Consider subtypes of ReaderSource

atorralba · atorralba · commit af6bd0b96399 · 2021-06-16T13:01:40.000+02:00
diff --git a/java/ql/src/semmle/code/java/security/GroovyInjection.qll b/java/ql/src/semmle/code/java/security/GroovyInjection.qll
@@ -116,7 +116,10 @@ private predicate groovySourceUnitTaintStep(DataFlow::Node fromNode, DataFlow::N
       index = 0 and arg.getType() instanceof TypeUrl
       or
       index = 1 and
-      (arg.getType() instanceof TypeString or arg.getType() instanceof TypeReaderSource)
+      (
+        arg.getType() instanceof TypeString or
+        arg.getType() instanceof TypeReaderSource
+      )
     )
   |
     fromNode.asExpr() = arg and
@@ -137,9 +140,7 @@ private predicate groovySourceUnitTaintStep(DataFlow::Node fromNode, DataFlow::N
  * a `ReaderSource` instance by calling `new *ReaderSource(tainted, ...)`
  */
 private predicate groovyReaderSourceTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-  exists(ClassInstanceExpr cie |
-    cie.getConstructedType().getASupertype*() instanceof TypeReaderSource
-  |
+  exists(ClassInstanceExpr cie | cie.getConstructedType() instanceof TypeReaderSource |
     fromNode.asExpr() = cie.getArgument(0) and toNode.asExpr() = cie
   )
 }
@@ -163,5 +164,7 @@ private class TypeGroovySourceUnit extends RefType {
 
 /** The class `org.codehaus.groovy.control.io.ReaderSource`. */
 private class TypeReaderSource extends RefType {
-  TypeReaderSource() { this.hasQualifiedName("org.codehaus.groovy.control.io", "ReaderSource") }
+  TypeReaderSource() {
+    this.getASupertype*().hasQualifiedName("org.codehaus.groovy.control.io", "ReaderSource")
+  }
 }
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyCompilationUnitTest.java
@@ -9,6 +9,8 @@
 import org.codehaus.groovy.control.SourceUnit;
 import org.codehaus.groovy.control.io.ReaderSource;
 import org.codehaus.groovy.control.io.StringReaderSource;
+import org.codehaus.groovy.tools.javac.JavaAwareCompilationUnit;
+import org.codehaus.groovy.tools.javac.JavaStubCompilationUnit;
 
 public class GroovyCompilationUnitTest extends HttpServlet {
     public void doGet(HttpServletRequest request, HttpServletResponse response)
@@ -51,7 +53,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
         }
         {
             CompilationUnit cu = new CompilationUnit();
-            ReaderSource rs = new StringReaderSource(request.getParameter("source"), null);
+            StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null);
             SourceUnit su = new SourceUnit("test", rs, null, null, null);
             cu.addSource(su);
             cu.compile(); // $hasGroovyInjection

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,10 @@ private predicate groovySourceUnitTaintStep(DataFlow::Node fromNode, DataFlow::N`
`116`	`116`	`index = 0 and arg.getType() instanceof TypeUrl`
`117`	`117`	`or`
`118`	`118`	`index = 1 and`
`119`		`- (arg.getType() instanceof TypeString or arg.getType() instanceof TypeReaderSource)`
	`119`	`+ (`
	`120`	`+ arg.getType() instanceof TypeString or`
	`121`	`+ arg.getType() instanceof TypeReaderSource`
	`122`	`+ )`
`120`	`123`	`)`
`121`	`124`	`\|`
`122`	`125`	`fromNode.asExpr() = arg and`
`@@ -137,9 +140,7 @@ private predicate groovySourceUnitTaintStep(DataFlow::Node fromNode, DataFlow::N`
`137`	`140`	* a `ReaderSource` instance by calling `new *ReaderSource(tainted, ...)`
`138`	`141`	`*/`
`139`	`142`	`private predicate groovyReaderSourceTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {`
`140`		`- exists(ClassInstanceExpr cie \|`
`141`		`- cie.getConstructedType().getASupertype*() instanceof TypeReaderSource`
`142`		`- \|`
	`143`	`+ exists(ClassInstanceExpr cie \| cie.getConstructedType() instanceof TypeReaderSource \|`
`143`	`144`	`fromNode.asExpr() = cie.getArgument(0) and toNode.asExpr() = cie`
`144`	`145`	`)`
`145`	`146`	`}`
`@@ -163,5 +164,7 @@ private class TypeGroovySourceUnit extends RefType {`
`163`	`164`
`164`	`165`	/** The class `org.codehaus.groovy.control.io.ReaderSource`. */
`165`	`166`	`private class TypeReaderSource extends RefType {`
`166`		`- TypeReaderSource() { this.hasQualifiedName("org.codehaus.groovy.control.io", "ReaderSource") }`
	`167`	`+ TypeReaderSource() {`
	`168`	`+ this.getASupertype*().hasQualifiedName("org.codehaus.groovy.control.io", "ReaderSource")`
	`169`	`+ }`
`167`	`170`	`}`