Java: New models for JAX-RS

atorralba · atorralba · commit fb0102b76380 · 2023-08-07T11:52:23.000+02:00
diff --git a/java/ql/lib/change-notes/2023-08-07-jaxrs-new-models.md b/java/ql/lib/change-notes/2023-08-07-jaxrs-new-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models for JAX-RS.
diff --git a/java/ql/lib/ext/jakarta.activation.model.yml b/java/ql/lib/ext/jakarta.activation.model.yml
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["jakarta.activation", "FileDataSource", True, "FileDataSource", "", "", "Argument[0]", "path-injection", "manual"]
+      - ["jakarta.activation", "URLDataSource", True, "URLDataSource", "", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["jakarta.activation", "DataSource", True, "getInputStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["jakarta.activation", "DataSource", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
diff --git a/java/ql/lib/ext/jakarta.xml.bind.attachment.model.yml b/java/ql/lib/ext/jakarta.xml.bind.attachment.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["jakarta.xml.bind.attachment", "AttachmentUnmarshaller", True, "getAttachmentAsDataHandler", "", "", "Parameter[0]", "remote", "manual"]
+      - ["jakarta.xml.bind.attachment", "AttachmentUnmarshaller", True, "getAttachmentAsByteArray", "", "", "Parameter[0]", "remote", "manual"]
diff --git a/java/ql/lib/ext/javax.activation.model.yml b/java/ql/lib/ext/javax.activation.model.yml
@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.activation", "FileDataSource", True, "FileDataSource", "", "", "Argument[0]", "path-injection", "manual"]
+      - ["javax.activation", "URLDataSource", True, "URLDataSource", "", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["javax.activation", "DataHandler", True, "getContent", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.activation", "DataHandler", True, "getDataSource", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.activation", "DataHandler", True, "getInputStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.activation", "DataHandler", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.activation", "DataHandler", True, "writeTo", "(OutputStream)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
+      - ["javax.activation", "DataSource", True, "getInputStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["javax.activation", "DataSource", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
diff --git a/java/ql/lib/ext/javax.xml.bind.attachment.model.yml b/java/ql/lib/ext/javax.xml.bind.attachment.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["javax.xml.bind.attachment", "AttachmentUnmarshaller", True, "getAttachmentAsDataHandler", "", "", "Parameter[0]", "remote", "manual"]
+      - ["javax.xml.bind.attachment", "AttachmentUnmarshaller", True, "getAttachmentAsByteArray", "", "", "Parameter[0]", "remote", "manual"]
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/mad/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/mad/Test.java
@@ -9,6 +9,7 @@
 import java.nio.charset.Charset;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import javax.activation.FileDataSource;
 import javax.xml.transform.stream.StreamResult;
 import org.apache.commons.io.FileUtils;
 import org.apache.tools.ant.AntClassLoader;
@@ -104,6 +105,10 @@ void test() throws IOException {
         FileCopyUtils.copy((File) source(), null);
         // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual"
         FileCopyUtils.copy((File) null, (File) source());
+        // "javax.activation;FileDataSource;true;FileDataSource;(String);;Argument[0];path-injection;manual"
+        new FileDataSource((String) source());
+        // "javax.activation;FileDataSource;true;FileDataSource;(File);;Argument[0];path-injection;manual"
+        new FileDataSource((File) source());
     }
 
     void test(AntClassLoader acl) {
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/options b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo:${testdir}/../../../../../stubs/apache-ant-1.10.13:${testdir}/../../../../../stubs/stapler-1.263:${testdir}/../../../../../stubs/javax-servlet-2.5:${testdir}/../../../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../../../stubs/saxon-xqj-9.x:${testdir}/../../../../../stubs/apache-commons-beanutils:${testdir}/../../../../../stubs/dom4j-2.1.1:${testdir}/../../../../../stubs/apache-commons-lang:${testdir}/../../../../../stubs/jaxen-1.2.0:${testdir}/../../../../../stubs/jmh-1.3.6:${testdir}/../../../../../stubs/springframework-5.3.8
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo:${testdir}/../../../../../stubs/apache-ant-1.10.13:${testdir}/../../../../../stubs/stapler-1.263:${testdir}/../../../../../stubs/javax-servlet-2.5:${testdir}/../../../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../../../stubs/saxon-xqj-9.x:${testdir}/../../../../../stubs/apache-commons-beanutils:${testdir}/../../../../../stubs/dom4j-2.1.1:${testdir}/../../../../../stubs/apache-commons-lang:${testdir}/../../../../../stubs/jaxen-1.2.0:${testdir}/../../../../../stubs/jmh-1.3.6:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/jaxws-api-2.0
diff --git a/java/ql/test/query-tests/security/CWE-918/mad/Test.java b/java/ql/test/query-tests/security/CWE-918/mad/Test.java
@@ -4,6 +4,7 @@
 import java.net.SocketAddress;
 import java.net.URL;
 import java.net.URLClassLoader;
+import javax.activation.URLDataSource;
 import javax.servlet.http.HttpServletRequest;
 import javafx.scene.web.WebEngine;
 import org.apache.commons.jelly.JellyContext;
@@ -59,6 +60,8 @@ public void test(URLClassLoader cl) throws Exception {
         new JellyContext((URL) null, (URL) source()); // $ SSRF
         // "org.apache.commons.jelly;JellyContext;true;JellyContext;(URL);;Argument[0];open-url;ai-generated"
         new JellyContext((URL) source()); // $ SSRF
+        // "javax.activation;URLDataSource;true;URLDataSource;(URL);;Argument[0];request-forgery;manual"
+        new URLDataSource((URL) source()); // $ SSRF
     }
 
     public void test(WebEngine webEngine) {
diff --git a/java/ql/test/query-tests/security/CWE-918/options b/java/ql/test/query-tests/security/CWE-918/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/activation/DataSource.java b/java/ql/test/stubs/jaxws-api-2.0/javax/activation/DataSource.java
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/activation/FileDataSource.java b/java/ql/test/stubs/jaxws-api-2.0/javax/activation/FileDataSource.java
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/activation/URLDataSource.java b/java/ql/test/stubs/jaxws-api-2.0/javax/activation/URLDataSource.java

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added more dataflow models for JAX-RS.
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo:${testdir}/../../../../../stubs/apache-ant-1.10.13:${testdir}/../../../../../stubs/stapler-1.263:${testdir}/../../../../../stubs/javax-servlet-2.5:${testdir}/../../../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../../../stubs/saxon-xqj-9.x:${testdir}/../../../../../stubs/apache-commons-beanutils:${testdir}/../../../../../stubs/dom4j-2.1.1:${testdir}/../../../../../stubs/apache-commons-lang:${testdir}/../../../../../stubs/jaxen-1.2.0:${testdir}/../../../../../stubs/jmh-1.3.6:${testdir}/../../../../../stubs/springframework-5.3.8
	`1`	+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo:${testdir}/../../../../../stubs/apache-ant-1.10.13:${testdir}/../../../../../stubs/stapler-1.263:${testdir}/../../../../../stubs/javax-servlet-2.5:${testdir}/../../../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../../../stubs/saxon-xqj-9.x:${testdir}/../../../../../stubs/apache-commons-beanutils:${testdir}/../../../../../stubs/dom4j-2.1.1:${testdir}/../../../../../stubs/apache-commons-lang:${testdir}/../../../../../stubs/jaxen-1.2.0:${testdir}/../../../../../stubs/jmh-1.3.6:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/jaxws-api-2.0
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x
	`1`	+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0