Java: Added sources and flow steps for RabbitMQ

Author: artem-smotrakov

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -138,6 +138,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.MyBatis
   private import semmle.code.java.frameworks.Hibernate
   private import semmle.code.java.frameworks.jOOQ
+  private import semmle.code.java.frameworks.RabbitMQ
 }
 
 private predicate sourceModelCsv(string row) {

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -21,6 +21,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.ApacheHttp
+  private import semmle.code.java.frameworks.RabbitMQ
 }
 
 /**

java/ql/lib/semmle/code/java/frameworks/RabbitMQ.qll

@@ -0,0 +1,58 @@
+/**
+ * Provides classes and predicates related to RabbitMQ.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * Defines remote sources in RabbitMQ.
+ */
+private class RabbitMQSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // soruces for RabbitMQ 4.x
+        "com.rabbitmq.client;Command;true;getContentHeader;();;ReturnValue;remote",
+        "com.rabbitmq.client;Command;true;getContentBody;();;ReturnValue;remote",
+        "com.rabbitmq.client;Consumer;true;handleDelivery;(String,Envelope,BasicProperties,byte[]);;Parameter[3];remote",
+        "com.rabbitmq.client;QueueingConsumer;true;nextDelivery;;;ReturnValue;remote",
+        "com.rabbitmq.client;RpcServer;true;handleCall;(Delivery,BasicProperties);;Parameter[0];remote",
+        "com.rabbitmq.client;RpcServer;true;handleCall;(BasicProperties,byte[],BasicProperties);;Parameter[1];remote",
+        "com.rabbitmq.client;RpcServer;true;handleCall;(byte[],BasicProperties);;Parameter[0];remote",
+        "com.rabbitmq.client;RpcServer;true;preprocessReplyProperties;(Delivery,Builder);;Parameter[0];remote",
+        "com.rabbitmq.client;RpcServer;true;postprocessReplyProperties;(Delivery,Builder);;Parameter[0];remote",
+        "com.rabbitmq.client;RpcServer;true;handleCast;(Delivery);;Parameter[0];remote",
+        "com.rabbitmq.client;RpcServer;true;handleCast;(BasicProperties,byte[]);;Parameter[1];remote",
+        "com.rabbitmq.client;RpcServer;true;handleCast;(byte[]);;Parameter[0];remote",
+        "com.rabbitmq.client;StringRpcServer;true;handleStringCall;;;Parameter[0];remote",
+        "com.rabbitmq.client;RpcClient;true;doCall;;;ReturnValue;remote",
+        "com.rabbitmq.client;RpcClient;true;primitiveCall;;;ReturnValue;remote",
+        "com.rabbitmq.client;RpcClient;true;responseCall;;;ReturnValue;remote",
+        "com.rabbitmq.client;RpcClient;true;stringCall;(String);;ReturnValue;remote",
+        "com.rabbitmq.client;RpcClient;true;mapCall;;;ReturnValue;remote",
+        "com.rabbitmq.client.impl;Frame;true;getInputStream;();;ReturnValue;remote",
+        "com.rabbitmq.client.impl;Frame;true;getPayload;();;ReturnValue;remote",
+        "com.rabbitmq.client.impl;FrameHandler;true;readFrame;();;ReturnValue;remote",
+      ]
+  }
+}
+
+/**
+ * Defines flow steps in RabbitMQ.
+ */
+private class RabbitMQSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // flow steps for RabbitMQ 4.x
+        "com.rabbitmq.client;GetResponse;true;GetResponse;;;Argument[2];Argument[-1];taint",
+        "com.rabbitmq.client;GetResponse;true;getBody;();;Argument[-1];ReturnValue;taint",
+        "com.rabbitmq.client;RpcClient$Response;true;getBody;();;Argument[-1];ReturnValue;taint",
+        "com.rabbitmq.client;QueueingConsumer$Delivery;true;getBody;();;Argument[-1];ReturnValue;taint",
+        "com.rabbitmq.client.impl;Frame;false;fromBodyFragment;(int,byte[],int,int);;Argument[1];ReturnValue;taint",
+        "com.rabbitmq.client.impl;Frame;false;readFrom;(DataInputStream);;Argument[0];ReturnValue;taint",
+        "com.rabbitmq.client.impl;Frame;true;writeTo;(DataOutputStream);;Argument[-1];Argument[0];taint",
+      ]
+  }
+}

java/ql/test/library-tests/rabbitmq/FlowTest.expected

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineFlowTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:frameworks:rabbitmq" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | node.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+
+  override DataFlow::Configuration getTaintFlowConfig() { result = any(Conf c) }
+}

java/ql/test/library-tests/rabbitmq/FlowTest.ql

@@ -0,0 +1,19 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
+
+class SourceTest extends InlineExpectationsTest {
+  SourceTest() { this = "SourceTest" }
+
+  override string getARelevantTag() { result = "source" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "source" and
+    exists(RemoteFlowSource source |
+      not source.asParameter().getCallable().getDeclaringType().hasName("DefaultConsumer") and
+      source.getLocation() = location and
+      element = source.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/rabbitmq/SourceTest.expected

@@ -0,0 +1,34 @@
+import com.rabbitmq.client.DefaultConsumer;
+import com.rabbitmq.client.Channel;
+import com.rabbitmq.client.AMQP;
+import com.rabbitmq.client.Envelope;
+import com.rabbitmq.client.QueueingConsumer;
+
+public class Test {
+
+    public void defaultConsumerTest(Channel channel) {
+        DefaultConsumer consumer = new DefaultConsumer(channel) {
+
+            @Override
+            public void handleDelivery(
+                    String consumerTag, Envelope envelope, AMQP.BasicProperties properties, 
+                    byte[] body) { // $source
+
+                sink(body); // $hasTaintFlow
+            }
+        };
+    }
+
+    public void queueingConsumerTest(QueueingConsumer consumer) {
+        while (true) {
+            QueueingConsumer.Delivery delivery = consumer.nextDelivery(); // $source
+            sink(delivery.getBody()); // $hasTaintFlow
+            delivery = consumer.nextDelivery(42); // $source
+            sink(delivery.getBody()); // $hasTaintFlow
+        }
+    }
+
+    private void sink(byte[] data) {
+
+    }
+}

java/ql/test/library-tests/rabbitmq/SourceTest.ql

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/rabbitmq-4.12.0