Commit f1c3a11

committed
Add sources for Jax-RS filters
1 parent 0ebbb33 commit f1c3a11

12 files changed

+1187
-20
lines changed

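--- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -544,11 +544,17 @@ private class UriInfoModel extends SummaryModelCsv {
 override predicate row(string row) {
 row =
 [
+"javax.ws.rs.core;UriInfo;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint",
+"javax.ws.rs.core;UriInfo;true;getAbsolutePathBuilder;;;Argument[-1];ReturnValue;taint",
+"javax.ws.rs.core;UriInfo;true;getPath;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
 "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
+"jakarta.ws.rs.core;UriInfo;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint",
+"jakarta.ws.rs.core;UriInfo;true;getAbsolutePathBuilder;;;Argument[-1];ReturnValue;taint",
+"jakarta.ws.rs.core;UriInfo;true;getPath;;;Argument[-1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
 "jakarta.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
@@ -955,3 +961,17 @@ private class VulnerableEntity extends XssSinkBarrier {
 ).getArgument(0)
 }
 }
+
+/**
+* Model sources stemming from `ContainerRequestContext`.
+*/
+private class ContainerRequestContextModel extends SourceModelCsv {
+override predicate row(string s) {
+s =
+["javax", "jakarta"] + ".ws.rs.container;ContainerRequestContext;true;" +
+[
+"getAcceptableLanguages", "getAcceptableMediaTypes", "getCookies", "getEntityStream",
+"getHeaders", "getHeaderString", "getUriInfo"
+] + ";;;ReturnValue;remote"
+}
+}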
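Review bot: The method list in `ContainerRequestContextModel` leaves out `getMediaType` and `getMethod`, which also return values taken from the incoming request (the `Content-Type` header and the request method). Unless they are modelled somewhere this hunk does not show, a filter that reads them yields no remote source and downstream queries miss the flow. Consider extending the last list line to `"getHeaders", "getHeaderString", "getMediaType", "getMethod", "getUriInfo"` and adding matching lines to the two `*ContainerRequestContextSources.java` tests. The doc comment could also state that only request-derived accessors are treated as `remote`, so it is clear why the others are excluded.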
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
import jakarta.ws.rs.container.ContainerRequestContext;
2+
3+
public class JakartaContainerRequestContextSources {
4+
void sink(Object o) {}
5+
6+
void test(ContainerRequestContext context) throws Exception {
7+
sink(context.getAcceptableLanguages()); // $ hasValueFlow
8+
sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
9+
sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
10+
byte[] buf = new byte[1024];
11+
context.getEntityStream().read(buf);
12+
sink(buf); // $ hasTaintFlow
13+
sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
14+
sink(context.getHeaderString("someKey")); // $ hasValueFlow
15+
sink(context.getUriInfo().getPath()); // $ hasTaintFlow
16+
}
17+
}
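Review bot: `test` asserts only positive flows, so nothing pins which `ContainerRequestContext` accessors are deliberately not sources. A line with no expectation comment, such as `sink(context.getProperty("someKey"));`, would make the inline-expectations test fail if the model is later widened to data that does not come from the request. The javax twin of this file later in the commit has the same gap. A short comment on the `read(buf)` line, for example `// taint reaches buf via the InputStream.read model`, would also explain why `sink(buf)` expects taint flow.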

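--- a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
@@ -57,11 +57,11 @@ private static class SetStringSource {
 static PathSegment taint(PathSegment ps) { return ps; }
 
 static UriInfo taint(UriInfo ui) { return ui; }
-
+
 static Map taint(Map m) { return m; }
-
+
 static Link taint(Link l) { return l; }
-
+
 static Class taint(Class c) { return c; }
 
 private static class UriSource {
@@ -196,12 +196,16 @@ void testPathSegment(PathSegment ps1, PathSegment ps2) {
 sink(taint(ps2).getPath()); // $ hasTaintFlow
 }
 
-void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
-sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
-sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
-sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
-sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
-sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+void testUriInfo(UriInfo ui) {
+ui = taint(ui);
+sink(ui.getPathParameters()); // $ hasTaintFlow
+sink(ui.getPathSegments()); // $ hasTaintFlow
+sink(ui.getQueryParameters()); // $ hasTaintFlow
+sink(ui.getRequestUri()); // $ hasTaintFlow
+sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
+sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
+sink(ui.getRequestUri()); // $ hasTaintFlow
+sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
 }
 
 void testCookie() {
@@ -341,7 +345,7 @@ void testUriBuilder() throws Exception {
 sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
 sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
 sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
-
+
 sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
 sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
 sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow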
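Review bot: The rewritten `testUriInfo` calls `sink(ui.getRequestUri())` twice (new lines 204 and 207) and never calls `getAbsolutePath`, `getAbsolutePathBuilder` or `getPath` on the tainted `UriInfo`, which are the three summaries this commit adds to `UriInfoModel`. Replacing the duplicate with `sink(ui.getAbsolutePath()); // $ hasTaintFlow`, and adding `sink(ui.getAbsolutePathBuilder().build()); // $ hasTaintFlow` and `sink(ui.getPath()); // $ hasTaintFlow`, would cover the new rows directly. At present only `getPath` is reached, and only through `context.getUriInfo().getPath()` in the source tests. The `testUriInfo` hunk of `JaxRsFlow.java` has the same duplicate and the same gap.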
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
import javax.ws.rs.container.ContainerRequestContext;
2+
3+
public class JaxRsContainerRequestContextSources {
4+
void sink(Object o) {}
5+
6+
void test(ContainerRequestContext context) throws Exception {
7+
sink(context.getAcceptableLanguages()); // $ hasValueFlow
8+
sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
9+
sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
10+
byte[] buf = new byte[1024];
11+
context.getEntityStream().read(buf);
12+
sink(buf); // $ hasTaintFlow
13+
sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
14+
sink(context.getHeaderString("someKey")); // $ hasValueFlow
15+
sink(context.getUriInfo().getPath()); // $ hasTaintFlow
16+
}
17+
}

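--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
@@ -57,11 +57,11 @@ private static class SetStringSource {
 static PathSegment taint(PathSegment ps) { return ps; }
 
 static UriInfo taint(UriInfo ui) { return ui; }
-
+
 static Map taint(Map m) { return m; }
-
+
 static Link taint(Link l) { return l; }
-
+
 static Class taint(Class c) { return c; }
 
 private static class UriSource {
@@ -192,12 +192,16 @@ void testPathSegment(PathSegment ps1, PathSegment ps2) {
 sink(taint(ps2).getPath()); // $ hasTaintFlow
 }
 
-void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
-sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
-sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
-sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
-sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
-sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+void testUriInfo(UriInfo ui) {
+ui = taint(ui);
+sink(ui.getPathParameters()); // $ hasTaintFlow
+sink(ui.getPathSegments()); // $ hasTaintFlow
+sink(ui.getQueryParameters()); // $ hasTaintFlow
+sink(ui.getRequestUri()); // $ hasTaintFlow
+sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
+sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
+sink(ui.getRequestUri()); // $ hasTaintFlow
+sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
 }
 
 void testCookie() {
@@ -337,7 +341,7 @@ void testUriBuilder() throws Exception {
 sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
 sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
 sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
-
+
 sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
 sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
 sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow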

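--- a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
@@ -1,12 +1,15 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineExpectationsTest
 
 class TaintFlowConf extends TaintTracking::Configuration {
 TaintFlowConf() { this = "qltest:frameworks:jax-rs-taint" }
 
 override predicate isSource(DataFlow::Node n) {
 n.asExpr().(MethodAccess).getMethod().hasName("taint")
+or
+n instanceof RemoteFlowSource
 }
 
 override predicate isSink(DataFlow::Node n) {
@@ -21,6 +24,8 @@ class ValueFlowConf extends DataFlow::Configuration {
 
 override predicate isSource(DataFlow::Node n) {
 n.asExpr().(MethodAccess).getMethod().hasName("taint")
+or
+n instanceof RemoteFlowSource
 }
 
 override predicate isSink(DataFlow::Node n) {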
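Review bot: Both `isSource` overrides now repeat the same two-disjunct body, and nothing records why `RemoteFlowSource` was added to a test that previously relied only on the `taint()` marker. A shared helper such as `predicate isTestSource(DataFlow::Node n)` called from both configurations would keep them from drifting apart. A comment like `// RemoteFlowSource: exercises the ContainerRequestContext source model` would state the intent. Every remote source in this test directory now counts as a source, so any other file there that already contains one would need expectation comments; that cannot be checked from this hunk.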
