Add sources for Jax-RS filters

2026-05-02 12:15:17 +02:00 · 2021-08-12 14:52:23 +01:00
parent 0ebbb333ba
commit f1c3a11103
12 changed files with 1187 additions and 20 deletions
--- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaContainerRequestContextSources.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaContainerRequestContextSources.java
@@ -0,0 +1,17 @@
+import jakarta.ws.rs.container.ContainerRequestContext;
+
+public class JakartaContainerRequestContextSources {
+  void sink(Object o) {}
+
+  void test(ContainerRequestContext context) throws Exception {
+    sink(context.getAcceptableLanguages()); // $ hasValueFlow
+    sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
+    sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
+    byte[] buf = new byte[1024];
+    context.getEntityStream().read(buf);
+    sink(buf); // $ hasTaintFlow
+    sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
+    sink(context.getHeaderString("someKey")); // $ hasValueFlow
+    sink(context.getUriInfo().getPath()); // $ hasTaintFlow
+  }
+}
--- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
@@ -57,11 +57,11 @@ public class JakartaRsFlow {
  static PathSegment taint(PathSegment ps) { return ps; }

  static UriInfo taint(UriInfo ui) { return ui; }
-  
+
  static Map taint(Map m) { return m; }
-  
+
  static Link taint(Link l) { return l; }
-  
+
  static Class taint(Class c) { return c; }

  private static class UriSource {
@@ -196,12 +196,16 @@ public class JakartaRsFlow {
    sink(taint(ps2).getPath()); // $ hasTaintFlow
  }

-  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
-    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
-    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  void testUriInfo(UriInfo ui) {
+    ui = taint(ui);
+    sink(ui.getPathParameters()); // $ hasTaintFlow
+    sink(ui.getPathSegments()); // $ hasTaintFlow
+    sink(ui.getQueryParameters()); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
+    sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
  }

  void testCookie() {
@@ -341,7 +345,7 @@ public class JakartaRsFlow {
    sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
    sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
    sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
-    
+
    sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
    sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
    sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow
--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsContainerRequestContextSources.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsContainerRequestContextSources.java
@@ -0,0 +1,17 @@
+import javax.ws.rs.container.ContainerRequestContext;
+
+public class JaxRsContainerRequestContextSources {
+  void sink(Object o) {}
+
+  void test(ContainerRequestContext context) throws Exception {
+    sink(context.getAcceptableLanguages()); // $ hasValueFlow
+    sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
+    sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
+    byte[] buf = new byte[1024];
+    context.getEntityStream().read(buf);
+    sink(buf); // $ hasTaintFlow
+    sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
+    sink(context.getHeaderString("someKey")); // $ hasValueFlow
+    sink(context.getUriInfo().getPath()); // $ hasTaintFlow
+  }
+}
--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
@@ -57,11 +57,11 @@ public class JaxRsFlow {
  static PathSegment taint(PathSegment ps) { return ps; }

  static UriInfo taint(UriInfo ui) { return ui; }
-  
+
  static Map taint(Map m) { return m; }
-  
+
  static Link taint(Link l) { return l; }
-  
+
  static Class taint(Class c) { return c; }

  private static class UriSource {
@@ -192,12 +192,16 @@ public class JaxRsFlow {
    sink(taint(ps2).getPath()); // $ hasTaintFlow
  }

-  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
-    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
-    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  void testUriInfo(UriInfo ui) {
+    ui = taint(ui);
+    sink(ui.getPathParameters()); // $ hasTaintFlow
+    sink(ui.getPathSegments()); // $ hasTaintFlow
+    sink(ui.getQueryParameters()); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
+    sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
  }

  void testCookie() {
@@ -337,7 +341,7 @@ public class JaxRsFlow {
    sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
    sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
    sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
-    
+
    sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
    sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
    sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow
--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
@@ -1,5 +1,6 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineExpectationsTest

 class TaintFlowConf extends TaintTracking::Configuration {
@@ -7,6 +8,8 @@ class TaintFlowConf extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node n) {
    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node n) {
@@ -21,6 +24,8 @@ class ValueFlowConf extends DataFlow::Configuration {

  override predicate isSource(DataFlow::Node n) {
    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node n) {