
Commit ba3f9d6

committed
Convert model to QL
1 parent b5fbf2e commit ba3f9d6


2 files changed

+18
-3
lines changed


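--- a/java/ql/lib/ext/org.springframework.web.client.model.yml
+++ b/java/ql/lib/ext/org.springframework.web.client.model.yml
@@ -16,9 +16,6 @@ extensions:
 - ["org.springframework.web.client", "RestTemplate", False, "execute", "", "", "Argument[0]", "request-forgery", "manual"]
 - ["org.springframework.web.client", "RestTemplate", False, "getForEntity", "", "", "Argument[0]", "request-forgery", "manual"]
 - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[0]", "request-forgery", "manual"]
-- ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2]", "request-forgery", "manual"] # This is a workaround for the fact that sink model can't currently have access paths
-# - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].ArrayElement", "request-forgery", "manual"]
-# - ["org.springframework.web.client", "RestTemplate", False, "getForObject", "", "", "Argument[2].MapValue", "request-forgery", "manual"]
 - ["org.springframework.web.client", "RestTemplate", False, "headForHeaders", "", "", "Argument[0]", "request-forgery", "manual"]
 - ["org.springframework.web.client", "RestTemplate", False, "optionsForAllow", "", "", "Argument[0]", "request-forgery", "manual"]
 - ["org.springframework.web.client", "RestTemplate", False, "patchForObject", "", "", "Argument[0]", "request-forgery", "manual"]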

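--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
@@ -27,3 +27,21 @@ class SpringWebClient extends Interface {
 this.hasQualifiedName("org.springframework.web.reactive.function.client", "WebClient")
 }
 }
+
+private import semmle.code.java.security.RequestForgery
+
+private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink {
+SpringWebClientRestTemplateGetForObject() {
+exists(Method m, MethodCall mc, int i |
+m.getDeclaringType() instanceof SpringRestTemplate and
+m.hasName("getForObject") and
+mc.getMethod() = m
+|
+// Deal with two overloads, with third parameter type `Object...` and
+// `Map<String, ?>`. We cannot deal with mapvalue content easily but
+// there is a default implicit taint read at sinks that will catch it.
+this.asExpr() = mc.getArgument(i) and
+i >= 2
+)
+}
+}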
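Review bot: The new sink class covers only `getForObject`, so URI-variable arguments passed to the other `RestTemplate` methods still go unreported. In the model rows visible in this commit, `getForEntity`, `headForHeaders`, `optionsForAllow`, `patchForObject` and `execute` are listed with `Argument[0]` only, and in Spring those methods also accept a trailing `Object...` or `Map<String, ?>` of URI variables, at an index that differs per method. If the narrow scope is intentional for now, record it in a QLDoc comment on the class, for example `/** A URI-variable argument (index 2 or later) of a call to RestTemplate.getForObject, treated as a request-forgery sink; other RestTemplate methods are modelled at Argument[0] only. */`. Otherwise the characteristic predicate would need to pair each method name with its first URI-variable index instead of the fixed `m.hasName("getForObject")` and `i >= 2`.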
