Add more test cases

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll

@@ -160,15 +160,17 @@ private class ServletGetPathSource extends SourceModelCsv {
   }
 }
 
-/** Taint model related to `java.nio.file.Path`. */
+/** Taint model related to `java.nio.file.Path` and `io.undertow.server.handlers.resource.Resource`. */
 private class FilePathFlowStep extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
         "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint",
         "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint",
         "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint",
-        "java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint"
+        "io.undertow.server.handlers.resource;Resource;true;getFile;;;Argument[-1];ReturnValue;taint",
+        "io.undertow.server.handlers.resource;Resource;true;getFilePath;;;Argument[-1];ReturnValue;taint",
+        "io.undertow.server.handlers.resource;Resource;true;getPath;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }

java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll

@@ -2,7 +2,7 @@
  * Provides classes and predicates for working with the Java Server Faces (JSF).
  */
 
-import semmle.code.java.Type
+import java
 
 /**
  * The JSF class `ExternalContext` for processing HTTP requests.

java/ql/test/experimental/query-tests/security/CWE-552/UnsafeResourceGet.java

@@ -5,7 +5,9 @@
 import java.io.PrintWriter;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.net.URI;
 import java.net.URL;
+import java.net.URISyntaxException;
 
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -15,6 +17,11 @@
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
 
+import io.undertow.server.handlers.resource.FileResourceManager;
+import io.undertow.server.handlers.resource.Resource;
+import org.jboss.vfs.VFS;
+import org.jboss.vfs.VirtualFile;
+
 public class UnsafeResourceGet extends HttpServlet {
 	private static final String BASE_PATH = "/pages";
 
@@ -137,7 +144,7 @@ protected void doHead(HttpServletRequest request, HttpServletResponse response)
 		ServletOutputStream out = response.getOutputStream();
 
 		// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
-		// Note the class is in two levels of subpackages and `Class.loadResource` starts from its own directory
+		// Note the class is in two levels of subpackages and `Class.getResource` starts from its own directory
 		URL url = getClass().getResource(requestUrl);
 
 		InputStream in = url.openStream();
@@ -205,4 +212,59 @@ protected void doPutGood(HttpServletRequest request, HttpServletResponse respons
 			}
 		}
 	}
+
+	// BAD: getResource constructed from `ClassLoader` without input validation
+	protected void doPutBad(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		String requestUrl = request.getParameter("requestURL");
+		ServletOutputStream out = response.getOutputStream();
+
+		// A sample request /fake.jsp/../../../WEB-INF/web.xml can load the web.xml file
+		// Note the class is in two levels of subpackages and `ClassLoader.getResource` starts from its own directory
+		URL url = getClass().getClassLoader().getResource(requestUrl);
+
+		InputStream in = url.openStream();
+		byte[] buf = new byte[4 * 1024];  // 4K buffer
+		int bytesRead;
+		while ((bytesRead = in.read(buf)) != -1) {
+			out.write(buf, 0, bytesRead);
+		}
+	}
+
+	// BAD: getResource constructed using Undertow IO without input validation
+	protected void doPutBad2(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		String requestPath = request.getParameter("requestPath");
+
+		try {
+			FileResourceManager rm = new FileResourceManager(VFS.getChild(new URI("/usr/share")).getPhysicalFile());
+			Resource rs = rm.getResource(requestPath);
+
+			VirtualFile overlay = VFS.getChild(new URI("EAP_HOME/modules/"));
+			// Do file operations
+			overlay.getChild(rs.getPath());
+		} catch (URISyntaxException ue) {
+			throw new IOException("Cannot parse the URI");
+		}
+	}
+
+	// GOOD: getResource constructed using Undertow IO with input validation
+	protected void doPutGood2(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		String requestPath = request.getParameter("requestPath");
+
+		try {
+			FileResourceManager rm = new FileResourceManager(VFS.getChild(new URI("/usr/share")).getPhysicalFile());
+			Resource rs = rm.getResource(requestPath);
+
+			VirtualFile overlay = VFS.getChild(new URI("EAP_HOME/modules/"));
+			String path = rs.getPath();
+			if (path.startsWith("/trusted_path") && !path.contains("..")) {
+				// Do file operations
+				overlay.getChild(path);
+			}
+		} catch (URISyntaxException ue) {
+			throw new IOException("Cannot parse the URI");
+		}
+	}
 }

java/ql/test/experimental/query-tests/security/CWE-552/UnsafeResourceGet2.java

@@ -0,0 +1,58 @@
+package com.example;
+
+import javax.faces.context.FacesContext;
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.IOException;
+import java.net.URL;
+import java.util.Map;
+
+/** Sample class of JSF managed bean */
+public class UnsafeResourceGet2 {
+	// BAD: getResourceAsStream constructed from `ExternalContext` without input validation
+	public String parameterActionBad1() throws IOException {
+		FacesContext fc = FacesContext.getCurrentInstance();
+		Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
+		String loadUrl = params.get("loadUrl");
+
+		InputStreamReader isr = new InputStreamReader(fc.getExternalContext().getResourceAsStream(loadUrl));
+		BufferedReader br = new BufferedReader(isr);
+		if(br.ready()) {
+			//Do Stuff
+			return "result";
+		}
+
+		return "home";
+	}
+
+	// BAD: getResource constructed from `ExternalContext` without input validation
+	public String parameterActionBad2() throws IOException {
+		FacesContext fc = FacesContext.getCurrentInstance();
+		Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
+		String loadUrl = params.get("loadUrl");
+
+		URL url = fc.getExternalContext().getResource(loadUrl);
+
+		InputStream in = url.openStream();
+		//Do Stuff
+		return "result";
+	}
+
+	// GOOD: getResource constructed from `ExternalContext` with input validation
+	public String parameterActionGood1() throws IOException {
+		FacesContext fc = FacesContext.getCurrentInstance();
+		Map<String, String> params = fc.getExternalContext().getRequestParameterMap();
+		String loadUrl = params.get("loadUrl");
+
+		if (loadUrl.equals("/public/crossdomain.xml")) {
+			URL url = fc.getExternalContext().getResource(loadUrl);
+
+			InputStream in = url.openStream();
+			//Do Stuff
+			return "result";
+		}
+
+		return "home";
+	}
+}