Sanitize Spring bodies directly associated with an XSS-safe Content-Type

smowton · smowton · commit 3b6cc97557c9 · 2021-09-10T16:10:44.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -5,6 +5,8 @@
 
 import java
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.XSS as XSS
 
 /** The class `org.springframework.http.HttpEntity` or an instantiation of it. */
 class SpringHttpEntity extends Class {
@@ -140,3 +142,96 @@ private class SpringHttpFlowStep extends SummaryModelCsv {
       ]
   }
 }
+
+private string getSpringConstantContentType(FieldAccess e) {
+  e.getQualifier().getType().(RefType).hasQualifiedName("org.springframework.http", "MediaType") and
+  exists(string fieldName | e.getField().hasName(fieldName) |
+    fieldName = "APPLICATION_ATOM_XML" and result = "application/atom+xml"
+    or
+    fieldName = "APPLICATION_CBOR" and result = "application/cbor"
+    or
+    fieldName = "APPLICATION_FORM_URLENCODED" and result = "application/x-www-form-urlencoded"
+    or
+    fieldName = "APPLICATION_JSON" and result = "application/json"
+    or
+    fieldName = "APPLICATION_JSON_UTF8" and result = "application/json;charset=UTF-8"
+    or
+    fieldName = "APPLICATION_NDJSON" and result = "application/x-ndjson"
+    or
+    fieldName = "APPLICATION_OCTET_STREAM" and result = "application/octet-stream"
+    or
+    fieldName = "APPLICATION_PDF" and result = "application/pdf"
+    or
+    fieldName = "APPLICATION_PROBLEM_JSON" and result = "application/problem+json"
+    or
+    fieldName = "APPLICATION_PROBLEM_JSON_UTF8" and
+    result = "application/problem+json;charset=UTF-8"
+    or
+    fieldName = "APPLICATION_PROBLEM_XML" and result = "application/problem+xml"
+    or
+    fieldName = "APPLICATION_RSS_XML" and result = "application/rss+xml"
+    or
+    fieldName = "APPLICATION_STREAM_JSON" and result = "application/stream+json"
+    or
+    fieldName = "APPLICATION_XHTML_XML" and result = "application/xhtml+xml"
+    or
+    fieldName = "APPLICATION_XML" and result = "application/xml"
+    or
+    fieldName = "IMAGE_GIF" and result = "image/gif"
+    or
+    fieldName = "IMAGE_JPEG" and result = "image/jpeg"
+    or
+    fieldName = "IMAGE_PNG" and result = "image/png"
+    or
+    fieldName = "MULTIPART_FORM_DATA" and result = "multipart/form-data"
+    or
+    fieldName = "MULTIPART_MIXED" and result = "multipart/mixed"
+    or
+    fieldName = "MULTIPART_RELATED" and result = "multipart/related"
+    or
+    fieldName = "TEXT_EVENT_STREAM" and result = "text/event-stream"
+    or
+    fieldName = "TEXT_HTML" and result = "text/html"
+    or
+    fieldName = "TEXT_MARKDOWN" and result = "text/markdown"
+    or
+    fieldName = "TEXT_PLAIN" and result = "text/plain"
+    or
+    fieldName = "TEXT_XML" and result = "text/xml"
+  )
+}
+
+private predicate isXssSafeContentTypeExpr(Expr e) {
+  XSS::isXssSafeContentType(e.(CompileTimeConstantExpr).getStringValue()) or
+  XSS::isXssSafeContentType(getSpringConstantContentType(e))
+}
+
+private DataFlow::Node getASanitizedBodyBuilder() {
+  result.asExpr() =
+    any(MethodAccess ma |
+      ma.getCallee()
+          .hasQualifiedName("org.springframework.http", "ResponseEntity<>$BodyBuilder",
+            "contentType") and
+      isXssSafeContentTypeExpr(ma.getArgument(0))
+    )
+  or
+  result.asExpr() =
+    any(MethodAccess ma |
+      ma.getQualifier() = getASanitizedBodyBuilder().asExpr() and
+      ma.getType()
+          .(RefType)
+          .hasQualifiedName("org.springframework.http", "ResponseEntity<>$BodyBuilder")
+    )
+  or
+  DataFlow::localFlow(getASanitizedBodyBuilder(), result)
+}
+
+private class SanitizedBodyCall extends XSS::XssSanitizer {
+  SanitizedBodyCall() {
+    this.asExpr() =
+      any(MethodAccess ma |
+        ma.getQualifier() = getASanitizedBodyBuilder().asExpr() and
+        ma.getCallee().hasName("body")
+      ).getArgument(0)
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -28,11 +28,11 @@ public static ResponseEntity<String> specificContentType(boolean safeContentType
     }
     else {
       if(chainDirectly) {
-        return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss
+        return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled);
       }
       else {
         ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.APPLICATION_JSON);
-        return builder2.body(userControlled); // $SPURIOUS: xss
+        return builder2.body(userControlled);
       }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -28,11 +28,11 @@ public static ResponseEntity<String> specificContentType(boolean safeContentType`
`28`	`28`	`}`
`29`	`29`	`else {`
`30`	`30`	`if(chainDirectly) {`
`31`		`- return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss`
	`31`	`+ return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled);`
`32`	`32`	`}`
`33`	`33`	`else {`
`34`	`34`	`ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.APPLICATION_JSON);`
`35`		`- return builder2.body(userControlled); // $SPURIOUS: xss`
	`35`	`+ return builder2.body(userControlled);`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`