Java: Add Spring RestTemplate return values to untrusted data types

lcartey · lcartey · commit b81ece3ed54e · 2020-05-18T00:30:47.000+01:00
- Also improve unwrapping of lists/arrays/maps etc.
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringController.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringController.qll
@@ -1,6 +1,7 @@
 import java
 import semmle.code.java.Maps
 import SpringWeb
+import SpringWebClient
 
 /**
  * An annotation type that identifies Spring controllers.
@@ -296,6 +297,13 @@ class SpringModelResponseType extends RefType {
   }
 }
 
+/** Strips wrapper types. */
+private RefType stripType(Type t) {
+  result = t or
+  result = stripType(t.(Array).getComponentType()) or
+  result = stripType(t.(ParameterizedType).getATypeArgument())
+}
+
 /**
  * A user data type which may be populated from a HTTP request.
  *
@@ -310,11 +318,16 @@ class SpringUntrustedDataType extends RefType {
       p.getAnAnnotation().(SpringServletInputAnnotation).getType().hasName("RequestBody")
       |
       this.fromSource() and
-      this = p.getType()
+      this = stripType(p.getType())
+    )
+    or
+    exists(SpringRestTemplateResponseEntityMethod rm |
+      this = stripType(rm.getAReference().getType().(ParameterizedType).getTypeArgument(0)) and
+      this.fromSource()
     )
     or
     exists(SpringUntrustedDataType mt |
-      this = mt.getAField().getType() and
+      this = stripType(mt.getAField().getType()) and
       this.fromSource()
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`import java`
`2`	`2`	`import semmle.code.java.Maps`
`3`	`3`	`import SpringWeb`
	`4`	`+import SpringWebClient`
`4`	`5`
`5`	`6`	`/**`
`6`	`7`	`* An annotation type that identifies Spring controllers.`
`@@ -296,6 +297,13 @@ class SpringModelResponseType extends RefType {`
`296`	`297`	`}`
`297`	`298`	`}`
`298`	`299`
	`300`	`+/** Strips wrapper types. */`
	`301`	`+private RefType stripType(Type t) {`
	`302`	`+ result = t or`
	`303`	`+ result = stripType(t.(Array).getComponentType()) or`
	`304`	`+ result = stripType(t.(ParameterizedType).getATypeArgument())`
	`305`	`+}`
	`306`	`+`
`299`	`307`	`/**`
`300`	`308`	`* A user data type which may be populated from a HTTP request.`
`301`	`309`	`*`
`@@ -310,11 +318,16 @@ class SpringUntrustedDataType extends RefType {`
`310`	`318`	`p.getAnAnnotation().(SpringServletInputAnnotation).getType().hasName("RequestBody")`
`311`	`319`	`\|`
`312`	`320`	`this.fromSource() and`
`313`		`- this = p.getType()`
	`321`	`+ this = stripType(p.getType())`
	`322`	`+ )`
	`323`	`+ or`
	`324`	`+ exists(SpringRestTemplateResponseEntityMethod rm \|`
	`325`	`+ this = stripType(rm.getAReference().getType().(ParameterizedType).getTypeArgument(0)) and`
	`326`	`+ this.fromSource()`
`314`	`327`	`)`
`315`	`328`	`or`
`316`	`329`	`exists(SpringUntrustedDataType mt \|`
`317`		`- this = mt.getAField().getType() and`
	`330`	`+ this = stripType(mt.getAField().getType()) and`
`318`	`331`	`this.fromSource()`
`319`	`332`	`)`
`320`	`333`	`}`