Convert existing spring http steps to csv

Author: joefarebrother

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -104,6 +104,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.MyBatis
   private import semmle.code.java.frameworks.Hibernate
   private import semmle.code.java.frameworks.jOOQ
+  private import semmle.code.java.frameworks.spring.SpringHttp
 }
 
 private predicate sourceModelCsv(string row) {

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -209,22 +209,6 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
     // a custom InputStream that wraps a tainted data source is tainted
     inputStreamWrapper(sink.getConstructor(), argi)
     or
-    // A SpringHttpEntity is a wrapper around a body and some headers
-    // Track flow through iff body is a String
-    exists(SpringHttpEntity she |
-      sink.getConstructor() = she.getAConstructor() and
-      argi = 0 and
-      tracked.getType() instanceof TypeString
-    )
-    or
-    // A SpringRequestEntity is a wrapper around a body and some headers
-    // Track flow through iff body is a String
-    exists(SpringResponseEntity sre |
-      sink.getConstructor() = sre.getAConstructor() and
-      argi = 0 and
-      tracked.getType() instanceof TypeString
-    )
-    or
     sink.getConstructor().(TaintPreservingCallable).returnsTaintFrom(argToParam(sink, argi))
   )
 }
@@ -277,19 +261,6 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m.getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
   not m.getDeclaringType() instanceof TypeObject
   or
-  m.getDeclaringType() instanceof SpringHttpEntity and
-  m.getName().regexpMatch("getBody|getHeaders")
-  or
-  exists(SpringHttpHeaders headers | m = headers.getAMethod() |
-    m.getReturnType() instanceof TypeString
-    or
-    exists(ParameterizedType stringlist |
-      m.getReturnType().(RefType).getASupertype*() = stringlist and
-      stringlist.getSourceDeclaration().hasQualifiedName("java.util", "List") and
-      stringlist.getTypeArgument(0) instanceof TypeString
-    )
-  )
-  or
   m.(TaintPreservingCallable).returnsTaintFrom(-1)
   or
   exists(JaxRsResourceMethod resourceMethod |

java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll

@@ -61,3 +61,41 @@ private class UrlOpenSink extends SinkModelCsv {
       ]
   }
 }
+
+private class SpringHttpFlowStep extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        "org.springframework.http;HttpEntity;false;HttpEntity;(T);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;HttpEntity;false;HttpEntity;(T,MultiValueMap<String,String>);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;HttpEntity;false;getBody;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpEntity;false;HttpEntity;getHeaders;;Argument[-1];ReturnValue;taint",
+        // Constructor with signature (MultiValueMap<String,String>) dependant on collection flow
+        "org.springframework.http;ResponseEntity;false;ResponseEntity;(T,HttpStatus);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;ResponseEntity;false;ResponseEntity;(T,MultiValueMap<String,String>,HttpStatus);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;ResponseEntity;false;ResponseEntity;(T,MultiValueMap<String,String>,int);;Argument[0];Argument[-1];taint",
+        "org.springframework.http;HttpHeaders;false;get;(Object);Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getAccessControlAllowHeaders;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getAccessControlAllowOrigin;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getAccessControlExposeHeaders;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getAccessControlRequestHeaders;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getCacheControl;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getConnection;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getETag;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getETagValuesAsList;(String);Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getFieldValues;(String);Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getFirst;(String);Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getIfMatch;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getIfNoneMatch;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getLocation;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getOrEmpty;(Object);Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getOrigin;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getPragma;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getUpgrade;();Argument[-1];ReturnValue;taint",
+        "org.springframework.http;HttpHeaders;false;getValuesAsList;(String);Argument[-1];ReturnValue;taint", // Returns List<String>
+        "org.springframework.http;HttpHeaders;false;getVary;();Argument[-1];ReturnValue;taint", // Returns List<String>
+        ""
+      ]
+  }
+}