Merge pull request github#6087 from smowton/smowton/admin/rest-xss-tests

Java: Add Spring XSS tests

Author: aschackmull

java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java

@@ -0,0 +1,160 @@
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.MediaType;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Optional;
+
+@RestController
+public class SpringXSS {
+
+  @GetMapping
+  public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) {
+
+    ResponseEntity.BodyBuilder builder = ResponseEntity.ok();
+
+    if(safeContentType) {
+      if(chainDirectly) {
+        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+      }
+      else {
+        ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
+        return builder2.body(userControlled); // $xss
+      }
+    }
+    else {
+      if(chainDirectly) {
+        return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss
+      }
+      else {
+        ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.APPLICATION_JSON);
+        return builder2.body(userControlled); // $SPURIOUS: xss
+      }
+    }
+
+  }
+
+  @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
+  public static ResponseEntity<String> methodContentTypeSafe(String userControlled) {
+    return ResponseEntity.ok(userControlled);
+  }
+
+  @PostMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
+  public static ResponseEntity<String> methodContentTypeSafePost(String userControlled) {
+    return ResponseEntity.ok(userControlled);
+  }
+
+  @RequestMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
+  public static ResponseEntity<String> methodContentTypeSafeRequest(String userControlled) {
+    return ResponseEntity.ok(userControlled);
+  }
+
+  @GetMapping(value = "/xyz", produces = "application/json")
+  public static ResponseEntity<String> methodContentTypeSafeStringLiteral(String userControlled) {
+    return ResponseEntity.ok(userControlled);
+  }
+
+  @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
+  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
+    return ResponseEntity.ok(userControlled); // $MISSING: xss
+  }
+
+  @GetMapping(value = "/xyz", produces = "text/html")
+  public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
+    return ResponseEntity.ok(userControlled); // $xss
+  }
+
+  @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
+  public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
+    return ResponseEntity.ok(userControlled); // $xss
+  }
+
+  @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
+  public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
+    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $MISSING: xss
+  }
+
+  @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
+  public static ResponseEntity<String> methodContentTypeUnsafeOverriddenWithSafe(String userControlled) {
+    return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled);
+  }
+
+  @GetMapping(value = "/xyz", produces = {"text/html", "application/json"})
+  public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) {
+    // Also try out some alternative constructors for the ResponseEntity:
+    switch(constructionMethod) {
+      case 0:
+      return ResponseEntity.ok(userControlled); // $xss
+      case 1:
+      return ResponseEntity.of(Optional.of(userControlled)); // $xss
+      case 2:
+      return ResponseEntity.ok().body(userControlled); // $xss
+      case 3:
+      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $xss
+      default:
+      return null;
+    }
+  }
+
+  @RestController
+  @RequestMapping(produces = {"application/json"})
+  private static class ClassContentTypeSafe {
+    @GetMapping(value = "/abc")
+    public ResponseEntity<String> test(String userControlled) {
+      return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
+    }
+
+    @GetMapping(value = "/abc")
+    public String testDirectReturn(String userControlled) {
+      return userControlled; // $SPURIOUS: xss
+    }
+
+    @GetMapping(value = "/xyz", produces = {"text/html"})
+    public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
+      return ResponseEntity.ok(userControlled); // $xss
+    }
+
+    @GetMapping(value = "/abc")
+    public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
+      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
+    }
+  }
+
+  @RestController
+  @RequestMapping(produces = {"text/html"})
+  private static class ClassContentTypeUnsafe {
+    @GetMapping(value = "/abc")
+    public ResponseEntity<String> test(String userControlled) {
+      return ResponseEntity.ok(userControlled); // $xss
+    }
+
+    @GetMapping(value = "/abc")
+    public String testDirectReturn(String userControlled) {
+      return userControlled; // $xss
+    }
+
+    @GetMapping(value = "/xyz", produces = {"application/json"})
+    public ResponseEntity<String> overridesWithSafe(String userControlled) {
+      return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
+    }
+
+    @GetMapping(value = "/abc")
+    public ResponseEntity<String> overridesWithSafe2(String userControlled) {
+      return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss
+    }
+  }
+
+  @GetMapping(value = "/abc")
+  public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
+    return ResponseEntity.ok(userControlled); // $xss
+  }
+
+  @GetMapping(value = "/abc")
+  public static String stringWithNoMediaType(String userControlled) {
+    return userControlled; // $xss
+  }
+
+}

java/ql/test/query-tests/security/CWE-079/semmle/tests/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/javax-ws-rs-api-2.1.1/:${testdir}/../../../../../stubs/springframework-5.3.8

java/ql/test/stubs/springframework-5.3.8/org/springframework/http/MediaType.java

@@ -62,33 +62,33 @@ public MediaType(String p0, String p1, double p2){}
     public static MediaType asMediaType(MimeType p0){ return null; }
     public static MediaType parseMediaType(String p0){ return null; }
     public static MediaType valueOf(String p0){ return null; }
-    public static String ALL_VALUE = null;
-    public static String APPLICATION_ATOM_XML_VALUE = null;
-    public static String APPLICATION_CBOR_VALUE = null;
-    public static String APPLICATION_FORM_URLENCODED_VALUE = null;
-    public static String APPLICATION_JSON_UTF8_VALUE = null;
-    public static String APPLICATION_JSON_VALUE = null;
-    public static String APPLICATION_NDJSON_VALUE = null;
-    public static String APPLICATION_OCTET_STREAM_VALUE = null;
-    public static String APPLICATION_PDF_VALUE = null;
-    public static String APPLICATION_PROBLEM_JSON_UTF8_VALUE = null;
-    public static String APPLICATION_PROBLEM_JSON_VALUE = null;
-    public static String APPLICATION_PROBLEM_XML_VALUE = null;
-    public static String APPLICATION_RSS_XML_VALUE = null;
-    public static String APPLICATION_STREAM_JSON_VALUE = null;
-    public static String APPLICATION_XHTML_XML_VALUE = null;
-    public static String APPLICATION_XML_VALUE = null;
-    public static String IMAGE_GIF_VALUE = null;
-    public static String IMAGE_JPEG_VALUE = null;
-    public static String IMAGE_PNG_VALUE = null;
-    public static String MULTIPART_FORM_DATA_VALUE = null;
-    public static String MULTIPART_MIXED_VALUE = null;
-    public static String MULTIPART_RELATED_VALUE = null;
-    public static String TEXT_EVENT_STREAM_VALUE = null;
-    public static String TEXT_HTML_VALUE = null;
-    public static String TEXT_MARKDOWN_VALUE = null;
-    public static String TEXT_PLAIN_VALUE = null;
-    public static String TEXT_XML_VALUE = null;
+    public static final String ALL_VALUE = "";
+    public static final String APPLICATION_ATOM_XML_VALUE = "";
+    public static final String APPLICATION_CBOR_VALUE = "";
+    public static final String APPLICATION_FORM_URLENCODED_VALUE = "";
+    public static final String APPLICATION_JSON_UTF8_VALUE = "";
+    public static final String APPLICATION_JSON_VALUE = "";
+    public static final String APPLICATION_NDJSON_VALUE = "";
+    public static final String APPLICATION_OCTET_STREAM_VALUE = "";
+    public static final String APPLICATION_PDF_VALUE = "";
+    public static final String APPLICATION_PROBLEM_JSON_UTF8_VALUE = "";
+    public static final String APPLICATION_PROBLEM_JSON_VALUE = "";
+    public static final String APPLICATION_PROBLEM_XML_VALUE = "";
+    public static final String APPLICATION_RSS_XML_VALUE = "";
+    public static final String APPLICATION_STREAM_JSON_VALUE = "";
+    public static final String APPLICATION_XHTML_XML_VALUE = "";
+    public static final String APPLICATION_XML_VALUE = "";
+    public static final String IMAGE_GIF_VALUE = "";
+    public static final String IMAGE_JPEG_VALUE = "";
+    public static final String IMAGE_PNG_VALUE = "";
+    public static final String MULTIPART_FORM_DATA_VALUE = "";
+    public static final String MULTIPART_MIXED_VALUE = "";
+    public static final String MULTIPART_RELATED_VALUE = "";
+    public static final String TEXT_EVENT_STREAM_VALUE = "";
+    public static final String TEXT_HTML_VALUE = "";
+    public static final String TEXT_MARKDOWN_VALUE = "";
+    public static final String TEXT_PLAIN_VALUE = "";
+    public static final String TEXT_XML_VALUE = "";
     public static String toString(Collection<MediaType> p0){ return null; }
     public static void sortByQualityValue(List<MediaType> p0){}
     public static void sortBySpecificity(List<MediaType> p0){}

java/ql/test/stubs/springframework-5.3.8/org/springframework/web/bind/annotation/PostMapping.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.springframework.web.bind.annotation;
 
 import java.lang.annotation.Documented;
@@ -6,11 +22,69 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
+import org.springframework.core.annotation.AliasFor;
+
+/**
+ * Annotation for mapping HTTP {@code POST} requests onto specific handler
+ * methods.
+ *
+ * <p>Specifically, {@code @PostMapping} is a <em>composed annotation</em> that
+ * acts as a shortcut for {@code @RequestMapping(method = RequestMethod.POST)}.
+ *
+ * @author Sam Brannen
+ * @since 4.3
+ * @see GetMapping
+ * @see PutMapping
+ * @see DeleteMapping
+ * @see PatchMapping
+ * @see RequestMapping
+ */
 @Target(ElementType.METHOD)
 @Retention(RetentionPolicy.RUNTIME)
 @Documented
 @RequestMapping(method = RequestMethod.POST)
 public @interface PostMapping {
 
-    String[] value() default {};
-}
+	/**
+	 * Alias for {@link RequestMapping#name}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String name() default "";
+
+	/**
+	 * Alias for {@link RequestMapping#value}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String[] value() default {};
+
+	/**
+	 * Alias for {@link RequestMapping#path}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String[] path() default {};
+
+	/**
+	 * Alias for {@link RequestMapping#params}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String[] params() default {};
+
+	/**
+	 * Alias for {@link RequestMapping#headers}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String[] headers() default {};
+
+	/**
+	 * Alias for {@link RequestMapping#consumes}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String[] consumes() default {};
+
+	/**
+	 * Alias for {@link RequestMapping#produces}.
+	 */
+	@AliasFor(annotation = RequestMapping.class)
+	String[] produces() default {};
+
+}