Add Tests to Ratpack Framework Support

Author: JLLeitschuh

java/ql/src/semmle/code/java/frameworks/ratpack/Ratpack.qll

@@ -0,0 +1,83 @@
+/**
+ * Provides classes and predicates related to `ratpack.*`.
+ */
+
+import java
+
+/**
+ * Ratpack methods that access user-supplied request data.
+ */
+abstract class RatpackGetRequestDataMethod extends Method { }
+
+/**
+ * The interface `ratpack.http.Request`.
+ * https://ratpack.io/manual/current/api/ratpack/http/Request.html
+ */
+class RatpackRequest extends RefType {
+  RatpackRequest() {
+    hasQualifiedName("ratpack.http", "Request") or
+    hasQualifiedName("ratpack.core.http", "Request")
+  }
+}
+
+/**
+ * Methods on `ratpack.http.Request` that return user tainted data.
+ */
+class RatpackHttpRequestGetMethod extends RatpackGetRequestDataMethod {
+  RatpackHttpRequestGetMethod() {
+    getDeclaringType() instanceof RatpackRequest and
+    hasName([
+        "getContentLength", "getCookies", "oneCookie", "getHeaders", "getPath", "getQuery",
+        "getQueryParams", "getRawUri", "getUri"
+      ])
+  }
+}
+
+/**
+ * The interface `ratpack.http.TypedData`.
+ * https://ratpack.io/manual/current/api/ratpack/http/TypedData.html
+ */
+class RatpackTypedData extends RefType {
+  RatpackTypedData() {
+    hasQualifiedName("ratpack.http", "TypedData") or
+    hasQualifiedName("ratpack.core.http", "TypedData")
+  }
+}
+
+/**
+ * Methods on `ratpack.http.TypedData` that return user tainted data.
+ */
+class RatpackHttpTypedDataGetMethod extends RatpackGetRequestDataMethod {
+  RatpackHttpTypedDataGetMethod() {
+    getDeclaringType() instanceof RatpackTypedData and
+    hasName(["getBuffer", "getBytes", "getContentType", "getInputStream", "getText"])
+  }
+}
+
+/**
+ * Methods on `ratpack.http.TypedData` that taint the parameter passed in.
+ */
+class RatpackHttpTypedDataWriteMethod extends Method {
+  RatpackHttpTypedDataWriteMethod() {
+    getDeclaringType() instanceof RatpackTypedData and
+    hasName("writeTo")
+  }
+}
+
+/**
+ * The interface `ratpack.form.UploadedFile`.
+ * https://ratpack.io/manual/current/api/ratpack/form/UploadedFile.html
+ */
+class RatpackUploadFile extends RefType {
+  RatpackUploadFile() {
+    hasQualifiedName("ratpack.form", "UploadedFile") or
+    hasQualifiedName("ratpack.core.form", "UploadedFile")
+  }
+}
+
+class RatpackUploadFileGetMethod extends RatpackGetRequestDataMethod {
+  RatpackUploadFileGetMethod() {
+    getDeclaringType() instanceof RatpackUploadFile and
+    hasName("getFileName")
+  }
+}

java/ql/src/semmle/code/java/frameworks/ratpack/RatpackExec.qll

@@ -0,0 +1,64 @@
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
+
+/** A reference type that extends a parameterization the Promise type. */
+class RatpackPromise extends RefType {
+  RatpackPromise() {
+    getSourceDeclaration().getASourceSupertype*().hasQualifiedName("ratpack.exec", "Promise")
+  }
+}
+
+class RatpackPromiseMapMethod extends Method {
+  RatpackPromiseMapMethod() {
+    getDeclaringType() instanceof RatpackPromise and
+    hasName("map")
+  }
+}
+
+class RatpackPromiseMapMethodAccess extends MethodAccess {
+  RatpackPromiseMapMethodAccess() { getMethod() instanceof RatpackPromiseMapMethod }
+}
+
+class RatpackPromiseThenMethod extends Method {
+  RatpackPromiseThenMethod() {
+    getDeclaringType() instanceof RatpackPromise and
+    hasName("then")
+  }
+}
+
+class RatpackPromiseThenMethodAccess extends MethodAccess {
+  RatpackPromiseThenMethodAccess() { getMethod() instanceof RatpackPromiseThenMethod }
+}
+
+private class RatpackPromiseTaintPreservingCallable extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    stepFromFunctionalExpToPromise(node1, node2) or
+    stepFromPromiseToFunctionalArgument(node1, node2)
+  }
+
+  /**
+   * Tracks taint from return from lambda function to the outer `Promise`.
+   */
+  private predicate stepFromFunctionalExpToPromise(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionalExpr fe |
+      fe.asMethod().getBody().getAStmt().(ReturnStmt).getResult() = node1.asExpr() and
+      node2.asExpr().(RatpackPromiseMapMethodAccess).getArgument(0) = fe
+    )
+  }
+
+  /**
+   * Tracks taint from the previous `Promise` to the first argument of lambda passed to `map` or `then`.
+   */
+  private predicate stepFromPromiseToFunctionalArgument(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(RatpackPromiseMapMethodAccess ma |
+      node1.asExpr() = ma.getQualifier() and
+      ma.getArgument(0).(FunctionalExpr).asMethod().getParameter(0) = node2.asParameter()
+    )
+    or
+    exists(RatpackPromiseThenMethodAccess ma |
+      node1.asExpr() = ma.getQualifier() and
+      ma.getArgument(0).(FunctionalExpr).asMethod().getParameter(0) = node2.asParameter()
+    )
+  }
+}

java/ql/src/semmle/code/java/frameworks/ratpack/RatpackHttp.qll

@@ -0,0 +1,35 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.XSS
+import semmle.code.java.security.UrlRedirect
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:frameworks:ratpack" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/ratpack/flow.expected

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/ratpack-1.9.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/netty-4.1.x

java/ql/test/library-tests/frameworks/ratpack/flow.ql

@@ -0,0 +1,27 @@
+import ratpack.core.handling.Context;
+import ratpack.core.http.TypedData;
+
+class Resource {
+
+    void sink(Object o) {}
+
+    void test1(Context ctx) {
+        sink(ctx.getRequest().getContentLength()); //$hasTaintFlow
+        sink(ctx.getRequest().getCookies()); //$hasTaintFlow
+        sink(ctx.getRequest().oneCookie("Magic-Cookie")); //$hasTaintFlow
+        sink(ctx.getRequest().getHeaders()); //$hasTaintFlow
+        sink(ctx.getRequest().getPath()); //$hasTaintFlow
+        sink(ctx.getRequest().getQuery()); //$hasTaintFlow
+        sink(ctx.getRequest().getQueryParams()); //$hasTaintFlow
+        sink(ctx.getRequest().getRawUri()); //$hasTaintFlow
+        sink(ctx.getRequest().getUri()); //$hasTaintFlow
+    }
+
+    void test2(TypedData td) {
+        sink(td.getText()); //$hasTaintFlow
+    }
+
+    void test2(Context ctx) {
+        ctx.getRequest().getBody().map(TypedData::getText).then(this::sink); //$hasTaintFlow
+    }
+}