Query to detect XSS with JavaServer Faces (JSF)

Author: luchua-bc

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -25,6 +25,7 @@ import semmle.code.java.frameworks.spring.SpringWebClient
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
+import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
 private import semmle.code.java.dataflow.ExternalFlow
 
 /** A data flow source of remote user input. */

java/ql/lib/semmle/code/java/security/XSS.qll

@@ -5,6 +5,7 @@ import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringHttp
+import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.ExternalFlow
@@ -87,6 +88,12 @@ private class DefaultXssSink extends XssSink {
         returnType instanceof RawClass
       )
     )
+    or
+    exists(FacesWriterSourceToWritingMethodFlowConfig writer, MethodAccess ma |
+      ma.getMethod() instanceof WritingMethod and
+      writer.hasFlowToExpr(ma.getQualifier()) and
+      this.asExpr() = ma.getArgument(_)
+    )
   }
 }
 
@@ -158,3 +165,27 @@ predicate isXssVulnerableContentType(string s) {
  */
 bindingset[s]
 predicate isXssSafeContentType(string s) { not isXssVulnerableContentType(s) }
+
+/** An output stream or writer that writes to a JSF response. */
+class FacesWriterSource extends MethodAccess {
+  FacesWriterSource() {
+    this.getMethod() instanceof FacesGetResponseWriterMethod
+    or
+    this.getMethod() instanceof FacesGetResponseStreamMethod
+  }
+}
+
+/** A configuration that tracks data from a JSF writer to an output method. */
+private class FacesWriterSourceToWritingMethodFlowConfig extends TaintTracking2::Configuration {
+  FacesWriterSourceToWritingMethodFlowConfig() {
+    this = "XSS::FacesWriterSourceToWritingMethodFlowConfig"
+  }
+
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof FacesWriterSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getQualifier() and ma.getMethod() instanceof WritingMethod
+    )
+  }
+}

java/ql/src/Security/CWE/CWE-079/JsfXSS.java

@@ -0,0 +1,33 @@
+@FacesRenderer(componentFamily = "", rendererType = "")
+public class JsfXSS extends Renderer
+{
+    @Override
+    public void encodeBegin(FacesContext facesContext, UIComponent component) throws IOException
+    {
+        super.encodeBegin(facesContext, component);
+
+        Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap();
+        String windowId = requestParameters.get("window_id");
+
+        ResponseWriter writer = facesContext.getResponseWriter();
+        writer.write("<script type=\"text/javascript\">");
+        writer.write("(function(){");
+        {
+            // BAD: directly output user input.
+            writer.write("dswh.init('" + windowId + "','"
+                + "......" + "',"
+                + -1 + ",{");
+        }
+        {
+            // GOOD: use the method `writeText` that performs escaping appropriate for the markup language being rendered.
+            writer.write("dswh.init('");
+            writer.writeText(windowId, null);
+            writer.write("','"
+                    + "......" + "',"
+                    + -1 + ",{");
+        }
+        writer.write("});");
+        writer.write("})();");
+        writer.write("</script>");
+    }
+}

java/ql/src/Security/CWE/CWE-079/XSS.qhelp

@@ -23,6 +23,15 @@ leaving the website vulnerable to cross-site scripting.</p>
 
 <sample src="XSS.java" />
 
+</example>
+
+<example>
+
+<p>The following example shows the page parameter being written directly to a custom JSF renderer
+of UI components, which leaves the website vulnerable to cross-site scripting.</p>
+
+<sample src="JsfXSS.java" />
+
 </example>
 <references>
 

java/ql/src/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll

@@ -0,0 +1,123 @@
+/** Provides classes and predicates for working with JavaServer Faces renderer. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * The JSF class `FacesContext` for processing HTTP requests.
+ */
+class FacesContext extends RefType {
+  FacesContext() {
+    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "FacesContext")
+  }
+}
+
+/**
+ * The JSF class `ExternalContext` allowing JavaServer Faces based applications to run in
+ * either a Servlet or a Portlet environment.
+ */
+class ExternalContext extends RefType {
+  ExternalContext() {
+    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+  }
+}
+
+/**
+ * The base class type `UIComponent` for all user interface components in JavaServer Faces.
+ */
+class FacesUIComponent extends RefType {
+  FacesUIComponent() {
+    this.hasQualifiedName(["javax.faces.component", "jakarta.faces.component"], "UIComponent")
+  }
+}
+
+/**
+ * The JSF class `Renderer` that converts internal representation of `UIComponent` into the output
+ * stream (or writer) associated with the response we are creating for a particular request.
+ */
+class FacesRenderer extends RefType {
+  FacesRenderer() {
+    this.hasQualifiedName(["javax.faces.render", "jakarta.faces.render"], "Renderer")
+  }
+}
+
+/**
+ * The JSF class `ResponseWriter` that outputs and producing elements and attributes for markup
+ * languages like HTML and XML.
+ */
+class FacesResponseWriter extends RefType {
+  FacesResponseWriter() {
+    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ResponseWriter")
+  }
+}
+
+/**
+ * The class `ResponseStream` that produces binary output.
+ */
+class FacesResponseStream extends RefType {
+  FacesResponseStream() {
+    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ResponseStream")
+  }
+}
+
+private class ExternalContextSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.faces.context;ExternalContext;true;getRequestParameterMap;();;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getRequestParameterNames;();;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getRequestParameterValuesMap;();;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getRequestPathInfo;();;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getResource;(String);;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getResourceAsStream;(String);;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getResourcePaths;(String);;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getRequestCookieMap;();;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getRequestHeaderMap;();;ReturnValue;remote",
+        "javax.faces.context;ExternalContext;true;getRequestHeaderValuesMap;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestParameterMap;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestParameterNames;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestParameterValuesMap;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestPathInfo;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getResource;(String);;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getResourceAsStream;(String);;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getResourcePaths;(String);;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestCookieMap;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestHeaderMap;();;ReturnValue;remote",
+        "jakarta.faces.context;ExternalContext;true;getRequestHeaderValuesMap;();;ReturnValue;remote"
+      ]
+  }
+}
+
+/**
+ * The method `getResponseWriter()` declared in JSF `ExternalContext`.
+ */
+class FacesGetResponseWriterMethod extends Method {
+  FacesGetResponseWriterMethod() {
+    getDeclaringType() instanceof FacesContext and
+    hasName("getResponseWriter") and
+    getNumberOfParameters() = 0
+  }
+}
+
+/**
+ * The method `getResponseStream()` declared in JSF `ExternalContext`.
+ */
+class FacesGetResponseStreamMethod extends Method {
+  FacesGetResponseStreamMethod() {
+    getDeclaringType() instanceof FacesContext and
+    hasName("getResponseStream") and
+    getNumberOfParameters() = 0
+  }
+}
+
+private class ExternalContextXssSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.faces.context;ResponseWriter;true;write;;;Argument[0];xss",
+        "javax.faces.context;ResponseStream;true;write;;;Argument[0];xss",
+        "jakarta.faces.context;ResponseWriter;true;write;;;Argument[0];xss",
+        "jakarta.faces.context;ResponseStream;true;write;;;Argument[0];xss"
+      ]
+  }
+}

java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java

@@ -0,0 +1,53 @@
+import java.io.IOException;
+import java.util.Map;
+
+import javax.faces.component.UIComponent;
+import javax.faces.context.FacesContext;
+import javax.faces.context.ResponseWriter;
+import javax.faces.render.FacesRenderer;
+import javax.faces.render.Renderer;
+
+@FacesRenderer(componentFamily = "", rendererType = "")
+public class JsfXSS extends Renderer
+{
+    @Override
+    // BAD: directly output user input.
+    public void encodeBegin(FacesContext facesContext, UIComponent component) throws IOException
+    {
+        super.encodeBegin(facesContext, component);
+
+        Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap();
+        String windowId = requestParameters.get("window_id");
+
+        ResponseWriter writer = facesContext.getResponseWriter();
+        writer.write("<script type=\"text/javascript\">");
+        writer.write("(function(){");
+        writer.write("dswh.init('" + windowId + "','" // $xss
+                + "......" + "',"
+                + -1 + ",{");
+        writer.write("});");
+        writer.write("})();");
+        writer.write("</script>");
+    }
+
+    // GOOD: use the method `writeText` that performs escaping appropriate for the markup language being rendered.
+    public void encodeBegin2(FacesContext facesContext, UIComponent component) throws IOException
+    {
+        super.encodeBegin(facesContext, component);
+
+        Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap();
+        String windowId = requestParameters.get("window_id");
+
+        ResponseWriter writer = facesContext.getResponseWriter();
+        writer.write("<script type=\"text/javascript\">");
+        writer.write("(function(){");
+        writer.write("dswh.init('");
+        writer.writeText(windowId, null);
+        writer.write("','"
+                + "......" + "',"
+                + -1 + ",{");
+        writer.write("});");
+        writer.write("})();");
+        writer.write("</script>");
+    }
+}

java/ql/test/query-tests/security/CWE-079/semmle/tests/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/javax-faces-2.3/