Java: add resource-related methods as path-injection sinks and as summaries

Jami Cogswell · Jami Cogswell · commit e285cf232c2b · 2024-03-13T22:48:57.000-04:00
diff --git a/java/ql/lib/ext/io.undertow.server.handlers.resource.model.yml b/java/ql/lib/ext/io.undertow.server.handlers.resource.model.yml
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # TODO: maybe switch below to parent class `PathResourceManager` instead...? Also `getFileResource` method as well?
+      - ["io.undertow.server.handlers.resource", "FileResourceManager", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["io.undertow.server.handlers.resource", "Resource", True, "getFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # TODO: sink instead?
+      - ["io.undertow.server.handlers.resource", "Resource", True, "getFilePath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["io.undertow.server.handlers.resource", "Resource", True, "getPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
diff --git a/java/ql/lib/ext/jakarta.faces.context.model.yml b/java/ql/lib/ext/jakarta.faces.context.model.yml
@@ -14,5 +14,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["jakarta.faces.context", "ExternalContext", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "manual"]
+      - ["jakarta.faces.context", "ExternalContext", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "manual"]
       - ["jakarta.faces.context", "ResponseStream", True, "write", "", "", "Argument[0]", "html-injection", "manual"]
       - ["jakarta.faces.context", "ResponseWriter", True, "write", "", "", "Argument[0]", "html-injection", "manual"]
diff --git a/java/ql/lib/ext/java.lang.model.yml b/java/ql/lib/ext/java.lang.model.yml
@@ -3,11 +3,11 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["java.lang", "Class", False, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.lang", "Class", False, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.lang", "Class", False, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # ! model already exists
+      - ["java.lang", "Class", False, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # ! model already exists
       - ["java.lang", "ClassLoader", False, "getSystemResources", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.lang", "ClassLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
-      - ["java.lang", "ClassLoader", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.lang", "ClassLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # ! model already exists
+      - ["java.lang", "ClassLoader", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # ! model already exists
       - ["java.lang", "ClassLoader", True, "getResources", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "ClassLoader", True, "getSystemResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "ClassLoader", True, "getSystemResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
diff --git a/java/ql/lib/ext/javax.faces.context.model.yml b/java/ql/lib/ext/javax.faces.context.model.yml
@@ -14,5 +14,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["javax.faces.context", "ExternalContext", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "manual"]
+      - ["javax.faces.context", "ExternalContext", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "manual"]
       - ["javax.faces.context", "ResponseStream", True, "write", "", "", "Argument[0]", "html-injection", "manual"]
       - ["javax.faces.context", "ResponseWriter", True, "write", "", "", "Argument[0]", "html-injection", "manual"]
diff --git a/java/ql/lib/ext/javax.servlet.model.yml b/java/ql/lib/ext/javax.servlet.model.yml
@@ -13,7 +13,8 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["javax.servlet", "ServletContext", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["javax.servlet", "ServletContext", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "manual"]
+      - ["javax.servlet", "ServletContext", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # ! model already exists
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/ext/org.jboss.vfs.model.yml b/java/ql/lib/ext/org.jboss.vfs.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.jboss.vfs", "VirtualFile", True, "getChild", "", "", "Argument[0]", "path-injection", "manual"]
diff --git a/java/ql/lib/ext/org.springframework.core.io.model.yml b/java/ql/lib/ext/org.springframework.core.io.model.yml
@@ -3,6 +3,15 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.springframework.core.io", "Resource", True, "createRelative", "(String)", "", "Argument[0]", "path-injection", "manual"]
-      - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.springframework.core.io", "ClassPathResource", True, "getFilename", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["org.springframework.core.io", "ClassPathResource", True, "getPath", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["org.springframework.core.io", "ClassPathResource", True, "getURL", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["org.springframework.core.io", "ClassPathResource", True, "resolveURL", "", "", "Argument[this]", "path-injection", "manual"]
+      - ["org.springframework.core.io", "Resource", True, "createRelative", "(String)", "", "Argument[0]", "path-injection", "manual"] # ! model already exists
+      - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # ! model already exists
       - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.springframework.core.io", "ClassPathResource", False, "ClassPathResource", "", "", "Argument[0]", "Argument[this]", "taint", "manual"] # TODO: sink instead?
diff --git a/java/ql/lib/ext/org.springframework.util.model.yml b/java/ql/lib/ext/org.springframework.util.model.yml
@@ -92,10 +92,10 @@ extensions:
       - ["org.springframework.util", "PropertyPlaceholderHelper", False, "parseStringValue", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "PropertyPlaceholderHelper", False, "replacePlaceholders", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "PropertyPlaceholderHelper", False, "replacePlaceholders", "(java.lang.String,java.util.Properties)", "", "Argument[1].MapValue", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.util", "ResourceUtils", False, "extractArchiveURL", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.util", "ResourceUtils", False, "extractJarFileURL", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.util", "ResourceUtils", False, "getFile", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.springframework.util", "ResourceUtils", False, "getURL", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.util", "ResourceUtils", False, "extractArchiveURL", "", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! model already exists as summary
+      - ["org.springframework.util", "ResourceUtils", False, "extractJarFileURL", "", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! model already exists as summary
+      - ["org.springframework.util", "ResourceUtils", False, "getFile", "", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! model already exists as summary
+      - ["org.springframework.util", "ResourceUtils", False, "getURL", "", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! model already exists as summary
       - ["org.springframework.util", "ResourceUtils", False, "toURI", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "RouteMatcher", True, "combine", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "RouteMatcher", True, "matchAndExtract", "", "", "Argument[0]", "ReturnValue.MapKey", "taint", "manual"]
