Modify the model

haby0 · smowton · commit 283376eb199c · 2021-10-19T12:49:08.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -74,7 +74,7 @@ library class HttpServletRequestGetQueryStringMethod extends Method {
 /**
  * The method `getPathInfo()` declared in `javax.servlet.http.HttpServletRequest`.
  */
-library class HttpServletRequestGetPathMethod extends Method {
+class HttpServletRequestGetPathMethod extends Method {
   HttpServletRequestGetPathMethod() {
     getDeclaringType() instanceof HttpServletRequest and
     hasName("getPathInfo") and
@@ -120,7 +120,7 @@ library class HttpServletRequestGetHeaderNamesMethod extends Method {
 /**
  * The method `getRequestURL()` declared in `javax.servlet.http.HttpServletRequest`.
  */
-library class HttpServletRequestGetRequestURLMethod extends Method {
+class HttpServletRequestGetRequestURLMethod extends Method {
   HttpServletRequestGetRequestURLMethod() {
     getDeclaringType() instanceof HttpServletRequest and
     hasName("getRequestURL") and
@@ -131,7 +131,7 @@ library class HttpServletRequestGetRequestURLMethod extends Method {
 /**
  * The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
  */
-library class HttpServletRequestGetRequestURIMethod extends Method {
+class HttpServletRequestGetRequestURIMethod extends Method {
   HttpServletRequestGetRequestURIMethod() {
     getDeclaringType() instanceof HttpServletRequest and
     hasName("getRequestURI") and
@@ -197,9 +197,7 @@ class HttpServletResponseSendErrorMethod extends Method {
 class ServletRequestGetRequestDispatcherMethod extends Method {
   ServletRequestGetRequestDispatcherMethod() {
     getDeclaringType() instanceof ServletRequest and
-    hasName("getRequestDispatcher") and
-    getNumberOfParameters() = 1 and
-    getParameter(0).getType() instanceof TypeString
+    hasName("getRequestDispatcher")
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -13,6 +13,7 @@
 import java
 import UnsafeUrlForward
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Servlets
 import DataFlow::PathGraph
 
 private class StartsWithSanitizer extends DataFlow::BarrierGuard {
@@ -32,12 +33,12 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
-    not exists(MethodAccess ma |
-      ma.getMethod().getName() in ["getRequestURI", "getRequestURL", "getPathInfo"] and
-      ma.getMethod()
-          .getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName("javax.servlet.http", "HttpServletRequest") and
+    not exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      (
+        m instanceof HttpServletRequestGetRequestURIMethod or
+        m instanceof HttpServletRequestGetRequestURLMethod or
+        m instanceof HttpServletRequestGetPathMethod
+      ) and
       ma = source.asExpr()
     )
   }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -2,6 +2,7 @@ import java
 import DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Servlets
+import semmle.code.java.frameworks.spring.SpringWeb
 
 /** A sanitizer for unsafe url forward vulnerabilities. */
 abstract class UnsafeUrlForwardSanitizer extends DataFlow::Node { }
@@ -144,7 +145,7 @@ private class UnsafeUrlForwardSanitizedExpr extends Expr {
 /**
  * A concatenate expression using the string `forward:` on the left.
  *
- * E.g: `"forward:" + url`
+ * For example, `"forward:" + url`.
  */
 private class ForwardBuilderExpr extends AddExpr {
   ForwardBuilderExpr() {
@@ -155,7 +156,7 @@ private class ForwardBuilderExpr extends AddExpr {
 /**
  * A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is `"forward:"`.
  *
- * E.g: `StringBuilder.append("forward:")`
+ * For example, `StringBuilder.append("forward:")`.
  */
 private class ForwardAppendCall extends StringBuilderAppend {
   ForwardAppendCall() {
@@ -191,7 +192,7 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {
     )
     or
     exists(ClassInstanceExpr cie |
-      cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
+      cie.getConstructedType() instanceof ModelAndView and
       (
         exists(ForwardBuilderExpr rbe |
           rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()
@@ -201,12 +202,6 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {
       )
     )
     or
-    exists(MethodAccess ma |
-      ma.getMethod().hasName("setViewName") and
-      ma.getMethod()
-          .getDeclaringType()
-          .hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
-      ma.getArgument(0) = this.asExpr()
-    )
+    exists(SpringModelAndViewSetViewNameCall smavsvnc | smavsvnc.getArgument(0) = this.asExpr())
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ import java`
`2`	`2`	`import DataFlow`
`3`	`3`	`import semmle.code.java.dataflow.FlowSources`
`4`	`4`	`import semmle.code.java.frameworks.Servlets`
	`5`	`+import semmle.code.java.frameworks.spring.SpringWeb`
`5`	`6`
`6`	`7`	`/** A sanitizer for unsafe url forward vulnerabilities. */`
`7`	`8`	`abstract class UnsafeUrlForwardSanitizer extends DataFlow::Node { }`
`@@ -144,7 +145,7 @@ private class UnsafeUrlForwardSanitizedExpr extends Expr {`
`144`	`145`	`/**`
`145`	`146`	* A concatenate expression using the string `forward:` on the left.
`146`	`147`	`*`
`147`		- * E.g: `"forward:" + url`
	`148`	+ * For example, `"forward:" + url`.
`148`	`149`	`*/`
`149`	`150`	`private class ForwardBuilderExpr extends AddExpr {`
`150`	`151`	`ForwardBuilderExpr() {`
`@@ -155,7 +156,7 @@ private class ForwardBuilderExpr extends AddExpr {`
`155`	`156`	`/**`
`156`	`157`	* A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is `"forward:"`.
`157`	`158`	`*`
`158`		- * E.g: `StringBuilder.append("forward:")`
	`159`	+ * For example, `StringBuilder.append("forward:")`.
`159`	`160`	`*/`
`160`	`161`	`private class ForwardAppendCall extends StringBuilderAppend {`
`161`	`162`	`ForwardAppendCall() {`
`@@ -191,7 +192,7 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {`
`191`	`192`	`)`
`192`	`193`	`or`
`193`	`194`	`exists(ClassInstanceExpr cie \|`
`194`		`- cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and`
	`195`	`+ cie.getConstructedType() instanceof ModelAndView and`
`195`	`196`	`(`
`196`	`197`	`exists(ForwardBuilderExpr rbe \|`
`197`	`198`	`rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()`
`@@ -201,12 +202,6 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {`
`201`	`202`	`)`
`202`	`203`	`)`
`203`	`204`	`or`
`204`		`- exists(MethodAccess ma \|`
`205`		`- ma.getMethod().hasName("setViewName") and`
`206`		`- ma.getMethod()`
`207`		`- .getDeclaringType()`
`208`		`- .hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and`
`209`		`- ma.getArgument(0) = this.asExpr()`
`210`		`- )`
	`205`	`+ exists(SpringModelAndViewSetViewNameCall smavsvnc \| smavsvnc.getArgument(0) = this.asExpr())`
`211`	`206`	`}`
`212`	`207`	`}`