Merge branch 'main' into clipBoard

Author: erik-krogh

.github/workflows/csv-coverage-update.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   update:
     name: Update framework coverage report
-    if: github.event.repository.fork == false
+    if: github.repository == 'github/codeql'
     runs-on: ubuntu-latest
 
     steps:

cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql

@@ -63,6 +63,7 @@ where
   functionsMissingReturnStmt(f, blame) and
   reachable(blame) and
   not functionImperfectlyExtracted(f) and
+  not f.isFromUninstantiatedTemplate(_) and
   (blame = stmt or blame.(Expr).getEnclosingStmt() = stmt) and
   msg =
     "Function " + f.getName() + " should return a value of type " + f.getType().getName() +

java/change-notes/2021-08-09-flexjson-unsafe-deserialization.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query now recognizes deserialization using the `Flexjson` library.

java/change-notes/2021-09-14-jsf-support.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added basic support for untrusted data sources and XSS-vulnerable sinks relating to the JavaServer Faces (JSF) framework.

java/documentation/library-coverage/coverage.csv

@@ -16,7 +16,8 @@ groovy.lang,26,,,,,26,,,,,,,,,,,,,,,,,
 groovy.util,5,,,,,5,,,,,,,,,,,,,,,,,
 jakarta.json,,,123,,,,,,,,,,,,,,,,,,,100,23
 jakarta.ws.rs.client,1,,,,,,,,,,,,,1,,,,,,,,,
-jakarta.ws.rs.core,2,,143,,,,,,,,,,,,,,,2,,,,88,55
+jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,9,,
+jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,2,,,,94,55
 java.beans,,,1,,,,,,,,,,,,,,,,,,,1,
 java.io,3,,27,,3,,,,,,,,,,,,,,,,,26,1
 java.lang,,,45,,,,,,,,,,,,,,,,,,,39,6
@@ -32,7 +33,8 @@ javax.script,1,,,,,,,,,,,1,,,,,,,,,,,
 javax.servlet,4,21,2,,,,3,1,,,,,,,,,,,,,21,2,
 javax.validation,1,1,,1,,,,,,,,,,,,,,,,,1,,
 javax.ws.rs.client,1,,,,,,,,,,,,,1,,,,,,,,,
-javax.ws.rs.core,3,,143,,,,1,,,,,,,,,,,2,,,,88,55
+javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,9,,
+javax.ws.rs.core,3,,149,,,,1,,,,,,,,,,,2,,,,94,55
 javax.xml.transform.sax,,,4,,,,,,,,,,,,,,,,,,,4,
 javax.xml.transform.stream,,,2,,,,,,,,,,,,,,,,,,,2,
 javax.xml.xpath,3,,,,,,,,,,,,,,,,,,3,,,,

java/documentation/library-coverage/coverage.rst

@@ -16,8 +16,8 @@ Java framework & library support
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,175,6,,6,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
    Java Standard Library,``java.*``,3,421,30,13,,,7,,,10
-   Java extensions,"``javax.*``, ``jakarta.*``",22,540,27,,,,,1,1,2
+   Java extensions,"``javax.*``, ``jakarta.*``",40,552,27,,,,,1,1,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,469,91,,,,19,14,,29
    Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.unboundid.ldap.sdk``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``ognl``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.mvel2``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,25,146,,,,14,18,,
-   Totals,,84,3541,398,13,6,6,107,33,1,66
+   Totals,,102,3553,398,13,6,6,107,33,1,66
 

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -81,8 +81,10 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Collections
   private import semmle.code.java.frameworks.apache.Lang
+  private import semmle.code.java.frameworks.Flexjson
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
   private import semmle.code.java.frameworks.JavaxJson
   private import semmle.code.java.frameworks.JaxWS
   private import semmle.code.java.frameworks.JoddJson

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -25,6 +25,7 @@ import semmle.code.java.frameworks.spring.SpringWebClient
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
+import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
 private import semmle.code.java.dataflow.ExternalFlow
 
 /** A data flow source of remote user input. */

java/ql/lib/semmle/code/java/frameworks/Flexjson.qll

@@ -0,0 +1,41 @@
+/**
+ * Provides classes for working with the Flexjson framework.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/** The class `flexjson.JSONDeserializer`. */
+class FlexjsonDeserializer extends RefType {
+  FlexjsonDeserializer() { this.hasQualifiedName("flexjson", "JSONDeserializer") }
+}
+
+/** The class `flexjson.ObjectFactory`. */
+class FlexjsonObjectFactory extends RefType {
+  FlexjsonObjectFactory() { this.hasQualifiedName("flexjson", "ObjectFactory") }
+}
+
+/** The deserialization method `deserialize`. */
+class FlexjsonDeserializeMethod extends Method {
+  FlexjsonDeserializeMethod() {
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
+      FlexjsonDeserializer and
+    this.getName() = "deserialize" and
+    not this.getAParameter().getType() instanceof FlexjsonObjectFactory // deserialization method with specified class types in object factory is unlikely to be vulnerable
+  }
+}
+
+/** The method `use` to configure allowed class type. */
+class FlexjsonDeserializerUseMethod extends Method {
+  FlexjsonDeserializerUseMethod() {
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
+      FlexjsonDeserializer and
+    this.hasName("use")
+  }
+}
+
+private class FluentUseMethodModel extends SummaryModelCsv {
+  override predicate row(string r) {
+    r = "flexjson;JSONDeserializer;true;use;;;Argument[-1];ReturnValue;value"
+  }
+}

java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll

@@ -0,0 +1,63 @@
+/** Provides classes and predicates for working with JavaServer Faces renderer. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * The JSF class `FacesContext` for processing HTTP requests.
+ */
+class FacesContext extends RefType {
+  FacesContext() {
+    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "FacesContext")
+  }
+}
+
+private class ExternalContextSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      ["javax.", "jakarta."] +
+        [
+          "faces.context;ExternalContext;true;getRequestParameterMap;();;ReturnValue;remote",
+          "faces.context;ExternalContext;true;getRequestParameterNames;();;ReturnValue;remote",
+          "faces.context;ExternalContext;true;getRequestParameterValuesMap;();;ReturnValue;remote",
+          "faces.context;ExternalContext;true;getRequestPathInfo;();;ReturnValue;remote",
+          "faces.context;ExternalContext;true;getRequestCookieMap;();;ReturnValue;remote",
+          "faces.context;ExternalContext;true;getRequestHeaderMap;();;ReturnValue;remote",
+          "faces.context;ExternalContext;true;getRequestHeaderValuesMap;();;ReturnValue;remote"
+        ]
+  }
+}
+
+/**
+ * The method `getResponseWriter()` declared in JSF `ExternalContext`.
+ */
+class FacesGetResponseWriterMethod extends Method {
+  FacesGetResponseWriterMethod() {
+    getDeclaringType() instanceof FacesContext and
+    hasName("getResponseWriter") and
+    getNumberOfParameters() = 0
+  }
+}
+
+/**
+ * The method `getResponseStream()` declared in JSF `ExternalContext`.
+ */
+class FacesGetResponseStreamMethod extends Method {
+  FacesGetResponseStreamMethod() {
+    getDeclaringType() instanceof FacesContext and
+    hasName("getResponseStream") and
+    getNumberOfParameters() = 0
+  }
+}
+
+private class ExternalContextXssSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.faces.context;ResponseWriter;true;write;;;Argument[0];xss",
+        "javax.faces.context;ResponseStream;true;write;;;Argument[0];xss",
+        "jakarta.faces.context;ResponseWriter;true;write;;;Argument[0];xss",
+        "jakarta.faces.context;ResponseStream;true;write;;;Argument[0];xss"
+      ]
+  }
+}