Merge pull request #17590 from Kwstubbs/java-mad-test

Java: FileUpload Support MaD

Author: owen-mc

java/ql/lib/change-notes/2024-09-24-multipart.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.

java/ql/lib/ext/jakarta.servlet.http.model.yml

@@ -3,7 +3,14 @@ extensions:
       pack: codeql/java-all
       extensible: sourceModel
     data:
-      - ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
       - ["jakarta.servlet.http", "HttpServletRequest", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
       - ["jakarta.servlet.http", "HttpServletRequest", False, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
       - ["jakarta.servlet.http", "HttpServletRequest", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]

java/ql/lib/ext/javax.servlet.http.model.yml

@@ -19,6 +19,14 @@ extensions:
       - ["javax.servlet.http", "HttpServletRequest", False, "getRequestURI", "()", "", "ReturnValue", "remote", "manual"]
       - ["javax.servlet.http", "HttpServletRequest", False, "getRequestURL", "()", "", "ReturnValue", "remote", "manual"]
       - ["javax.servlet.http", "HttpServletRequest", False, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
+
 
   - addsTo:
       pack: codeql/java-all

java/ql/lib/ext/org.apache.commons.fileupload.model.yml

@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.apache.commons.fileupload", "FileItem", True, "get", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getFieldName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getString", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getString", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getFieldName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "openStream", "()", "", "ReturnValue", "remote", "manual"]

java/ql/lib/ext/org.apache.commons.fileupload.util.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.commons.fileupload.util", "Streams", True, "asString", "(InputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.apache.commons.fileupload.util", "Streams", True, "asString", "(InputStream,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.apache.commons.fileupload.util", "Streams", True, "copy", "(InputStream,OutputStream,boolean)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["org.apache.commons.fileupload.util", "Streams", True, "copy", "(InputStream,OutputStream,boolean,byte[])", "", "Argument[0]", "Argument[1]", "taint", "manual"]

java/ql/test/library-tests/dataflow/taintsources/FileUpload.java

@@ -0,0 +1,52 @@
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.fileupload.FileItem;
+import org.apache.commons.fileupload.FileItemStream;
+import org.apache.commons.fileupload.servlet.ServletFileUpload;
+
+public class FileUpload {
+
+    private HttpServletRequest request;
+    private HttpServletResponse response;
+    private javax.servlet.http.Part filePart;
+    private FileItem fileItem;
+    private FileItemStream fileItemStream;
+    private jakarta.servlet.http.Part jakartaPart;
+    private ServletFileUpload servletFileUpload;
+
+    private static void sink(Object o) {}
+
+    public void test() throws Exception {
+        sink(filePart.getContentType());  // $ hasRemoteValueFlow
+        sink(filePart.getHeader("test")); // $ hasRemoteValueFlow
+        sink(filePart.getHeaderNames()); // $ hasRemoteValueFlow
+        sink(filePart.getHeaders("test")); // $ hasRemoteValueFlow
+        sink(filePart.getInputStream()); // $ hasRemoteValueFlow
+        sink(filePart.getName()); // $ hasRemoteValueFlow
+        sink(filePart.getSubmittedFileName()); // $ hasRemoteValueFlow
+
+        sink(fileItem.get());            // $ hasRemoteValueFlow
+        sink(fileItem.getContentType()); // $ hasRemoteValueFlow
+        sink(fileItem.getFieldName());        // $ hasRemoteValueFlow
+        sink(fileItem.getInputStream());        // $ hasRemoteValueFlow
+        sink(fileItem.getName());        // $ hasRemoteValueFlow
+        sink(fileItem.getName());        // $ hasRemoteValueFlow
+        sink(fileItem.getString());      // $ hasRemoteValueFlow
+
+        sink(fileItemStream.getContentType()); // $ hasRemoteValueFlow
+        sink(fileItemStream.getFieldName()); // $ hasRemoteValueFlow
+        sink(fileItemStream.getName()); // $ hasRemoteValueFlow
+        sink(fileItemStream.openStream()); // $ hasRemoteValueFlow
+
+        sink(jakartaPart.getContentType());  // $ hasRemoteValueFlow
+        sink(jakartaPart.getHeader("test")); // $ hasRemoteValueFlow
+        sink(jakartaPart.getHeaderNames()); // $ hasRemoteValueFlow
+        sink(jakartaPart.getHeaders("test")); // $ hasRemoteValueFlow
+        sink(jakartaPart.getInputStream()); // $ hasRemoteValueFlow
+        sink(jakartaPart.getName()); // $ hasRemoteValueFlow
+        sink(jakartaPart.getSubmittedFileName()); // $ hasRemoteValueFlow
+
+        FileItem item = servletFileUpload.parseRequest(request).get(0);
+        sink(item.getName()); // $ hasRemoteValueFlow
+    }
+}

java/ql/test/library-tests/dataflow/taintsources/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jakarta.servlet-api-6.0.0:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/Test.java

@@ -0,0 +1,55 @@
+package com.mycompany.app;
+
+import org.apache.commons.fileupload.util.Streams;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.ByteArrayOutputStream;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() {
+		return null;
+	}
+
+	void sink(Object o) {
+	}
+
+	public void test() throws Exception {
+
+		{
+            InputStream in = (InputStream)source();
+            OutputStream os = new ByteArrayOutputStream(1024); 
+
+			InputStream in2 = (InputStream)source();
+            OutputStream os2 = new ByteArrayOutputStream(1024); 
+
+			byte[] myArray = new byte[1024];
+
+			// "org.apache.commons.fileupload.util;Streams;true;copy;(InputStream,OutputStream,boolean,byte[]);;Argument[0];Argument[1];taint;manual"
+			long status = Streams.copy(in, os, true, myArray);
+			sink(os); // $ hasTaintFlow
+			// "org.apache.commons.fileupload.util;Streams;true;copy;(InputStream,OutputStream,boolean);;Argument[0];Argument[1];taint;manual"
+			long status2 = Streams.copy(in2, os2, true);
+			sink(os2); // $ hasTaintFlow
+		}
+
+	}
+	public void test2() throws Exception {
+
+		{
+			
+            InputStream in = (InputStream)source();
+			// "org.apache.commons.fileupload.util;Streams;true;asString;(InputStream,String);;Argument[0];ReturnValue;taint;manual"
+			String result = Streams.asString(in);
+			sink(result); // $ hasTaintFlow
+
+            InputStream in1 = (InputStream)source();
+			// "org.apache.commons.fileupload.util;Streams;true;asString;(InputStream,String);;Argument[0];ReturnValue;taint;manual"
+            String result1 = Streams.asString(in1, "test");
+            sink(result1); // $ hasTaintFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-fileupload-1.4

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/test.expected

@@ -0,0 +1,45 @@
+models
+| 1 | Summary: org.apache.commons.fileupload.util; Streams; true; asString; (InputStream); ; Argument[0]; ReturnValue; taint; manual |
+| 2 | Summary: org.apache.commons.fileupload.util; Streams; true; asString; (InputStream,String); ; Argument[0]; ReturnValue; taint; manual |
+| 3 | Summary: org.apache.commons.fileupload.util; Streams; true; copy; (InputStream,OutputStream,boolean); ; Argument[0]; Argument[1]; taint; manual |
+| 4 | Summary: org.apache.commons.fileupload.util; Streams; true; copy; (InputStream,OutputStream,boolean,byte[]); ; Argument[0]; Argument[1]; taint; manual |
+edges
+| Test.java:21:30:21:50 | (...)... : InputStream | Test.java:30:31:30:32 | in : InputStream | provenance |  |
+| Test.java:21:43:21:50 | source(...) : Object | Test.java:21:30:21:50 | (...)... : InputStream | provenance |  |
+| Test.java:24:22:24:42 | (...)... : InputStream | Test.java:33:32:33:34 | in2 : InputStream | provenance |  |
+| Test.java:24:35:24:42 | source(...) : Object | Test.java:24:22:24:42 | (...)... : InputStream | provenance |  |
+| Test.java:30:31:30:32 | in : InputStream | Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | provenance | MaD:4 |
+| Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | Test.java:31:9:31:10 | os | provenance |  |
+| Test.java:33:32:33:34 | in2 : InputStream | Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | provenance | MaD:3 |
+| Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | Test.java:34:9:34:11 | os2 | provenance |  |
+| Test.java:42:30:42:50 | (...)... : InputStream | Test.java:44:37:44:38 | in : InputStream | provenance |  |
+| Test.java:42:43:42:50 | source(...) : Object | Test.java:42:30:42:50 | (...)... : InputStream | provenance |  |
+| Test.java:44:20:44:39 | asString(...) : String | Test.java:45:9:45:14 | result | provenance |  |
+| Test.java:44:37:44:38 | in : InputStream | Test.java:44:20:44:39 | asString(...) : String | provenance | MaD:1 |
+| Test.java:47:31:47:51 | (...)... : InputStream | Test.java:49:47:49:49 | in1 : InputStream | provenance |  |
+| Test.java:47:44:47:51 | source(...) : Object | Test.java:47:31:47:51 | (...)... : InputStream | provenance |  |
+| Test.java:49:30:49:58 | asString(...) : String | Test.java:50:18:50:24 | result1 | provenance |  |
+| Test.java:49:47:49:49 | in1 : InputStream | Test.java:49:30:49:58 | asString(...) : String | provenance | MaD:2 |
+nodes
+| Test.java:21:30:21:50 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:21:43:21:50 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:24:22:24:42 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:24:35:24:42 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:30:31:30:32 | in : InputStream | semmle.label | in : InputStream |
+| Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | semmle.label | os [post update] : ByteArrayOutputStream |
+| Test.java:31:9:31:10 | os | semmle.label | os |
+| Test.java:33:32:33:34 | in2 : InputStream | semmle.label | in2 : InputStream |
+| Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | semmle.label | os2 [post update] : ByteArrayOutputStream |
+| Test.java:34:9:34:11 | os2 | semmle.label | os2 |
+| Test.java:42:30:42:50 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:42:43:42:50 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:44:20:44:39 | asString(...) : String | semmle.label | asString(...) : String |
+| Test.java:44:37:44:38 | in : InputStream | semmle.label | in : InputStream |
+| Test.java:45:9:45:14 | result | semmle.label | result |
+| Test.java:47:31:47:51 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:47:44:47:51 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:49:30:49:58 | asString(...) : String | semmle.label | asString(...) : String |
+| Test.java:49:47:49:49 | in1 : InputStream | semmle.label | in1 : InputStream |
+| Test.java:50:18:50:24 | result1 | semmle.label | result1 |
+subpaths
+testFailures