microsoft
diff --git a/‎java/ql/lib/change-notes/2023-05-26-play-framework-models.md
Lines changed: 4 additions & 0 deletions b/‎java/ql/lib/change-notes/2023-05-26-play-framework-models.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎java/ql/lib/ext/play.libs.ws.model.yml
Lines changed: 7 additions & 0 deletions b/‎java/ql/lib/ext/play.libs.ws.model.yml
Lines changed: 7 additions & 0 deletions
diff --git a/‎java/ql/lib/ext/play.mvc.model.yml
Lines changed: 41 additions & 4 deletions b/‎java/ql/lib/ext/play.mvc.model.yml
Lines changed: 41 additions & 4 deletions
diff --git a/‎java/ql/test/library-tests/dataflow/taintsources/PlayMvc.java
Lines changed: 25 additions & 0 deletions b/‎java/ql/test/library-tests/dataflow/taintsources/PlayMvc.java
Lines changed: 25 additions & 0 deletions
diff --git a/‎java/ql/test/library-tests/frameworks/play/mad/Test.java
Lines changed: 194 additions & 0 deletions b/‎java/ql/test/library-tests/frameworks/play/mad/Test.java
Lines changed: 194 additions & 0 deletions
diff --git a/‎java/ql/test/library-tests/frameworks/play/test.expected b/‎java/ql/test/library-tests/frameworks/play/test.expected
diff --git a/‎java/ql/test/library-tests/frameworks/play/test.ql
Lines changed: 2 additions & 0 deletions b/‎java/ql/test/library-tests/frameworks/play/test.ql
Lines changed: 2 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-918/mad/Test.java
Lines changed: 12 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-918/mad/Test.java
Lines changed: 12 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-918/options
Lines changed: 1 addition & 1 deletion b/‎java/ql/test/query-tests/security/CWE-918/options
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models for the Play Framework.
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["play.libs.ws", "WSClient", True, "url", "", "", "Argument[0]", "open-url", "manual"]
+      - ["play.libs.ws", "StandaloneWSClient", True, "url", "", "", "Argument[0]", "open-url", "manual"]
@@ -3,7 +3,44 @@ extensions:
       pack: codeql/java-all
       extensible: sourceModel
     data:
-      - ["play.mvc", "Http$RequestHeader", False, "getHeader", "", "", "ReturnValue", "remote", "manual"]
-      - ["play.mvc", "Http$RequestHeader", False, "getQueryString", "", "", "ReturnValue", "remote", "manual"]
-      - ["play.mvc", "Http$RequestHeader", False, "header", "", "", "ReturnValue", "remote", "manual"]
-      - ["play.mvc", "Http$RequestHeader", False, "queryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$Request", True, "body", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "cookie", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "cookies", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "getHeader", "", "", "ReturnValue", "remote", "manual"] # v2.4.x
+      - ["play.mvc", "Http$RequestHeader", True, "getHeaders", "", "", "ReturnValue", "remote", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RequestHeader", True, "getQueryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "header", "", "", "ReturnValue", "remote", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RequestHeader", True, "headers", "", "", "ReturnValue", "remote", "manual"] # v2.4.x
+      - ["play.mvc", "Http$RequestHeader", True, "host", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "path", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "queryString", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "remoteAddress", "", "", "ReturnValue", "remote", "manual"]
+      - ["play.mvc", "Http$RequestHeader", True, "uri", "", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["play.mvc", "Http$RequestBody", True, "as", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RequestBody", True, "asFormUrlEncoded", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asJson", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asMultipartFormData", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asRaw", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asText", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "asXml", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RequestBody", True, "parseJson", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$MultipartFormData", True, "asFormUrlEncoded", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData", True, "getFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData", True, "getFiles", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getContentType", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getDispositionType", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.4.x
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getFilename", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getKey", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$MultipartFormData$FilePart", True, "getRef", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
+      - ["play.mvc", "Http$RawBuffer", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$RawBuffer", True, "asFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookie", True, "name", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookie", True, "value", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookies", True, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["play.mvc", "Http$Cookies", True, "getCookie", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] # v2.7.x
@@ -0,0 +1,25 @@
+import play.mvc.Http;
+
+public class PlayMvc {
+
+    private Http.Request request;
+    private Http.RequestHeader header;
+
+    private static void sink(Object o) {}
+
+    public void test() throws Exception {
+        sink(request.body()); // $ hasRemoteValueFlow
+        sink(header.cookie(null)); // $ hasRemoteValueFlow
+        sink(header.cookies()); // $ hasRemoteValueFlow
+        sink(header.getHeader(null)); // $ hasRemoteValueFlow
+        sink(header.getHeaders()); // $ hasRemoteValueFlow
+        sink(header.getQueryString(null)); // $ hasRemoteValueFlow
+        sink(header.header(null)); // $ hasRemoteValueFlow
+        sink(header.headers()); // $ hasRemoteValueFlow
+        sink(header.host()); // $ hasRemoteValueFlow
+        sink(header.path()); // $ hasRemoteValueFlow
+        sink(header.queryString()); // $ hasRemoteValueFlow
+        sink(header.remoteAddress()); // $ hasRemoteValueFlow
+        sink(header.uri()); // $ hasRemoteValueFlow
+    }
+}
@@ -0,0 +1,194 @@
+package generatedtest;
+
+import akka.util.ByteString;
+import com.fasterxml.jackson.databind.JsonNode;
+import java.io.File;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import org.w3c.dom.Document;
+import play.mvc.Http;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() {
+		return null;
+	}
+
+	void sink(Object o) {}
+
+	public void test() throws Exception {
+
+		{
+			// "play.mvc;Http$Cookie;true;name;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.Cookie in = (Http.Cookie) source();
+			out = in.name();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$Cookie;true;value;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.Cookie in = (Http.Cookie) source();
+			out = in.value();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$Cookies;true;get;;;Argument[this];ReturnValue;taint;manual"
+			Http.Cookie out = null;
+			Http.Cookies in = (Http.Cookies) source();
+			out = in.get(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$Cookies;true;getCookie;;;Argument[this];ReturnValue;taint;manual"
+			Optional out = null;
+			Http.Cookies in = (Http.Cookies) source();
+			out = in.getCookie(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData$FilePart;true;getContentType;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.MultipartFormData.FilePart in = (Http.MultipartFormData.FilePart) source();
+			out = in.getContentType();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData$FilePart;true;getDispositionType;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.MultipartFormData.FilePart in = (Http.MultipartFormData.FilePart) source();
+			out = in.getDispositionType();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData$FilePart;true;getFilename;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.MultipartFormData.FilePart in = (Http.MultipartFormData.FilePart) source();
+			out = in.getFilename();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData$FilePart;true;getKey;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.MultipartFormData.FilePart in = (Http.MultipartFormData.FilePart) source();
+			out = in.getKey();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData$FilePart;true;getRef;;;Argument[this];ReturnValue;taint;manual"
+			Object out = null;
+			Http.MultipartFormData.FilePart in = (Http.MultipartFormData.FilePart) source();
+			out = in.getRef();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData;true;asFormUrlEncoded;;;Argument[this];ReturnValue;taint;manual"
+			Map out = null;
+			Http.MultipartFormData in = (Http.MultipartFormData) source();
+			out = in.asFormUrlEncoded();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData;true;getFile;;;Argument[this];ReturnValue;taint;manual"
+			Http.MultipartFormData.FilePart out = null;
+			Http.MultipartFormData in = (Http.MultipartFormData) source();
+			out = in.getFile(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$MultipartFormData;true;getFiles;;;Argument[this];ReturnValue;taint;manual"
+			List out = null;
+			Http.MultipartFormData in = (Http.MultipartFormData) source();
+			out = in.getFiles();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RawBuffer;true;asBytes;;;Argument[this];ReturnValue;taint;manual"
+			ByteString out = null;
+			Http.RawBuffer in = (Http.RawBuffer) source();
+			out = in.asBytes();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RawBuffer;true;asBytes;;;Argument[this];ReturnValue;taint;manual"
+			ByteString out = null;
+			Http.RawBuffer in = (Http.RawBuffer) source();
+			out = in.asBytes(0);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RawBuffer;true;asFile;;;Argument[this];ReturnValue;taint;manual"
+			File out = null;
+			Http.RawBuffer in = (Http.RawBuffer) source();
+			out = in.asFile();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;as;;;Argument[this];ReturnValue;taint;manual"
+			Object out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.as(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asBytes;;;Argument[this];ReturnValue;taint;manual"
+			ByteString out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asBytes();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asFormUrlEncoded;;;Argument[this];ReturnValue;taint;manual"
+			Map out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asFormUrlEncoded();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asJson;;;Argument[this];ReturnValue;taint;manual"
+			JsonNode out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asJson();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asMultipartFormData;;;Argument[this];ReturnValue;taint;manual"
+			Http.MultipartFormData out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asMultipartFormData();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asRaw;;;Argument[this];ReturnValue;taint;manual"
+			Http.RawBuffer out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asRaw();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asText;;;Argument[this];ReturnValue;taint;manual"
+			String out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asText();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;asXml;;;Argument[this];ReturnValue;taint;manual"
+			Document out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.asXml();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "play.mvc;Http$RequestBody;true;parseJson;;;Argument[this];ReturnValue;taint;manual"
+			Optional out = null;
+			Http.RequestBody in = (Http.RequestBody) source();
+			out = in.parseJson(null);
+			sink(out); // $ hasTaintFlow
+		}
+
+	}
+
+}
@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest
@@ -9,6 +9,8 @@
 import org.apache.commons.jelly.JellyContext;
 import org.codehaus.cargo.container.installer.ZipURLInstaller;
 import org.kohsuke.stapler.HttpResponses;
+import play.libs.ws.WSClient;
+import play.libs.ws.StandaloneWSClient;
 
 public class Test {
 
@@ -74,4 +76,14 @@ public void test(HttpResponses r) {
         r.staticResource((URL) source()); // $ SSRF
     }
 
+    public void test(WSClient c) {
+        // "play.libs.ws;WSClient;true;url;;;Argument[0];open-url;manual"
+        c.url((String) source()); // $ SSRF
+    }
+
+    public void test(StandaloneWSClient c) {
+        // "play.libs.ws;StandaloneWSClient;true;url;;;Argument[0];open-url;manual"
+        c.url((String) source()); // $ SSRF
+    }
+
 }
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added more dataflow models for the Play Framework.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import java`
	`2`	`+import TestUtilities.InlineFlowTest`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5
	`1`	+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x