Model Spring web.multipart

Author: Sauyon Lee

java/change-notes/2021-07-01-spring-webmultipart.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.web.multipart` package of the Spring framework
+  have been modelled.  This may result in additional results for security queries on projects using
+  this framework.

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -90,6 +90,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringValidation
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans
+  private import semmle.code.java.frameworks.spring.SpringWebMultipart
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.JexlInjectionSinkModels

java/ql/src/semmle/code/java/frameworks/spring/Spring.qll

@@ -36,6 +36,7 @@ import semmle.code.java.frameworks.spring.SpringSet
 import semmle.code.java.frameworks.spring.SpringUtil
 import semmle.code.java.frameworks.spring.SpringValidation
 import semmle.code.java.frameworks.spring.SpringValue
+import semmle.code.java.frameworks.spring.SpringWebMultipart
 import semmle.code.java.frameworks.spring.SpringXMLElement
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBean
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBeanFile

java/ql/src/semmle/code/java/frameworks/spring/SpringWebMultipart.qll

@@ -0,0 +1,25 @@
+/** Provides models of taint flow in `org.springframework.web.multipart` */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class FlowSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.web.multipart;MultipartFile;true;getBytes;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getInputStream;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getName;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartFile;true;getResource;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartHttpServletRequest;true;getMultipartHeaders;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartHttpServletRequest;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFile;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFileMap;;;Argument[-1];MapValue of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFileNames;;;Argument[-1];Element of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getFiles;;;Argument[-1];Element of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;;;Argument[-1];MapValue of ReturnValue;taint",
+        "org.springframework.web.multipart;MultipartResolver;true;resolveMultipart;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}