Add support for Promise.value and Promise::flatMap

JLLeitschuh · JLLeitschuh · commit b2e3df29b3ae · 2021-10-18T12:21:08.000-04:00
diff --git a/java/ql/src/semmle/code/java/frameworks/ratpack/RatpackExec.qll b/java/ql/src/semmle/code/java/frameworks/ratpack/RatpackExec.qll
@@ -3,12 +3,18 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.FlowSteps
 
 /** A reference type that extends a parameterization the Promise type. */
-class RatpackPromise extends RefType {
+private class RatpackPromise extends RefType {
   RatpackPromise() {
     getSourceDeclaration().getASourceSupertype*().hasQualifiedName("ratpack.exec", "Promise")
   }
 }
 
+private class RatpackPromiseValueMethod extends Method, TaintPreservingCallable {
+  RatpackPromiseValueMethod() { isStatic() and hasName("value") }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
+}
+
 abstract private class SimpleFluentLambdaMethod extends Method {
   SimpleFluentLambdaMethod() { getNumberOfParameters() = 1 }
 
@@ -25,18 +31,18 @@ abstract private class SimpleFluentLambdaMethod extends Method {
   predicate doesReturnTaint() { none() }
 }
 
-class RatpackPromiseMapMethod extends SimpleFluentLambdaMethod {
+private class RatpackPromiseMapMethod extends SimpleFluentLambdaMethod {
   RatpackPromiseMapMethod() {
     getDeclaringType() instanceof RatpackPromise and
-    hasName("map")
+    hasName(["map", "flatMap"])
   }
 
   override predicate consumesTaint(int arg) { arg = 0 }
 
   override predicate doesReturnTaint() { any() }
 }
 
-class RatpackPromiseThenMethod extends SimpleFluentLambdaMethod {
+private class RatpackPromiseThenMethod extends SimpleFluentLambdaMethod {
   RatpackPromiseThenMethod() {
     getDeclaringType() instanceof RatpackPromise and
     hasName("then")
@@ -45,7 +51,7 @@ class RatpackPromiseThenMethod extends SimpleFluentLambdaMethod {
   override predicate consumesTaint(int arg) { arg = 0 }
 }
 
-class RatpackPromiseNextMethod extends FluentMethod, SimpleFluentLambdaMethod {
+private class RatpackPromiseNextMethod extends FluentMethod, SimpleFluentLambdaMethod {
   RatpackPromiseNextMethod() {
     getDeclaringType() instanceof RatpackPromise and
     hasName("next")
@@ -54,21 +60,27 @@ class RatpackPromiseNextMethod extends FluentMethod, SimpleFluentLambdaMethod {
   override predicate consumesTaint(int arg) { arg = 0 }
 }
 
-private class RatpackPromiseTaintPreservingCallable extends AdditionalTaintStep {
+private class RatpackPromiseTaintPreservingStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     stepIntoLambda(node1, node2) or
     stepOutOfLambda(node1, node2)
   }
 
+  /**
+   * Holds if the method access qualifier `node1` has dataflow to the functional expression parameter `node2`.
+   */
   predicate stepIntoLambda(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(MethodAccess ma, SimpleFluentLambdaMethod sflm, int arg |
+    exists(MethodAccess ma, SimpleFluentLambdaMethod sflm, int arg | sflm.consumesTaint(arg) |
       ma.getMethod() = sflm and
-      sflm.consumesTaint(arg) and
       node1.asExpr() = ma.getQualifier() and
       ma.getArgument(0).(FunctionalExpr).asMethod().getParameter(arg) = node2.asParameter()
     )
   }
 
+  /**
+   * Holds if the return statement result of the functional expression `node1` has dataflow to the
+   * method access result `node2`.
+   */
   predicate stepOutOfLambda(DataFlow::Node node1, DataFlow::Node node2) {
     exists(SimpleFluentLambdaMethod sflm, MethodAccess ma, FunctionalExpr fe |
       sflm.doesReturnTaint()
diff --git a/java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java b/java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java
@@ -1,12 +1,17 @@
 import ratpack.core.handling.Context;
 import ratpack.core.http.TypedData;
 import ratpack.core.form.UploadedFile;
+import ratpack.exec.Promise;
 import java.io.OutputStream;
 
 class Resource {
 
     void sink(Object o) {}
 
+    String taint() {
+        return null;
+    }
+
     void test1(Context ctx) {
         sink(ctx.getRequest().getContentLength()); //$hasTaintFlow
         sink(ctx.getRequest().getCookies()); //$hasTaintFlow
@@ -53,4 +58,14 @@ void test5(Context ctx) {
             .next(this::sink) //$hasTaintFlow
             .then(this::sink); //$hasTaintFlow
     }
+
+    void test6() {
+        String tainted = taint();
+        Promise.value(tainted);
+        sink(Promise.value(tainted)); //$hasTaintFlow
+        Promise
+            .value(tainted)
+            .flatMap(a -> Promise.value(a))
+            .then(this::sink); //$hasTaintFlow
+    }
 }
diff --git a/java/ql/test/stubs/ratpack-1.9.x/ratpack/exec/Promise.java b/java/ql/test/stubs/ratpack-1.9.x/ratpack/exec/Promise.java
