Spring HTTP: inherit produced content-types from surrounding class

smowton · smowton · commit d94008538498 · 2021-09-10T16:10:52.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
@@ -100,28 +100,44 @@ class SpringResponseBodyAnnotationType extends AnnotationType {
   }
 }
 
+private class SpringRequestMappingAnnotation extends Annotation {
+  SpringRequestMappingAnnotation() { this.getType() instanceof SpringRequestMappingAnnotationType }
+}
+
+private Expr getProducesExpr(RefType rt) {
+  result = rt.getAnAnnotation().(SpringRequestMappingAnnotation).getValue("produces")
+  or
+  rt.getAnAnnotation().(SpringRequestMappingAnnotation).getValue("produces").(ArrayInit).getSize() =
+    0 and
+  result = getProducesExpr(rt.getASupertype())
+}
+
 /**
  * A method on a Spring controller that is executed in response to a web request.
  */
 class SpringRequestMappingMethod extends SpringControllerMethod {
-  Annotation requestMappingAnnotation;
+  SpringRequestMappingAnnotation requestMappingAnnotation;
 
   SpringRequestMappingMethod() {
     // Any method that declares the @RequestMapping annotation, or overrides a method that declares
     // the annotation. We have to do this explicit check because the @RequestMapping annotation is
     // not declared with @Inherited.
     exists(Method superMethod |
       this.overrides*(superMethod) and
-      requestMappingAnnotation = superMethod.getAnAnnotation() and
-      requestMappingAnnotation.getType() instanceof SpringRequestMappingAnnotationType
+      requestMappingAnnotation = superMethod.getAnAnnotation()
     )
   }
 
   /** Gets a request mapping parameter. */
   SpringRequestMappingParameter getARequestParameter() { result = getAParameter() }
 
   /** Gets the "produces" @RequestMapping annotation value, if present. */
-  Expr getProducesExpr() { result = requestMappingAnnotation.getValue("produces") }
+  Expr getProducesExpr() {
+    result = requestMappingAnnotation.getValue("produces")
+    or
+    requestMappingAnnotation.getValue("produces").(ArrayInit).getSize() = 0 and
+    result = getProducesExpr(this.getDeclaringType())
+  }
 
   /** Gets the "produces" @RequestMapping annotation value, if present. */
   Expr getAProducesExpr() {
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
@@ -105,12 +105,12 @@ public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(St
   private static class ClassContentTypeSafe {
     @GetMapping(value = "/abc")
     public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
+      return ResponseEntity.ok(userControlled);
     }
 
     @GetMapping(value = "/abc")
     public String testDirectReturn(String userControlled) {
-      return userControlled; // $SPURIOUS: xss
+      return userControlled;
     }
 
     @GetMapping(value = "/xyz", produces = {"text/html"})

Original file line number	Diff line number	Diff line change
`@@ -105,12 +105,12 @@ public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(St`
`105`	`105`	`private static class ClassContentTypeSafe {`
`106`	`106`	`@GetMapping(value = "/abc")`
`107`	`107`	`public ResponseEntity<String> test(String userControlled) {`
`108`		`- return ResponseEntity.ok(userControlled); // $SPURIOUS: xss`
	`108`	`+ return ResponseEntity.ok(userControlled);`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`@GetMapping(value = "/abc")`
`112`	`112`	`public String testDirectReturn(String userControlled) {`
`113`		`- return userControlled; // $SPURIOUS: xss`
	`113`	`+ return userControlled;`
`114`	`114`	`}`
`115`	`115`
`116`	`116`	`@GetMapping(value = "/xyz", produces = {"text/html"})`