Java: Convert SpringMultipartFileSource to CSV based flow source

2026-05-01 11:45:14 +02:00 · 2021-03-01 11:00:56 +01:00
parent 80b4d63d4b
commit f2448cc921
3 changed files with 11 additions and 16 deletions
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -102,7 +102,16 @@ private predicate sourceModelCsv(string row) {
      "org.springframework.web.multipart;MultipartRequest;true;getFileNames;();;ReturnValue;remote",
      "org.springframework.web.multipart;MultipartRequest;true;getFiles;(String);;ReturnValue;remote",
      "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;();;ReturnValue;remote",
-      "org.springframework.web.multipart;MultipartRequest;true;getMultipartContentType;(String);;ReturnValue;remote"
+      "org.springframework.web.multipart;MultipartRequest;true;getMultipartContentType;(String);;ReturnValue;remote",
+      // SpringMultipartFileSource
+      "org.springframework.web.multipart;MultipartFile;true;getBytes;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getContentType;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getInputStream;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getName;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getResource;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getSize;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;isEmpty;();;ReturnValue;remote"
    ]
 }

--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -121,21 +121,6 @@ private class PlayParameterSource extends RemoteFlowSource {
  override string getSourceType() { result = "Play Query Parameters" }
 }

-private class SpringMultipartFileSource extends RemoteFlowSource {
-  SpringMultipartFileSource() {
-    exists(MethodAccess ma, Method m |
-      ma = this.asExpr() and
-      m = ma.getMethod() and
-      m.getDeclaringType()
-          .getASourceSupertype*()
-          .hasQualifiedName("org.springframework.web.multipart", "MultipartFile") and
-      m.getName().matches("get%")
-    )
-  }
-
-  override string getSourceType() { result = "Spring MultipartFile getter" }
-}
-
 private class SpringServletInputParameterSource extends RemoteFlowSource {
  SpringServletInputParameterSource() {
    this.asParameter() = any(SpringRequestMappingParameter srmp | srmp.isTaintedInput())
--- a/java/ql/test/library-tests/dataflow/taintsources/remote.expected
+++ b/java/ql/test/library-tests/dataflow/taintsources/remote.expected
@@ -36,6 +36,7 @@
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:5:28:5:31 | path |
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:6:29:6:35 | command |
 | SpringMultiPart.java:8:3:8:17 | getBytes(...) | SpringMultiPart.java:8:3:8:17 | getBytes(...) |
+| SpringMultiPart.java:9:3:9:16 | isEmpty(...) | SpringMultiPart.java:9:3:9:16 | isEmpty(...) |
 | SpringMultiPart.java:10:3:10:23 | getInputStream(...) | SpringMultiPart.java:10:3:10:23 | getInputStream(...) |
 | SpringMultiPart.java:11:3:11:20 | getResource(...) | SpringMultiPart.java:11:3:11:20 | getResource(...) |
 | SpringMultiPart.java:12:3:12:16 | getName(...) | SpringMultiPart.java:12:3:12:16 | getName(...) |