Merge pull request github#4299 from torque59/play-framework

Initial support for Java - Play Framework > 2.6.x

Author: aschackmull

java/change-notes/2021-03-05-play-framework.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Play framework core library (`play.mvc.*`); adding additional remote flow sources.

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -18,6 +18,7 @@ import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.WebSocket
 import semmle.code.java.frameworks.android.Android
 import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.frameworks.play.Play
 import semmle.code.java.frameworks.spring.SpringWeb
 import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringWebClient
@@ -129,6 +130,12 @@ private class SpringMultipartRequestSource extends RemoteFlowSource {
   override string getSourceType() { result = "Spring MultipartRequest getter" }
 }
 
+private class PlayParameterSource extends RemoteFlowSource {
+  PlayParameterSource() { exists(PlayActionMethodQueryParameter p | p = this.asParameter()) }
+
+  override string getSourceType() { result = "Play Query Parameters" }
+}
+
 private class SpringMultipartFileSource extends RemoteFlowSource {
   SpringMultipartFileSource() {
     exists(MethodAccess ma, Method m |
@@ -264,6 +271,7 @@ private class RemoteTaintedMethod extends Method {
     this instanceof HttpServletRequestGetRequestURIMethod or
     this instanceof HttpServletRequestGetRequestURLMethod or
     this instanceof HttpServletRequestGetRemoteUserMethod or
+    this instanceof PlayRequestGetMethod or
     this instanceof SpringWebRequestGetMethod or
     this instanceof SpringRestTemplateResponseEntityMethod or
     this instanceof ServletRequestGetBodyMethod or
@@ -283,6 +291,13 @@ private class RemoteTaintedMethod extends Method {
   }
 }
 
+private class PlayRequestGetMethod extends Method {
+  PlayRequestGetMethod() {
+    this.getDeclaringType() instanceof PlayMvcHttpRequestHeader and
+    this.hasName(["queryString", "getQueryString", "header", "getHeader"])
+  }
+}
+
 private class SpringWebRequestGetMethod extends Method {
   SpringWebRequestGetMethod() {
     exists(SpringWebRequest swr | this = swr.getAMethod() |

java/ql/src/semmle/code/java/frameworks/play/Play.qll

@@ -0,0 +1,155 @@
+/**
+ * Provides classes and predicates for working with the Play framework.
+ */
+
+import java
+
+/**
+ * The `play.mvc.Result` class.
+ */
+class PlayMvcResultClass extends Class {
+  PlayMvcResultClass() { this.hasQualifiedName("play.mvc", "Result") }
+}
+
+/**
+ * The `play.mvc.Results` class.
+ */
+class PlayMvcResultsClass extends Class {
+  PlayMvcResultsClass() { this.hasQualifiedName("play.mvc", "Results") }
+}
+
+/**
+ * The `play.mvc.Http$RequestHeader` class.
+ */
+class PlayMvcHttpRequestHeader extends RefType {
+  PlayMvcHttpRequestHeader() { this.hasQualifiedName("play.mvc", "Http$RequestHeader") }
+}
+
+/**
+ * A `play.mvc.BodyParser<>$Of` annotation.
+ */
+class PlayBodyParserAnnotation extends Annotation {
+  PlayBodyParserAnnotation() { this.getType().hasQualifiedName("play.mvc", "BodyParser<>$Of") }
+}
+
+/**
+ * A `play.filters.csrf.AddCSRFToken` annotation.
+ */
+class PlayAddCsrfTokenAnnotation extends Annotation {
+  PlayAddCsrfTokenAnnotation() {
+    this.getType().hasQualifiedName("play.filters.csrf", "AddCSRFToken")
+  }
+}
+
+/**
+ * The type `play.libs.F.Promise<Result>`.
+ */
+class PlayAsyncResultPromise extends Member {
+  PlayAsyncResultPromise() {
+    exists(Class c |
+      c.hasQualifiedName("play.libs", "F") and
+      this = c.getAMember() and
+      this.getQualifiedName() = "F.Promise<Result>"
+    )
+  }
+}
+
+/**
+ * The type `java.util.concurrent.CompletionStage<Result>`.
+ */
+class PlayAsyncResultCompletionStage extends Type {
+  PlayAsyncResultCompletionStage() {
+    this.hasName("CompletionStage<Result>") and
+    this.getCompilationUnit().getPackage().hasName("java.util.concurrent")
+  }
+}
+
+/**
+ * The class `play.mvc.Controller` or a class that transitively extends it.
+ */
+class PlayController extends Class {
+  PlayController() {
+    this.extendsOrImplements*(any(Class t | t.hasQualifiedName("play.mvc", "Controller")))
+  }
+}
+
+/**
+ * A Play framework controller action method. These are mappings to route files.
+ *
+ * Sample Route - `POST  /login  @com.company.Application.login()`.
+ *
+ * Example - class gets `index` and `login` as valid action methods.
+ * ```java
+ * public class Application extends Controller {
+ *   public Result index(String username, String password) {
+ *     return ok("It works!");
+ *   }
+ *
+ *   public Result login() {
+ *     return ok("Log me In!");
+ *   }
+ * }
+ * ```
+ */
+class PlayControllerActionMethod extends Method {
+  PlayControllerActionMethod() {
+    this = any(PlayController c).getAMethod() and
+    (
+      this.getReturnType() instanceof PlayAsyncResultPromise or
+      this.getReturnType() instanceof PlayMvcResultClass or
+      this.getReturnType() instanceof PlayAsyncResultCompletionStage
+    )
+  }
+}
+
+/**
+ * A Play framework action method parameter. These are a source of user input.
+ *
+ * Example - `username` and `password` are action method parameters.
+ * ```java
+ * public class Application extends Controller {
+ *   public Result index(String username, String password) {
+ *     return ok("It works!");
+ *   }
+ * }
+ * ```
+ */
+class PlayActionMethodQueryParameter extends Parameter {
+  PlayActionMethodQueryParameter() {
+    exists(PlayControllerActionMethod a |
+      a.isPublic() and
+      this = a.getAParameter()
+    )
+  }
+}
+
+/**
+ * A PlayFramework HttpRequestHeader method, some of these are `headers`, `getQueryString`, `getHeader`.
+ */
+class PlayMvcHttpRequestHeaderMethods extends Method {
+  PlayMvcHttpRequestHeaderMethods() { this.getDeclaringType() instanceof PlayMvcHttpRequestHeader }
+
+  /**
+   * Gets a reference to the `getQueryString` method.
+   */
+  MethodAccess getAQueryStringAccess() {
+    this.hasName("getQueryString") and result = this.getAReference()
+  }
+}
+
+/**
+ * A PlayFramework results method, some of these are `ok`, `status`, `redirect`.
+ */
+class PlayMvcResultsMethods extends Method {
+  PlayMvcResultsMethods() { this.getDeclaringType() instanceof PlayMvcResultsClass }
+
+  /**
+   * Gets a reference to the `play.mvc.Results.ok` method.
+   */
+  MethodAccess getAnOkAccess() { this.hasName("ok") and result = this.getAReference() }
+
+  /**
+   * Gets a reference to the `play.mvc.Results.redirect` method.
+   */
+  MethodAccess getARedirectAccess() { this.hasName("redirect") and result = this.getAReference() }
+}

java/ql/test/library-tests/dataflow/taintsources/PlayResource.java

@@ -0,0 +1,36 @@
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionStage;
+import play.filters.csrf.AddCSRFToken;
+import play.libs.F;
+import play.mvc.BodyParser;
+import play.mvc.Controller;
+import play.mvc.Http.*;
+import play.mvc.Result;
+
+public class PlayResource extends Controller {
+
+  @AddCSRFToken
+  public Result index() {
+    response().setHeader("X-Play-QL", "1");
+    return ok("It works!");
+  }
+
+  @BodyParser.Of()
+  public Result session_redirect_me(String uri) {
+    String url = request().getQueryString("url");
+    return redirect(url);
+  }
+
+  public F.Promise<Result> async_promise(String token) {
+    return F.Promise.pure(ok(token));
+  }
+
+  public CompletionStage<Result> async_completionstage(String uri) {
+    return CompletableFuture.completedFuture(ok("Async completion Stage"));
+  }
+
+  public String not_playactionmethod(String no_action) {
+    String return_code = no_action;
+    return return_code;
+  }
+}

java/ql/test/library-tests/dataflow/taintsources/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x

java/ql/test/library-tests/dataflow/taintsources/remote.expected

@@ -23,6 +23,14 @@
 | IntentSources.java:33:20:33:33 | getIntent(...) | IntentSources.java:33:20:33:33 | getIntent(...) |
 | IntentSources.java:33:20:33:33 | getIntent(...) | IntentSources.java:33:20:33:55 | getStringExtra(...) |
 | IntentSources.java:33:20:33:33 | getIntent(...) | IntentSources.java:34:29:34:35 | trouble |
+| PlayResource.java:19:37:19:46 | uri | PlayResource.java:19:37:19:46 | uri |
+| PlayResource.java:20:18:20:48 | getQueryString(...) | ../../../stubs/playframework-2.6.x/play/mvc/Results.java:634:33:634:42 | url |
+| PlayResource.java:20:18:20:48 | getQueryString(...) | PlayResource.java:20:18:20:48 | getQueryString(...) |
+| PlayResource.java:20:18:20:48 | getQueryString(...) | PlayResource.java:21:21:21:23 | url |
+| PlayResource.java:24:42:24:53 | token | ../../../stubs/playframework-2.6.x/play/mvc/Results.java:94:27:94:40 | content |
+| PlayResource.java:24:42:24:53 | token | PlayResource.java:24:42:24:53 | token |
+| PlayResource.java:24:42:24:53 | token | PlayResource.java:25:30:25:34 | token |
+| PlayResource.java:28:56:28:65 | uri | PlayResource.java:28:56:28:65 | uri |
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:4:30:4:40 | path |
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:5:20:5:31 | ... + ... |
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:5:28:5:31 | path |

java/ql/test/library-tests/frameworks/play/PlayActionMethodQueryParameter.expected

@@ -0,0 +1,3 @@
+| resources/Resource.java:19:37:19:46 | uri |
+| resources/Resource.java:24:42:24:53 | token |
+| resources/Resource.java:28:56:28:65 | uri |

java/ql/test/library-tests/frameworks/play/PlayActionMethodQueryParameter.ql

@@ -0,0 +1,4 @@
+import semmle.code.java.frameworks.play.Play
+
+from PlayActionMethodQueryParameter p
+select p

java/ql/test/library-tests/frameworks/play/PlayAddCsrfTokenAnnotation.expected

@@ -0,0 +1 @@
+| resources/Resource.java:12:3:12:15 | AddCSRFToken |

java/ql/test/library-tests/frameworks/play/PlayAddCsrfTokenAnnotation.ql

@@ -0,0 +1,4 @@
+import semmle.code.java.frameworks.play.Play
+
+from PlayAddCsrfTokenAnnotation token
+select token