Add spring tests

joefarebrother · joefarebrother · commit 8f89d748fe73 · 2021-07-15T10:33:33.000+01:00
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -78,22 +78,22 @@ private class SpringHttpFlowStep extends SinkModelCsv {
         "org.springframework.http;ResponseEntity;true;of;(Optional<T>);;Argument[0];ReturnValue;taint",
         "org.springframework.http;ResponseEntity;true;ok;(T);;Argument[0];ReturnValue;taint",
         "org.springframework.http;ResponseEntity;true;created;(URI);;Argument[0];ReturnValue;taint",
-        "org.springframework.http;ResponseEntity$BodyBuilder;true;contentLength;(long);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$BodyBuilder;true;contentType;(MediaType);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$BodyBuilder;true;body;(T);;Argument[-1..0];ReturnValue;taint",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;allow;(HttpMethod[]);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;eTag;(String);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;eTag;(String);;Argument[0];Argument[-1];taint",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;header;(String,String[]);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;header;(String,String[]);;Argument[0..1];Argument[-1];taint",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;headers;(Consumer<HttpHeader>);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;headers;(HttpHeaders);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;headers;(HttpHeaders);;Argument[0];Argument[-1];taint",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;location;(URI);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;location;(URI);;Argument[0];Argument[-1];taint",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;varyBy;(String[]);;Argument[-1];ReturnValue;value",
-        "org.springframework.http;ResponseEntity$HeadersBuilder;true;build;();;Argument[-1];ReturnValue;taint",
+        "org.springframework.http;ResponseEntity<>$BodyBuilder;true;contentLength;(long);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$BodyBuilder;true;contentType;(MediaType);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$BodyBuilder;true;body;(T);;Argument[-1..0];ReturnValue;taint",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;allow;(HttpMethod[]);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;eTag;(String);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;eTag;(String);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;header;(String,String[]);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;header;(String,String[]);;Argument[0..1];Argument[-1];taint",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;headers;(Consumer<HttpHeader>);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;headers;(HttpHeaders);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;headers;(HttpHeaders);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;location;(URI);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;location;(URI);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;varyBy;(String[]);;Argument[-1];ReturnValue;value",
+        "org.springframework.http;ResponseEntity<>$HeadersBuilder;true;build;();;Argument[-1];ReturnValue;taint",
         "org.springframework.http;RequestEntity;true;getUrl;();;Argument[-1];ReturnValue;taint",
         "org.springframework.http;HttpHeaders;true;get;(Object);;Argument[-1];ReturnValue;taint", // Returns List<String>
         "org.springframework.http;HttpHeaders;true;getAccessControlAllowHeaders;();;Argument[-1];ReturnValue;taint", // Returns List<String>
diff --git a/java/ql/test/library-tests/frameworks/spring/TestHttp.java b/java/ql/test/library-tests/frameworks/spring/TestHttp.java
@@ -0,0 +1,48 @@
+import org.springframework.http.HttpEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.LinkedMultiValueMap;
+import java.util.Optional;
+
+class TestHttp {
+    static <T> T taint() { return null; }
+    static void sink(Object o) {}
+
+    void test1() {
+        String x = taint();
+        sink(new HttpEntity(x)); // $hasTaintFlow
+
+        MultiValueMap<String,String> m = new LinkedMultiValueMap();
+        sink(new HttpEntity(x, m)); // $hasTaintFlow
+
+        m.add("a", taint());
+        sink(new HttpEntity("a", m)); // $ MISSING:hasTaintFlow
+        sink(new HttpEntity<String>(m)); // $ MISSING:hasTaintFlow
+
+        HttpEntity<String> ent = taint();
+        sink(ent.getBody()); // $hasTaintFlow
+        sink(ent.getHeaders()); // $hasTaintFlow
+
+        RequestEntity<String> req = taint();
+        sink(req.getUrl()); // $hasTaintFlow
+    }
+
+    void test2() {
+        String x = taint();
+        sink(ResponseEntity.ok(x)); // $hasTaintFlow
+        sink(ResponseEntity.of(Optional.of(x))); // $ MISSING:hasTaintFlow
+
+        sink(ResponseEntity.status(200).contentLength(2048).body(x)); // $hasTaintFlow
+        sink(ResponseEntity.created(taint()).contentType(null).body("a")); // $hasTaintFlow
+        sink(ResponseEntity.status(200).header(x, "a", "b", "c").build()); // $hasTaintFlow
+        sink(ResponseEntity.status(200).header("h", "a", "b", x).build()); // $hasTaintFlow
+        HttpHeaders h = new HttpHeaders();
+        h.add("h", taint());
+        sink(ResponseEntity.status(200).headers(h).allow().build()); // $hasTaintFlow
+        sink(ResponseEntity.status(200).eTag(x).allow().build()); // $hasTaintFlow
+        sink(ResponseEntity.status(200).location(taint()).lastModified(10000000).build()); // $hasTaintFlow
+        sink(ResponseEntity.status(200).varyBy(x).build()); 
+    }
+}
diff --git a/java/ql/test/library-tests/frameworks/spring/flow.expected b/java/ql/test/library-tests/frameworks/spring/flow.expected
diff --git a/java/ql/test/library-tests/frameworks/spring/flow.ql b/java/ql/test/library-tests/frameworks/spring/flow.ql
@@ -0,0 +1,53 @@
+import java
+import semmle.code.java.frameworks.spring.Spring
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:spring-taint-flow" }
+
+  override predicate isSource(DataFlow::Node n) {
+    exists(string name | name.matches("taint%") |
+      n.asExpr().(MethodAccess).getMethod().hasName(name)
+    )
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:spring-value-flow" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasTaintFlow", "hasValueFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/spring/options b/java/ql/test/library-tests/frameworks/spring/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3`