Java: Add Spring flow out of HttpEntity and HttpHeader

lcartey · lcartey · commit a00934a18aa7 · 2020-05-18T00:26:06.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -387,6 +387,19 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   exists(SpringUntrustedDataType dt |
     m.(GetterMethod) = dt.getAMethod()
   )
+  or
+  exists(SpringHttpEntity sre |
+    m = sre.getAMethod() and
+    m.getName().regexpMatch("getBody|getHeaders")
+  )
+  or
+  exists(SpringHttpHeaders headers |
+    m = headers.getAMethod() |
+    m.getReturnType() instanceof TypeString
+    or
+    m.getReturnType().(RefType).getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "List") and
+    m.getReturnType().(ParameterizedType).getTypeArgument(0) instanceof TypeString
+  )
 }
 
 private class StringReplaceMethod extends Method {
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -32,4 +32,8 @@ class SpringResponseEntityBodyBuilder extends Interface {
     getSourceDeclaration().getEnclosingType() = any(SpringResponseEntity sre) and
     hasName("BodyBuilder")
   }
+}
+
+class SpringHttpHeaders extends Class {
+  SpringHttpHeaders() { hasQualifiedName("org.springframework.http", "HttpHeaders") }
 }

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,8 @@ class SpringResponseEntityBodyBuilder extends Interface {`
`32`	`32`	`getSourceDeclaration().getEnclosingType() = any(SpringResponseEntity sre) and`
`33`	`33`	`hasName("BodyBuilder")`
`34`	`34`	`}`
	`35`	`+}`
	`36`	`+`
	`37`	`+class SpringHttpHeaders extends Class {`
	`38`	`+ SpringHttpHeaders() { hasQualifiedName("org.springframework.http", "HttpHeaders") }`
`35`	`39`	`}`