Consider subtypes of Expression and ExpressionParser

Add parseRaw as additional taint step

Author: atorralba

java/ql/src/semmle/code/java/security/SpelInjection.qll

@@ -105,7 +105,7 @@ private predicate isSimpleEvaluationContextBuilderCall(Expr expr) {
  */
 private class ExpressionEvaluationMethod extends Method {
   ExpressionEvaluationMethod() {
-    this.getDeclaringType() instanceof Expression and
+    this.getDeclaringType().getASupertype*() instanceof Expression and
     this.hasName(["getValue", "getValueTypeDescriptor", "getValueType", "setValue"])
   }
 }
@@ -116,8 +116,8 @@ private class ExpressionEvaluationMethod extends Method {
  */
 private predicate expressionParsingStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
-    m.getDeclaringType().getAnAncestor*() instanceof ExpressionParser and
-    m.hasName("parseExpression") and
+    m.getDeclaringType().getASupertype*() instanceof ExpressionParser and
+    m.hasName(["parseExpression", "parseRaw"]) and
     ma.getAnArgument() = node1.asExpr() and
     node2.asExpr() = ma
   )

java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.java

@@ -3,6 +3,7 @@
 import java.net.Socket;
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpression;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.expression.spel.support.SimpleEvaluationContext;
 import org.springframework.expression.spel.support.StandardEvaluationContext;
@@ -23,6 +24,17 @@ public void testGetValue(Socket socket) throws IOException {
     expression.getValue(); // $hasSpelInjection
   }
 
+  public void testGetValueWithParseRaw(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+    SpelExpressionParser parser = new SpelExpressionParser();
+    SpelExpression expression = parser.parseRaw(input);
+    expression.getValue(); // $hasSpelInjection
+  }
+
   public void testGetValueWithChainedCalls(Socket socket) throws IOException {
     InputStream in = socket.getInputStream();