Begin refactoring Ratpack to use functional taint tracking

Signed-off-by: Jonathan Leitschuh <[email protected]>

Author: JLLeitschuh

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -95,6 +95,8 @@ private module Frameworks {
   private import semmle.code.java.frameworks.Optional
   private import semmle.code.java.frameworks.Stream
   private import semmle.code.java.frameworks.Strings
+  private import semmle.code.java.frameworks.ratpack.Ratpack
+  private import semmle.code.java.frameworks.ratpack.RatpackExec
   private import semmle.code.java.frameworks.spring.SpringCache
   private import semmle.code.java.frameworks.spring.SpringHttp
   private import semmle.code.java.frameworks.spring.SpringUtil

java/ql/src/semmle/code/java/frameworks/ratpack/Ratpack.qll renamed to java/ql/lib/semmle/code/java/frameworks/ratpack/Ratpack.qll

@@ -29,7 +29,8 @@ private class RatpackHttpSource extends SourceModelCsv {
     row =
       ["ratpack.handling;", "ratpack.core.handling;"] + "Context;true;parse;" +
         [
-          "(java.lang.Class);", "(com.google.common.reflect.TypeToken);", "(java.lang.Class,java.lang.Object);",
+          "(java.lang.Class);", "(com.google.common.reflect.TypeToken);",
+          "(java.lang.Class,java.lang.Object);",
           "(com.google.common.reflect.TypeToken,java.lang.Object);", "(ratpack.core.parse.Parse);",
           "(ratpack.parse.Parse);"
         ] + ";ReturnValue;remote"
@@ -74,8 +75,8 @@ private class RatpackModel extends SummaryModelCsv {
     row =
       ["ratpack.util;", "ratpack.func;"] +
         [
-          "MultiValueMap;true;getAll;;;Argument[-1];ReturnValue;taint",
-          "MultiValueMap;true;asMultimap;;;Argument[-1];ReturnValue;taint"
+          "MultiValueMap;true;getAll;;;Element of Argument[-1];ReturnValue;value",
+          "MultiValueMap;true;asMultimap;;;Element of Argument[-1];ReturnValue;value"
         ]
   }
 }

java/ql/src/semmle/code/java/frameworks/ratpack/RatpackExec.qll renamed to java/ql/lib/semmle/code/java/frameworks/ratpack/RatpackExec.qll

@@ -1,6 +1,7 @@
 import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A reference type that extends a parameterization the Promise type. */
 private class RatpackPromise extends RefType {
@@ -9,6 +10,21 @@ private class RatpackPromise extends RefType {
   }
 }
 
+/** 
+ * Ratpack methods that propagate user-supplied data as tainted.
+ */
+private class RatpackExecModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    //"namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+    row = [
+      "ratpack.exec;Promise;true;map;;;Element of Argument[-1];Parameter[0] of Argument[0];value",
+      "ratpack.exec;Promise;true;map;;;ReturnValue of Argument[0];Element of ReturnValue;value",
+      "ratpack.exec;Promise;true;then;;;Element of Argument[-1];Parameter[0] of Argument[0];value"
+    ] 
+  }
+}
+
+
 private class RatpackPromiseValueMethod extends Method, TaintPreservingCallable {
   RatpackPromiseValueMethod() { isStatic() and hasName("value") }
 
@@ -54,7 +70,7 @@ abstract private class SimpleFluentLambdaMethod extends FluentLambdaMethod {
 private class RatpackPromiseMapMethod extends SimpleFluentLambdaMethod {
   RatpackPromiseMapMethod() {
     getDeclaringType() instanceof RatpackPromise and
-    hasName(["map", "blockingMap"]) // "flatMap" & "apply" cause false positives. Wait for fluent lambda support.
+    hasName(["blockingMap"]) // "flatMap" & "apply" cause false positives. Wait for fluent lambda support.
   }
 
   override predicate consumesTaint(int lambdaArg) { lambdaArg = 0 }
@@ -92,14 +108,14 @@ private class RatpackPromiseMapErrorMethod extends FluentLambdaMethod {
   override predicate doesReturnTaint(int arg) { arg = getNumberOfParameters() - 1 }
 }
 
-private class RatpackPromiseThenMethod extends SimpleFluentLambdaMethod {
-  RatpackPromiseThenMethod() {
-    getDeclaringType() instanceof RatpackPromise and
-    hasName("then")
-  }
+// private class RatpackPromiseThenMethod extends SimpleFluentLambdaMethod {
+//   RatpackPromiseThenMethod() {
+//     getDeclaringType() instanceof RatpackPromise and
+//     hasName("then")
+//   }
 
-  override predicate consumesTaint(int lambdaArg) { lambdaArg = 0 }
-}
+//   override predicate consumesTaint(int lambdaArg) { lambdaArg = 0 }
+// }
 
 private class RatpackPromiseFluentMethod extends FluentMethod, FluentLambdaMethod {
   RatpackPromiseFluentMethod() {

java/ql/test/library-tests/frameworks/ratpack/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/ratpack-1.9.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/netty-4.1.x
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/ratpack-1.9.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/netty-4.1.x

java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java

@@ -36,6 +36,7 @@ void test1(Context ctx) {
 
     void test2(Context ctx, OutputStream os) {
         ctx.getRequest().getBody().then(td -> {
+            sink(td); //$hasTaintFlow
             sink(td.getText()); //$hasTaintFlow
             sink(td.getBuffer()); //$hasTaintFlow
             sink(td.getBytes()); //$hasTaintFlow
@@ -53,6 +54,12 @@ void test2(Context ctx, OutputStream os) {
 
     void test3(Context ctx) {
         sink(ctx.getRequest().getBody().map(TypedData::getText)); //$hasTaintFlow
+        Promise<String> mapResult = ctx.getRequest().getBody().map(b -> {
+            sink(b); //$hasTaintFlow
+            sink(b.getText()); //$hasTaintFlow
+            return b.getText();
+        });
+        sink(mapResult); //$hasTaintFlow
         ctx.getRequest().getBody().map(TypedData::getText).then(this::sink); //$hasTaintFlow
         ctx
             .getRequest()