUtilsMethod and
      ma.getArgument(0) = this.asExpr()
    )
@@ -199,11 +195,26 @@ private class LoadSpringResourceFlowStep extends SummaryModelCsv {
    row =
      [
        "org.springframework.core.io;ClassPathResource;false;ClassPathResource;;;Argument[0];Argument[-1];taint;manual",
-        "org.springframework.core.io;ClassPathResource;true;" +
-          ["getFilename", "getPath", "getURL", "resolveURL"] +
-          ";;;Argument[-1];ReturnValue;taint;manual",
        "org.springframework.core.io;ResourceLoader;true;getResource;;;Argument[0];ReturnValue;taint;manual",
        "org.springframework.core.io;Resource;true;createRelative;;;Argument[0];ReturnValue;taint;manual"
      ]
  }
 }
+
+/** Sink related to spring resource. */
+private class SpringResourceCsvSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // Get spring resource
+        "org.springframework.core.io;ClassPathResource;true;" +
+          ["getFilename", "getPath", "getURL", "resolveURL"] + ";;;Argument[-1];get-resource;manual",
+        // "org.springframework.core.io;Resource;true;" +
+        //   ["getFile", "getFilename", "getURI", "getURL"] +
+        //   ";;;Argument[-1];get-resource;manual",
+        // "org.springframework.core.io;InputStreamSource;true;" +
+        //   ["getInputStream"] +
+        //   ";;;Argument[-1];get-resource;manual"
+      ]
+  }
+}
--- a/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll
@@ -6,57 +6,17 @@ import java
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources

-/** A class for class path resources in the Spring framework. */
-class ClassPathResource extends Class {
-  ClassPathResource() { this.hasQualifiedName("org.springframework.core.io", "ClassPathResource") }
-}
-
-/** An interface for objects that are sources for an InputStream in the Spring framework. */
-class InputStreamResource extends RefType {
-  InputStreamResource() {
-    this.hasQualifiedName("org.springframework.core.io", "InputStreamSource")
-  }
-}
-
-/** An interface that abstracts from the underlying resource, such as a file or class path resource in the Spring framework. */
-class Resource extends RefType {
-  Resource() { this.hasQualifiedName("org.springframework.core.io", "Resource") }
-}
-
 /** A utility class for resolving resource locations to files in the file system in the Spring framework. */
 class ResourceUtils extends Class {
  ResourceUtils() { this.hasQualifiedName("org.springframework.util", "ResourceUtils") }
 }

-/**
- * The method `getInputStream()` declared in Spring `ClassPathResource`.
- */
-class GetClassPathResourceInputStreamMethod extends Method {
-  GetClassPathResourceInputStreamMethod() {
-    this.getDeclaringType().getASupertype*() instanceof ClassPathResource and
-    this.hasName("getInputStream")
-  }
-}
-
-/**
- * Resource loading method declared in Spring `Resource` with `getInputStream` inherited from the parent interface.
- */
-class GetResourceMethod extends Method {
-  GetResourceMethod() {
-    (
-      this.getDeclaringType() instanceof InputStreamResource or
-      this.getDeclaringType() instanceof Resource
-    ) and
-    this.hasName(["getFile", "getFilename", "getInputStream", "getURI", "getURL"])
-  }
-}
-
 /**
 * Resource loading method declared in Spring `ResourceUtils`.
 */
 class GetResourceUtilsMethod extends Method {
  GetResourceUtilsMethod() {
    this.getDeclaringType().getASupertype*() instanceof ResourceUtils and
-    this.hasName(["extractArchiveURL", "extractJarFileURL", "getFile", "getURL", "toURI"])
+    this.hasName(["extractArchiveURL", "extractJarFileURL", "getFile", "getURL"])
  }
 }