From fc4aa169051e6d16aeb38eba94c25438969496bc Mon Sep 17 00:00:00 2001
From: yh-semmle
Date: Tue, 5 Feb 2019 21:20:29 -0500
Subject: [PATCH] Java: add remote user input for Apache Thrift framework
---
 .../semmle/code/java/dataflow/FlowSources.qll | 3 ++
 .../semmle/code/java/frameworks/Thrift.qll | 33 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 java/ql/src/semmle/code/java/frameworks/Thrift.qll
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
index 760b54e596b..ad0ad55e9fc 100644
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -19,6 +19,7 @@ import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
+import semmle.code.java.frameworks.Thrift

 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -78,6 +79,8 @@ class RemoteUserInput extends UserInput {
 )
 or
 exists(Struts2ActionSupportClass c | c.getASetterMethod().getField() = this.asExpr().(FieldRead).getField())
+ or
+ exists(ThriftIface i | i.getAnImplementingMethod().getAParameter() = this.asParameter())
 }

 /**
diff --git a/java/ql/src/semmle/code/java/frameworks/Thrift.qll b/java/ql/src/semmle/code/java/frameworks/Thrift.qll
new file mode 100644
index 00000000000..60ca7ee7b4d
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/Thrift.qll
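Review bot: No test accompanies the new `ThriftIface` disjunct in `RemoteUserInput`; the diffstat lists only `FlowSources.qll` and `Thrift.qll`, so nothing pins which parameters become taint sources. Because `getAnImplementingMethod` accepts any class outside the generated file that has the `Iface` as a transitive supertype, classes that implement the interface without being server-side handlers (delegating wrappers or test doubles, for instance) would presumably be treated as remote input as well. A small library test with a stub generated file, one handler and one non-handler implementation would document the intended precision. The disjunct sits inside a characteristic predicate that starts before this hunk.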
@@ -0,0 +1,33 @@
+/**
+ * Provides classes and predicates for working with the Apache Thrift framework.
+ */
+
+import java
+
+/**
+ * A file detected as generated by the Apache Thrift Compiler.
+ */
+class ThriftGeneratedFile extends GeneratedFile {
+ ThriftGeneratedFile() {
+ exists(JavadocElement t | t.getFile() = this |
+ exists(string msg | msg = t.getText() | msg.regexpMatch("(?i).*\\bAutogenerated by Thrift.*"))
+ )
+ }
+}
+
+/**
+ * A Thrift `Iface` interface in a class generated by the Apache Thrift Compiler.
+ */
+class ThriftIface extends Interface {
+ ThriftIface() {
+ this.hasName("Iface") and
+ this.getEnclosingType() instanceof TopLevelType and
+ this.getFile() instanceof ThriftGeneratedFile
+ }
+
+ Method getAnImplementingMethod() {
+ result.getDeclaringType().(Class).getASupertype+() = this and
+ result.overrides(getAMethod()) and
+ not result.getFile() = this.getFile()
+ }
+}
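Review bot: `ThriftIface` matches only the nested interface named `Iface`, so handlers written against the `AsyncIface` interface that the Thrift Java generator also emits would not have their parameters modelled as remote input, which would presumably surface as missed taint results rather than noise. If async handlers are in scope, the characteristic predicate could start with `(this.hasName("Iface") or this.hasName("AsyncIface")) and`, bearing in mind that an async handler's callback parameter would then be marked too. Separately, `getAnImplementingMethod` is the only declaration in the file without a QLDoc comment; something like `/** Gets a method declared outside the generated file that overrides a method of this interface. */` would record why `not result.getFile() = this.getFile()` is there.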