Change getResource() to be a taint step

2026-04-30 11:15:13 +02:00 · 2022-04-19 15:55:09 +00:00
parent 7029802f3b
commit f0c4b1955b
4 changed files with 62 additions and 13 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -385,10 +385,18 @@ library class ServletContext extends RefType {
  ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }
 }

-/** The `getResource` and `getResourceAsStream` methods of `ServletContext`. */
+/** The `getResource` method of `ServletContext`. */
 class GetServletResourceMethod extends Method {
  GetServletResourceMethod() {
    this.getDeclaringType() instanceof ServletContext and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/** The `getResourceAsStream` method of `ServletContext`. */
+class GetServletResourceAsStreamMethod extends Method {
+  GetServletResourceAsStreamMethod() {
+    this.getDeclaringType() instanceof ServletContext and
+    this.hasName("getResourceAsStream")
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -41,6 +41,20 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
  override DataFlow::FlowFeature getAFeature() {
    result instanceof DataFlow::FeatureHasSourceCallContext
  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prev, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod() instanceof GetServletResourceMethod or
+        ma.getMethod() instanceof GetFacesResourceMethod or
+        ma.getMethod() instanceof GetClassResourceMethod or
+        ma.getMethod() instanceof GetClassLoaderResourceMethod or
+        ma.getMethod() instanceof GetWildflyResourceMethod
+      ) and
+      ma.getArgument(0) = prev.asExpr() and
+      ma = succ.asExpr()
+    )
+  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeUrlForwardFlowConfig conf
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -19,19 +19,35 @@ private class RequestDispatcherSink extends UnsafeUrlForwardSink {
  }
 }

-/** The `getResource` and `getResourceAsStream` methods of `Class`. */
+/** The `getResource` method of `Class`. */
 class GetClassResourceMethod extends Method {
  GetClassResourceMethod() {
    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
  }
 }

-/** The `getResource` and `getResourceAsStream` methods of `ClassLoader`. */
+/** The `getResourceAsStream` method of `Class`. */
+class GetClassResourceAsStreamMethod extends Method {
+  GetClassResourceAsStreamMethod() {
+    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
+    this.hasName("getResourceAsStream")
+  }
+}
+
+/** The `getResource` method of `ClassLoader`. */
 class GetClassLoaderResourceMethod extends Method {
  GetClassLoaderResourceMethod() {
    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/** The `getResourceAsStream` method of `ClassLoader`. */
+class GetClassLoaderResourceAsStreamMethod extends Method {
+  GetClassLoaderResourceAsStreamMethod() {
+    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
+    this.hasName("getResourceAsStream")
  }
 }

@@ -66,13 +82,14 @@ class GetVirtualFileMethod extends Method {
 /** An argument to `getResource()` or `getResourceAsStream()`. */
 private class GetResourceSink extends UnsafeUrlForwardSink {
  GetResourceSink() {
+    sinkNode(this, "open-url")
+    or
    exists(MethodAccess ma |
      (
-        ma.getMethod() instanceof GetServletResourceMethod or
-        ma.getMethod() instanceof GetFacesResourceMethod or
-        ma.getMethod() instanceof GetClassResourceMethod or
-        ma.getMethod() instanceof GetClassLoaderResourceMethod or
-        ma.getMethod() instanceof GetWildflyResourceMethod or
+        ma.getMethod() instanceof GetServletResourceAsStreamMethod or
+        ma.getMethod() instanceof GetFacesResourceAsStreamMethod or
+        ma.getMethod() instanceof GetClassResourceAsStreamMethod or
+        ma.getMethod() instanceof GetClassLoaderResourceAsStreamMethod or
        ma.getMethod() instanceof GetVirtualFileMethod
      ) and
      ma.getArgument(0) = this.asExpr()
--- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -14,11 +14,21 @@ class ExternalContext extends RefType {
 }

 /**
- * The methods `getResource()` and `getResourceAsStream()` declared in JSF `ExternalContext`.
+ * The method `getResource()` declared in JSF `ExternalContext`.
 */
 class GetFacesResourceMethod extends Method {
  GetFacesResourceMethod() {
    this.getDeclaringType().getASupertype*() instanceof ExternalContext and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/**
+ * The method `getResourceAsStream()` declared in JSF `ExternalContext`.
+ */
+class GetFacesResourceAsStreamMethod extends Method {
+  GetFacesResourceAsStreamMethod() {
+    this.getDeclaringType().getASupertype*() instanceof ExternalContext and
+    this.hasName("getResourceAsStream")
  }
 }