Merge pull request github#5974 from github/sauyon/java/spring-webmultipart

Model Spring `web.multipart`

Author: aschackmull

java/change-notes/2021-07-01-spring-webmultipart.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.web.multipart` package of the Spring framework
+  have been modelled.  This may result in additional results for security queries on projects using
+  this framework.

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -90,6 +90,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringValidation
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans
+  private import semmle.code.java.frameworks.spring.SpringWebMultipart
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.JexlInjectionSinkModels

java/ql/src/semmle/code/java/frameworks/spring/Spring.qll

@@ -36,6 +36,7 @@ import semmle.code.java.frameworks.spring.SpringSet
 import semmle.code.java.frameworks.spring.SpringUtil
 import semmle.code.java.frameworks.spring.SpringValidation
 import semmle.code.java.frameworks.spring.SpringValue
+import semmle.code.java.frameworks.spring.SpringWebMultipart
 import semmle.code.java.frameworks.spring.SpringXMLElement
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBean
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBeanFile

java/ql/src/semmle/code/java/frameworks/spring/SpringWebMultipart.qll

@@ -0,0 +1,25 @@
+/** Provides models of taint flow in `org.springframework.web.multipart` */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class FlowSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.web.multipart;MultipartFile;true;getBytes;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getInputStream;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getName;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getResource;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartHttpServletRequest;true;getMultipartHeaders;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartHttpServletRequest;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFile;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFileMap;;;Argument[-1];MapValue of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFileNames;;;Argument[-1];Element of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFiles;;;Argument[-1];Element of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;;;Argument[-1];MapValue of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartResolver;true;resolveMultipart;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}

java/ql/test/library-tests/frameworks/spring/webmultipart/Test.java

@@ -0,0 +1,123 @@
+package generatedtest;
+
+import java.io.InputStream;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.core.io.Resource;
+import org.springframework.http.HttpHeaders;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+import org.springframework.web.multipart.MultipartRequest;
+import org.springframework.web.multipart.MultipartResolver;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object getElement(Iterator container) { return container.next(); }
+	Object getElement(Collection container) { return container.iterator().next(); }
+	Object getMapValue(Map container) { return container.get(null); }
+	Object source() { return null; }
+	void sink(Object o) { }
+
+	public void test() throws Exception {
+
+		{
+			// "org.springframework.web.multipart;MultipartFile;true;getBytes;;;Argument[-1];ReturnValue;taint"
+			byte[] out = null;
+			MultipartFile in = (MultipartFile)source();
+			out = in.getBytes();
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartFile;true;getInputStream;;;Argument[-1];ReturnValue;taint"
+			InputStream out = null;
+			MultipartFile in = (MultipartFile)source();
+			out = in.getInputStream();
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartFile;true;getName;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			MultipartFile in = (MultipartFile)source();
+			out = in.getName();
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			MultipartFile in = (MultipartFile)source();
+			out = in.getOriginalFilename();
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartFile;true;getResource;;;Argument[-1];ReturnValue;taint"
+			Resource out = null;
+			MultipartFile in = (MultipartFile)source();
+			out = in.getResource();
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartHttpServletRequest;true;getMultipartHeaders;;;Argument[-1];ReturnValue;taint"
+			HttpHeaders out = null;
+			MultipartHttpServletRequest in = (MultipartHttpServletRequest)source();
+			out = in.getMultipartHeaders(null);
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartHttpServletRequest;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint"
+			HttpHeaders out = null;
+			MultipartHttpServletRequest in = (MultipartHttpServletRequest)source();
+			out = in.getRequestHeaders();
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartRequest;true;getFile;;;Argument[-1];ReturnValue;taint"
+			MultipartFile out = null;
+			MultipartRequest in = (MultipartRequest)source();
+			out = in.getFile(null);
+			sink(out); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartRequest;true;getFileMap;;;Argument[-1];MapValue of ReturnValue;taint"
+			Map out = null;
+			MultipartRequest in = (MultipartRequest)source();
+			out = in.getFileMap();
+			sink(getMapValue(out)); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartRequest;true;getFileNames;;;Argument[-1];Element of ReturnValue;taint"
+			Iterator out = null;
+			MultipartRequest in = (MultipartRequest)source();
+			out = in.getFileNames();
+			sink(getElement(out)); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartRequest;true;getFiles;;;Argument[-1];Element of ReturnValue;taint"
+			List out = null;
+			MultipartRequest in = (MultipartRequest)source();
+			out = in.getFiles(null);
+			sink(getElement(out)); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;;;Argument[-1];MapValue of ReturnValue;taint"
+			MultiValueMap out = null;
+			MultipartRequest in = (MultipartRequest)source();
+			out = in.getMultiFileMap();
+			sink(getMapValue(out)); // $hasTaintFlow
+		}
+		{
+			// "org.springframework.web.multipart;MultipartResolver;true;resolveMultipart;;;Argument[0];ReturnValue;taint"
+			MultipartHttpServletRequest out = null;
+			HttpServletRequest in = (HttpServletRequest)source();
+			MultipartResolver instance = null;
+			out = instance.resolveMultipart(in);
+			sink(out); // $hasTaintFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/spring/webmultipart/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/javax-servlet-2.5

java/ql/test/library-tests/frameworks/spring/webmultipart/test.expected

@@ -0,0 +1,52 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:valueFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:taintFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
+      conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/spring/webmultipart/test.ql

@@ -0,0 +1,12 @@
+// Generated automatically from javax.servlet.RequestDispatcher for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface RequestDispatcher
+{
+    void forward(ServletRequest p0, ServletResponse p1);
+    void include(ServletRequest p0, ServletResponse p1);
+}

java/ql/test/stubs/javax-servlet-2.5/javax/servlet/RequestDispatcher.java

@@ -0,0 +1,16 @@
+// Generated automatically from javax.servlet.Servlet for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface Servlet
+{
+    ServletConfig getServletConfig();
+    String getServletInfo();
+    void destroy();
+    void init(ServletConfig p0);
+    void service(ServletRequest p0, ServletResponse p1);
+}