Standardize the query and update qldoc

luchua-bc · luchua-bc · commit 590b9d8519a1 · 2022-04-27T22:17:17.000Z
diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -381,7 +381,7 @@ class RequestDispatchMethod extends Method {
 /**
  * The interface `javax.servlet.ServletContext`.
  */
-library class ServletContext extends RefType {
+class ServletContext extends RefType {
   ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeResourceGet.java b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeResourceGet.java
@@ -1,5 +1,5 @@
 // BAD: no URI validation
-URL url = servletContext.getResource(requestUrl);
+URL url = request.getServletContext().getResource(requestUrl);
 url = getClass().getResource(requestUrl);
 InputStream in = url.openStream();
 
@@ -13,4 +13,6 @@
 }
 
 Path path = Paths.get(requestUrl).normalize().toRealPath();
-URL url = sc.getResource(path.toString());
+if (path.startsWith("/trusted")) {
+	URL url = request.getServletContext().getResource(path.toString());
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qhelp b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qhelp
@@ -54,8 +54,8 @@ file exposure attacks. It also shows how to remedy the problem by validating the
 <li>Micro Focus:
   <a href="https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.file_disclosure_j2ee">File Disclosure: J2EE</a>
 </li>
-<li>
-  <a href="https://vuldb.com/?id.81084">Apache Tomcat 6.0/7.0/8.0/9.0 Servletcontext Getresource/getresourceasstream/getresourcepaths Path Traversal</a>
+<li>CVE-2015-5174:
+  <a href="https://vuldb.com/?id.81084">Apache Tomcat 6.0/7.0/8.0/9.0 Servletcontext getResource/getResourceAsStream/getResourcePaths Path Traversal</a>
 </li>
 </references>
 </qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -14,6 +14,7 @@ import java
 import UnsafeUrlForward
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+import experimental.semmle.code.java.frameworks.Jsf
 import experimental.semmle.code.java.PathSanitizer
 import DataFlow::PathGraph
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -3,6 +3,7 @@ private import experimental.semmle.code.java.frameworks.Jsf
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.StringPrefixes
+private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 
 /** A sink for unsafe URL forward vulnerabilities. */
 abstract class UnsafeUrlForwardSink extends DataFlow::Node { }
@@ -23,31 +24,31 @@ private class RequestDispatcherSink extends UnsafeUrlForwardSink {
 /** The `getResource` method of `Class`. */
 class GetClassResourceMethod extends Method {
   GetClassResourceMethod() {
-    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
+    this.getDeclaringType() instanceof TypeClass and
     this.hasName("getResource")
   }
 }
 
 /** The `getResourceAsStream` method of `Class`. */
 class GetClassResourceAsStreamMethod extends Method {
   GetClassResourceAsStreamMethod() {
-    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
+    this.getDeclaringType() instanceof TypeClass and
     this.hasName("getResourceAsStream")
   }
 }
 
 /** The `getResource` method of `ClassLoader`. */
 class GetClassLoaderResourceMethod extends Method {
   GetClassLoaderResourceMethod() {
-    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
+    this.getDeclaringType() instanceof ClassLoaderClass and
     this.hasName("getResource")
   }
 }
 
 /** The `getResourceAsStream` method of `ClassLoader`. */
 class GetClassLoaderResourceAsStreamMethod extends Method {
   GetClassLoaderResourceAsStreamMethod() {
-    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
+    this.getDeclaringType() instanceof ClassLoaderClass and
     this.hasName("getResourceAsStream")
   }
 }
@@ -73,8 +74,8 @@ class VirtualFile extends RefType {
 }
 
 /** The JBoss method `getChild` of `FileResourceManager`. */
-class GetVirtualFileMethod extends Method {
-  GetVirtualFileMethod() {
+class GetVirtualFileChildMethod extends Method {
+  GetVirtualFileChildMethod() {
     this.getDeclaringType().getASupertype*() instanceof VirtualFile and
     this.hasName("getChild")
   }
@@ -91,7 +92,7 @@ private class GetResourceSink extends UnsafeUrlForwardSink {
         ma.getMethod() instanceof GetFacesResourceAsStreamMethod or
         ma.getMethod() instanceof GetClassResourceAsStreamMethod or
         ma.getMethod() instanceof GetClassLoaderResourceAsStreamMethod or
-        ma.getMethod() instanceof GetVirtualFileMethod
+        ma.getMethod() instanceof GetVirtualFileChildMethod
       ) and
       ma.getArgument(0) = this.asExpr()
     )
diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -5,7 +5,7 @@
 import semmle.code.java.Type
 
 /**
- * The JSF class `FacesContext` for processing HTTP requests.
+ * The JSF class `ExternalContext` for processing HTTP requests.
  */
 class ExternalContext extends RefType {
   ExternalContext() {

Original file line number	Diff line number	Diff line change
`@@ -381,7 +381,7 @@ class RequestDispatchMethod extends Method {`
`381`	`381`	`/**`
`382`	`382`	* The interface `javax.servlet.ServletContext`.
`383`	`383`	`*/`
`384`		`-library class ServletContext extends RefType {`
	`384`	`+class ServletContext extends RefType {`
`385`	`385`	`ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }`
`386`	`386`	`}`
`387`	`387`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ private import experimental.semmle.code.java.frameworks.Jsf`
`3`	`3`	`private import semmle.code.java.dataflow.ExternalFlow`
`4`	`4`	`private import semmle.code.java.dataflow.FlowSources`
`5`	`5`	`private import semmle.code.java.dataflow.StringPrefixes`
	`6`	`+private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions`
`6`	`7`
`7`	`8`	`/** A sink for unsafe URL forward vulnerabilities. */`
`8`	`9`	`abstract class UnsafeUrlForwardSink extends DataFlow::Node { }`
`@@ -23,31 +24,31 @@ private class RequestDispatcherSink extends UnsafeUrlForwardSink {`
`23`	`24`	/** The `getResource` method of `Class`. */
`24`	`25`	`class GetClassResourceMethod extends Method {`
`25`	`26`	`GetClassResourceMethod() {`
`26`		`- this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and`
	`27`	`+ this.getDeclaringType() instanceof TypeClass and`
`27`	`28`	`this.hasName("getResource")`
`28`	`29`	`}`
`29`	`30`	`}`
`30`	`31`
`31`	`32`	/** The `getResourceAsStream` method of `Class`. */
`32`	`33`	`class GetClassResourceAsStreamMethod extends Method {`
`33`	`34`	`GetClassResourceAsStreamMethod() {`
`34`		`- this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and`
	`35`	`+ this.getDeclaringType() instanceof TypeClass and`
`35`	`36`	`this.hasName("getResourceAsStream")`
`36`	`37`	`}`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	/** The `getResource` method of `ClassLoader`. */
`40`	`41`	`class GetClassLoaderResourceMethod extends Method {`
`41`	`42`	`GetClassLoaderResourceMethod() {`
`42`		`- this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and`
	`43`	`+ this.getDeclaringType() instanceof ClassLoaderClass and`
`43`	`44`	`this.hasName("getResource")`
`44`	`45`	`}`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	/** The `getResourceAsStream` method of `ClassLoader`. */
`48`	`49`	`class GetClassLoaderResourceAsStreamMethod extends Method {`
`49`	`50`	`GetClassLoaderResourceAsStreamMethod() {`
`50`		`- this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and`
	`51`	`+ this.getDeclaringType() instanceof ClassLoaderClass and`
`51`	`52`	`this.hasName("getResourceAsStream")`
`52`	`53`	`}`
`53`	`54`	`}`
`@@ -73,8 +74,8 @@ class VirtualFile extends RefType {`
`73`	`74`	`}`
`74`	`75`
`75`	`76`	/** The JBoss method `getChild` of `FileResourceManager`. */
`76`		`-class GetVirtualFileMethod extends Method {`
`77`		`- GetVirtualFileMethod() {`
	`77`	`+class GetVirtualFileChildMethod extends Method {`
	`78`	`+ GetVirtualFileChildMethod() {`
`78`	`79`	`this.getDeclaringType().getASupertype*() instanceof VirtualFile and`
`79`	`80`	`this.hasName("getChild")`
`80`	`81`	`}`
`@@ -91,7 +92,7 @@ private class GetResourceSink extends UnsafeUrlForwardSink {`
`91`	`92`	`ma.getMethod() instanceof GetFacesResourceAsStreamMethod or`
`92`	`93`	`ma.getMethod() instanceof GetClassResourceAsStreamMethod or`
`93`	`94`	`ma.getMethod() instanceof GetClassLoaderResourceAsStreamMethod or`
`94`		`- ma.getMethod() instanceof GetVirtualFileMethod`
	`95`	`+ ma.getMethod() instanceof GetVirtualFileChildMethod`
`95`	`96`	`) and`
`96`	`97`	`ma.getArgument(0) = this.asExpr()`
`97`	`98`	`)`