Add left value, Add return expression tracing flow

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll

@@ -18,20 +18,48 @@ class StartsWithSanitizer extends DataFlow::BarrierGuard {
 }
 
 /**
- * A concatenate expression using the string `redirect:` on the left.
+ * A concatenate expression using the string `redirect:` or `ajaxredirect:` or `forward:` on the left.
  *
  * E.g: `"redirect:" + redirectUrl`
  */
 class RedirectBuilderExpr extends AddExpr {
   RedirectBuilderExpr() {
-    this.getLeftOperand().(CompileTimeConstantExpr).getStringValue() = "redirect:"
+    this.getLeftOperand().(CompileTimeConstantExpr).getStringValue() in [
+        "redirect:", "ajaxredirect:", "forward:"
+      ]
+  }
+}
+
+/**
+ * A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is
+ * `"redirect:"` or `"ajaxredirect:"` or `"forward:"`.
+ *
+ * E.g: `StringBuilder.append("redirect:")`
+ */
+class RedirectAppendCall extends MethodAccess {
+  RedirectAppendCall() {
+    this.getMethod().hasName("append") and
+    this.getMethod().getDeclaringType() instanceof StringBuildingType and
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() in [
+        "redirect:", "ajaxredirect:", "forward:"
+      ]
   }
 }
 
 /** A URL redirection sink from spring controller method. */
 class SpringUrlRedirectSink extends DataFlow::Node {
   SpringUrlRedirectSink() {
-    exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = this.asExpr())
+    exists(RedirectBuilderExpr rbe |
+      rbe.getRightOperand() = this.asExpr() and
+      exists(RedirectBuilderFlowConfig rbfc | rbfc.hasFlow(exprNode(rbe), _))
+    )
+    or
+    exists(MethodAccess ma, RedirectAppendCall rac |
+      DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
+      ma.getMethod().hasName("append") and
+      ma.getArgument(0) = this.asExpr() and
+      exists(RedirectBuilderFlowConfig rbfc | rbfc.hasFlow(exprNode(ma.getQualifier()), _))
+    )
     or
     exists(MethodAccess ma |
       ma.getMethod().hasName("setUrl") and
@@ -50,8 +78,40 @@ class SpringUrlRedirectSink extends DataFlow::Node {
     or
     exists(ClassInstanceExpr cie |
       cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
-      cie.getArgument(0) = this.asExpr() and
-      exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = this.asExpr())
+      exists(RedirectBuilderExpr rbe |
+        rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()
+      )
+    )
+  }
+}
+
+/** A data flow configuration tracing flow from redirect builder expression to spring controller method return expression. */
+private class RedirectBuilderFlowConfig extends DataFlow2::Configuration {
+  RedirectBuilderFlowConfig() { this = "RedirectBuilderFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(RedirectBuilderExpr rbe | rbe = src.asExpr())
+    or
+    exists(MethodAccess ma, RedirectAppendCall rac |
+      DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
+      ma.getMethod().hasName("append") and
+      ma.getQualifier() = src.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ReturnStmt rs, SpringRequestMappingMethod sqmm |
+      rs.getResult() = sink.asExpr() and
+      sqmm.getBody().getAStmt() = rs
+    )
+  }
+
+  override predicate isAdditionalFlowStep(Node prod, Node succ) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("toString") and
+      ma.getMethod().getDeclaringType() instanceof StringBuildingType and
+      ma.getQualifier() = prod.asExpr() and
+      ma = succ.asExpr()
     )
   }
 }

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected

@@ -3,6 +3,8 @@ edges
 | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl |
 | SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl |
 | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl |
+| SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | SpringUrlRedirect.java:40:29:40:39 | redirectUrl |
+| SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | SpringUrlRedirect.java:48:30:48:40 | redirectUrl |
 nodes
 | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | semmle.label | redirectUrl |
@@ -12,8 +14,14 @@ nodes
 | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | semmle.label | redirectUrl |
 | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:40:29:40:39 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:48:30:48:40 | redirectUrl | semmle.label | redirectUrl |
 #select
 | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:13:30:13:47 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:20:24:20:41 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:26:30:26:47 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:32:30:32:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:40:29:40:39 | redirectUrl | SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | SpringUrlRedirect.java:40:29:40:39 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:37:24:37:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:48:30:48:40 | redirectUrl | SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | SpringUrlRedirect.java:48:30:48:40 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:45:24:45:41 | redirectUrl | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java

@@ -34,6 +34,22 @@ public ModelAndView bad4(String redirectUrl) {
     }
 
     @GetMapping("url5")
+    public String bad5(String redirectUrl) {
+        StringBuffer stringBuffer = new StringBuffer();
+        stringBuffer.append("redirect:");
+        stringBuffer.append(redirectUrl);
+        return stringBuffer.toString();
+    }
+
+    @GetMapping("url6")
+    public String bad6(String redirectUrl) {
+        StringBuilder stringBuilder = new StringBuilder();
+        stringBuilder.append("redirect:");
+        stringBuilder.append(redirectUrl);
+        return stringBuilder.toString();
+    }
+
+    @GetMapping("url7")
     public RedirectView good1(String redirectUrl) {
         RedirectView rv = new RedirectView();
         if (redirectUrl.startsWith(VALID_REDIRECT)){
@@ -44,7 +60,7 @@ public RedirectView good1(String redirectUrl) {
         return rv;
     }
 
-    @GetMapping("url6")
+    @GetMapping("url8")
     public ModelAndView good2(String token) {
         String url = "/edit?token=" + token;
         return new ModelAndView("redirect:" + url);