Merge pull request github#5202 from joefarebrother/apache-http

Java: Add modelling for Apache HTTP Components

Author: aschackmull

java/change-notes/2021-02-17-apache-http.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Http components core library (`org.apache.http.*` and `org.apache.hc.core5.*`); adding additional remote flow sources, sinks for the XSS and Open Redirect queries, and additional taint steps. 

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -64,6 +64,14 @@ import java
 private import semmle.code.java.dataflow.DataFlow::DataFlow
 private import internal.DataFlowPrivate
 
+/**
+ * A module importing the frameworks that provide external flow data,
+ * ensuring that they are visible to the taint tracking / data flow library.
+ */
+private module Frameworks {
+  private import semmle.code.java.frameworks.ApacheHttp
+}
+
 private predicate sourceModelCsv(string row) {
   row =
     [
@@ -214,7 +222,7 @@ module CsvValidation {
       not name.regexpMatch("[a-zA-Z0-9_]*") and
       msg = "Dubious name \"" + name + "\" in " + pred + " model."
       or
-      not signature.regexpMatch("|\\([a-zA-Z0-9_\\.\\$<>,]*\\)") and
+      not signature.regexpMatch("|\\([a-zA-Z0-9_\\.\\$<>,\\[\\]]*\\)") and
       msg = "Dubious signature \"" + signature + "\" in " + pred + " model."
       or
       not ext.regexpMatch("|Annotated") and

java/ql/src/semmle/code/java/dataflow/FlowSteps.qll

@@ -9,14 +9,15 @@ private import semmle.code.java.dataflow.DataFlow
  * A module importing the frameworks that implement additional flow steps,
  * ensuring that they are visible to the taint tracking library.
  */
-module Frameworks {
+private module Frameworks {
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.android.Intent
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Guice
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.apache.Lang
+  private import semmle.code.java.frameworks.ApacheHttp
 }
 
 /**

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.Servlets
+import semmle.code.java.frameworks.ApacheHttp
 
 /** A URL redirection sink */
 abstract class UrlRedirectSink extends DataFlow::Node { }
@@ -24,3 +25,13 @@ private class ServletUrlRedirectSink extends UrlRedirectSink {
     )
   }
 }
+
+/** A URL redirection sink from Apache Http components. */
+private class ApacheUrlRedirectSink extends UrlRedirectSink {
+  ApacheUrlRedirectSink() {
+    exists(ApacheHttpSetHeader c |
+      c.getName().(CompileTimeConstantExpr).getStringValue() = "Location" and
+      this.asExpr() = c.getValue()
+    )
+  }
+}

java/ql/src/semmle/code/java/security/UrlRedirect.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringHttp
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.ExternalFlow
 
 /** A sink that represent a method that outputs data without applying contextual output encoding. */
 abstract class XssSink extends DataFlow::Node { }
@@ -31,6 +32,8 @@ class XssAdditionalTaintStep extends Unit {
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
   DefaultXssSink() {
+    sinkNode(this, "xss")
+    or
     exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
       ma.getMethod() = m and
       this.asExpr() = ma.getArgument(1)

java/ql/src/semmle/code/java/security/XSS.qll

@@ -0,0 +1,65 @@
+import org.apache.http.*;
+import org.apache.http.protocol.*;
+import org.apache.http.message.BasicHeader;
+import org.apache.http.util.*;
+import org.apache.http.entity.*;
+import java.io.IOException;
+
+class A {
+    static Object taint() { return null; }
+
+    static void sink(Object o) { }
+
+    class Test1 implements HttpRequestHandler {
+        public void handle(HttpRequest req, HttpResponse res, HttpContext ctx) throws IOException {
+            A.sink(req.getRequestLine()); //$hasTaintFlow=y
+            A.sink(req.getRequestLine().getUri()); //$hasTaintFlow=y
+            A.sink(req.getRequestLine().getMethod()); //$hasTaintFlow=y
+            A.sink(req.getAllHeaders()); //$hasTaintFlow=y
+            HeaderIterator it = req.headerIterator();
+            A.sink(it.next()); //$hasTaintFlow=y
+            A.sink(it.nextHeader()); //$hasTaintFlow=y
+            Header h = req.getHeaders("abc")[3];
+            A.sink(h.getName()); //$hasTaintFlow=y
+            A.sink(h.getValue()); //$hasTaintFlow=y
+            HeaderElement el = h.getElements()[0];
+            A.sink(el.getName()); //$hasTaintFlow=y
+            A.sink(el.getValue()); //$hasTaintFlow=y
+            A.sink(el.getParameters()); //$hasTaintFlow=y
+            A.sink(el.getParameterByName("abc").getValue()); //$hasTaintFlow=y
+            A.sink(el.getParameter(0).getName()); //$hasTaintFlow=y
+            HttpEntity ent = ((HttpEntityEnclosingRequest)req).getEntity();
+            A.sink(ent.getContent()); //$hasTaintFlow=y
+            A.sink(ent.getContentEncoding()); //$hasTaintFlow=y
+            A.sink(ent.getContentType()); //$hasTaintFlow=y
+            A.sink(EntityUtils.toString(ent)); //$hasTaintFlow=y
+            A.sink(EntityUtils.toByteArray(ent)); //$hasTaintFlow=y
+            A.sink(EntityUtils.getContentCharSet(ent)); //$hasTaintFlow=y
+            A.sink(EntityUtils.getContentMimeType(ent)); //$hasTaintFlow=y
+            res.setEntity(new StringEntity("<a href='" + req.getRequestLine().getUri() + "'>a</a>")); //$hasTaintFlow=y
+            EntityUtils.updateEntity(res, new ByteArrayEntity(EntityUtils.toByteArray(ent))); //$hasTaintFlow=y
+            res.setHeader("Location", req.getRequestLine().getUri()); //$hasTaintFlow=y
+            res.setHeader(new BasicHeader("Location", req.getRequestLine().getUri())); //$hasTaintFlow=y
+        }
+    }
+
+    void test2() {
+        ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
+        bbuf.append((byte[]) taint(), 0, 3);
+        sink(bbuf.buffer()); //$hasTaintFlow=y
+        sink(bbuf.toByteArray()); //$hasTaintFlow=y
+
+        CharArrayBuffer cbuf = new CharArrayBuffer(42);
+        cbuf.append(bbuf.toByteArray(), 0, 3);
+        sink(cbuf.toCharArray()); //$hasTaintFlow=y
+        sink(cbuf.toString()); //$hasTaintFlow=y
+        sink(cbuf.subSequence(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substring(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substringTrimmed(0, 3)); //$hasTaintFlow=y
+
+        sink(Args.notNull(taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notEmpty((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notBlank((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notNull("x", (String) taint())); // Good
+    }
+}

java/ql/test/library-tests/frameworks/apache-http/A.java

@@ -0,0 +1,76 @@
+import org.apache.hc.core5.http.*;
+import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.http.io.HttpRequestHandler;
+import org.apache.hc.core5.http.io.HttpServerRequestHandler;
+import org.apache.hc.core5.http.message.*;
+import org.apache.hc.core5.http.io.entity.*;
+import org.apache.hc.core5.util.*;
+import java.io.IOException;
+
+class B {
+    static Object taint() { return null; }
+
+    static void sink(Object o) { }
+
+    class Test1 implements HttpRequestHandler {
+        public void handle(ClassicHttpRequest req, ClassicHttpResponse res, HttpContext ctx) throws IOException, ParseException {
+            B.sink(req.getAuthority().getHostName()); //$hasTaintFlow=y
+            B.sink(req.getAuthority().toString()); //$hasTaintFlow=y
+            B.sink(req.getMethod()); //$hasTaintFlow=y
+            B.sink(req.getPath()); //$hasTaintFlow=y
+            B.sink(req.getScheme()); 
+            B.sink(req.getRequestUri()); //$hasTaintFlow=y
+            RequestLine line = new RequestLine(req);
+            B.sink(line.getUri()); //$hasTaintFlow=y
+            B.sink(line.getMethod()); //$hasTaintFlow=y
+            B.sink(req.getHeaders()); //$hasTaintFlow=y
+            B.sink(req.headerIterator()); //$hasTaintFlow=y
+            Header h = req.getHeaders("abc")[3];
+            B.sink(h.getName()); //$hasTaintFlow=y
+            B.sink(h.getValue()); //$hasTaintFlow=y
+            B.sink(req.getFirstHeader("abc")); //$hasTaintFlow=y
+            B.sink(req.getLastHeader("abc")); //$hasTaintFlow=y
+            HttpEntity ent = req.getEntity();
+            B.sink(ent.getContent()); //$hasTaintFlow=y
+            B.sink(ent.getContentEncoding()); //$hasTaintFlow=y
+            B.sink(ent.getContentType()); //$hasTaintFlow=y
+            B.sink(ent.getTrailerNames()); //$hasTaintFlow=y
+            B.sink(ent.getTrailers().get()); //$hasTaintFlow=y
+            B.sink(EntityUtils.toString(ent)); //$hasTaintFlow=y
+            B.sink(EntityUtils.toByteArray(ent)); //$hasTaintFlow=y
+            B.sink(EntityUtils.parse(ent)); //$hasTaintFlow=y
+            res.setEntity(new StringEntity("<a href='" + req.getRequestUri() + "'>a</a>")); //$hasTaintFlow=y
+            res.setEntity(new ByteArrayEntity(EntityUtils.toByteArray(ent), ContentType.TEXT_HTML)); //$hasTaintFlow=y
+            res.setEntity(HttpEntities.create("<a href='" + req.getRequestUri() + "'>a</a>")); //$hasTaintFlow=y
+            res.setHeader("Location", req.getRequestUri()); //$hasTaintFlow=y
+            res.setHeader(new BasicHeader("Location", req.getRequestUri())); //$hasTaintFlow=y
+        }
+    }
+
+    void test2() {
+        ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
+        bbuf.append((byte[]) taint(), 0, 3); 
+        sink(bbuf.array()); //$hasTaintFlow=y
+        sink(bbuf.toByteArray()); //$hasTaintFlow=y
+        sink(bbuf.toString()); 
+
+        CharArrayBuffer cbuf = new CharArrayBuffer(42);
+        cbuf.append(bbuf.toByteArray(), 0, 3); 
+        sink(cbuf.toCharArray()); //$hasTaintFlow=y
+        sink(cbuf.toString()); //$hasTaintFlow=y
+        sink(cbuf.subSequence(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substring(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substringTrimmed(0, 3)); //$hasTaintFlow=y
+
+        sink(Args.notNull(taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notEmpty((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notBlank((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notNull("x", (String) taint())); 
+    }
+
+    class Test3 implements HttpServerRequestHandler {
+        public void handle(ClassicHttpRequest req, HttpServerRequestHandler.ResponseTrigger restr, HttpContext ctx) throws HttpException, IOException {
+            B.sink(req.getEntity()); //$hasTaintFlow=y
+        }
+    }
+}

java/ql/test/library-tests/frameworks/apache-http/B.java

@@ -0,0 +1,39 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.XSS
+import semmle.code.java.security.UrlRedirect
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:frameworks:apache-http" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+    or
+    n instanceof XssSink
+    or
+    n instanceof UrlRedirectSink
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = "y"
+    )
+  }
+}