JaxWS: Pull out MediaType constant interpretation routine

smowton · smowton · commit 450eebcd4053 · 2021-06-30T12:04:20.000+01:00
Also extend the routine slightly to expose multiple content types given with array notation
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -283,23 +283,31 @@ class MessageBodyReaderRead extends Method {
   }
 }
 
+private string getContentTypeString(Expr e) {
+  result = e.(CompileTimeConstantExpr).getStringValue()
+  or
+  exists(Field jaxMediaType |
+    // Accesses to static fields on `MediaType` class do not have constant strings in the database
+    // so convert the field name to a content type string
+    jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and
+    jaxMediaType.getAnAccess() = e and
+    // e.g. MediaType.TEXT_PLAIN => text/plain
+    result = jaxMediaType.getName().toLowerCase().replaceAll("_value", "").replaceAll("_", "/")
+  )
+}
+
 /** An `@Produces` annotation that describes which content types can be produced by this resource. */
 class JaxRSProducesAnnotation extends JaxRSAnnotation {
   JaxRSProducesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Produces") }
 
   /**
    * Gets a declared content type that can be produced by this resource.
    */
-  string getADeclaredContentType() {
-    result = this.getAValue().(CompileTimeConstantExpr).getStringValue()
-    or
-    exists(Field jaxMediaType |
-      // Accesses to static fields on `MediaType` class do not have constant strings in the database
-      // so convert the field name to a content type string
-      jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and
-      jaxMediaType.getAnAccess() = this.getAValue() and
-      // e.g. MediaType.TEXT_PLAIN => text/plain
-      result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/")
+  Expr getADeclaredContentTypeExpr() {
+    (
+      result = this.getAValue() and not result instanceof ArrayInit
+      or
+      result = this.getAValue().(ArrayInit).getAnInit()
     )
   }
 }
@@ -319,7 +327,8 @@ private class JaxRSXssSink extends XssSink {
     |
       not exists(resourceMethod.getProducesAnnotation())
       or
-      resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain"
+      getContentTypeString(resourceMethod.getProducesAnnotation().getADeclaredContentTypeExpr()) =
+        "text/plain"
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -283,23 +283,31 @@ class MessageBodyReaderRead extends Method {`
`283`	`283`	`}`
`284`	`284`	`}`
`285`	`285`
	`286`	`+private string getContentTypeString(Expr e) {`
	`287`	`+ result = e.(CompileTimeConstantExpr).getStringValue()`
	`288`	`+ or`
	`289`	`+ exists(Field jaxMediaType \|`
	`290`	+ // Accesses to static fields on `MediaType` class do not have constant strings in the database
	`291`	`+ // so convert the field name to a content type string`
	`292`	`+ jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and`
	`293`	`+ jaxMediaType.getAnAccess() = e and`
	`294`	`+ // e.g. MediaType.TEXT_PLAIN => text/plain`
	`295`	`+ result = jaxMediaType.getName().toLowerCase().replaceAll("_value", "").replaceAll("_", "/")`
	`296`	`+ )`
	`297`	`+}`
	`298`	`+`
`286`	`299`	/** An `@Produces` annotation that describes which content types can be produced by this resource. */
`287`	`300`	`class JaxRSProducesAnnotation extends JaxRSAnnotation {`
`288`	`301`	`JaxRSProducesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Produces") }`
`289`	`302`
`290`	`303`	`/**`
`291`	`304`	`* Gets a declared content type that can be produced by this resource.`
`292`	`305`	`*/`
`293`		`- string getADeclaredContentType() {`
`294`		`- result = this.getAValue().(CompileTimeConstantExpr).getStringValue()`
`295`		`- or`
`296`		`- exists(Field jaxMediaType \|`
`297`		- // Accesses to static fields on `MediaType` class do not have constant strings in the database
`298`		`- // so convert the field name to a content type string`
`299`		`- jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and`
`300`		`- jaxMediaType.getAnAccess() = this.getAValue() and`
`301`		`- // e.g. MediaType.TEXT_PLAIN => text/plain`
`302`		`- result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/")`
	`306`	`+ Expr getADeclaredContentTypeExpr() {`
	`307`	`+ (`
	`308`	`+ result = this.getAValue() and not result instanceof ArrayInit`
	`309`	`+ or`
	`310`	`+ result = this.getAValue().(ArrayInit).getAnInit()`
`303`	`311`	`)`
`304`	`312`	`}`
`305`	`313`	`}`
`@@ -319,7 +327,8 @@ private class JaxRSXssSink extends XssSink {`
`319`	`327`	`\|`
`320`	`328`	`not exists(resourceMethod.getProducesAnnotation())`
`321`	`329`	`or`
`322`		`- resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain"`
	`330`	`+ getContentTypeString(resourceMethod.getProducesAnnotation().getADeclaredContentTypeExpr()) =`
	`331`	`+ "text/plain"`
`323`	`332`	`)`
`324`	`333`	`}`
`325`	`334`	`}`