diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringUtil.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringUtil.qll index eb6cd04fff2..bc762b6eaee 100644 --- a/java/ql/src/semmle/code/java/frameworks/spring/SpringUtil.qll +++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringUtil.qll @@ -10,11 +10,11 @@ private class FlowSummaries extends SummaryModelCsv { row = [ "org.springframework.util;AntPathMatcher;false;combine;;;Argument[0..1];ReturnValue;taint", - "org.springframework.util;AntPathMatcher;false;doMatch;;;Argument[0];MapValue of Argument[2];taint", + "org.springframework.util;AntPathMatcher;false;doMatch;;;Argument[1];MapValue of Argument[3];taint", "org.springframework.util;AntPathMatcher;false;extractPathWithinPattern;;;Argument[1];ReturnValue;taint", "org.springframework.util;AntPathMatcher;false;extractUriTemplateVariables;;;Argument[1];MapValue of ReturnValue;taint", - "org.springframework.util;AntPathMatcher;false;tokenizePath;;;Argument[0];ArrayValue of ReturnValue;taint", - "org.springframework.util;AntPathMatcher;false;tokenizePattern;;;Argument[0];ArrayValue of ReturnValue;taint", + "org.springframework.util;AntPathMatcher;false;tokenizePath;;;Argument[0];ArrayElement of ReturnValue;taint", + "org.springframework.util;AntPathMatcher;false;tokenizePattern;;;Argument[0];ArrayElement of ReturnValue;taint", "org.springframework.util.AntPathMatcher;AntPathStringMatcher;false;matchStrings;;;Argument[0];MapValue of Argument[1];taint", "org.springframework.util;AutoPopulatingList;false;AutoPopulatingList;(java.util.List,org.springframework.util.AutoPopulatingList.ElementFactory);;Element of Argument[0];Element of Argument[-1];value", "org.springframework.util;AutoPopulatingList;false;AutoPopulatingList;(java.util.List,java.lang.Class);;Element of Argument[0];Element of Argument[-1];value", diff --git a/java/ql/test/library-tests/frameworks/spring/util/Test.java b/java/ql/test/library-tests/frameworks/spring/util/Test.java index d10f2010360..a7486c6a402 100644 --- a/java/ql/test/library-tests/frameworks/spring/util/Test.java +++ b/java/ql/test/library-tests/frameworks/spring/util/Test.java @@ -12,6 +12,7 @@ import java.nio.charset.Charset; import java.util.Collection; import java.util.Collections; import java.util.Enumeration; +import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -54,8 +55,37 @@ public class Test { Properties newPropertiesWithMapKey(Object element) { Properties p = new Properties(); p.put(element, null); return p; } // Object newWithMapValue(Object element) { return null; } Properties newPropertiesWithMapValue(Object element) { Properties p = new Properties(); p.put(null, element); return p; } - Object source() { return null; } - void sink(Object o) { } + static Object source() { return null; } + static void sink(Object o) { } + + // Test AntPathMatcher's protected methods: + private static class AntPathMatcherTest extends AntPathMatcher { + + public void test() throws Exception { + { + // "org.springframework.util;AntPathMatcher;false;doMatch;;;Argument[1];MapValue of Argument[3];taint" + Map out = new HashMap<>(); + String in = (String)source(); + this.doMatch("somePattern", in, true, out); + sink(out.get("someKey")); // $hasTaintFlow + } + { + // "org.springframework.util;AntPathMatcher;false;tokenizePath;;;Argument[0];ArrayValue of ReturnValue;taint", + String[] out = null; + String in = (String)source(); + out = this.tokenizePath(in); + sink(out[0]); // $hasTaintFlow + } + { + // "org.springframework.util;AntPathMatcher;false;tokenizePattern;;;Argument[0];ArrayValue of ReturnValue;taint", + String[] out = null; + String in = (String)source(); + out = this.tokenizePattern(in); + sink(out[0]); // $hasTaintFlow + } + } + + } public void test() throws Exception {