Java: Pass taint through Spring's AbstractMessageSource.getMessage() methods.

Sebastian Bauersfeld · Sebastian Bauersfeld · commit f36ee95128f3 · 2022-01-11T15:48:29.000+07:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -102,6 +102,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ratpack.Ratpack
   private import semmle.code.java.frameworks.ratpack.RatpackExec
   private import semmle.code.java.frameworks.spring.SpringCache
+  private import semmle.code.java.frameworks.spring.SpringContext
   private import semmle.code.java.frameworks.spring.SpringHttp
   private import semmle.code.java.frameworks.spring.SpringUtil
   private import semmle.code.java.frameworks.spring.SpringUi
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/Spring.qll b/java/ql/lib/semmle/code/java/frameworks/spring/Spring.qll
@@ -9,6 +9,7 @@ import semmle.code.java.frameworks.spring.SpringBeanFile
 import semmle.code.java.frameworks.spring.SpringBeans
 import semmle.code.java.frameworks.spring.SpringBeanRefType
 import semmle.code.java.frameworks.spring.SpringCache
+import semmle.code.java.frameworks.spring.SpringContext
 import semmle.code.java.frameworks.spring.SpringComponentScan
 import semmle.code.java.frameworks.spring.SpringConstructorArg
 import semmle.code.java.frameworks.spring.SpringController
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringContext.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringContext.qll
@@ -0,0 +1,19 @@
+/**
+ * Provides models for the `org.springframework.context` package.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class StringSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "org.springframework.context.support;AbstractMessageSource;true;getMessage;(String,Object[],String,Locale);;ArrayElement of Argument[1];ReturnValue;taint",
+        "org.springframework.context.support;AbstractMessageSource;true;getMessage;(String,Object[],String,Locale);;Argument[2];ReturnValue;taint",
+        "org.springframework.context.support;AbstractMessageSource;true;getMessage;(String,Object[],Locale);;ArrayElement of Argument[1];ReturnValue;taint",
+        "org.springframework.context.support;AbstractMessageSource;true;getMessageFromParent;;;ArrayElement of Argument[1];ReturnValue;taint",
+      ]
+  }
+}
