Merge pull request github#5590 from github/sauyon/java-spring-errors

Add models for Spring validation.Errors

Author: aschackmull

java/change-notes/2021-04-02-add-spring-validation-errors.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added additional taint steps modeling the Spring `validation.Errors` class (`org.springframework.validation.Errors`).

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -86,6 +86,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.Optional
   private import semmle.code.java.frameworks.spring.SpringHttp
   private import semmle.code.java.frameworks.spring.SpringUtil
+  private import semmle.code.java.frameworks.spring.SpringValidation
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.security.ResponseSplitting

java/ql/src/semmle/code/java/frameworks/spring/Spring.qll

@@ -34,6 +34,7 @@ import semmle.code.java.frameworks.spring.SpringRef
 import semmle.code.java.frameworks.spring.SpringReplacedMethod
 import semmle.code.java.frameworks.spring.SpringSet
 import semmle.code.java.frameworks.spring.SpringUtil
+import semmle.code.java.frameworks.spring.SpringValidation
 import semmle.code.java.frameworks.spring.SpringValue
 import semmle.code.java.frameworks.spring.SpringXMLElement
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBean

java/ql/src/semmle/code/java/frameworks/spring/SpringValidation.qll

@@ -0,0 +1,25 @@
+/** Definitions of flow steps through utility methods of `org.springframework.validation.Errors`. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class SpringValidationErrorModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.validation;Errors;true;addAllErrors;;;Argument[0];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;getAllErrors;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.validation;Errors;true;getFieldError;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.validation;Errors;true;getFieldErrors;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.validation;Errors;true;getGlobalError;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.validation;Errors;true;getGlobalErrors;;;Argument[-1];ReturnValue;taint",
+        "org.springframework.validation;Errors;true;reject;;;Argument[0];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;reject;;;ArrayElement of Argument[1];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;reject;;;Argument[2];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;rejectValue;;;Argument[1];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;rejectValue;;;Argument[3];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;rejectValue;(java.lang.String,java.lang.String,java.lang.Object[],java.lang.String);;ArrayElement of Argument[2];Argument[-1];taint",
+        "org.springframework.validation;Errors;true;rejectValue;(java.lang.String,java.lang.String,java.lang.String);;Argument[2];Argument[-1];taint"
+      ]
+  }
+}

java/ql/test/library-tests/frameworks/spring/validation/Test.java

@@ -0,0 +1,78 @@
+import org.springframework.validation.Errors;
+
+class ValidationErrorsTest {
+  Object source() { return null; }
+
+  Errors sourceErrs() { return (Errors)source(); }
+  Errors errors() { return null; }
+
+  void sink(Object o) {}
+
+  void test() {
+    Errors es0 = errors();
+    es0.addAllErrors(sourceErrs());
+    sink(es0); // $hasTaintFlow
+
+    sink(sourceErrs().getAllErrors()); // $hasTaintFlow
+
+    sink(sourceErrs().getFieldError()); // $hasTaintFlow
+    sink(sourceErrs().getFieldError("field")); // $hasTaintFlow
+
+    sink(sourceErrs().getGlobalError()); // $hasTaintFlow
+    sink(sourceErrs().getGlobalErrors()); // $hasTaintFlow
+
+    Errors es1 = errors();
+    es1.reject((String)source());
+    sink(es1); // $hasTaintFlow
+
+    Errors es2 = errors();
+    es2.reject((String)source(), null, "");
+    sink(es2); // $hasTaintFlow
+
+    Errors es3 = errors();
+    es3.reject((String)source(), null, "");
+    sink(es3); // $hasTaintFlow
+
+    {
+      Errors es4 = errors();
+      Object[] in = { (String)source() };
+      es4.reject("", in, "");
+      sink(in); // $hasTaintFlow
+    }
+
+    {
+      Errors es5 = errors();
+      es5.reject("", null, (String)source());
+      sink(es5); // $hasTaintFlow
+    }
+
+    Errors es6 = errors();
+    es6.reject((String)source(), "");
+    sink(es6); // $hasTaintFlow
+
+    Errors es7 = errors();
+    es7.reject("", (String)source());
+    sink(es7); // $hasTaintFlow
+
+    Errors es8 = errors();
+    es8.rejectValue("", (String)source(), null, "");
+    sink(es8); // $hasTaintFlow
+
+    Errors es9 = errors();
+    Object[] in = {source()};
+    es9.rejectValue("", "", in, "");
+    sink(es9); // $hasTaintFlow
+
+    Errors es10 = errors();
+    es10.rejectValue("", "", null, (String)source());
+    sink(es10); // $hasTaintFlow
+
+    Errors es11 = errors();
+    es11.rejectValue("", (String)source(), "");
+    sink(es11); // $hasTaintFlow
+
+    Errors es12 = errors();
+    es12.rejectValue("", "", (String)source());
+    sink(es12); // $hasTaintFlow
+  }
+}

java/ql/test/library-tests/frameworks/spring/validation/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8

java/ql/test/library-tests/frameworks/spring/validation/test.expected

@@ -0,0 +1,52 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:valueFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:taintFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
+      conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/spring/validation/test.ql

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.context;
+
+public interface MessageSourceResolvable {
+  String[] getCodes();
+
+  default Object[] getArguments() {
+    return null;
+  }
+
+  default String getDefaultMessage() {
+    return null;
+  }
+}

java/ql/test/stubs/springframework-5.3.8/org/springframework/context/MessageSourceResolvable.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.context.support;
+
+import java.io.Serializable;
+import org.springframework.context.MessageSourceResolvable;
+import org.springframework.lang.Nullable;
+
+public class DefaultMessageSourceResolvable implements MessageSourceResolvable, Serializable {
+  public DefaultMessageSourceResolvable(String code) {}
+
+  public DefaultMessageSourceResolvable(String[] codes) {}
+
+  public DefaultMessageSourceResolvable(String[] codes, String defaultMessage) {}
+
+  public DefaultMessageSourceResolvable(String[] codes, Object[] arguments) {}
+
+  public DefaultMessageSourceResolvable(
+      @Nullable String[] codes, @Nullable Object[] arguments, @Nullable String defaultMessage) {}
+
+  public DefaultMessageSourceResolvable(MessageSourceResolvable resolvable) {}
+
+  public String getCode() {
+    return null;
+  }
+
+  @Override
+  public String[] getCodes() {
+    return null;
+  }
+
+  @Override
+  public Object[] getArguments() {
+    return null;
+  }
+
+  @Override
+  public String getDefaultMessage() {
+    return null;
+  }
+
+  public boolean shouldRenderDefaultMessage() {
+    return false;
+  }
+
+  @Override
+  public String toString() {
+    return null;
+  }
+
+  @Override
+  public boolean equals(@Nullable Object other) {
+    return false;
+  }
+
+  @Override
+  public int hashCode() {
+    return 0;
+  }
+
+  protected final String resolvableToString() {
+    return null;
+  }
+}