Merge pull request github#5895 from github/sauyon/java/spring

Add models for some Spring pseudo-collections

Author: aschackmull

java/change-notes/2021-07-01-spring-collections.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.ui`, and `org.springframework.cache` packages of
+  the Spring framework have been modelled.  This may result in additional results for security
+  queries on projects using this framework.

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -85,8 +85,10 @@ private module Frameworks {
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.JaxWS
   private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.spring.SpringCache
   private import semmle.code.java.frameworks.spring.SpringHttp
   private import semmle.code.java.frameworks.spring.SpringUtil
+  private import semmle.code.java.frameworks.spring.SpringUi
   private import semmle.code.java.frameworks.spring.SpringValidation
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans

java/ql/src/semmle/code/java/frameworks/spring/Spring.qll

@@ -8,6 +8,7 @@ import semmle.code.java.frameworks.spring.SpringBean
 import semmle.code.java.frameworks.spring.SpringBeanFile
 import semmle.code.java.frameworks.spring.SpringBeans
 import semmle.code.java.frameworks.spring.SpringBeanRefType
+import semmle.code.java.frameworks.spring.SpringCache
 import semmle.code.java.frameworks.spring.SpringComponentScan
 import semmle.code.java.frameworks.spring.SpringConstructorArg
 import semmle.code.java.frameworks.spring.SpringController
@@ -33,6 +34,7 @@ import semmle.code.java.frameworks.spring.SpringQualifier
 import semmle.code.java.frameworks.spring.SpringRef
 import semmle.code.java.frameworks.spring.SpringReplacedMethod
 import semmle.code.java.frameworks.spring.SpringSet
+import semmle.code.java.frameworks.spring.SpringUi
 import semmle.code.java.frameworks.spring.SpringUtil
 import semmle.code.java.frameworks.spring.SpringValidation
 import semmle.code.java.frameworks.spring.SpringValue

java/ql/src/semmle/code/java/frameworks/spring/SpringCache.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides models for the `org.springframework.cache` package.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class FlowSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.cache;Cache$ValueRetrievalException;false;ValueRetrievalException;;;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.cache;Cache$ValueRetrievalException;false;getKey;;;MapKey of Argument[-1];ReturnValue;value",
+        "org.springframework.cache;Cache$ValueWrapper;true;get;;;MapValue of Argument[-1];ReturnValue;value",
+        "org.springframework.cache;Cache;true;get;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "org.springframework.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[-1];ReturnValue;value",
+        "org.springframework.cache;Cache;true;get;(Object,Class);;MapValue of Argument[-1];ReturnValue;value",
+        "org.springframework.cache;Cache;true;getNativeCache;;;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "org.springframework.cache;Cache;true;getNativeCache;;;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "org.springframework.cache;Cache;true;put;;;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.cache;Cache;true;put;;;Argument[1];MapValue of Argument[-1];value",
+        "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[1];MapValue of Argument[-1];value",
+        "org.springframework.cache;Cache;true;putIfAbsent;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
+      ]
+  }
+}

java/ql/src/semmle/code/java/frameworks/spring/SpringUi.qll

@@ -0,0 +1,46 @@
+/**
+ * Provides models for the `org.springframework.ui` package.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class FlowSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.ui;Model;true;addAllAttributes;;;Argument[-1];ReturnValue;value",
+        "org.springframework.ui;Model;true;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;Model;true;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;Model;true;addAttribute;;;Argument[-1];ReturnValue;value",
+        "org.springframework.ui;Model;true;addAttribute;(Object);;Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;Model;true;addAttribute;(String,Object);;Argument[1];MapValue of Argument[-1];value",
+        "org.springframework.ui;Model;true;asMap;;;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "org.springframework.ui;Model;true;asMap;;;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "org.springframework.ui;Model;true;getAttribute;;;MapValue of Argument[-1];ReturnValue;value",
+        "org.springframework.ui;Model;true;mergeAttributes;;;Argument[-1];ReturnValue;value",
+        "org.springframework.ui;Model;true;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;Model;true;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;ModelMap;(Object);;Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;ModelMap;(String,Object);;Argument[1];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;addAllAttributes;;;Argument[-1];ReturnValue;value",
+        "org.springframework.ui;ModelMap;false;addAllAttributes;(Collection);;Element of Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;addAllAttributes;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;addAttribute;;;Argument[-1];ReturnValue;value",
+        "org.springframework.ui;ModelMap;false;addAttribute;(Object);;Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;addAttribute;(String,Object);;Argument[1];MapValue of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;getAttribute;;;MapValue of Argument[-1];ReturnValue;value",
+        "org.springframework.ui;ModelMap;false;mergeAttributes;;;Argument[-1];ReturnValue;value",
+        "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;ModelMap;false;mergeAttributes;;;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(Object);;Argument[0];MapValue of Argument[-1];value",
+        "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[0];MapKey of Argument[-1];value",
+        "org.springframework.ui;ConcurrentModel;false;ConcurrentModel;(String,Object);;Argument[1];MapValue of Argument[-1];value"
+      ]
+  }
+}

java/ql/test/library-tests/frameworks/spring/cache/Test.java

@@ -0,0 +1,142 @@
+package generatedtest;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.concurrent.Callable;
+import org.springframework.cache.Cache;
+
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	public class ValueWrapper extends HashMap<Object,Object> implements Cache.ValueWrapper {
+		ValueWrapper(Object element) {
+			super();
+			this.put(null, element);
+		}
+
+		public Object get() { return this.get(null); }
+	}
+
+	public class DummyCache implements Cache {
+		DummyCache(Object key, Object value) {
+			this.put(key, value);
+		}
+
+		public void clear() {}
+		public void evict(Object key) {}
+		public boolean evictIfPresent(Object key) { return false; }
+		public Cache.ValueWrapper get(Object key) { return null; }
+		public <T> T get(Object key, Callable<T> valueLoader) { return null; }
+		public <T> T get(Object key, Class<T> type) { return null; }
+		public String getName() { return null; }
+		public Object getNativeCache() { return null; }
+		//public default boolean invalidate() { return false; }
+		public void put(Object key, Object value) {}
+		//default Cache.ValueWrapper putIfAbsent(Object key, Object value) { return null; }
+	}
+
+	Object getMapKey(Cache.ValueRetrievalException container) { return container.getKey(); }
+	Object getMapKey(Cache container) { return ((Map)container.getNativeCache()).keySet().iterator().next(); }
+	Object getMapValue(Cache container) { return container.get(null, (Class)null); }
+	Object getMapValue(Cache.ValueWrapper container) { return container.get(); }
+	Object source() { return null; }
+	void sink(Object o) { }
+
+	public void test() {
+
+		{
+			// "org.springframework.cache;Cache$ValueRetrievalException;false;ValueRetrievalException;;;Argument[0];MapKey of Argument[-1];value"
+			Cache.ValueRetrievalException out = null;
+			Object in = source();
+			out = new Cache.ValueRetrievalException(in, null, null);
+			sink(getMapKey(out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache$ValueRetrievalException;false;getKey;;;MapKey of Argument[-1];ReturnValue;value"
+			Object out = null;
+			Cache.ValueRetrievalException in = new Cache.ValueRetrievalException(source(), null, null);
+			out = in.getKey();
+			sink(out); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache$ValueWrapper;true;get;;;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			Cache.ValueWrapper in = new ValueWrapper(source());
+			out = in.get();
+			sink(out); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;get;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			Cache.ValueWrapper out = null;
+			Cache in = new DummyCache(null, source());
+			out = in.get(null);
+			sink(getMapValue(out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			Cache in = new DummyCache(null, source());
+			out = in.get(null, (Callable)null);
+			sink(out); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;get;(Object,Class);;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			Cache in = new DummyCache(null, source());
+			out = in.get(null, (Class)null);
+			sink(out); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;getNativeCache;;;MapKey of Argument[-1];MapKey of ReturnValue;value"
+			Object out = null;
+			Cache in = new DummyCache(source(), null);
+			out = in.getNativeCache();
+			sink(getMapKey((Cache)out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;getNativeCache;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			Object out = null;
+			Cache in = new DummyCache(null, source());
+			out = in.getNativeCache();
+			sink(getMapValue((Cache)out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;put;;;Argument[0];MapKey of Argument[-1];value"
+			Cache out = null;
+			Object in = source();
+			out.put(in, null);
+			sink(getMapKey(out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;put;;;Argument[1];MapValue of Argument[-1];value"
+			Cache out = null;
+			Object in = source();
+			out.put(null, in);
+			sink(getMapValue(out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[0];MapKey of Argument[-1];value"
+			Cache out = null;
+			Object in = source();
+			out.putIfAbsent(in, null);
+			sink(getMapKey(out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;putIfAbsent;;;Argument[1];MapValue of Argument[-1];value"
+			Cache out = null;
+			Object in = source();
+			out.putIfAbsent(null, in);
+			sink(getMapValue(out)); // $hasValueFlow
+		}
+		{
+			// "org.springframework.cache;Cache;true;putIfAbsent;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			Cache.ValueWrapper out = null;
+			Cache in = new DummyCache(null, source());
+			out = in.putIfAbsent(null, null);
+			sink(getMapValue(out)); // $hasValueFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/spring/cache/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

java/ql/test/library-tests/frameworks/spring/cache/test.expected

@@ -0,0 +1,52 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:valueFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:taintFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
+      conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}